This Privacy Policy explains how personal information is collected, used, stored, and disclosed by Grey Inc. across our websites, applications, products, and related services (collectively, the “Services”), regardless of how you access or use them. This Privacy Policy forms part of our Terms of Use.

Depending on the nature of the service provided, Grey may act either as a Data Controller or a Data Processor, or in some instances both, in respect of different categories of personal information:

• As a Data Controller: Grey determines the purpose and means of processing personal data in connection with business onboarding (including KYB), collection of director and UBO information, AML and sanctions screening, compliance monitoring, fraud prevention, risk scoring, and other regulatory or operational requirements necessary to provide our Services.
• As a Data Processor: Grey processes personal data on behalf of its business customers where required to deliver the Services, including the processing of transaction data relating to a business customer’s end users, payout recipient information, and data received through API integrations or other technical channels. In such cases, Grey acts only on documented instructions from the relevant business customer, who remains the Data Controller.

This Privacy Policy applies to your use of our Services through any device, including desktop, mobile, or tablet. It does not apply to services not owned or controlled by Grey, including third-party websites or platforms. Such third parties operate under their own privacy policies, and Grey is not responsible for their data handling practices.

INFORMATION WE COLLECT

a. Information You Provide Us

To gain full access to our website and services, you must register for a Grey account. When you register for an account, we collect Personal Information which you voluntarily provide to us. Personal Information refers to information relating to an identified person or information that can be used to identify you, (e.g. name, email, address, bank details, telephone number). It may also include anonymous information that may be linked to you specifically, (e.g. IP address).

The Personal Information we have about you is directly made available to us when you:

• Sign up for a Grey Account;
• Use any of our services;
• Contact us or our customer support team;
• Fill our online forms;

In certain cases, including when you engage in high-value or high-volume transactions, or when we are required to comply with applicable anti-money laundering (AML) regulations, we may request additional information. This may include:

• Copies of bank account statements.
• Other documents required for identity verification or compliance purposes.

We also gather your personal data using cookies, pixel tags, and other advanced tracking technologies to enhance your experience, tailor content, and optimize our services during your interactions with our platform. These tools allow us to understand your preferences, monitor usage patterns, detect and prevent fraudulent activities and strengthen security, ensuring a safer and more personalized user experience.

b. Personal Information We May Collect About You

We may collect, use, process, store, or transfer personal information such as:

Identity Data & Identification Documents: Information such as, your full name(s), your government-issued identity number, bank verification number (BVN) or NIN and your date of birth. Identification documents may include passport or any Government-issued identity card, a photograph (if applicable) and any other registration information you may provide to prove you are eligible to use our services. This data is to enable us to verify your identity in order to offer our services to you;

• Traceable Information: These are information that can be linked directly or indirectly to you when ever you use or interact with our services. This includes details about your device (e.g., type, OS, unique identifiers), interactions with our services (e.g., features accessed, actions performed, usage duration), financial transactions (e.g., history, payment details, timestamps), and additional data such as location, usage patterns, and session information.
• Contact Data: This is data that is needed to reach out to you, such as your contact address, email address, telephone number, details of the device you use, and billing details.
• Log/Technical information: When you access Grey’s services, our servers automatically record information that your browser sends whenever you visit a website, links you have clicked on, length of visit on certain pages, unique device identifier, log-in information, location, and other device details.
• Financial Data: Information, such as personal account number, the merchant’s name and location, the date, and the total amount of the transaction, and other information provided by financial institutions or merchants when we act on their behalf; •
• Transactional Data: These are information relating to payments when you as a merchant (using one or more of our payment processing services) or as a customer, are using our products or services;
• Marketing and Communications Data: This includes both a record of your decision to subscribe or to withdraw from receiving marketing materials from us or from our third parties.

