Privacy Policy
Last updated 7 June 2026 · PAYSCAN is a product of Trainup Technologies Ltd (RC 7892969)
1Who controls your data
This Privacy Policy explains how Trainup Technologies Ltd (RC 7892969, Lagos, Nigeria), trading as PAYSCAN ("we", "us", "our"), collects, uses, shares, and protects personal data when you use the PAYSCAN website and Service. We process personal data as a "data controller" under the Nigeria Data Protection Act, 2023 (NDPA) and the Nigeria Data Protection Regulation (NDPR).
2Data we collect
We collect the following categories of personal data:
- Account data — business name, your name, phone number, email address, city, password (stored as a salted hash, never in plain text), and your chosen PAYSCAN handle.
- Bank account data — account number, account name, and bank, which we verify through licensed account-resolution partners before displaying it on your payment page.
- Transaction metadata — amounts (in kobo), timestamps, references, and status of payments reported to or detected by the Service. We do not see your bank balance or other transactions unrelated to PAYSCAN.
- Usage and device data — pages visited, QR scans, button clicks, IP address, device/browser type, and an anonymous device identifier stored in your browser (used for product experiments — see "Cookies and similar technologies" below).
- Communications — messages you send to support, OTP verification codes, and records of SMS/email notifications we send you.
- Customer data you provide us — if you upload customer contacts, invoices, or product catalogues, that data is processed on your behalf and remains your responsibility as set out in this policy and our Terms of Service.
3Why we process your data (lawful basis)
- To perform our contract with you — creating your account, generating your QR code and payment page, sending OTPs and payment notifications, processing subscriptions, and providing support.
- Legitimate interests — keeping the Service secure, preventing fraud, improving features through aggregated analytics and A/B experiments, and enforcing our Terms.
- Legal obligation — retaining audit logs (5 years, in line with CBN and NDPR expectations for financial-adjacent platforms) and responding to lawful requests from regulators or courts.
- Consent — for optional communications such as product updates and referral nudges, which you can opt out of at any time.
4How we share your data
We do not sell your personal data. We share it only with service providers who help us run PAYSCAN, under contracts that require them to protect it and use it only for the purposes we specify:
- Cloud database and storage providers — to securely store your account, transaction, and file data (hosted within the EU);
- Bank account verification and payment processing providers — licensed partners who confirm that an account number matches an account name, and, for paid plans, handle subscription billing;
- SMS and email delivery providers — to send OTPs, payment notifications, and transactional messages;
- Hosting and infrastructure providers — who run our website and backend systems.
We choose providers that maintain strong security and privacy standards, and we do not name them individually here in order to protect the security of the Service and our merchants — full details of our processors are available on request to our Data Protection contact (see "Contact us" below) and to the Nigeria Data Protection Commission where required.
We may also disclose data where required by law, to protect the rights and safety of PAYSCAN, our users, or the public, or in connection with a merger, acquisition, or sale of assets (with notice to you where required).
5International data transfers
Some of our service providers process data outside Nigeria. Where we transfer personal data internationally, we rely on contractual safeguards and choose providers with strong security and privacy commitments, consistent with NDPA requirements for cross-border data transfer.
6How long we keep your data
- Account and transaction data is kept for as long as your account is active, and for a reasonable period afterwards to meet legal, accounting, and dispute-resolution needs.
- Audit logs of admin and security-relevant actions are retained for 5 years in line with CBN/NDPR expectations and cannot be altered once written.
- You can ask us to delete your account at any time; we will do so unless we are required to retain certain records by law (for example, financial transaction history).
7How we protect your data
- Passwords are hashed (never stored or transmitted in plain text); sessions use signed, time-limited tokens.
- All traffic is encrypted in transit (HTTPS/TLS); sensitive endpoints are rate-limited and protected by additional verification (OTP, TOTP for admin access).
- Receipts and payment-page links use cryptographically signed tokens that cannot be forged or guessed.
- Access to merchant data is restricted to authorised personnel for legitimate support and security purposes, and all admin actions are logged in an append-only audit trail.
No system is 100% secure. If we become aware of a data breach affecting your personal data, we will notify you and, where required, the Nigeria Data Protection Commission (NDPC), in line with NDPA timelines.
8Cookies and similar technologies
We use a small amount of browser local storage — not third-party advertising cookies — to keep you signed in and to randomly assign an anonymous identifier used for product experiments (for example, testing which call-to-action helps merchants get paid faster). This identifier is not linked to your name or contact details and is never sold or shared with advertisers.
9Your rights
Under the NDPA/NDPR, you have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data (most profile fields can be edited directly in Settings);
- Delete your account and associated personal data, subject to our legal retention obligations;
- Object to or restrict certain processing, including marketing communications;
- Receive a copy of your data in a portable format; and
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe we have mishandled your data.
To exercise any of these rights, email support@payscan.ng with the subject line "Data request". We will respond within the timeframes required by Nigerian law.
10Children's privacy
PAYSCAN is a business tool intended for adults operating a trade or business. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact us and we will delete it.
11Changes to this policy
We may update this Privacy Policy as our Service evolves or as Nigerian data protection law develops. If a change is material, we will notify you by email or in-app notice before it takes effect. The "Last updated" date at the top of this page always reflects the current version.
12Contact us / Data Protection queries
For any question about this policy or how we handle your personal data, email support@payscan.ng or write to Trainup Technologies Ltd (RC 7892969), Lagos, Nigeria.