Privacy Policy

How Zuba collects, uses, and protects personal data.

1. Introduction

Zuba Technologies Ltd ("Zuba", "we", "us", or "our") is a company incorporated under the laws of Canada. We provide technology and infrastructure to facilitate cross-border payments for enterprises.

This Privacy Policy ("Policy") explains how we collect, use, store, share, and protect personal data when you:

• Access our website (www.zuba.com);
• Use our products or services; or
• Interact with us as a client, prospective client, partner, supplier, or authorised representative of an enterprise customer.

For the purposes of applicable data protection laws, including the UK General Data Protection Regulation ("UK GDPR"), the EU General Data Protection Regulation ("GDPR"), and the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), Zuba acts as a data controller, unless it explicitly acts as a data processor on behalf of a customer under a separate written agreement.

Zuba provides services globally. Where personal data is subject to UK GDPR or EU GDPR, Zuba processes such data in accordance with those regimes in addition to its obligations under Canadian privacy law, including PIPEDA.

We may update this Policy from time to time. Material changes will be notified via email. Previous versions are available on request.

2. Scope of This Policy

This Policy applies to personal data relating to:

• Authorised users and representatives of our customers;
• Counterparties, beneficiaries, or payees where relevant to payment processing;
• Visitors to our website; and
• Business contacts, partners, and suppliers.

Nothing in this Policy is intended to limit any rights available to individuals under applicable data protection legislation in their jurisdiction of residence.

Where Zuba processes personal data on behalf of a customer in its capacity as a data processor, such processing is governed by a separate data processing agreement or equivalent contractual arrangement between Zuba and the relevant customer.

Our services are designed for business use and are not directed at individuals under 18 years of age.

3. Information We Collect

We may collect and process the following categories of personal data:

3.1 Information You Provide

• Name, job title, and business contact details
• Company name and business address
• Identification and verification information required for compliance, which may include government-issued identification documents, proof of residential or business address, corporate registration and constitutional documents, and beneficial ownership or control information (as required under applicable KYC, AML, and sanctions laws)
• Communications with us (emails, calls, and support correspondence)

3.2 Information We Collect Automatically

• IP address and device identifiers
• Log and access records relating to use of our services
• Website usage data collected through cookies or similar technologies

3.3 Information from Third Parties

We may receive personal data from third parties in connection with the provision of our services and our compliance with applicable laws. This may include:

• Compliance, screening, and verification data from sanctions screening providers, politically exposed persons (PEP) and watchlist databases, adverse media and risk intelligence services, and other regulated or reputable third-party compliance service providers
• Information received from financial institutions, payment networks, clearing partners, or other payment service providers involved in the processing or settlement of transactions
• Personal data provided by enterprise customers relating to their authorised users, counterparties, beneficiaries, or payees, where necessary to perform contracted services

Such data is processed only for the purposes described in this Policy.

4. How We Use Personal Data

We process personal data for the following purposes:

• Providing, operating, and maintaining our services
• Onboarding customers and authorised users
• Complying with legal and regulatory obligations, including financial crime prevention
• Processing, reconciling, and settling transactions
• Detecting, preventing, and investigating fraud, misuse, or security incidents
• Communicating with customers and authorised representatives
• Improving and developing our services, systems, and infrastructure
• Establishing, exercising, or defending legal claims

We may use automated processing and analytical tools, including transaction monitoring, risk scoring, and sanctions screening systems to support the purposes described above. These systems assist decision-making and are subject to appropriate human review and oversight.

Zuba does not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals, except where permitted by applicable law.

5. Legal Bases for Processing

We process personal data only where permitted by law, including where processing is necessary for:

• Performance of a contract with our customers
• Compliance with legal obligations, including regulatory and supervisory requirements
• Legitimate interests, such as service improvement, business continuity, and security
• Consent, where required under applicable law (for example, certain marketing activities)

For completeness, we process personal data as necessary to maintain system security, detect and respond to incidents, investigate suspected misuse, and comply with regulatory and legal obligations, including through logging, monitoring, and incident response activities.