HOW WE MAY USE YOUR PERSONAL INFORMATION

We may use the Personal Information we collect to:

• Create and manage any accounts you may have with us, verify your identity, provide our services, and respond to your inquiries;
• To administer Grey (i.e. to provide our Services to you) and support internal operations, including troubleshooting, data analysis, testing, research, statistical, and survey purposes. This helps ensure Grey’s stability and security, improve our Services, website, and user experience, create new products, and solicit your feedback.
• Process your payment transactions (including authorization, clearing, chargebacks and other related dispute resolution activities);
• Protect against and prevent fraud, unauthorized transactions, claims and other liabilities;
• Provide, administer and communicate with you about products, services, offers, programs and promotions of Grey, financial institutions, merchants and partners;
• Evaluate and improve our business, including developing new products and services;
• As necessary to establish, exercise and defend legal rights; As may be required by applicable laws and regulations, including for compliance with Know Your Customers and risk assessment, Anti-Money Laundering, anti-corruption and sanctions screening requirements, or as requested by any judicial process, law enforcement or governmental agency having or claiming jurisdiction over Grey Inc.  or it’s affiliates/subsidiaries;
• To comply with our legal and regulatory obligations.
• We also facilitate seamless communication between Users and send both marketing and non-marketing communications. This helps us better understand your preferences, enhance the effectiveness of our marketing efforts, and refine our campaigns and communication channels to serve you more effectively.
• For other purposes for which we provide specific notice at the time of collection.

HOW WE PROCESS PERSONAL DATA

Categories of Data Covered

For the purpose of this policy, the following categories of data may be collected, shared, or processed in the course of their business relationship:

a. Personal Data

‍Personal Data includes any information relating to an identified or identifiable individual processed in connection with the Parties’ services, operations, or contractual engagements. This may include, but is not limited to:

• Customer identification data
• Employee data
• Contact details of staff or representatives
• Account information
• Transaction data
• Authentication credentials
• Communication records

Such data may be obtained directly or indirectly through the provision of services, platform usage, onboarding processes, integrations, or operational interactions between the Parties.

b. Technical and Usage Data

This includes operational and system-generated data necessary for service delivery, such as:

• IP addresses
• Device identifiers
• Log files
• Access timestamps
• System activity records
• Platform interaction data

This data supports system security, performance monitoring, and operational continuity.

‍

Data Protection Principles

You agrees that Personal Data shared or processed shall be:

• Processed lawfully, fairly, and transparently
• Collected for specified, explicit, and legitimate business purposes
• Limited to what is necessary for agreed services
• Accurate and kept up to date where required
• Retained only for as long as necessary
• Protected against unauthorized access, loss, or misuse
• Processed in compliance with applicable Data Protection Laws

Grey will not sell, trade, or commercially exploit Personal Data received from the other party. All personnel, agents, and subcontractors handling such data shall be bound by confidentiality and data protection obligations.

‍

Purpose of Processing

Personal Data shared under this policy may be used strictly for legitimate business purposes, including:

• Provision and management of contracted services
• Performance of contractual obligations between the Parties
• Operational communications between the Parties
• Customer support and service improvement
• Regulatory compliance and reporting obligations
• Risk management, fraud prevention, and security monitoring
• Business continuity, restructuring, or corporate transactions
• Data hosting, backup, and infrastructure management
• Legal claims, enforcement, or dispute resolution
• Internal business analytics and performance optimization

Processing shall not extend beyond the purposes defined in this policy unless authorized in writing.

‍

Data Sharing Between the Parties

Personal Data may be shared only where necessary for:

• Service execution
• Platform integration
• Regulatory compliance
• Operational collaboration
• Each Party shall ensure that:
• Data access is restricted to authorized personnel
• Shared data is used solely for agreed purposes
• Affiliates and vendors receiving data are bound by equivalent protections
• Data shall not be disclosed to third parties without:
• Legal obligation, or
• Written approval of the disclosing Party

‍

Sources and Methods of Data Collection (B2B Context)

Data covered under this policy may be obtained through:

• Direct business onboarding processes
• Service agreements and transactions
• API integrations and system connections
• Customer relationship management platforms
• Operational communications
• Partner platforms and authorized third parties
• Regulatory and compliance submissions

All data collection shall be limited to what is necessary for legitimate business operations.

