How We Collect, Use, and Protect Your Personal Information
Your privacy is important to us. Please read this Privacy Notice carefully. It explains who we are, what personal information we collect about you, why we collect it, how we use it, who we share it with, and what rights you have. If you have any questions, contact our Data Protection Officer at ayomide@bway.ng.
Bway Microfinance Bank Limited (‘BWAY’, ‘we’, ‘us’, or ‘our’) is a Microfinance Bank licensed and regulated by the Central Bank of Nigeria (CBN), with its registered office at No 21/25 Broad Street, Marina, Lagos State, Nigeria (RC: 7269613). Bway is the data controller of the personal information you provide to us or that we collect in the course of providing our banking and financial services.
As a CBN-licensed financial institution, Bway is committed to processing your personal data responsibly, transparently, and in full compliance with the Nigeria Data Protection Act (NDPA) 2023 and its General Application and Implementation Directive (NDPA-GAID 2025).
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with data protection law. If you have any questions about this Privacy Notice, wish to exercise your data subject rights, or want to make a complaint, please contact the DPO:
| Contact | Details |
|---|---|
| Data Protection Officer | Ayomide Odufowokan |
| ayomide@bway.ng | |
| Postal Address | Data Protection Officer, Bway Microfinance Bank Limited, No 21/25 Broad Street, Marina, Lagos State, Nigeria |
| Response Timeframe | We acknowledge all enquiries within 5 business days and provide a full response within 30 days of receipt of a valid request. |
This Privacy Notice applies to all individuals whose personal data Bway collects and processes in the course of our business. This includes:
This Notice does not apply to the personal data of Bway’s employees, which is governed by a separate Employee Privacy Notice provided to staff at onboarding.
The personal data we collect about you depends on the nature of your relationship with us and the products and services you use. We collect the minimum data necessary to provide our services and meet our legal obligations (‘data minimisation’, NDPA 2023, s.24(c)). The categories of personal data we may collect include:
As a CBN-licensed institution, BWAY is legally required to conduct Know Your Customer (KYC) checks and Anti-Money Laundering (AML) verification before and during our business relationship with you. This includes:
Biometric data is special category data under the NDPA 2023 and is processed only where strictly necessary and with appropriate additional safeguards.
In certain circumstances, we receive personal data about you from third parties, including:
We collect personal data through the following channels:
We only use your personal data where we have a valid legal basis to do so under the NDPA 2023. The table below explains each purpose for which we process your data and the corresponding legal basis:
| Purpose of Processing | Data Categories Used | Legal Basis (NDPA 2023) |
|---|---|---|
| Account opening and management — creating and maintaining your account, processing transactions, managing your relationship with BWAY. | Identity, contact, financial, KYC data | Performance of contract (s.25(b)); Compliance with legal obligation — CBN account opening requirements (s.25(c)) |
| KYC / AML compliance — conducting identity verification, sanctions screening, PEP checks, and ongoing monitoring as required by CBN AML/CFT Regulations and FATF Recommendations. | Identity, KYC/AML, biometric data | Compliance with legal obligation (s.25(c)) — CBN AML/CFT Regulations 2022; BOFIA 2020 |
| Credit assessment and loan processing — assessing your eligibility for credit facilities, including credit bureau checks and financial analysis. | Financial, identity, employment, credit bureau data | Performance of contract (s.25(b)); Legitimate interests in responsible lending (s.25(d)); with your consent for credit bureau enquiries (s.25(a)) |
| Provision and management of digital banking services — internet banking, mobile banking, USSD, and card services. | Identity, financial, digital/technical data | Performance of contract (s.25(b)); Legitimate interests in providing secure digital banking (s.25(d)) |
| Fraud prevention and security — detecting, preventing, and investigating fraud, money laundering, cyber threats, and other financial crime. | Identity, financial, digital/technical, biometric data | Compliance with legal obligation (s.25(c)) — CBN AML/CFT; Legitimate interests in protecting our customers and the Bank (s.25(d)) |
