Kudy Financials Limited

Privacy Policy

  1. Introduction
    1. 1.1.To service our clients, Kudy Financials Limited (hereinafter referred to as “Kudy”, “we” “us” or “the Company”) needs to collect personal data from our clients and/or potential clients, employees and suppliers. In light of the above, Kudy wants to ensure a high level of data protection as privacy is a cornerstone in gaining and maintaining the trust of our clients, employees and suppliers in Kudy’s business.

      The protection of personal data requires that appropriate technical and organizational measures are taken to demonstrate a high level of data protection. Kudy has adopted several internal and external data protection policies, which must be adhered to by the employees of Kudy.

      Additionally, Kudy will monitor, audit and document internal compliance with data protection policies and applicable statutory data protection requirements, including the provision in the Nigeria Data Protection Act (“NDPA”) and relevant guidelines and/or rules issued by the Nigerian Data Protection Commission, a regulator of Kudy.

      Kudy will also take the necessary steps to enhance data protection compliance within it These steps include assignment of responsibilities, raising awareness and training of staff involved in processing operations. Please note that this Privacy Policy will be renewed from time to time to take account of any new obligations that any personal data we hold would be governed by our most recent policy.

      This Privacy Policy, along with guidelines for processing personal data, constitutes the overall framework for processing personal data within Kudy.
    2. 1.2.“Personal Data” is any information which may relate to an identified or identifiable natural person (“Data Subject”). An identifiable natural person can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, phone number, age, gender, an employee, a job applicant, clients, suppliers and other business partners. This also includes special categories of personal data (“sensitive personal data”) and confidential information such as health information, account number, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    3. 1.3.Although information regarding companies/businesses is not such, as personal data, please note that information relating to contacts within such companies/businesses, e.g. name, title, work email, work phone number, etc. is considered personal data.
    4. 1.4.Kudy collects and uses personal data for a variety of legitimate business purposes, including establishing and management of customer and supplier relationships, completion of purchase orders, recruitment and management of all aspects of terms and conditions of employment, communication, fulfilment of legal obligations or requirements, performance of contracts, providing services to clients, etc.
    5. 1.5.Kudy will ensure that personal data are always:
      • Processed lawfully, fairly and in a transparent manner concerning the Data Subject
      • Collected for specified, explicit and legitimate purposes and further processed in a manner that is incompatible with those purposes
      • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purpose for which they are processed, are erased or rectified without delay
      • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; against accidental loss, destruction or damage, using appropriate technical or organizational measures.
    6. 1.6. Kudy will be responsible for and be able to demonstrate compliance with the above as part of Kudy’s accountability.
  2. Legal Basis For Processing Personal Data
    1. 2.1. Processing of personal data requires a legal basis. The most predominant legal basis for processing data within Kudy are:
      • Consent from the Data Subject for one or more specific purposes
      • The performance of a contract to which the Data Subject is a party
      • A legal obligation or requirement
      • Legitimate interest pursued by Kudy
    2. 2.2.Consent
      1. 2.2.1.if the collection, registration and further processing of personal data on clients, suppliers, other business relations and employees are based on such a person’s consent to the processing of personal data for one or more specific purposes, Kudy will ensure to demonstrate that the Data Subject has consented to processing of such personal data.
      2. 2.2.2.consent must be freely given, specific, informed and unambiguous. The Data Subject must actively consent to the processing of personal data by a statement or by a clear affirmative action, to him/her.
      3. 2.2.3.a request for consent must be presented in a manner, which is distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
      4. 2.2.4.to process a special category of personal data (sensitive personal data) the consent must also be explicit.
      5. 2.2.5.the Data Subject is entitled to withdraw his/her consent at any time and upon such withdrawal, Kudy will stop collecting or processing personal data about the Data Subject unless Kudy is obligated or entitled to do so based on another legal basis.
    3. 2.3.Necessary for the performance of a contract
      • 2.3.1.It will be legitimate to collect and process personal data relevant to the performance of a contract to which the Data Subject is party or to take steps at the request of the Data Subject before entering into a contract. This applies to all contractual obligations and agreements signed by Kudy, including the pre-contractual phase irrespective of the success of the contract negotiation or not.
    4. 2.4.Comply with a legal obligation
      • 2.4.1.Kudy must comply with various legal obligations and requirements, which have a legal basis in Nigeria. Such legal obligation, to which Kudy is subject, may be sufficient as a legitimate basis for processing personal data.
