Your data. Your rules.

Who runs this: DIDII AI TECHNOLOGY LIMITED, RC No. 9482812, registered office in Abuja, Federal Capital Territory, Nigeria. We are the data controller for the personal data described in this policy.

What we collect

When you join the Didii waitlist or use the Didii app, we collect information you give us directly:

• Identity: Your name, email address, and phone number
• Verification: Your BVN (Bank Verification Number) — required by the CBN for wallet activation
• Usage: How you interact with Didii — conversations, transactions, feature preferences
• Device: Browser type, operating system, and IP address for security purposes

We never ask for information we don't need. If we don't need it, we don't collect it.

If you apply for a role

When you apply through our careers page, we additionally collect:

• Application data — your role of interest, years of experience, expected salary range, profile links (LinkedIn, GitHub, portfolio, social), your answers to our scenario and "why didii" prompts, and when you can start
• Resume / CV — stored on Cloudinary, accessed only by the Didii hiring team

Application data is recorded in a private hiring tracker (Google Sheets) and emailed to career@didiiai.com for review. If you keep the "Keep me posted on didii" box ticked when you submit, your email is also added to the main Didii waitlist for product updates — unticking it adds you only to a careers-only list so we can email you about future role openings. You can unsubscribe from either list at any time via the link in any email we send, or by emailing career@didiiai.com.

We retain career application data for up to 24 months from submission so we can match you with future openings; you can request earlier deletion at any time.

Why we collect it

Every piece of data serves a purpose:

• To set up your wallet — your name, phone, email, and BVN are required to create a CBN-compliant wallet through our banking partner, Anchor
• To process your transactions — transfers, bill payments, and purchases require your identity and authorization
• To make Didii smarter for you — understanding your habits (with your permission) lets Didii suggest recurring payments, flag unusual activity, and save you time
• To keep you safe — device and location data help us detect unauthorized access and protect your money
• To reach you — your email and phone let us send transaction confirmations, security alerts, and (only if you opt in) product updates

Our lawful basis for processing

Under the Nigeria Data Protection Act 2023 (Section 25), we have to identify a legal reason for every category of data we process. Here are ours:

• Identity and verification data (name, email, phone, BVN): processed under the contract we have with you (we can't open your wallet without it) and our legal obligation under CBN Customer Due Diligence Regulations 2023 and the Money Laundering (Prevention and Prohibition) Act 2022
• Transaction data: processed under our contract with you and our legal obligation to maintain transaction records under CBN regulations
• Usage and device data: processed under our legitimate interests — keeping the service secure, detecting fraud, and improving the product — balanced against your reasonable expectations
• Marketing communications: processed only on your explicit consent. You can withdraw at any time via the unsubscribe link in any email or by emailing us
• Career application data: processed under our legitimate interest in evaluating candidates; for waitlist inclusion, on your consent (the ticked checkbox at submission)

When your data leaves Nigeria

Some of the services we rely on — cloud storage, email delivery, error monitoring, document storage — operate from servers outside Nigeria. Where this happens, we transfer your data under the safeguards required by NDPA Sections 41–42:

• We rely on adequacy decisions issued by the Nigeria Data Protection Commission (NDPC) where the destination country is on the whitelist
• For other destinations, we use standard contractual clauses approved by the NDPC, binding our processors to Nigerian-level protections
• For all transfers, the processor is contractually limited to using your data only for the service it provides to us

Our current processors include Anchor (Nigeria), Vercel (United States — SCCs in place), Brevo (European Union — adequacy basis), Cloudinary (United States — SCCs in place), and Google (United States — SCCs in place for Workspace and Analytics). We update this list when it changes.

Automated decisions

Some of Didii's safety systems use automated processing — for example, fraud risk scoring on transactions and pattern detection in your account activity. Under NDPA Section 38, where an automated decision has a legal or similarly significant effect on you (such as blocking a transaction or restricting your account), you have the right to:

• Request human review of the decision
• Express your point of view and contest it
• Receive a plain-language explanation of the logic involved

To exercise these rights, email privacy@didiiai.com within 14 days of the decision.

