Last Updated: May 26, 2025

About this Privacy Policy

"Cellus" / "we" takes the personal data of our data subjects that we collect seriously. We understand the need to treat such information as confidential and use the information strictly for the purpose for which they were obtained and in accordance with the applicable extant laws. We are therefore committed to treating personal data received through our product offerings, website, and other platforms with due care and dedicated to safeguarding the personal data of our Data Subjects.

More importantly, we are bound by the Nigeria Data Protection Act (NDPA) 2023 and Nigeria Data Protection Regulation (NDPR) 2019. Therefore, in accordance with the obligations bestowed on Data Controllers and Data Processors under the NDPA and NDPR, this policy provides an overview of what personal data we gather about individuals ("you") and how we process it.

Additionally, this policy outlines the rights available to you under the NDPA and NDPR and how you can exercise them.

1. What constitutes your consent?

By providing your personal data to us, you have signified your acceptance of our Privacy Policy and agree that we may collect, use, and disclose your personal information for specified purposes as described in this Policy.

2. Who is legally responsible for handling your personal data and who can you contact about this subject?

According to the NDPA and NDPR, this responsibility rests upon the "Data Controller", namely:

If you have any general questions or concerns about this Policy as well as queries or complaints about the way in which we process your personal data, kindly contact our Data Protection Officer via the contact details above or this email address: privacy@cellus.app or legal@cellus.app

3. What personal data do we process?

Personal data refers to any information that tells us something about you or that we can link directly to you. Typically, we will hold data about you that is relevant to the business relationship we have with you and how you interact with us.

We process any information we receive from you, including personal and financial information you provide to us with respect to onboarding you as our customer, when you apply for a job with us, when we employ you as our staff, when you enquire about our services, register to use and/or use any of our services and when you communicate with us through our social media sites, our website or portal, e-mail, telephone or any other electronic means.

Such information may include the following:

Name and other contact data of customers, employees, and vendors

For Customers:

We may collect your:

• First, middle, and last name
• Phone number and email address
• Home address and date of birth
• Bank Verification Number (BVN)
• Account details and signature
• Identification document such as a copy of driver's license, international passport, national identity card (NIN)
• Cellus Tag information
• Multi-currency wallet balances (NGN and USD)
• Transaction history and payment patterns
• Other similar contact data to process your request

For Employees:

We may collect your:

• First, middle and last name
• Phone number, email address, and home address
• Date of birth and signature
• Details for the fulfillment of your employment relationship with us, such as degrees, next of kin phone number, certifications, academic transcripts
• Bank account information and professional licenses or certifications
• Background check (criminal history and employment verification)
• Immigration/Citizenship Information

For Vendors:

We may collect a contact name, phone number, email address, office address, etc to fulfill your contract with us.

Credentials

When you subscribe to any of our products, particularly our e-channels products, you may be required to provide a User ID, a password, PIN, biometric data, and similar security information used for authentication and account access.

Usage Data

We may collect usage data whenever you access our website or social media platforms. If you access our services through a computer, this data may include your Internet Protocol (IP) address, browser type and version, pages visited, duration of visit, date and time of access, unique device identifiers, and other diagnostic data.

When you access our services through a mobile device, this usage data may include the following:

• Geo-Location information: We may request access or permission to and track location-based information from your mobile device, either continuously or while you are using our mobile application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device's settings.
• Mobile Device Access: We may request access or permission to certain features from your mobile device, including your mobile device's camera, calendar, Bluetooth, contacts, storage, and other features. If you wish to change our access or permissions, you may do so in your device's settings.
• Mobile Device Data: We may automatically collect device information (such as your mobile device ID, model, and Manufacturer), operating system, version information, IP address, and diagnostic data.

4. Why do we collect your personal data?

We collect your personal data in order to facilitate and manage our relationship with you. Specifically, we collect your personal data for at least one of the following purposes:

For the performance of a contract

In order for you to open and maintain an account with us, have access to our products and services, or work with us, we will need to process your personal data. We may also need to process your personal data to take steps at your request prior to entering into a contract.

