| Document Title | Privacy Notice |
| Version | Version 1.0 |
| Classification | PUBLIC |
| Effective Date | January 2026 |
| Data Controller | Bway Microfinance Bank Limited |
| RC Number | RC: 7269613 |
| Registered Address | 1st Floor, House 21/25 Broad Street, Marina, Lagos State, Nigeria |
| DPO Email | ayomide@bway.ng |
| Regulatory Framework | Nigeria Data Protection Act (NDPA) 2023; NDPA-GAID 2025; CBN Consumer Protection Framework 2022; CBN Guidelines on Electronic Banking; CBN AML/CFT Regulations |
Bway Microfinance Bank Limited (‘BWAY’, ‘we’, ‘us’, or ‘our’) is a Microfinance Bank licensed and regulated by the Central Bank of Nigeria (CBN), with its registered office at No 21/25 Broad Street, Marina, Lagos State, Nigeria (RC: 7269613). Bway is the data controller of the personal information you provide to us or that we collect in the course of providing our banking and financial services.
As a CBN-licensed financial institution, Bway is committed to processing your personal data responsibly, transparently, and in full compliance with the Nigeria Data Protection Act (NDPA) 2023 and its General Application and Implementation Directive (NDPA-GAID 2025).
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with data protection law. If you have any questions about this Privacy Notice, wish to exercise your data subject rights, or want to make a complaint, please contact the DPO:
| Data Protection Officer | Ayomide Odufowokan |
| ayomide@bway.ng | |
| Postal Address | Data Protection Officer, Bway Microfinance Bank Limited, No 21/25 Broad Street, Marina, Lagos State, Nigeria |
| Response Timeframe | We acknowledge all enquiries within 5 business days and provide a full response within 30 days of receipt of a valid request. |
This Privacy Notice applies to all individuals whose personal data Bway collects and processes in the course of our business. This includes:
This Notice does not apply to the personal data of Bway’s employees, which is governed by a separate Employee Privacy Notice provided to staff at onboarding.
The personal data we collect about you depends on the nature of your relationship with us and the products and services you use. We collect the minimum data necessary to provide our services and meet our legal obligations (‘data minimisation’ — NDPA 2023, s.24(c)). The categories of personal data we may collect include:
As a CBN-licensed institution, BWAY is legally required to conduct Know Your Customer (KYC) checks and Anti-Money Laundering (AML) verification before and during our business relationship with you. This includes:
Biometric data is special category data under the NDPA 2023 and is processed only where strictly necessary and with appropriate additional safeguards.
In certain circumstances, we receive personal data about you from third parties, including:
We collect personal data through the following channels:
We only use your personal data where we have a valid legal basis to do so under the NDPA 2023. The table below explains each purpose for which we process your data and the corresponding legal basis:
| Purpose of Processing | Data Categories Used | Legal Basis (NDPA 2023) |
|---|---|---|
| Account opening and management — creating and maintaining your account, processing transactions, managing your relationship with BWAY. | Identity, contact, financial, KYC data | Performance of contract (s.25(b)); Compliance with legal obligation — CBN account opening requirements (s.25(c)) |
| KYC / AML compliance — conducting identity verification, sanctions screening, PEP checks, and ongoing monitoring as required by CBN AML/CFT Regulations and FATF Recommendations. | Identity, KYC/AML, biometric data | Compliance with legal obligation (s.25(c)) — CBN AML/CFT Regulations 2022; BOFIA 2020 |
| Credit assessment and loan processing — assessing your eligibility for credit facilities, including credit bureau checks and financial analysis. | Financial, identity, employment, credit bureau data | Performance of contract (s.25(b)); Legitimate interests in responsible lending (s.25(d)); with your consent for credit bureau enquiries (s.25(a)) |
| Provision and management of digital banking services — internet banking, mobile banking, USSD, and card services. | Identity, financial, digital/technical data | Performance of contract (s.25(b)); Legitimate interests in providing secure digital banking (s.25(d)) |
| Fraud prevention and security — detecting, preventing, and investigating fraud, money laundering, cyber threats, and other financial crime. | Identity, financial, digital/technical, biometric data | Compliance with legal obligation (s.25(c)) — CBN AML/CFT; Legitimate interests in protecting our customers and the Bank (s.25(d)) |
| Regulatory reporting and compliance — meeting mandatory reporting obligations to the CBN, NDIC, NFIU, NDPC, and other regulatory bodies. | Identity, financial, KYC/AML data | Compliance with legal obligation (s.25(c)) — BOFIA 2020; CBN regulations; NDIC Act |
| Customer service and complaint handling — responding to enquiries, resolving complaints, and maintaining records of your interactions with us. | Identity, contact, communication data | Performance of contract (s.25(b)); Legitimate interests in maintaining service quality (s.25(d)) |
| Marketing and service communications — informing you of BWAY products, services, and promotions that may be relevant to you. | Identity, contact, financial profile data | Consent (s.25(a)) — you can opt out at any time |
| Research and analytics — analysing usage patterns on our digital platforms and improving our products and services. | Digital/technical, anonymised transaction data | Legitimate interests in business improvement (s.25(d)) — data anonymised where possible |
| Audit and internal compliance — conducting internal audits, risk assessments, and compliance reviews. | All categories as relevant to audit scope | Legitimate interests in maintaining governance (s.25(d)); Compliance with legal obligation (s.25(c)) |
