Privacy Policy

Effective date: April 15, 2026  ·  Last updated: April 15, 2026

1. Introduction

Pila Inc. (“Pila”, “we”, “us”, or “our”) operates a multi-currency neobanking platform that combines fiat banking accounts with an embedded crypto wallet. This Privacy Policy explains what personal data we collect, how we use and protect it, and your rights in relation to it.

By registering for or using the Pila platform (the “Service”), you acknowledge that you have read and understood this Policy. If you do not agree, you must discontinue use of the Service.

This Policy is published in compliance with the Nigeria Data Protection Act 2023 (“NDPA”) and its Regulations, the Nigeria Data Protection Regulation 2019 (“NDPR”), and any other applicable data protection legislation in the jurisdictions where we operate.

2. Data Controller Identity

The data controller for personal data processed in connection with the Service is:

Pila Inc.
Email: team@pila.cash

Where we engage third-party processors, we enter into Data Processing Agreements that require them to handle personal data only on our documented instructions and to implement appropriate technical and organisational safeguards.

3. Information We Collect

3.1 Account Registration Data

When you create a Pila account we collect: full legal name, email address, phone number, date of birth, and country of residence. This information is required to create and manage your account.

3.2 Identity Verification (KYC) Data

To comply with financial regulations and to unlock higher service tiers, we collect and process the following through our identity verification partner:

  • KYC Level 1: Bank Verification Number (BVN) and National Identification Number (NIN).
  • KYC Level 2:Government-issued identity documents (passport, driver's licence, national ID card), selfie photograph, and liveness/biometric verification data.

Identity document images and biometric data are classified as sensitive personal data and are processed only for identity verification and fraud prevention purposes. Raw biometric data is not stored by Pila after verification is complete; we retain the verified status and reference identifiers only.

3.3 Financial and Transaction Data

We collect and maintain records of all financial activity on the platform, including: account balances across all currencies (NGN, USD, GBP, CAD, USDC, USDT), transaction history (amounts, currencies, timestamps, counterparties, transaction reference numbers), virtual account numbers assigned to you, and exchange rate data applicable to your swap transactions.

These records are maintained as an immutable ledger and are legally required to be retained for regulatory and audit purposes.

3.4 Crypto Wallet Data

Your embedded crypto wallet is created and managed through Privy, our embedded wallet infrastructure provider. We collect and store your wallet addresses (public keys only) and on-chain transaction references. Private keys are managed by Privy under their custody model and are never directly accessible to Pila. You can review Privy's privacy practices at privy.io/privacy-policy.

3.5 Device and Usage Data

We automatically collect certain technical data when you access the Service: IP address, device type and operating system, browser or app version, session timestamps, pages or screens viewed, and feature usage patterns. This data is used for security monitoring, fraud detection, and service improvement.

3.6 Communications Data

When you contact our support team or respond to our communications, we retain the content of those communications along with your contact details and the date and time of the interaction.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the NDPA and applicable law:

  • Performance of a contract: Processing necessary to open your account, execute transactions, and provide the Service.
  • Legal obligation: Processing required to comply with CBN regulations, NDPA/NDPR, the Money Laundering (Prevention and Prohibition) Act 2022, and any other applicable law (KYC, AML, transaction record-keeping).
  • Legitimate interests: Fraud prevention, security monitoring, service improvement, and direct marketing of closely related financial products — where such interests are not overridden by your rights.
  • Consent: Marketing communications for products materially different from those you already use, where we rely on opt-in consent. You may withdraw consent at any time.

5. How We Use Your Information

  • Create and maintain your Pila account and associated fiat and crypto accounts.
  • Process deposits, withdrawals, transfers, and stablecoin ↔ fiat swaps.
  • Verify your identity and comply with KYC/AML obligations under Nigerian and international law.
  • Detect, investigate, and prevent fraud, unauthorised access, and financial crime.
  • Send transaction receipts, OTP codes, security alerts, and account notifications via email, SMS, and push notification.
  • Respond to your support queries and resolve disputes.
  • Comply with legal obligations including court orders, regulatory directives, and law enforcement requests.
  • Maintain an immutable audit log for financial compliance purposes.
  • Improve, personalise, and develop the Service.

6. Third-Party Service Providers

We share your data with carefully selected third parties only to the extent necessary to deliver the Service. All processors are contractually bound to protect your data and are prohibited from using it for any purpose other than performing services for Pila.

  • Embedded wallet provider (Privy): Creates and manages your embedded crypto wallet. Receives your user identifier and manages key custody for wallet signing.
  • Identity verification provider: Processes your BVN, NIN, identity documents, and biometric data to complete KYC verification.
  • Banking infrastructure partners: Licensed financial institutions and payment processors that hold and manage underlying fiat currency accounts (NGN, USD, GBP, CAD). These partners receive the personal and financial data necessary to open and operate those accounts.
  • Stablecoin bridge provider: Processes stablecoin ↔ fiat conversion requests. Receives your wallet address, transaction amounts, and destination account details.
  • Communication providers: Transactional email, SMS, and push notification services used to deliver OTP codes, transaction alerts, and account communications.
  • Error tracking and monitoring: We use an error tracking service (Sentry) that may receive anonymised diagnostic data to help us identify and fix software defects.
  • Regulatory and law enforcement authorities: We disclose personal data to competent authorities where required by applicable law or a valid legal order.

We do not sell your personal data to third parties for advertising or marketing purposes.

7. International Data Transfers

Some of our service providers are located outside Nigeria. When we transfer personal data internationally, we ensure that appropriate safeguards are in place — including standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms — consistent with the NDPA and applicable regulations.

8. Data Retention

We retain your personal data for as long as your account is active and for as long as required to fulfil the purposes described in this Policy. Specifically:

  • Transaction and financial records: Minimum of 7 years from the date of the transaction, as required by Nigerian financial regulations and the Money Laundering (Prevention and Prohibition) Act 2022.
  • KYC and identity records: Minimum of 5 years after the termination of the customer relationship, or longer if required by law.
  • Audit logs: Retained indefinitely as an append-only compliance record. These records are never modified or deleted.
  • Account and usage data: Retained for the duration of the account and for up to 5 years after closure for dispute resolution and legal claims.

After applicable retention periods expire, we securely delete or anonymise your data.

9. Your Rights

Subject to applicable law and our legal obligations (including mandatory financial record-keeping), you have the following rights in respect of your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data where we are not required by law to retain it.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Portability: Receive your data in a machine-readable format where technically feasible.
  • Objection: Object to processing based on our legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at team@pila.cash. We will respond within 30 days. We may require identity verification before acting on a request. Where we are unable to fulfil a request due to a legal obligation, we will explain why.

You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) or the relevant supervisory authority in your jurisdiction.

10. Security

We implement and maintain technical and organisational measures appropriate to the sensitivity of the data we process, including: encryption of data in transit (TLS) and at rest; strict access controls and role-based permissions; isolated infrastructure with network segmentation; real-time fraud detection and anomaly monitoring; regular security assessments and penetration testing; and an incident response plan.

Despite these measures, no system is completely immune from breach. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected users, in accordance with applicable law.

11. Cookies and Analytics

Our web platform uses cookies and similar tracking technologies for session management, security, and anonymised analytics. We use Vercel Analytics (privacy-friendly, no cross-site tracking) to understand aggregate usage patterns. We do not deploy third-party advertising cookies.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data without parental consent, we will delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via an in-app notice at least 14 days before the changes take effect, and update the effective date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

14. Contact Us

For any privacy-related questions, requests, or complaints, please contact our Data Protection Officer at:

Pila Inc. — Privacy Team
Email: team@pila.cash