| Regulatory reporting and compliance — meeting mandatory reporting obligations to the CBN, NDIC, NFIU, NDPC, and other regulatory bodies. | Identity, financial, KYC/AML data | Compliance with legal obligation (s.25(c)) — BOFIA 2020; CBN regulations; NDIC Act |
| Customer service and complaint handling — responding to enquiries, resolving complaints, and maintaining records of your interactions with us. | Identity, contact, communication data | Performance of contract (s.25(b)); Legitimate interests in maintaining service quality (s.25(d)) |
| Marketing and service communications — informing you of BWAY products, services, and promotions that may be relevant to you. | Identity, contact, financial profile data | Consent (s.25(a)) — you can opt out at any time |
| Research and analytics — analysing usage patterns on our digital platforms and improving our products and services. | Digital/technical, anonymised transaction data | Legitimate interests in business improvement (s.25(d)) — data anonymised where possible |
| Audit and internal compliance — conducting internal audits, risk assessments, and compliance reviews. | All categories as relevant to audit scope | Legitimate interests in maintaining governance (s.25(d)); Compliance with legal obligation (s.25(c)) |
| Legal claims and disputes — establishing, exercising, or defending legal claims and proceedings. | All categories as relevant to the claim | Legitimate interests in legal defence (s.25(d)); Compliance with legal obligation (s.25(c)) |
| Operational continuity — ensuring the continuity of banking services in the event of a disruption, in accordance with our Business Continuity Plan. | Identity, financial, account data | Legitimate interests (s.25(d)); Performance of contract (s.25(b)) |
Certain categories of personal data are considered more sensitive under the NDPA 2023 and require additional protection. BWAY processes the following categories of sensitive or special category data:
| Sensitive Data Category | When We Process It | Legal Basis and Safeguards |
|---|---|---|
| Biometric data (fingerprint, facial image) | Account opening (BVN verification via NIBSS); Mobile banking authentication (device-stored only). | Explicit consent (NDPA 2023, s.29); CBN BVN Regulations; Collected only via NIBSS-approved channels; not stored by BWAY beyond verification. |
| Financial data revealing economic situation | Credit assessment; loan management; KYC; account management. | Performance of contract (s.25(b)); Legal obligation (s.25(c)) — necessary for regulated banking activities; minimum data collected. |
| Data relating to criminal convictions or offences | AML/CFT screening; fraud checks; adverse media screening. | Legal obligation (s.25(c)) — CBN AML/CFT Regulations 2022; BOFIA 2020; processed only by authorised compliance staff. |
| Health data (limited circumstances) | Only if relevant to insurance-linked banking products or incapacity-related customer welfare matters. | Explicit consent (NDPA 2023, s.29); processed only by designated welfare/compliance staff; not retained longer than necessary. |
| Political opinions / PEP status | Politically Exposed Person (PEP) screening for AML/CFT compliance. | Legal obligation (s.25(c)) — CBN AML/CFT Regulations; FATF Recommendations; screening results retained in compliance files. |
We do not sell your personal data to third parties. We share your personal data only where necessary and under appropriate legal and contractual protections. We may share your data with the following categories of recipients:
We engage third-party service providers who process personal data on our behalf under written Data Processing Agreements (DPAs) that meet NDPA 2023, Section 28 requirements. These include:
Where you have provided consent, we may share your data with: third-party financial product providers (e.g., insurance partners) where you have requested a product; credit reference agencies for purposes beyond mandatory AML/credit assessment; and other parties as specified at the time you provide your consent.
Some of our service providers are based outside Nigeria or operate global infrastructure that may involve the transfer of your personal data outside Nigeria. We only transfer personal data outside Nigeria where we are satisfied that adequate safeguards are in place, in accordance with NDPA 2023, Section 43. These safeguards include:
The primary international data transfers we currently make involve: cloud infrastructure services (AWS, processed under data processing agreements with appropriate safeguards); and international card scheme transactions (Mastercard/Visa, necessary for the performance of your card services contract). You may request details of the specific safeguards in place for any particular transfer by contacting our DPO.
