VerifyAfrica – KYC, AML & Identity Verification Across Africa

Privacy Policy

Last Updated: January 8, 2026


1. Introduction

At VerifyAfrica, privacy is not merely a regulatory obligation — it is the cornerstone of our brand promise and a non‑negotiable part of our corporate DNA. The company recognizes that identity verification inherently involves the collection and processing of personal and sensitive data. Therefore, it has adopted a privacy‑first operating model that embeds protection mechanisms into every layer of its infrastructure and service delivery pipeline.

This Privacy Policy outlines the guiding principles under which VerifyAfrica processes personal data, the lawful bases for doing so, the rights of data subjects, and the organizational and technical safeguards that ensure data integrity across all markets in which the company operates.

2. Scope and Applicability

This Policy applies to all processing of personal data by VerifyAfrica, whether collected directly from individuals, indirectly through corporate clients integrating our APIs, or via third‑party identity databases. It extends to all subsidiaries, contractors, vendors, and affiliates that participate in the provision of VerifyAfrica's services.

It covers all identifiable information, including personal identifiers, biometric data, financial or transactional data, device and system logs, and any metadata that could, either directly or indirectly, reveal an individual's identity or digital footprint.

3. Lawful Basis for Processing

VerifyAfrica processes data strictly in accordance with the lawful bases permitted under applicable laws. In most cases, this includes:

  • Performance of a Contract: When processing is required to fulfill a service request initiated by a client or user.
  • Legal Obligation: When required to comply with AML, CFT, or sanctions regulations imposed by law.
  • Legitimate Interest: When processing enables fraud prevention, service enhancement, or operational analytics, provided that such interests do not override the rights and freedoms of data subjects.
  • Consent: When individuals voluntarily grant permission for processing specific categories of data, particularly biometric information.

The company maintains detailed consent records, demonstrating that every processing activity has a defined purpose and lawful basis documented in its internal Data Processing Register.

4. Categories of Data Processed

VerifyAfrica may collect and process the following categories of data, depending on the service provided and integration model used:

  • Identification Data: Full name, date of birth, nationality, gender, national identification number, passport or driver's license details.
  • Biometric Data: Facial images, fingerprints, or other biometric identifiers necessary for liveness and document verification.
  • Contact Data: Email addresses, phone numbers, and residential or business addresses.
  • Device and Technical Data: IP addresses, browser fingerprints, system logs, and location metadata to enhance fraud detection.
  • Verification Artifacts: Submitted documents, scanned IDs, or video evidence captured during the KYC process.

5. California Privacy Rights (CCPA/CPRA Disclosure)

While VerifyAfrica does not currently meet the applicability thresholds under the California Consumer Privacy Act (as amended by the California Privacy Rights Act), we respect the privacy rights of all individuals whose information we may process.

If and when we process the personal information of California residents, we do so solely as a service provider on behalf of our business clients and under their instructions. We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

California residents may nevertheless contact us at support@verifyafrica.io to inquire about the categories of personal information processed or the purpose of processing, or to request deletion where applicable.

6. Data Collection and Purpose Limitation

VerifyAfrica collects only the minimum amount of data necessary for the purpose for which it is processed. The company's platform is designed around a "data minimization" architecture, ensuring that personal data is never retained longer than needed or used for secondary purposes without appropriate legal grounds.

All data collected through VerifyAfrica's systems are used solely to verify identity, conduct risk assessments, and fulfill legal compliance requirements. Under no circumstances does VerifyAfrica sell, trade, or monetize user data.

7. Cross-Border Transfers

Given VerifyAfrica's multinational operations, data may be transferred across borders between the United States, the European Union, and African countries where clients operate. To ensure legality and security, all cross‑border transfers are governed by Standard Contractual Clauses (SCCs) and intercompany Data Transfer Agreements between VerifyAfrica and CJ Solutions Ltd. The company also employs regional data storage strategies to comply with local data residency laws where applicable (e.g., Nigeria, Kenya, and South Africa).

8. Data Retention and Destruction

Personal data is retained only for as long as necessary to fulfill its intended purpose, or as required by law or regulatory authorities. Once retention periods expire, data is permanently deleted using certified data destruction protocols. Anonymized or aggregated data may be retained for analytics or performance benchmarking, provided such data can no longer be linked to identifiable individuals.

9. Data Security and Technical Safeguards

VerifyAfrica employs state‑of‑the‑art cybersecurity measures, including multi‑layer encryption (AES‑256 at rest, TLS 1.3 in transit), intrusion detection systems, secure development practices, and continuous monitoring. Access to personal data is role‑based and restricted under the principle of least privilege. The company also conducts regular third‑party penetration tests and vulnerability assessments, with findings reported to the Board's Compliance Committee.

10. Data Subject Rights

All data subjects interacting with VerifyAfrica retain rights of access, rectification, erasure, portability, and objection under applicable privacy laws. Requests are managed through a structured process handled by the Data Protection Officer (DPO), with acknowledgment issued within 48 hours and resolution typically within 30 days.

11. Third-Party Processors and Vendors

Any external vendors engaged by VerifyAfrica for hosting, verification, or analytics are subject to rigorous due diligence. Each vendor relationship is governed by a Data Processing Agreement that ensures compliance with privacy regulations, audit rights, and confidentiality clauses.

12. Accountability and Enforcement

VerifyAfrica maintains detailed audit logs of all data access and processing activities. Breaches of this policy by employees, contractors, or partners are treated as serious compliance violations and may result in disciplinary or contractual sanctions.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

CJ Solutions Ltd

Email: support@verifyafrica.io

Address: Cyprus

For data protection inquiries, you may also contact our Data Protection Officer at dpo@verifyafrica.io.