Who sees your data

We don't sell your data. Full stop. Here's who has access:

• Our banking partners — Anchor process your wallet and transactions under CBN regulation
• Payment processors — NIP (Nigeria Inter-Bank Settlement System) facilitates your transfers
• Cloud infrastructure — your data is stored on encrypted, SOC 2-compliant servers
• Regulators — the CBN and NDIC may require access as part of their supervisory mandate

No one else. No advertisers, no data brokers, no third-party "partners" digging through your spending habits.

How we protect it

Your data is encrypted at rest and in transit. Here's what that means in practice:

• BVN encryption: Your BVN is encrypted the moment you enter it. We never store it in plain text. It's used only for one-time verification with NIBSS, then locked down.
• Transaction PINs: Stored using one-way hashing — even we can't see your PIN
• API security: All communication between Didii and our servers uses TLS 1.3 encryption
• Access controls: Internal access to user data is role-based, logged, and audited
• Sensitive data redaction for AI: Your BVN, PIN, full card numbers, and full bank account numbers are stripped from your messages before our AI processes them. The AI never sees these in clear text.

If something goes wrong. If we ever discover a breach involving your personal data, we'll notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of it, as required by NDPA Section 40. We'll also contact you directly without undue delay when the breach is likely to cause significant risk to your rights — explaining what happened, what data was affected, and what we're doing about it. No spin, no jargon.

Your rights under Nigerian data protection law

Your personal data is protected by the Nigeria Data Protection Act 2023 (NDPA) and, where still applicable, the Nigeria Data Protection Regulation 2019 (NDPR). Under these laws, you have the right to:

• Access — request a copy of all personal data we hold about you and information about how we process it
• Correction — ask us to update or correct inaccurate information
• Erasure — request that we delete your data, subject to retention requirements under CBN and Money Laundering Act 2022 rules
• Restrict processing — ask us to pause processing while we resolve a dispute about accuracy or lawful basis
• Object — opt out of marketing communications at any time; you can also object to processing based on our legitimate interests
• Portability — receive your data in a structured, machine-readable format and have it transmitted to another service where technically feasible
• Withdraw consent — where we rely on your consent, you can withdraw it at any time without affecting any lawful processing already carried out
• Object to automated decisions — under NDPA Section 38, you can object to decisions based solely on automated processing (including by our AI) that have legal or similarly significant effects on you, and request human review
• Lodge a complaint — escalate concerns to the Nigeria Data Protection Commission at ndpc.gov.ng at any time

To exercise any of these rights, email privacy@didiiai.com. We'll respond within 30 days as required by NDPA Section 34(5), and usually much faster.

Our Data Protection Officer

For any data-protection question or to exercise your rights, contact our Data Protection Officer at privacy@didiiai.com. The DPO is independent within Didii and responsible for our compliance with the Nigeria Data Protection Act 2023.

Children's data

Didii is not for under-18s. If we discover that a minor has signed up, we'll close the account and delete the data without undue delay. If you believe we're processing a child's data, email privacy@didiiai.com and we'll act on it immediately.

Cookies

We use minimal cookies:

• Essential cookies: Keep you logged in and remember your preferences. These are necessary — the app doesn't work without them.
• Analytics cookies: Help us understand how people use Didii so we can improve. We use Google Analytics with IP anonymization enabled. You can opt out in your browser settings.

We don't use advertising cookies or tracking pixels from third parties.

Data retention

We keep your data only as long as we need it:

• Active accounts: Data is retained while your account is active
• Closed accounts: Transaction records are retained for 6 years as required by CBN regulations
• Waitlist data: If you never activate an account, your waitlist data is deleted after 24 months

Changes to this policy

If we make changes, we'll update this page and notify you by email if the changes are significant. We won't reduce your rights without your explicit consent.

Questions?

If anything here is unclear, reach out. We'd rather explain it plainly than hide behind legal jargon.

Email: hi@didiiai.com

Last updated: May 11, 2026