We retain your personal data only for as long as necessary to fulfil the purpose for which it was collected and to meet our legal, regulatory, and contractual obligations. The NDPA 2023 requires us to apply the principle of storage limitation — we do not keep data longer than we need it.
| Data Category | Retention Period | Legal / Regulatory Basis for Retention |
|---|---|---|
| Customer account records (identity, KYC, account data) | Minimum 5 years from date of account closure or end of business relationship | NDPA 2023 storage limitation; CBN KYC Guidelines (minimum 5-year post-relationship retention); NFIU AML record-keeping requirements |
| Transaction records (including internet banking and payment data) | Minimum 5 years from transaction date | CBN AML/CFT Regulations 2022; Money Laundering (Prevention and Prohibition) Act 2022; NDIC reporting obligations |
| Loan records (application, agreement, repayment history) | Minimum 5 years from final loan repayment or write-off | CBN Credit Risk Management Guidelines; contractual necessity; potential legal claims |
| AML / compliance records (STRs, KYC screening results, PEP declarations) | Minimum 5 years from date of filing or screening | NFIU record-keeping requirements; CBN AML/CFT Regulations 2022 |
| Customer service call recordings | 90 days from date of call (extended to 5 years if relevant to a complaint or legal matter) | Legitimate interests in quality assurance and dispute resolution; CBN Consumer Protection Framework |
| CCTV footage (branches and ATMs) | 90 days from date of recording | Security necessity; Nigerian law enforcement cooperation obligations; extended if relevant to an incident |
| Credit assessment data (credit bureau reports) | Duration of loan relationship plus 5 years | CBN Credit Risk Guidelines; loan agreement; potential legal claims |
| Marketing preferences and consent records | Until you withdraw consent, plus 3 years for proof of consent | NDPA 2023 consent documentation requirements |
| Website and digital platform usage data (anonymised analytics) | Up to 2 years (anonymised after 6 months) | Legitimate interests in platform improvement; fully anonymised after 6 months |
| Job applicant data (unsuccessful applicants) | 6 months from notification of outcome | Legitimate interests in defending potential employment claims; NDPA 2023 storage limitation |
When your data reaches the end of its retention period, we will securely delete or anonymise it so that it can no longer be attributed to you. If you wish to request early deletion, please see Section 11 (Your Rights).
Bway takes the security of your personal data very seriously and implements comprehensive technical and organisational measures to protect it against unauthorised access, disclosure, alteration, loss, or destruction. Our security measures include:
In the event of a personal data breach, BWAY will: notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, where required by NDPA 2023, Section 40; notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms; and take immediate steps to contain and remediate the breach. You can report a suspected data breach or security concern to our DPO at ayomide@bway.ng.
Under the Nigeria Data Protection Act (NDPA) 2023, you have the following rights in relation to your personal data. We are committed to responding to all valid rights requests within 30 (thirty) days of receipt. In complex cases, we may extend this by a further 30 days and will notify you if this is necessary.