      • 2.4.2.such legal obligations include obligations to collect, register and/or make available certain types of information relating to employees, clients, etc. Such legal requirements will then form the legal basis for us to process the personal data, however, it is important to note whether the provisions allowing or requiring Kudy to process certain personal data also set out requirements concerning storage, disclosure and deletion.
    5. 2.5.Legitimate Interests
      • 2.5.1.Data will only be processed where it is necessary for the legitimate interests pursued by Kudy, and these interests or fundamental rights are not overridden by the interests of the Data Subjects. Kudy will when deciding to process data ensure that the legitimate interests override the rights and freedoms of the individuals and that the processing would not cause unwarranted harm. For instance, it is a legitimate interest of Kudy to process personal data on potential clients to expand the business and develop new business relationships. The Data Subject must be given information on the specific legitimate interest if a processing is based on this provision, cf. section 4.1. below.
    6. 2.6.Processing Personal Data for Machine Learning and Artificial Intelligence Training
      • 2.6.1.Definitions
        1. Artificial Intelligence (“AI”): Systems designed to simulate human reasoning and carry out tasks such as detecting payment irregularities, analysing support communications, or forecasting behavioural trends.
        2. Machine Learning (ML): A subfield of AI where systems autonomously improve their performance by analysing data and adjusting their parameters, rather than relying on fixed programming.
        3. AI/ML Training: The processing of pseudonymised or anonymised data—such as transaction logs, device data, and chat transcripts—to improve model accuracy and performance in tasks like fraud detection and automated service delivery.
        4. Inference: The process where a trained AI model is applied to new data inputs to generate predictions, classifications, alerts, or recommendations.
        5. Profiling: Any automated processing of personal data to evaluate certain personal characteristics, particularly to analyse or predict aspects concerning an individual’s preferences, behaviour, performance, or reliability.
        6. Automated Decision-Making: A decision made solely through automated means without human involvement, which significantly affects the data subject, such as access to a service or risk profiling.
      • 2.6.2.Purpose and Scope
        Kudy’s use of AI and ML is strictly for purposes that align with the principles of fairness, transparency, and purpose limitation under Section 24 of the NDPA. These purposes include:
        • Enhancing fraud detection systems.
        • Powering customer service automation (e.g., chatbots).
        • Personalising user experiences and recommendations.
        • Piloting innovative financial technology products and features.
        All processing activities are governed by the NDPA and NDPA-GAID and are subject to ongoing privacy risk assessments.
      • 2.6.3.Legal Grounds for Processing
        1. Explicit Consent: Where personal data is used beyond the core service delivery—such as for experimental features or third-party model training—KK obtains the data subject’s explicit and informed consent, as required under Section 26 NDPA. Consent may be withdrawn at any time without impact on service delivery.
        2. Contractual Necessity & Legal Obligation: Where AI is necessary for providing or securing services, or complying with statutory obligations (e.g., anti-money laundering), processing is based on Section 25(1)(a) and (c) of the NDPA.
        3. Public Interest Task: For essential internal improvements to fraud prevention and model accuracy, KK may process data under Section 25(1)(b) where the task is necessary for the performance of a function in the public interest.
        Kudy does not rely on “legitimate interest” as a basis for data processing, in compliance with the NDPA framework.
      • 2.6.4.Data Protection Impact Assessment (DPIA)
        All AI/ML projects involving high-risk processing—such as profiling, behavioural prediction, or automated decision-making—require a documented DPIA, as mandated under Part III of NDPA-GAID. These DPIAs are reviewed and updated at least every six months or upon significant changes in processing.
      • 2.6.5.Data Minimisation and Security Safeguard
        Kudy adheres to the principles of data minimisation and security under Section 24(1)(c) and Section 39 of the NDPA:
        • Only data strictly necessary for the stated AI objectives is collected.
        • Direct personal identifiers are pseudonymised using tokenisation.
        • All datasets are encrypted at rest and in transit.
        • Access is restricted via role-based controls and logged with secure audit trails.
        • A breach notification protocol is in place in compliance with NDPA-GAID Part V.
      • 2.6.6.Transparency and Data Subject Rights
        Kudy is committed to transparency and accountability as required by Sections 27–34 NDPA:
        • Privacy notices detail the categories of personal data used, the purposes of processing, and how AI decisions are made.
        • Data subjects have the right to:
          • Access, rectify, or erase their data
          • Restrict or object to processing
          • Withdraw consent at any time
          • Request human intervention in automated decisions
          • Receive explanations of AI logic where decisions significantly affect them
        Special consideration is given to children and vulnerable persons, with age-appropriate explanations and consent protocols, as required by NDPA-GAID Part IV(13).
        Requests can be submitted to Kudy’s Data Protection Officer, and responses are provided within 30 (thirty) calendar days.