6. Data Location and International Processing

Data may be accessed and processed by Zuba employees based in the UK for operational, compliance, and support purposes.

Where personal data originates from the European Economic Area or the United Kingdom, such processing is conducted in accordance with UK GDPR and EU GDPR requirements. In limited circumstances, personal data originating from the EEA or the United Kingdom may also be accessed by Zuba employees located in other jurisdictions, including Nigeria, strictly where necessary for operational, compliance, or support purposes.

We implement appropriate safeguards to ensure that personal data remains protected when accessed across jurisdictions, including contractual, technical, and organisational measures. Where access occurs from jurisdictions not subject to an adequacy decision under UK or EU data protection law, such safeguards are implemented in accordance with Chapter V of the UK GDPR and EU GDPR.

For the purposes of Canadian privacy law, including PIPEDA, Zuba remains accountable for personal data under its control, including where such data is processed by employees or service providers located outside Canada.

As a company established outside the United Kingdom and the European Union, Zuba has appointed representatives in accordance with Article 27 of the UK GDPR and the EU GDPR.

United Kingdom Representative

European Union Representative

Data subjects may contact Zuba or its UK or EU representatives regarding matters related to the processing of personal data.

7. Sharing of Personal Data

We may share personal data with:

• Regulated financial institutions and payment partners involved in transaction processing
• Partner banks, payment institutions, or other regulated financial counterparties
• Compliance, identity verification, and fraud-prevention service providers
• Blockchain infrastructure providers, distributed ledger network participants, or node operators (where relevant)
• Professional advisers, including legal, audit, and accounting firms
• Regulators, courts, or law enforcement authorities where legally required
• Other entities within the Zuba group and service providers acting under contractual confidentiality and data protection obligations

We do not sell personal data or share it for third-party marketing purposes.

8. Data Security

We maintain appropriate technical and organisational security measures designed to protect personal data against unauthorised access, loss, misuse, or alteration, including access controls and role-based permissions, encryption and secure communications protocols, monitoring and logging of system activity, and periodic security reviews and risk assessments.

These measures are supported by internal information security policies, employee training, and incident response procedures designed to protect the confidentiality, integrity, and availability of personal data. Access to personal data is restricted to personnel who require it for legitimate business purposes.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, comply with legal, regulatory, and accounting requirements, and resolve disputes or enforce contractual obligations.

Retention periods vary depending on the nature of the data and applicable legal requirements. As a general guide, transaction records, customer due diligence materials, and know-your-customer documentation are typically retained for between five (5) and seven (7) years following the end of the relevant business relationship or completion of the transaction, in accordance with applicable anti-money laundering and financial services laws.

10. Your Rights

Subject to applicable law, you may have the right to access personal data held about you; request correction of inaccurate or incomplete personal data; request deletion of personal data (subject to legal and regulatory retention obligations); restrict or object to certain processing activities; withdraw consent at any time, where processing is based on consent; request data portability, where applicable; and not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except as permitted by law.

Certain transaction information may be recorded on public or distributed blockchain networks. Due to the immutable nature of blockchain technology, such information cannot be modified or deleted once recorded. Zuba limits on-chain data to pseudonymous or transactional identifiers wherever possible. Identifying information is maintained off-chain and subject to deletion obligations.

Depending on your location, you may lodge a complaint with the relevant supervisory authority in your jurisdiction. We encourage you to contact us first so we can address concerns promptly and transparently.

11. Cookies

Our website uses cookies and similar technologies to ensure proper functionality, maintain security, and analyse website usage. We use strictly necessary cookies, required for website operation and security, and analytical cookies, used to improve website performance and user experience.

Where required by applicable law, we will obtain your consent before placing non-essential cookies on your device. You may manage or withdraw your cookie preferences at any time through your browser settings or any cookie preference tool made available on our website.

12. Contact Us

If you have questions about this Policy or wish to exercise your data protection rights, please contact:

Zuba Technologies Ltd.
Email: privacy@zuba.com