For compliance with a legal obligation or acting in the public interest

As an organization, we are subject to a number of statutory and regulatory obligations that may require us to collect, store, or disclose personal data. Such obligations might be for anti-money laundering purposes, or to respond to investigations or disclosure orders from law enforcement agencies, our regulators, and tax or other public authorities.

For the purposes of legitimate interests

Where necessary, we will process your personal data to serve our legitimate interests or those of a third party. Such applicable cases include:

• Managing our overall relationship with you as our customer, employee, or vendor
• Facilitating peer-to-peer transfers using Cellus Tags
• Processing currency conversions between NGN and USD
• Managing multi-currency wallet balances
• Facilitating cross-border transactions
• Responding to your complaints and inquiries
• Carrying out statistical and other analyses to identify potential markets and trends, and evaluate and improve our business
• Information security and building security
• Managing the risks and optimizing the efficiency of our operations
• Recording telephone calls and monitoring electronic communications for business and compliance purposes
• Prevention and detection of fraud, money laundering, and other financial crimes
• Evaluating, bringing or defending legal claims
• Assessment of your employability with us as well as for other employee benefits-related purposes when you become our staff
• Marketing of our products and services. We will not send unsolicited marketing communications to you by SMS or email if you have not opted in to receive them. Additionally, you can withdraw your consent at any time and free of charge via our customer service channels
• Audit purposes

5. What are our data collection methods?

We may obtain personal data through the following methods:

Direct collection source:

• Mobile Application (Cellus App)
• Electronic means (emails, social media sites, website, telephone, and postal)
• Job application documentation
• Employee engagement forms
• Visitors register
• KYC verification processes
• Transaction processing and wallet management

Third party data collection source:

• Individuals nominated and authorized by the data subject to engage us on his/her behalf. A copy of your consent given to the third party to transfer your data to Cellus shall suffice for our processing
• Financial Institutions
• Paystack Payments Limited (for payment processing)
• 9 Payment Service Bank Limited (for bill payments and airtime)
• Quidax Technologies Limited (for cryptocurrency wallet services)
• Publicly available sources e.g. newspapers, websites
• Government agencies
• Vendors engaged to conduct screening checks on newly employed staff before confirmation of appointment

6. Use of cookies

We will use cookie technology on our website. Cookies are small applications that are saved on your Internet browser when you use our website. The cookie is sent to your computer or device each time you visit our websites. Cookies enable you to access our website faster and have a better experience online. The cookies can be disabled, if you wish, by clicking on the appropriate prompt. However, some parts of our websites or online services may not work if you do so.

7. Record Retention

In line with the record preservation requirement of the Money Laundering (Prevention and Prohibition) Act, 2022 (As Amended), we will retain your personal data for a minimum period of five (5) years after your relationship with us has ended. This is to enable us to fulfill the relevant purposes set out in this policy and to comply with our regulatory obligations. However, we may retain personal data for longer periods if it is in our legitimate business interests and required to comply with applicable laws. We will continue to use and disclose such personal data in accordance with this Privacy Policy.

8. Sharing your personal data

We may share information about you with a range of third parties for our business purposes or as permitted/required by law. Such third parties may include our service providers; professional advisors; background screening providers; health maintenance organizations; financial institutions; exchanges; regulators; law enforcement agencies; courts; public authorities; and potential purchasers of elements of our business. These third parties could be located outside Nigeria.

We will only disclose information about you with your consent, where necessary, and in line with the provisions of the NDPR.

9. Transferring your data to other countries

Where necessary, in line with the purposes described in section 8 above, information relating to you may be transferred to countries outside Nigeria i.e. third countries. However, if we use service providers in a third country, they will be obligated to apply the same level of protection to your data as would be necessary in Nigeria. We will enforce this through the inclusion of standard data protection clauses in our agreements with them and by conducting vendor security assessments. Above all, we will only transfer your personal data to a third country in a way that is permitted under the NDPA and NDPR.

We may also share your information with our affiliates. Affiliates include our parent company (Eleastar Technology Limited) and any subsidiaries, joint venture partners or other companies that we control or that are under common control with us.

10. What are your rights?

Under the NDPA and NDPR, you are entitled to the following rights:

I. Request to Access, Rectify, or Erase

1. Access Request:

You have the right to access personal data relating to you. This enables you to receive a copy of the personal data we hold about you in electronic form unless you want a paper copy which will attract a fee.