‍

Data Retention

Each Party shall retain Personal Data only for:

• The duration required to fulfill contractual obligations
• Compliance with legal and regulatory requirements
• Legitimate business recordkeeping

Upon expiry of retention periods, data shall be securely deleted, anonymized, or returned where applicable.

‍

INTERNATIONAL DATA TRANSFERS

Grey operates globally and may transfer, store and process Personal Data outside of the country in which it was originally collected. This may include transfers to jurisdictions where Grey, its affiliates, service providers or banking partners maintain operations.

Where Personal Data is transferred across borders, Grey will ensure that appropriate safeguards are implemented in accordance with applicable data protection laws. Such safeguards may include:

• Entering into standard contractual clauses or equivalent transfer mechanisms approved by relevant regulators;

• Relying on adequacy decisions where available;

• Implementing contractual, technical, and organizational measures designed to ensure that Personal Data remains protected to a standard consistent with applicable law.

By using the Services, you acknowledge that your Personal Data may be transferred to and processed in countries outside your jurisdiction of residence, where data protection laws may differ from those in your home country.

Grey takes reasonable steps to ensure that any cross-border data transfer complies with applicable regulatory requirements and that Personal Data remains protected in accordance with this Privacy Policy.

If you require further information about the safeguards we use for international data transfers, you may contact us at dpo@grey.co

‍

OTHER RIGHTS TO YOUR PERSONAL INFORMATION WITH US

Below are the rights you have as a user in relation to your Personal Information;

• Right to request access or copies to your Personal Information by contacting us
• Right to information on their personal information collected and stored;
• Right to objection or request for restriction; this means refrain us from doing certain things with your data or restrict the extent of our collection or processing of your data.
• Right to correct or rectify any Personal Information that you provide which may be incorrect, out of date or inaccurate.
• Right to object to the processing of your Personal Information for marketing purposes. You have a right to ask us not to contact you for marketing purposes by adjusting your notification preference on the settings page or by opting out via the unsubscribe link in marketing emails we send you.
• Right to request that Grey erase your Personal Information. You have the right to ask us to erase your Personal Information. Please note that this is a limited right which applies where the data is no longer required, or the processing has no legal justification. The exceptions to this right is where the applicable law requires us to retain a historical archive or where we retain a core set of your personal data to ensure we do not inadvertently contact you in future where you object to your data being used for marketing purposes.
• Right to object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you.
• Right to request the movement of data from Grey to a third party; this is the right to the portability of data.

The Grey processes Personal Information on the basis of contractual necessity, compliance with legal and regulatory obligations (including AML, KYC/KYB, sanctions screening and related financial regulations), and legitimate interests such as fraud prevention, risk management, and service improvement.

Consent is relied upon only where required, such as for marketing communications and cookies. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Where you choose not to provide information required for contractual or regulatory purposes, we may be unable to provide certain services. You may review, update, or exercise your data protection rights by contacting us using the details provided below.

‍

SECURITY AND STORAGE OF YOUR PERSONAL INFORMATION

We have suitable security measures in place to prevent your Personal Information from being accidentally lost or used or accessed in an unauthorised way by a third party.

When your bank account information is transmitted via our Services, it will be protected by encryption technology. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Information on our instructions.

All our employees who have access to your personal data are required to adhere to this Policy and all third-party service providers are requested by Grey to ensure appropriate safeguards are in place. In addition, contracts are in place with third-party service providers that have access to your personal data, to ensure that the level of security and protective measures required is in place, and that your personal data is processed only as instructed by Grey.

We continuously educate and train our employees about the importance of confidentiality and privacy of customer personal information. We maintain physical, technical and organizational safeguards that comply with applicable laws and regulations to protect your personal information from unauthorised access.