      • 2.6.7.Third-Party Processors and Cross-Border Transfer
        1. Kudy only engages data processors and AI vendors under written Data Processing Agreements compliant with Section 38 NDPA.
        2. International data transfers are conducted in line with Section 41 NDPA, using one of the following safeguards:
          • Adequacy decision by the Nigerian Data Protection Commission (NDPC)
          • Standard Contractual Clauses (SCCs) approved by the NDPC
          • Binding Corporate Rules
          • Explicit, informed consent of the data subject
        Kudy discloses the countries involved and ensures ongoing compliance monitoring.
      • 2.6.8.Retention and Deletion of AI Training Data
        Kudy retains training data only for the period necessary to improve models or comply with legal obligations. At the end of this period or upon consent withdrawal, data is either:
        • Irreversibly anonymised, or
        • Securely deleted in accordance with industry best practices
        Data retention policies are aligned with NDPA-GAID PartVI.
  3. Processing And Transfer Of Personal Data
    1. 3.1. Kudy as a Data Controller
      • 3.1.1.Kudy will be considered a data controller to the extent that we decide by which means the Data Subject’s data shall be processed e.g. When a Data Subject signs an agreement with Kudy.
    2. 3.2.Use of Data Processors
      • 3.2.1.An external data processor is a company which processes personal data on behalf of Kudy and by Kudy’s instructions, e.g. in relation to the HR system, third-party IT providers, etc. When Kudy outsources the processing of personal data to data processors, Kudy ensures that the said company has a minimum degree of data protection and that the company applies the same degree of data protection as Kudy. If these cannot be guaranteed, Kudy will choose another data processor.
    3. 3.3.Data processing agreements
      • 3.3.1.Before the transfer of personal data to the data processor, Kudy will ensure to enter into a written Data Processing Agreement (“DPA”) with the data processor. The DPA will serve as a guarantee that Kudy controls the processing of personal data, which takes place outside of Kudy for which Kudy is responsible.
      • 3.3.2.if the data processor/sub-data processor is located outside Nigeria, the conditions of clause 3.4.4. below will apply.
    4. 3.4.Disclosure of personal data
      • 3.4.1.Before disclosing personal data to others, it is the responsibility of Kudy to consider whether the recipient is employed by it or not. Furthermore, Kudy may only share personal data within the Company, if Kudy have a legitimate business purpose in the disclosure.
      • 3.4.2.it is Kudy’s responsibility to ensure that the recipient has a legitimate purpose for receiving the personal data and will ensure that sharing personal data is restricted and kept to a minimum.
      • 3.4.3.Kudy will always show caution before sharing personal data with persons, Data Subjects, or entities outside Kudy. Kudy will ensure that personal data is only disclosed to third parties acting as individual data controllers if a legitimate purpose for such transfer exists. If the recipient is acting as a data processor, please refer to clause 3.2. above.
      • 3.4.4.if a third-party recipient is located outside Nigeria or in a country not ensuring an adequate level of data protection, the transfer can only be completed if a transfer agreement has been entered into between Kudy and the third party.
  4. Rights Of The Data Subject
    1. 4.1.Duty of Information
      • 4.1.1.When Kudy collects and registers personal data on Data Subjects, Kudy is obligated to inform such persons about:
        • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
        • The legitimate interests pursued by Kudy, if the processing is based on a balancing of interests
        • The recipients or categories of recipients of the personal data, if any
        • Where applicable, the fact that Kudy intends to transfer personal data to a third country and the legal basis for such transfer
        • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
        • The existence of the right request from Kudy access to and ratification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability
        • Where the processing is based on the Data Subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
        • The right to complain to Kudy via a correct procedure or with a supervisory authority
        • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter a contract, as well as whether the Data Subject is obliged to provide the personal data and of the possible consequence of failure to provide such data
      The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject. This information will in most cases be provided via a privacy notice on Kudy’s home page
    2. 4.2.Right to access
      • 4.2.1.any person whose personal data is processed by Kudy, including, but not limited to, Kudy’s employees, job applicants, external suppliers, clients, potential clients, business partners, etc. has the right to request access to the personal data that Kudy processes or stores about him/her.
      • 4.2.2. If Kudy processes or stores personal data about the Data Subject, the Data Subject has the right to access the personal data and the reasons for the data to be processed concerning the criteria set out in Clause 4.1.1. above.
      • 4.3.The Data Subject has the right to obtain from Kudy without undue delay the rectification of inaccurate personal data concerning him or her.
      • 4.4.the Data Subject has the right to obtain from Kudy the erasure of personal data concerning him/her and Kudy shall have the obligation to erase the personal data without undue delay, unless required by law or retain any information for a prescribed period, for example, by financial regulators or tax authorities.