| Legal claims and disputes — establishing, exercising, or defending legal claims and proceedings. | All categories as relevant to the claim | Legitimate interests in legal defence (s.25(d)); Compliance with legal obligation (s.25(c)) |
| Operational continuity — ensuring the continuity of banking services in the event of a disruption, in accordance with our Business Continuity Plan. | Identity, financial, account data | Legitimate interests (s.25(d)); Performance of contract (s.25(b)) |
Certain categories of personal data are considered more sensitive under the NDPA 2023 and require additional protection. BWAY processes the following categories of sensitive or special category data:
| Sensitive Data Category | When We Process It | Legal Basis and Safeguards |
|---|---|---|
| Biometric data (fingerprint, facial image) | Account opening (BVN verification via NIBSS); Mobile banking authentication (device-stored only). | Explicit consent (NDPA 2023, s.29); CBN BVN Regulations; Collected only via NIBSS-approved channels; not stored by BWAY beyond verification. |
| Financial data revealing economic situation | Credit assessment; loan management; KYC; account management. | Performance of contract (s.25(b)); Legal obligation (s.25(c)) — necessary for regulated banking activities; minimum data collected. |
| Data relating to criminal convictions or offences | AML/CFT screening; fraud checks; adverse media screening. | Legal obligation (s.25(c)) — CBN AML/CFT Regulations 2022; BOFIA 2020; processed only by authorised compliance staff. |
| Health data (limited circumstances) | Only if relevant to insurance-linked banking products or incapacity-related customer welfare matters. | Explicit consent (NDPA 2023, s.29); processed only by designated welfare/compliance staff; not retained longer than necessary. |
| Political opinions / PEP status | Politically Exposed Person (PEP) screening for AML/CFT compliance. | Legal obligation (s.25(c)) — CBN AML/CFT Regulations; FATF Recommendations; screening results retained in compliance files. |
We do not sell your personal data to third parties. We share your personal data only where necessary and under appropriate legal and contractual protections. We may share your data with the following categories of recipients:
We engage third-party service providers who process personal data on our behalf under written Data Processing Agreements (DPAs) that meet NDPA 2023, Section 28 requirements. These include:
Where you have provided consent, we may share your data with: third-party financial product providers (e.g., insurance partners) where you have requested a product; credit reference agencies for purposes beyond mandatory AML/credit assessment; and other parties as specified at the time you provide your consent.
Some of our service providers are based outside Nigeria or operate global infrastructure that may involve the transfer of your personal data outside Nigeria. We only transfer personal data outside Nigeria where we are satisfied that adequate safeguards are in place, in accordance with NDPA 2023, Section 43. These safeguards include:
The primary international data transfers we currently make involve: cloud infrastructure services (AWS processed under data processing agreements with appropriate safeguards); and international card scheme transactions (Mastercard/Visa necessary for the performance of your card services contract). You may request details of the specific safeguards in place for any particular transfer by contacting our DPO.
We retain your personal data only for as long as necessary to fulfil the purpose for which it was collected and to meet our legal, regulatory, and contractual obligations. The NDPA 2023 requires us to apply the principle of storage limitation — we do not keep data longer than we need it.
| Data Category | Retention Period | Legal / Regulatory Basis for Retention |
|---|---|---|
| Customer account records (identity, KYC, account data) | Minimum 5 years from date of account closure or end of business relationship | NDPA 2023 storage limitation; CBN KYC Guidelines; NFIU AML record-keeping requirements |
| Transaction records (including internet banking and payment data) | Minimum 5 years from transaction date | CBN AML/CFT Regulations 2022; Money Laundering (Prevention and Prohibition) Act 2022; NDIC reporting obligations |
| Loan records (application, agreement, repayment history) | Minimum 5 years from final loan repayment or write-off | CBN Credit Risk Management Guidelines; contractual necessity; potential legal claims |
| AML / compliance records (STRs, KYC screening results, PEP declarations) | Minimum 5 years from date of filing or screening | NFIU record-keeping requirements; CBN AML/CFT Regulations 2022 |
| Customer service call recordings | 90 days from date of call (extended to 5 years if relevant to a complaint or legal matter) | Legitimate interests in quality assurance and dispute resolution; CBN Consumer Protection Framework |
| CCTV footage (branches and ATMs) | 90 days from date of recording | Security necessity; Nigerian law enforcement cooperation obligations; extended if relevant to an incident |
| Credit assessment data (credit bureau reports) | Duration of loan relationship plus 5 years | CBN Credit Risk Guidelines; loan agreement; potential legal claims |
| Marketing preferences and consent records | Until you withdraw consent, plus 3 years for proof of consent | NDPA 2023 consent documentation requirements |
| Website and digital platform usage data (anonymised analytics) | Up to 2 years (anonymised after 6 months) | Legitimate interests in platform improvement; fully anonymised after 6 months |
| Job applicant data (unsuccessful applicants) | 6 months from notification of outcome | Legitimate interests in defending potential employment claims; NDPA 2023 storage limitation |
When your data reaches the end of its retention period, we will securely delete or anonymise it so that it can no longer be attributed to you. If you wish to request early deletion, please see Section 11 (Your Rights).