We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Unfortunately, no method of electronic transmission or storage via the Internet is 100% secure. Therefore, we cannot guarantee absolute security of your Personal Information. You also play a role in protecting your Personal Information. Please safeguard your password for your Grey account and do not share them with others.

If we receive instructions using your Grey account login information, we will consider that you have authorized the instructions. You agree to notify us immediately of any unauthorized use of your Grey account or any other breach of security.

We reserve the right, in our sole discretion, to refuse to provide our Services, terminate Grey accounts, and to remove or edit content. Subject to applicable law, which might, from time to time, oblige us to store your Personal Information for a certain period of time, we will retain your Personal Information for as long as necessary to fulfil the purposes we collected it for, including the purposes of satisfying any legal, accounting, or reporting requirements.

‍

DATA RETENTION

We will retain your personal data only for as long as is necessary to fulfil the purposes for which we collected it. As a regulated financial institution, Grey is required by law to store some of your personal and transactional data beyond the closure of your account with us. We only access your data internally on a need-to-know basis, and we’ll only access or process it if absolutely necessary.

We will always delete data that is no longer required by a relevant law or jurisdiction in which we operate. We do this automatically, so you don’t need to contact us to ask us to delete your data. Deletion methods include shredding, destruction and secure disposal of hardware and hard-copy records, and deletion or over-writing of digital data.

We may retain certain information when necessary to ensure safety, security, and prevent fraudulent activities. For instance, if your account is deactivated due to unsafe behavior or security violations, we may retain specific details about your account to safeguard our platform and prevent unauthorized re-registration or misuse

Under some circumstances, we may anonymize personal information so that it can no longer be associated with a particular individual. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to the relevant individual  or its consent.

MARKETING AND BUSINESS COMMUNICATIONS

Grey may process limited contact information of business representatives, employees, or partners for legitimate business communication purposes, including:

• Service updates
• Relationship management
• Product or service information relevant to existing business engagements
• Industry insights and corporate communications

Such communications shall be conducted in accordance with applicable Data Protection Law. Recipients may opt out of non-essential communications through the designated contact channels. Service-related and operational communications may still be sent where necessary for ongoing business relationships. Data used for marketing or communication purposes shall not be sold or disclosed for unrelated third-party marketing without an appropriate legal basis.

‍

COOKIES

Like many other websites, we use cookies to distinguish you from other users and to customize and improve our services. Cookies allow our servers to remember IP addresses, date and time of visits, monitor web traffic and prevent fraudulent activities.

Our cookies never store personal or sensitive information; they simply hold a unique random reference to you so that once you visit the site we can recognize who you are and provide certain content to you. If your browser or browser add-on permits, you have the choice to disable cookies on our website, however, this may impact your experience using our website. Unless you opt out of Cookies, we will assume you consent to the use of Cookies.

‍

THIRD-PARTY LINKS

Our Services may, from time to time, contain links to the websites or online platforms of our partner networks, advertisers and affiliates. Please note that these websites have their own privacy policies and that we do not accept any responsibility for them, so if you follow a link, check these policies before you submit any personal data to these websites or platforms.

‍

CHANGE TO OUR PRIVACY POLICY

Subject to applicable law, we may change, amend or review this Privacy Policy at any time to reflect new services or changes in our Policy. All changes made will be posted on this page and where changes will materially affect you, we will notify you of this change by placing a notice online or via mail. If you keep using our Services, you consent to all amendments of this Privacy Policy.

To stay up to date on any changes, check back periodically.

‍

CONTACT US

If you have any questions, comments or concerns about this Privacy Policy, the personal information we hold on you, or you would like to exercise one of your data protection rights provided for under applicable privacy laws, you may contact us by:

• reaching out to the customer service support available on the website.
• sending an email to dpo@grey.co ‍

If you feel that we have not addressed your questions or concerns adequately, or you believe that your data protection or privacy rights have been infringed, you can complain to your local Data Protection Authority.