
Privacy Policy

Last updated: 5 June 2026

Wajub UK Ltd attaches the utmost importance to the protection of personal data. This Privacy Policy describes how we collect, use, share and protect your data when you use our platform, services or websites, whether you are a merchant, end customer (payer), visitor, beneficiary or applicant.

Article 1 — Data controller

The data controller is Wajub UK Ltd, 83 Baker Street, London, W1U 6AG, United Kingdom. A Data Protection Officer (DPO) has been appointed and can be contacted at dpo@wajub.com for any questions relating to the protection of your data.

Article 2 — Data collected

We collect different categories of data depending on your relationship with Wajub: merchant identification and registration data (company name, registration, contact details), legal representative data (ID document, proof of address), KYC/KYB verification data, financial data (bank details), transaction data (amount, currency, date, status), technical data (IP address, browser fingerprint, device type), approximate location data, and browsing data. Wajub does not collect or store full card numbers, expiry dates or CVVs.

Article 3 — Purposes and legal bases

We process your data for the following purposes: service delivery (contractual basis), AML/CFT verification and compliance (legal obligation), security and anti-fraud via Shield (legitimate interest), communication and support (contractual performance), service improvement (legitimate interest), and recruitment (consent). Processing based on consent includes commercial communications and payment method tokenisation.

Article 4 — Cookies and similar technologies

Our site uses strictly necessary cookies (authentication, security, session) that do not require consent, functional cookies (preference storage), analytical cookies (audience measurement, anonymised data), and personalisation cookies. Non-essential cookies are placed after your consent via the information banner. The maximum retention period is 13 months. You can configure your preferences at any time via the preference centre accessible at the bottom of the page.

Article 5 — Data recipients

Your data is accessible to authorised persons at Wajub (technical teams, support, compliance, finance, sales, recruitment) on a need-to-know basis. We share with our payment Providers (mobile money operators, card acquirers, transfer providers) only the data strictly necessary for processing the transaction. We use technical sub-processors for hosting, databases, email, monitoring, support, KYC and security. The updated list is available at wajub.com/legal/subprocessors.

Article 6 — Data transfers

Your data may be transferred to France, the European Union, the United States and South Africa for the purposes of providing the services. Transfers to countries without an adequacy decision are governed by the European Commission's Standard Contractual Clauses (SCCs) (Decision 2021/914), Binding Corporate Rules (BCRs), or adequacy decisions. We contractually require our sub-processors to provide guarantees equivalent to those of the GDPR.

Article 7 — Retention periods

Data is retained for the period necessary for the purposes: registration and account data (duration of relationship + 5 years), KYC/KYB documents (duration of relationship + 5 years), transaction data (10 years, accounting obligations), production API logs (1 year, extendable to 7 years), sandbox API logs (90 days), browsing data and cookies (maximum 13 months), commercial contact data (3 years), and support communications (3 years). At the end of these periods, data is permanently deleted or anonymised.

Article 8 — Data security

We implement technical and organisational measures including: TLS 1.3 encryption in transit and AES-256 at rest, HSM for key management, mandatory multi-factor authentication, granular permissions, strict isolation of sandbox and production environments, continuous monitoring, real-time anomaly detection (Shield), regular penetration tests, continuous vulnerability scanning (SAST, DAST, SCA), and a bug bounty programme. In the event of a data breach, we notify the supervisory authority within 72 hours (Article 33 GDPR) and the data subjects without undue delay.

Article 9 — Your rights

In accordance with the GDPR, you have the rights of access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20) and objection (Article 21), as well as the right to withdraw your consent and to define post-mortem directives. To exercise your rights, contact dpo@wajub.com. We respond within 1 month (extendable by 2 months in case of complexity). You have the right to lodge a complaint with the competent supervisory authority (ICO in the UK, CNIL in France, CNPD in Cameroon, etc.).

Article 10 — Sub-processors

The updated list of our sub-processors is available at wajub.com/legal/subprocessors. We undertake to only use sub-processors providing sufficient guarantees, to contractually govern these relationships in accordance with Article 28 of the GDPR, to notify the merchant of any change, and to allow the merchant to object to a new sub-processor.

Article 11 — Changes and contact

We may modify this Policy at any time to reflect changes to our services, regulatory changes, or recommendations from authorities. In the event of a substantial modification, we will inform you by email, website notification, and by updating the version date. For any questions, contact our DPO at dpo@wajub.com or by post at Wajub UK Ltd — DPO, 83 Baker Street, London, W1U 6AG, United Kingdom.
Compliance questions: compliance@wajub.com