      • 4.5.the Data Subject has the right to obtain from Kudy restriction of processing, if applicable
      • 4.6.the Data Subject has the right to receive personal data registered in a structured commonly used and machine-readable format, if applicable.
      • 4.7.the Data Subject has the right to object, on grounds relating to his/her particular situation, at any time to processing personal data concerning him/her which are based on a balancing of interests, including profiling.
      • 4.8.All requests by the Data Subject shall be sent to dpo@kudy.ng. Any requests received from a Data Subject to exercise the rights in this clause will be answered as soon as reasonably possible, and no later than thirty (30) days from receipt. Requests shall be forwarded to Kudy’s Data Protection Officer to process the request and to meet the reply to the deadline.
  5. Data Protection By Design And Data Protection By Default
    1. 5.1. Kudy will ensure that all new products, services, technical solutions etc. must be developed so that they meet the principles of data protection by design and data protection by default.
      1. 5.1.1.Data protection by design means that when designing new products or services due consideration to data protection is taken.
        • Kudy will ensure to take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the proceeding.
        • Kudy will ensure that, both at the time of the determination of the means of processing and at the time of the processing itself, appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as data minimization, effectively and to integrate the necessary safeguards into the processing to meet data protection requirements and protect the rights of data subjects.
      2. 5.1.2.Data protection by default requires that relevant data minimization techniques are implemented.
        • Kudy will ensure the implementation of appropriate technical and organization measures to ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed.
        • Kudy will ensure that, both at the time of the determination of the means of processing and at the time of the processing itself, appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as data minimization, effectively and to integrate the necessary safeguards into the processing to meet data protection requirements and protect the rights of data subjects.
        • This minimization requirement applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
        • Kudy will ensure that, with these measures, by default, personal data is not made accessible without careful consideration.
  6. Records Of Processing Activities
    1. 6.1. Kudy will ensure that as a data controller, it maintains records of processing activities. The records will contain the following information:
      • The name and contact details of the Data Subject
      • The purposes of the processing
      • A description of the categories of the Data Subjects and of the categories of personal data
      • The recipients to whom the personal data have been or will be disclosed
      • Including recipients in third countries or international organization
      • Where applicable, transfers of personal data to a third country, including the identification of that third country and, if relevant, the documentation of suitable safeguards
      • Where possible, the envisaged time limits for the erasure of the different categories of data
      • Where possible, a general description of the applied technical and organizational security measures
    2. 6.2.Kudy will ensure to make the records available to relevant data protection authorities upon request.
  7. Deletion Of Personal Data
    1. 7.1.Kudy will ensure to delete personal data when Kudy no longer has a legitimate purpose for the continuous processing or storage of the personal data, or when it is no longer required to store the personal data following applicable legal requirements.
    2. 7.2.Detailed retention periods concerning various categories of personal data are specified in Kudy’s Retention and Information Sharing Policy.
  8. Risk Assessment Of Risk
    1. 8.1.Kudy will ensure to process personal data that is likely to result in a high risk for the personal data is being processed, a Data Protection Impact Assessment (“DPIA”) will be carried out
    2. 8.1.1.A DPIA implies that Kudy will, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure and to be able to demonstrate the processing is performed following the data protection requirements.
    3. 8.2.The technical and organizational measures shall be reviewed and updated where necessary and no later than every six (6) months.
    4. 8.2.1.Kudy will ensure that adherence to approved codes of conduct or approved certification mechanisms is used as an element by which to demonstrate compliance with the appropriate technical and organisational measures according to this clause.
  9. National Requirements
    1. 9.1.Kudy will ensure to comply with the Nigeria Data Protection Act
    2. 9.2.If applicable, where a data protection law requires a higher level of protection for personal data than such policies/guidelines, such stricter requirements will be complied with. If Kudy’s policies/guidelines are stricter than the local legislation, Kudy’s policies/guidelines must be complied with.
  10. Contact and Complaints
    1. 10.1.If you have any questions regarding the content of this Policy, please contact Kudy Financials Limited’s Data Protection Officer at dpo@kudy.ng.
    2. 10.2.If you would like to file a complaint about Kudy’s processing of personal data, please contact the Nigerian Data Protection Commission.

Have any questions?

Need more information about our Funds and other services we offer?

Say Hi

experience@kudy.ng

© 2026 Kudy Financials Limited. All Rights Reserved.