Back to Home

Privacy Policy

Effective: March 2026 · Version 1.0 · NDPA 2023 · NDPR 2019 · PIPEDA

Your financial privacy is fundamental to how we build and operate SlasPay. This Policy explains what personal and financial data we collect, why we collect it, how we use it, and your rights over it.

1. Who We Are

This Privacy Policy applies to all personal data processed by Slas Technologies Limited (“SlasTech”) in connection with SlasPay, including slaspay.com, the web console, mobile applications, and payment APIs. We are registered with the Nigeria Data Protection Commission (NDPC). Our Data Protection Officer can be reached at dpo@slastech.com.

Nigeria (Primary Controller): Slas Technologies Limited, Lagos, Nigeria
Canada (Branch): Slas Technologies Inc., Barrie, Ontario, Canada

2. Information We Collect

Information you provide directly:

  • Registration data: full name, email address, phone number, date of birth, country of residence
  • KYC documents: government-issued ID (NIN, passport, driver's licence, provincial ID), BVN (Nigeria), proof of address, and facial biometric data for identity verification
  • Financial data: bank account details for linking (read-only tokenised connections), wallet funding instructions
  • Transaction data: send/receive amounts, currencies, recipient identifiers, payment references, timestamps
  • Source of funds declarations (for enhanced KYC and large transactions)
  • Business registration documents (for business accounts)
  • Communications: support requests, dispute evidence, email correspondence

Information collected automatically:

  • Device and network data: IP address, browser type, operating system, device fingerprint (for fraud detection)
  • Session data: pages visited, features used, session duration, API calls
  • Transaction metadata: timestamps, geolocation of transaction initiation (where consented), payment channel used
  • Cookies and authentication tokens (see our Cookie Policy)

Information from third parties:

  • KYC verification results from identity verification providers (Smile Identity or similar)
  • Payment confirmations from Paystack, Stripe, and the Stellar Network
  • Interac e-Transfer confirmation data from Canadian banking partners
  • Fraud and sanctions screening results from compliance providers
  • Credit and AML risk scores (only with your explicit consent for credit-linked features)

3. How We Use Your Information

  • Account creation and management (contract performance)
  • KYC/AML identity verification and ongoing compliance monitoring (legal obligation)
  • Payment processing — local and international transfers, currency exchange (contract performance)
  • Escrow management for SlasProp property transactions (contract performance)
  • FINTRAC transaction reporting for qualifying transfers (legal obligation)
  • CBN regulatory reporting and suspicious transaction reports (legal obligation)
  • Fraud detection, sanctions screening, and platform security (legitimate interests)
  • Customer support and dispute resolution (contract performance)
  • Anonymised transaction analytics and platform improvement (legitimate interests)
  • Legal compliance and regulatory record keeping (legal obligation)
  • Marketing communications (consent — opt-in only, withdrawable at any time)

4. Legal Basis for Processing

We process your data on the following legal bases under the NDPA 2023, NDPR 2019, and PIPEDA: contract performance (account management, payment execution); legal obligation (KYC/AML under the Money Laundering Act, FINTRAC Proceeds of Crime reporting, CBN PSP regulations); legitimate interests (fraud prevention, security monitoring, anonymised analytics); consent (marketing, optional biometric features — withdrawable at any time); and vital interests (emergency fraud response).

5. Data Sharing

We do not sell your personal or financial data. We share your data only with:

  • Payment counterparties as strictly necessary to execute transactions you initiate (recipient identifiers, amounts)
  • SlasProp and SlasIntel (SlasTech group companies) for property escrow and fraud analytics, under binding intra-group data processing agreements
  • KYC providers (Smile Identity or similar) under binding data processing agreements
  • Paystack and Stripe for payment rail processing under their own privacy policies
  • Stellar Network for blockchain settlement (transaction data only — no personal data written to the blockchain)
  • Interac for Canadian e-Transfer processing under their privacy policy
  • FINTRAC (Canada) and NFIU / CBN (Nigeria) as required by law
  • Sanctions screening providers for OFAC, UN, and Nigerian sanctions list checks
  • Amazon Web Services as our cloud provider under a Data Processing Agreement; all data stored in AWS Canada (ca-central-1)
  • Professional advisers (lawyers, auditors) under strict confidentiality obligations

6. International Data Transfers

Your data is stored in AWS Canada (ca-central-1). Where international processing is necessary (e.g. KYC verification providers, Stellar network nodes), we ensure protection through Standard Contractual Clauses, binding processor agreements, and adequacy assessments. We comply with PIPEDA's accountability principle for all cross-border data transfers.

7. Data Retention

  • Account and profile data: duration of account plus 7 years (FIRS / CRA tax obligations)
  • KYC documents: 7 years from last transaction (CBN AML regulations, FINTRAC requirements)
  • Payment transaction records: 7 years (Financial Regulations Act, FINTRAC record-keeping)
  • Fraud and security logs: 3 years (operational security and legal claims)
  • Support communications: 3 years (limitation period for claims)
  • Marketing preferences: until opt-out plus 1 year

After the applicable retention period, data is securely deleted or fully anonymised. Some data may be retained longer where required by law, court order, or regulatory investigation.

8. Your Rights

Under the NDPA 2023, NDPR 2019, and PIPEDA, you have the right to: access your personal data; correct inaccurate data; request erasure (subject to legal retention and AML obligations that may prevent immediate deletion); restrict processing; data portability in machine-readable format; object to processing based on legitimate interests; withdraw consent at any time without affecting prior lawful processing; and lodge a complaint with the NDPC (Nigeria) at ndpc.gov.ng or the OPC (Canada) at priv.gc.ca.

Submit rights requests to privacy@slastech.com. We respond within 30 days. Identity verification is required before we can action data subject requests.

9. Cookies & Tracking

We use strictly necessary cookies for authentication, session management, and CSRF protection (always active); functional cookies for preferences (optional); and first-party anonymised analytics (optional). We do not use advertising cookies or share data with advertising networks. See our full Cookie Policy.

10. Security Measures

We implement: TLS 1.3 encryption in transit; AES-256 encryption at rest; httpOnly cookie-based authentication with refresh token rotation; bcrypt password hashing; real-time transaction fraud monitoring; dedicated encrypted S3 storage for KYC documents with strict IAM access controls; AWS Shield DDoS protection; API rate limiting and abuse detection; comprehensive audit logging; role-based access controls; regular dependency security audits; and a 72-hour breach notification procedure to the NDPC as required by NDPA 2023.

11. Children's Privacy

SlasPay is a financial services platform not intended for use by anyone under the age of 18. If you believe a minor has provided us with personal data, contact privacy@slastech.com immediately and we will promptly delete such data.

12. Third-Party Services

SlasPay integrates with Paystack (NGN payment processing), Stripe (international card processing), Stellar Network (blockchain settlement), Interac (Canadian e-Transfer), KYC verification providers, and Amazon Web Services (infrastructure). We encourage you to review their privacy policies before using those services through our platform.

13. Changes to This Policy

We may update this Policy from time to time. Material changes are notified via email and in-platform notice at least 30 days before taking effect. The effective date at the top of this Policy is updated with each revision. Prior versions are archived and available on request from privacy@slastech.com.

14. Contact & Complaints

Data Protection Officer: dpo@slastech.com
Privacy enquiries: privacy@slastech.com
Nigeria DPA regulator: NDPC — ndpc.gov.ng
Canada privacy regulator: OPC — priv.gc.ca

Version 1.0 — Effective March 2026. Also see our Terms of Service and Cookie Policy.