Privacy Policy | Crezaro

Bolrach Technologies Limited, trading as Crezaro ("Crezaro," "we," "us," or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our payment services platform, website, APIs, and related services (collectively, the "Services").

This policy applies to merchants, their employees, end-users (payers/customers), website visitors, and any other individuals whose personal data we process. It is designed to comply with the European Union General Data Protection Regulation (GDPR), the United Kingdom General Data Protection Regulation (UK GDPR), the Nigeria Data Protection Regulation (NDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA).

1. Data Controller

Bolrach Technologies Limited is the data controller for personal data collected through the Services. For personal data processed on behalf of merchants, the merchant is the data controller and Crezaro acts as the data processor, as detailed in our Data Processing Agreement.

Our Data Protection Officer can be contacted at: [email protected]

2. Data We Collect

2.1 Account Data

When you create a merchant account, we collect: full name, email address, phone number, business name, business registration number, tax identification number, business address, beneficial ownership information, government-issued identification documents, and bank account details for settlement.

2.2 Transaction Data

For each transaction processed through the Services, we collect: transaction amount and currency, payment method details (card BIN, last four digits, bank name), payer name and email, IP address, device information, geolocation data, and transaction metadata provided by the merchant.

2.3 Technical Data

We automatically collect: IP address, browser type and version, operating system, referring URL, pages visited, time and duration of visit, device identifiers, and API usage logs.

2.4 Communications Data

We retain records of communications between you and our support team, including emails, chat messages, and phone call recordings (where permitted and with notice).

3. Purpose and Legal Basis

We process personal data for the following purposes and on the following legal bases:

Purpose	Legal Basis (GDPR/UK GDPR)
Processing payment transactions	Performance of contract
Account creation and management	Performance of contract
KYC/KYB identity verification	Legal obligation
AML/CFT screening and monitoring	Legal obligation
Fraud detection and prevention	Legitimate interest
Product improvement and analytics	Legitimate interest
Marketing communications	Consent
Compliance with legal obligations	Legal obligation
Dispute and chargeback resolution	Legitimate interest / Legal obligation

4. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

Account data: For the duration of the account relationship and 7 years after account closure (as required by financial regulation)
Transaction data: 7 years from transaction date (financial record-keeping requirements)
KYC/KYB documents: 5 years after the end of the business relationship (AML requirements)
Technical/analytics data: 24 months from collection
Marketing consent records: Until consent is withdrawn, plus 12 months
Audit logs: 7 years (immutable records required for compliance)

5. Data Sharing

We share personal data with the following categories of recipients:

Payment networks and processors: Visa, Mastercard, Verve, and banking partners as necessary to process transactions
Identity verification providers: For KYC/KYB checks (BVN validation, NIN verification, document verification services)
Fraud detection services: For transaction risk scoring and fraud prevention
Cloud infrastructure providers: For secure hosting and data storage
Regulatory authorities: Where required by law, court order, or regulatory investigation
Professional advisors: Auditors, legal counsel, and compliance consultants under strict confidentiality

We do not sell personal data to third parties. We do not share personal data for third-party marketing purposes without your explicit consent.

6. International Data Transfers

As we operate across multiple jurisdictions (Nigeria, UK, Canada, USA), personal data may be transferred internationally. For transfers from the EEA/UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers from Canada, we ensure compliance with PIPEDA's accountability principle. All international transfers are subject to appropriate safeguards including encryption in transit and at rest.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

7.1 GDPR / UK GDPR Rights (EEA and UK Residents)

Right of access (Article 15): Request a copy of your personal data
Right to rectification (Article 16): Correct inaccurate personal data
Right to erasure (Article 17): Request deletion of your personal data, subject to legal retention requirements
Right to restrict processing (Article 18): Request limitation of data processing
Right to data portability (Article 20): Receive your data in a machine-readable format
Right to object (Article 21): Object to processing based on legitimate interest
Right to withdraw consent: Where processing is based on consent
Right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK)

7.2 NDPR Rights (Nigerian Residents)

Right to be informed about data collection and use
Right of access to personal data
Right to rectification of inaccurate data
Right to withdraw consent
Right to object to processing
Right to lodge a complaint with the Nigeria Data Protection Commission (NDPC)

7.3 PIPEDA Rights (Canadian Residents)

Right to access personal information held about you
Right to challenge the accuracy and completeness of your data
Right to withdraw consent (subject to legal or contractual restrictions)
Right to lodge a complaint with the Office of the Privacy Commissioner of Canada

7.4 CCPA Rights (California Residents)

Right to know what personal information is collected, used, shared, or sold
Right to delete personal information
Right to opt out of the sale of personal information (we do not sell personal data)
Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or the applicable statutory timeframe).

8. Security

We implement industry-standard security measures to protect personal data, including:

PCI-DSS Level 1 compliance for card data handling
AES-256 encryption at rest and TLS 1.3 encryption in transit
Multi-factor authentication for account access
Regular penetration testing and security audits
Role-based access controls with principle of least privilege
Real-time intrusion detection and monitoring
Immutable audit logs for all data access and modifications

9. Cookies

We use cookies and similar tracking technologies as described in our Cookie Policy. You can manage your cookie preferences through your browser settings or our cookie consent banner.

10. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Services dashboard at least thirty (30) days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was last revised.

12. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Data Protection Officer
Bolrach Technologies Limited
Email: [email protected]
Web: crezaro.com/contact