Bway takes the security of your personal data very seriously and implements comprehensive technical and organisational measures to protect it against unauthorised access, disclosure, alteration, loss, or destruction. Our security measures include:
In the event of a personal data breach, BWAY will: notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach, where required by NDPA 2023, Section 40; notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms; and take immediate steps to contain and remediate the breach. You can report a suspected data breach or security concern to our DPO at ayomide@bway.ng.
Under the Nigeria Data Protection Act (NDPA) 2023, you have the following rights in relation to your personal data. We are committed to responding to all valid rights requests within 30 (thirty) days of receipt. In complex cases, we may extend this by a further 30 days and will notify you if this is necessary.
To exercise any of your rights, please contact our Data Protection Officer at dpo@bway.ng. We may need to verify your identity before processing your request. All rights requests are free of charge; however, we may charge a reasonable fee for manifestly unfounded or excessive requests.
BWAY uses automated systems to assist with certain decisions in the course of providing banking services. These include: initial credit scoring assessments for loan applications (using financial data you provide and credit bureau data); fraud detection alerts generated by our transaction monitoring system; and AML transaction screening for sanctions and PEP matches.
In all cases where automated processing generates an outcome that materially affects you (e.g., a preliminary loan decision, an account restriction, or a fraud alert), a qualified BWAY staff member reviews the automated outcome before it is implemented. You have the right to request human review of any automated decision, as described in Section 11.
We do not use profiling for purposes that would result in discrimination on the basis of protected characteristics under Nigerian law, including race, ethnicity, religion, gender, or disability.
With your consent, BWAY may use your personal data to send you information about our banking products, services, and promotions that we believe may be relevant to you. Marketing communications may be sent by: email, SMS, in-app notification, or phone call. We will only send marketing communications where you have opted in to receive them.
You can opt out of marketing communications at any time by:
Opting out of marketing will not affect transactional and service communications, such as account statements, transaction alerts, OTPs, and security notices, which are necessary for your banking relationship with us.
When you use BWAY’s website, internet banking portal, or mobile banking application, we may use cookies and similar technologies to enhance your experience and to collect usage data. Our use of cookies is governed by our separate Cookie Policy, which is available from the footer of every BWAY webpage. The Cookie Policy explains: what cookies are; the specific cookies we use and why; how long they are stored; and how to manage your cookie preferences.
Bway’s banking services and digital platforms are not directed at individuals under the age of 18. We do not knowingly collect personal data from children under 18 without verifiable parental or guardian consent. Bway offers certain youth savings products for minors; in such cases, the account is operated by a parent or legal guardian, and personal data collected relates primarily to the adult guardian.
If you are a parent or guardian and you believe your child under 18 has provided personal data to BWAY without your consent, please contact our DPO immediately at ayomide@bway.ng. We will take prompt steps to verify the information and, where appropriate, delete the data from our records.
Bway’s website and digital platforms may contain links to third-party websites, social media platforms, and partner services. These third-party sites are governed by their own privacy policies, which we encourage you to review. BWAY is not responsible for the privacy practices or content of third-party websites and cannot guarantee that those sites process your personal data lawfully. The inclusion of a link to a third-party website does not constitute an endorsement by Bway of that site’s privacy practices.
If you believe that BWAY has not complied with this Privacy Notice or has processed your personal data unlawfully, we encourage you to contact our Data Protection Officer in the first instance. We take all privacy complaints seriously and will investigate and respond to your complaint within 30 days of receipt.
| Data Protection Officer | Ayomide Odufowokan |
| ayomide@bway.ng | |
| Postal Address | No 21/25 Broad Street, Marina, Lagos State, Nigeria |
If you are not satisfied with our response, or if you wish to report a concern directly to the national supervisory authority, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC):
| Nigeria Data Protection Commission (NDPC) | |
| info@ndpc.gov.ng | |
| Address | No. 5 Donau Crescent, Off Amazon Street, Maitama, Abuja, Nigeria |
Bway may update this Privacy Notice from time to time to reflect changes in applicable law (including new NDPC or CBN guidance), changes in our data processing practices, or changes in Bway’s products and services. When we make material changes, we will:
We encourage you to review this Notice periodically. Your continued use of Bway’s services after material changes are communicated constitutes your acknowledgement of the updated Notice. This Notice was last reviewed and approved in January 2026.
BWAY Microfinance Bank Limited — Bridging Gaps, Empowering Lives