Yalabit Privacy Policy
Effective date: 05 August 2025
Last updated: 26 August 2025
Yalafi Global Technology Limited ("Yalabit", "we", "us", or "our") operates the Yalabit platform and related services (the "Platform"). This Privacy Policy explains how we collect, use, share, and protect personal data in connection with your use of the Platform, and how your privacy rights are protected. It is designed specifically for a hybrid fintech/dApp that combines non‑custodial on‑chain activity (via Online+/ION MPC wallet) with custodial fiat services offered through licensed partners.
This Policy applies to personal data processed by Yalabit in the provision of our services, including data we collect directly from you, through third parties, and from public blockchains where relevant. If you are using an integration or third‑party service that links to the Platform (for example, Online+ / ION wallet providers, payment processors, KYC vendors), their data practices may differ, and their own privacy notices apply.
1. Key principles
Lawfulness & purpose limitation. We process personal data only where we have a lawful basis and for specified, explicit, and legitimate purposes (e.g., performance of contract, legal compliance, fraud prevention, consent where required).
Data minimization. We collect only the minimum personal data necessary to provide the Platform features and maintain security and compliance.
Transparency. We aim to be clear about what data we collect, why we collect it, and how it will be used and shared.
Security. We use technical and organizational measures to protect data, including encryption, access controls, and secure key management (for wallet-related processing).
Accountability. We maintain records of our processing activities and perform privacy risk assessments (including Data Protection Impact Assessments for blockchain-related processing where appropriate).
2. Definitions
For clarity in this Policy:
Personal data / personal information — information that identifies or is reasonably capable of identifying an individual (directly or indirectly).
Processing — any operation performed on personal data, whether automated or manual (collection, storage, disclosure, erasure, etc.).
Controller — the entity that determines the purposes and means of processing personal data (Yalabit, where we set the purposes and methods of processing).
Processor — a third party that processes personal data on behalf of the controller (e.g., payment processors, KYC vendors, custodians).
On‑chain data — information recorded on public or permissioned blockchains (e.g., public wallet addresses, transaction hashes and timestamps).
Off‑chain data — data stored or processed outside blockchains (e.g., KYC documents, fiat ledger balances, chat logs).
Online+ / ION MPC wallet — the non‑custodial wallet architecture used to sign on‑chain transactions; private key material is split or stored locally per user (self‑custody model).
3. Data we collect (categories)
A. Account & registration data
Name, username, email address, phone number, country, date of birth (if required), password (hashed), profile picture, and other registration fields.
B. Identity & verification (KYC) data
Government ID, selfie/photo verification, proof of address, tax ID, KYC metadata, and verification results necessary to comply with anti‑money laundering (AML), counter‑terrorist financing (CTF), and local regulatory obligations.
C. Transaction & financial data
Fiat balances, fiat deposit/withdrawal records, payment method details (bank account numbers, tokenized card data handled by payment partners), crypto transaction records (amounts, currencies), swap details, escrow histories, fee records, and refund/chargeback information.
D. Wallet & blockchain data
Public wallet addresses, transaction hashes, block confirmations, on‑chain balances, smart contract interactions, and other publicly available blockchain metadata linked to your Account.
E. Communications & support data
Chat messages (P2P and Escrow chat, subject to chat warnings), support tickets, call recordings or transcripts (where allowed), and emails.
F. Device, usage & diagnostic data
IP address, device identifiers, browser and OS information, crash logs, analytics data, application usage metrics, geolocation (approximate) if permitted, and Cookies and similar technologies.
G. Marketing & preferences
Marketing consents, communication preferences, referral details, and opt‑in/opt‑out signals.
H. Other categories
Any other information you voluntarily submit (e.g., business details for Merchant verification, team member contact details, dispute evidence).
4. How we collect personal data
Directly from you when you register, complete KYC verification, transact, open support tickets, or use the Platform.
From third parties such as KYC/identity verification providers, payment processors, custodians, partners, or when you connect a third‑party wallet.
From public blockchains (public on‑chain data) when you transact or link an Online+ username; this data is publicly accessible and may be associated with your Account for operational and compliance purposes.
Automatically through Cookies, logs, analytics, and device telemetry.
5. Legal bases for processing (summary)
Where applicable law requires, we identify a lawful basis for each processing activity. Typical bases include:
Performance of contract. To provide the Platform and deliver services you request (e.g., to execute trades, manage Escrow, process withdrawals).
Legal obligation. To comply with AML/KYC, tax, sanctions, or other regulatory requirements.
Legitimate interests. For fraud prevention, security, network protection, product improvement, and platform administration — balanced against your rights and freedoms.
Consent. For optional marketing communications and certain optional features where consent is required. You may withdraw consent at any time.
6. How we use personal data
We use personal data to:
Register and manage Accounts, authenticate users, and provide core Platform functions.
Perform identity verification and AML/CTF screening required by law or our partners.
Process transactions, manage Fiat Balances, facilitate Swaps, and operate Escrow workflows.
Log, monitor, and store on‑chain transaction data necessary for reconciliation, dispute resolution, and compliance.
Operate P2P chat and dispute resolution tools; retain chat logs and metadata for safety, moderation, and dispute evidence.
Detect, prevent, and respond to fraud, abuse, suspicious activity, and security incidents.
Communicate with you about the Platform, changes to terms and policies, and your Account.
Provide marketing communications where you have given consent.
Comply with legal obligations, regulatory requests, and law enforcement orders.
Analyse and improve the Platform (usage analytics, product research, testing).
7. Special notes: blockchain & immutability
Public nature of on‑chain data. Transactions recorded on public blockchains are public and may be associated with identifiable parties outside our control. We may link public on‑chain records to your Account where necessary for service operation and compliance.