| Right | What It Means |
|---|---|
| Right of Access (NDPA 2023, s.34) | You have the right to request a copy of the personal data we hold about you and to receive information about how we process it, including the categories of data, the purposes of processing, who we share it with, and how long we retain it. Submit access requests to: dpo@bway.ng. We will provide a response within 30 days. The first copy is free of charge; reasonable fees may apply for subsequent requests. |
| Right to Rectification (NDPA 2023, s.35) | If any personal data we hold about you is inaccurate, incomplete, or out of date, you have the right to request that we correct it without undue delay. You can also update certain information yourself via your internet banking profile. We will confirm any correction we make to you and, where appropriate, notify third parties to whom we have disclosed the data. |
| Right to Erasure (NDPA 2023, s.36) | You have the right to request deletion of your personal data in certain circumstances — for example, where the data is no longer necessary for the purpose it was collected, where you withdraw consent, or where processing was unlawful. Please note: we may be required to retain certain data to meet our legal obligations to the CBN, NDIC, NFIU, or under anti-money laundering laws. Where this is the case, we will explain the legal basis for retention. |
| Right to Restrict Processing (NDPA 2023, s.37) | You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, if you contest the accuracy of your data (while we verify it), or if processing is unlawful and you prefer restriction to erasure. Where processing is restricted, we will continue to store your data but will not process it further without your consent or for legal claims. |
| Right to Data Portability (NDPA 2023, s.38) | Where processing is based on your consent or on a contract with you, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV or PDF), and to request that we transmit it directly to another financial institution where technically feasible. This right applies to data you have provided to us — it does not apply to data we have derived or inferred. |
| Right to Object (NDPA 2023, s.39) | You have the right to object to the processing of your personal data where we rely on legitimate interests as our legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing your data for direct marketing purposes — we will always honour opt-out requests for marketing. |
| Right to Withdraw Consent | Where processing is based on your consent, you may withdraw that consent at any time by: contacting our DPO at dpo@bway.ng; adjusting your marketing preferences in your internet banking profile; or updating your Cookie Preferences via our Cookie Consent Tool. Withdrawal of consent does not affect the lawfulness of processing that took place before withdrawal, and does not affect processing conducted on other legal bases. |
| Right Not to Be Subject to Automated Decisions (NDPA 2023, s.41) | Where BWAY makes automated decisions that significantly affect you (e.g., an initial credit scoring assessment), you have the right to: request human review of the decision; express your point of view; and obtain an explanation of the decision. BWAY does not use fully automated decision-making without the possibility of human review for decisions affecting credit access or account status. |
To exercise any of your rights, please contact our Data Protection Officer at dpo@bway.ng. We may need to verify your identity before processing your request. All rights requests are free of charge; however, we may charge a reasonable fee for manifestly unfounded or excessive requests.
BWAY uses automated systems to assist with certain decisions in the course of providing banking services. These include: initial credit scoring assessments for loan applications (using financial data you provide and credit bureau data); fraud detection alerts generated by our transaction monitoring system; and AML transaction screening for sanctions and PEP matches.
In all cases where automated processing generates an outcome that materially affects you (e.g., a preliminary loan decision, an account restriction, or a fraud alert), a qualified BWAY staff member reviews the automated outcome before it is implemented. You have the right to request human review of any automated decision, as described in Section 11.
We do not use profiling for purposes that would result in discrimination on the basis of protected characteristics under Nigerian law, including race, ethnicity, religion, gender, or disability.
With your consent, BWAY may use your personal data to send you information about our banking products, services, and promotions that we believe may be relevant to you. Marketing communications may be sent by: email, SMS, in-app notification, or phone call. We will only send marketing communications where you have opted in to receive them.
You can opt out of marketing communications at any time by:
Opting out of marketing will not affect transactional and service communications, such as account statements, transaction alerts, OTPs, and security notices, which are necessary for your banking relationship with us.
When you use BWAY’s website, internet banking portal, or mobile banking application, we may use cookies and similar technologies to enhance your experience and to collect usage data. Our use of cookies is governed by our separate Cookie Policy, which is available at www.bway.ng/cookie-policy and from the footer of every BWAY webpage. The Cookie Policy explains: what cookies are; the specific cookies we use and why; how long they are stored; and how to manage your cookie preferences.
Bway’s banking services and digital platforms are not directed at individuals under the age of 18. We do not knowingly collect personal data from children under 18 without verifiable parental or guardian consent. Bway offers certain youth savings products for minors; in such cases, the account is operated by a parent or legal guardian, and personal data collected relates primarily to the adult guardian.