2. Rectification Request:

You have the right to ask us to correct your personal data if it is inaccurate and to have incomplete personal data updated without undue delay.

3. Erasure Request:

You have the right to ask us to erase your personal data if:

• Your personal data are no longer necessary for the purpose(s) they were collected for
• Your personal data have been unlawfully processed
• Your personal data must be erased to comply with a regulation
• You withdraw your consent for the processing of the personal data (and if this is the only basis on which we are processing your personal data)
• You object to processing that is based on our legitimate interests, provided there are no overriding legitimate grounds for continued processing
• You object to processing for direct marketing purposes

If we have made the personal data concerned public, we will also take reasonable steps to inform other data controllers processing the data so they can seek to erase links to or copies of your personal data.

II. Request to Object

You have the right to object at any time to the processing of your personal data if we process it based on our legitimate interests or on the basis that we are acting in the public interest. This includes any so-called "profiling". Our Privacy Policy informs you when we rely on legitimate interests to process your personal data. In these cases, we will stop processing your personal data unless we can demonstrate compelling legitimate reasons for continuing the processing. We may reject your request if the processing of your personal data is needed to establish, exercise, or defend legal claims.

Additionally, you have the right to object at any time if we process your personal data for direct marketing purposes. You may also object at any time to profiling supporting our direct marketing. In such cases, we will simply stop processing your personal data when we receive your objection.

III. Request to Restrict

You have the right to ask us to restrict the processing of your personal data if:

• You contest the accuracy of your personal data and we are in the process of verifying the Personal Data we hold
• The processing is unlawful and you do not want us to erase your personal data
• We no longer need your personal data for the original purpose(s) of processing, but you need them to establish, exercise or defend legal claims and you do not want us to delete the Personal Data as a result
• You have objected to processing carried out because of our legitimate interests while we verify if our legitimate grounds override yours

IV. Request for Portability

You have the right to ask that we transfer any personal data that you have provided to us to another third party in a commonly used electronic format. Once transferred, the other party will be responsible for safeguarding such personal data.

V. Request to Object to Automated Decisions

Typically, you have the right to object to any decision producing a legal effect concerning you or which otherwise significantly affects you if this is based solely on the automated processing of your personal data. This includes automated decisions based on profiling.

We may refuse your request if the decision in question is:

• Necessary to enter into a contract with you, or for the performance of your contract with us
• Permitted by regulations

To exercise these rights, please write to the Data Protection Officer via the contact details provided in Section 2 above.

VI. Withdrawal of Consent

Basically, a data subject has the right to withdraw consent at any time. As an organization, we must ensure that the process of withdrawing consent is easy for a data subject.

11. How do we protect your personal data?

We store personal data as required by law and such is held in Nigeria both physically and electronically. Our security systems are designed to prevent the loss, unauthorized destruction, damage, and/or access to your personal data from unauthorized third parties. Some of our security measures include physical access controls to our premises, cyber security controls, and information access authorization controls.

We will also publish security tips and updates from time to time on our website to make sure that you benefit from our security systems, and stay updated with the latest fraud scams and trends. While we are dedicated to securing our systems and services, you are responsible for securing and maintaining the privacy of your password(s) and account/profile registration information and verifying that the personal data we maintain about you is accurate and up to date.

We will duly inform you of any breaches that may threaten the security and confidentiality of your personal data.

12. Remedies for violation of the privacy policy and timeframe for remedy

In the event of a violation of this policy, our Data Protection Officer shall within 7 days redress the violation. Where the violation pertains to the disclosure of your personal data without your consent, such information shall be retracted immediately, and confirmation of the retraction sent to you within 48 hours of the redress.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time in order to address amendments in the NDPA and NDPR or our business operations. We will notify you, by email, if we make any significant updates.

14. Contact Us

If you have any questions about this Privacy Policy or need to exercise your data protection rights, you can contact us through the following channels:

• Send an email to privacy@cellus.app
• Send legal inquiries to legal@cellus.app
• Use the Cellus mobile app in-app customer support chat
• Contact our Data Protection Officer at the address provided in Section 2