Erasure & rectification constraints. Because blockchains are inherently immutable, certain data recorded on‑chain cannot be altered or deleted. Where on‑chain PII (personal data) exists or is reasonably linkable to natural persons, we take steps to minimise such storage and pursue privacy‑preserving alternatives (e.g., avoid storing raw PII on‑chain; use hashes, pseudonymisation, and off‑chain mapping). However, we cannot guarantee the erasure of data already written to public ledgers.
Privacy by design & DPIAs. For blockchain‑linked processing that presents high risk to individual rights, we conduct Data Protection Impact Assessments and implement privacy‑by‑design measures (data minimisation, encryption, access controls, and role‑based data access).
8. Sharing personal data (who we share with and why)
We share personal data with:
Service providers & processors (KYC vendors, payment processors, custodial partners, swap liquidity providers, escrow partners, cloud hosting and analytics vendors). These parties process personal data under contract and only for specified purposes.
Online+ / ION wallet providers and other wallet infrastructure providers for wallet‑related operations and to enable on‑chain signing and transaction processing.
Regulators, law enforcement, and authorities where required by law, court order, or to prevent fraud or other illegal activity.
Affiliates and corporate partners if needed to provide services or support platform operations.
Counterparties in P2P trades and Escrow transactions — limited transaction data (payment instructions, names) is shared to complete transactions; any additional sharing is subject to your consent and need‑to‑know.
Third parties in M&A or restructuring circumstances — we will notify affected users as required.
We require contractual safeguards (data processing agreements) and apply technical safeguards to protect data shared with third parties.
9. International transfers & safeguards
The Platform operates globally, and your data may be processed or stored in countries other than your residence. Where data is transferred across borders, we implement appropriate safeguards (e.g., contractual clauses, mechanisms required under applicable law) to protect your personal data. For transfers from the UK/EU or other jurisdictions with restrictive transfer rules, we will adopt the safeguards required by applicable regulators and legislation and inform you where relevant.
10. Data retention
We retain personal data only as long as necessary for the purposes described in this Policy and to meet legal, regulatory, tax, or audit obligations. Specific retention periods include:
KYC & verification records: retained as required by applicable AML and regulatory rules (and in accordance with our legal obligations).
Transaction records & financial logs: retained to support dispute resolution, reconciliation, and regulatory reporting.
Account records & communications: retained for operational needs, safety, and legal defense.
Where possible, we aggregate or pseudonymise data when long‑term retention is required for analytics or compliance.
11. Your data rights (how to exercise them)
Subject to applicable law and technical limits (particularly for on‑chain data), you may have the right to:
Access personal data we hold about you.
Rectify inaccurate or incomplete personal data.
Request erasure of personal data where lawful and feasible (note: erasure requests may be limited where data exists on public blockchains, or where retention is required by law).
Object to or restrict processing in certain circumstances (for processing based on legitimate interests) and withdraw consent where applicable.
Portability of data you have provided to us in a structured, commonly used format, where this applies.
Complain to a supervisory authority (in Nigeria: the Nigeria Data Protection Commission / NDPC) or to the regulator in your country of residence.
To exercise any rights, contact our Data Protection Officer at the contact details below. We will respond in accordance with applicable law.
12. Security measures
We design and maintain reasonable administrative, technical, and physical safeguards to protect personal data, including:
Encryption in transit (TLS) and at rest for sensitive off‑chain data.
Role‑based access controls and least‑privilege access.
Non‑custodial MPC wallet architecture for on‑chain operations where users maintain control of private key material.
Regular security testing, vulnerability management, and third‑party security assessments where practicable.
Policies and training for staff handling personal data.
While we strive to protect personal data, no network or storage system is completely secure, and we cannot guarantee absolute security. Compromise of private wallet seed material by a user or third party can lead to permanent asset loss.
13. Cookies & similar technologies
We use Cookies and similar technologies to enable core functionality, remember preferences, analyze usage, and deliver targeted marketing where you consent. You can manage cookie preferences via your browser or our cookie controls within the Platform.
14. Children
The Platform is not intended for individuals under the age of majority in their jurisdiction (typically 18). We do not knowingly collect personal data from children. If you believe we have collected such data, contact us and we will take steps to delete it in accordance with applicable law.
15. Changes to this Policy
We may update this Policy to reflect legal, regulatory, technical, or business changes. We will publish the revised Policy with a new “Last updated” date and, where appropriate, notify you of material changes.
16. Contact; supervisory authority
Data Protection Officer (DPO)
Engr. John E. Friday
Email: privacy@yalabit.app
Phone: +234 901 7125 334
If you are in Nigeria and wish to lodge a complaint with the supervisory authority, you may contact:
Nigeria Data Protection Commission (NDPC)
Website: ndpc.gov.ng
(We will cooperate with the NDPC and other regulators in case of investigations.)
17. Annex: How we treat on‑chain information and user requests
Avoidance & minimisation. Where practicable we avoid storing users’ PII on public ledgers. When blockchain identifiers are required, we store only necessary metadata and apply pseudonymisation.
Hashes & salts. If a cryptographic representation of data is used on‑chain (e.g., hashes), we treat the mapping key and salts as sensitive off‑chain secrets and protect them accordingly.
Rectification & erasure alternatives. If data is on‑chain and immutable, we will (where possible) sever mappings to your identity (delete or anonymise off‑chain linkages), restrict access to off‑chain metadata, and document why erasure of on‑chain data is technically infeasible.
DPIA & records. We maintain DPIAs and records of processing activities for high‑risk blockchain features and update them as required by law.
Acknowledgement
By using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the processing described herein (to the extent legally required). If you do not agree, please do not use the Platform.