If you are a parent or guardian and you believe your child under 18 has provided personal data to BWAY without your consent, please contact our DPO immediately at ayomide@bway.ng. We will take prompt steps to verify the information and, where appropriate, delete the data from our records.
Bway’s website and digital platforms may contain links to third-party websites, social media platforms, and partner services. These third-party sites are governed by their own privacy policies, which we encourage you to review. BWAY is not responsible for the privacy practices or content of third-party websites and cannot guarantee that those sites process your personal data lawfully. The inclusion of a link to a third-party website does not constitute an endorsement by Bway of that site’s privacy practices.
If you believe that BWAY has not complied with this Privacy Notice or has processed your personal data unlawfully, we encourage you to contact our Data Protection Officer in the first instance. We take all privacy complaints seriously and will investigate and respond to your complaint within 30 days of receipt.
| Contact | Details |
|---|---|
| Data Protection Officer | Ayomide Odufowokan |
| ayomide@bway.ng | |
| Postal Address | No 21/25 Broad Street, Marina, Lagos State, Nigeria |
If you are not satisfied with our response, or if you wish to report a concern directly to the national supervisory authority, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC):
| Contact | Details |
|---|---|
| Website | ndpc.gov.ng |
| info@ndpc.gov.ng | |
| Address | No. 5 Donau Crescent, Off Amazon Street, Maitama, Abuja, Nigeria |
Bway may update this Privacy Notice from time to time to reflect changes in applicable law (including new NDPC or CBN guidance), changes in our data processing practices, or changes in Bway’s products and services. When we make material changes, we will:
We encourage you to review this notice periodically. Your continued use of Bway’s services after material changes are communicated constitutes your acknowledgement of the updated notice. This notice was last reviewed and approved in January 2026.
The table below summarises the key points of this Privacy Notice in plain language for quick reference. It does not replace the full Notice.
| Question | Answer (see full Notice for details) |
|---|---|
| Who controls my data? | Bway Microfinance Bank Limited — RC 7269613, 1st Floor, House 21/25 Broad Street, Marina, Lagos. |
| What data do you collect? | Identity, financial, KYC/AML, digital, biometric, and communication data — depending on your products and relationship with us (Section 3). |
| Why do you collect it? | To open and manage your account; process transactions; comply with CBN/NFIU/NDIC regulatory obligations; assess loan applications; prevent fraud; and (with consent) market relevant products (Section 5). |
| Who do you share it with? | Regulators (CBN, NDIC, NFIU, NDPC, EFCC), payment infrastructure (NIBSS, card schemes), service providers under data processing agreements, credit bureaus, and with your consent — other financial partners (Section 7). |
| Do you send my data outside Nigeria? | Only with appropriate safeguards (standard contractual clauses or adequacy determination) — primarily for cloud hosting and international card transactions (Section 8). |
| How long do you keep it? | Minimum 5 years from end of relationship for most account and transaction data, in line with CBN and AML regulations (Section 9). |
| How is my data secured? | AES-256 encryption; MFA; role-based access; 24/7 monitoring; ISO/IEC 27001 aligned security programme (Section 10). |
| What are my rights? | Access, rectification, erasure, restriction, portability, objection, consent withdrawal, and human review of automated decisions — all exercisable via ayomide@bway.ng (Section 11). |
| Can I opt out of marketing? | Yes — at any time via email unsubscribe, SMS ‘STOP’, internet banking preferences, or by contacting dpo@bway.ng (Section 13). |
| What if I have a complaint? | Contact our DPO at ayomide@bway.ng first. If unsatisfied, escalate to the NDPC at ndpc.gov.ng or info@ndpc.gov.ng (Section 17). |
| How do I contact the DPO? | Email: ayomide@bway.ng, Address: 1st Floor, House 21/25 Broad Street, Marina, Lagos. |
© 2026 Bway Microfinance Bank Limited — This Privacy Notice is published under the authority of the Data Protection Officer.