Privacy Policy

AELLA MICROFINANCE BANK LIMITED (“Aella”) is committed to protecting the privacy, confidentiality, and rights of all individuals whose personal data we collect, process, and store in the course of providing financial services.

This Privacy Policy is developed in line with the Nigeria Data Protection Act (NDP Act) 2023 and the General Application and Implementation Directive (GAID) 2025.

It outlines our practices in the collection, use, disclosure, and safeguarding of personal data, ensuring transparency and accountability in data processing.

Aella Microfinance Bank is a duly licensed Microfinance Bank regulated by the Central Bank of Nigeria (“CBN”).

Part 1: Our Commitment to Data Processing Principles

We are committed to processing personal data in compliance with the NDP Act 2023 principles:

a. Lawfulness, Fairness, and Transparency

b. Purpose Limitation – Data collected solely for specified, explicit, and legitimate purposes.

c. Data Minimisation – Only necessary data is collected.

d. Accuracy – Ensuring data is accurate and up to date.

e. Storage Limitation – Retaining data only for as long as necessary.

f. Integrity and Confidentiality – Ensuring appropriate technical and organisational measures.

g. Accountability – Demonstrating compliance with the NDP Act 2023 and GAID 2025.

Part 2: Consent of Data Subject

a. We obtain consent before processing personal data unless processing is required by law, contract, vital interest, or legitimate interest.

b. Consent is freely given, specific, informed, and unambiguous.

c. Data subjects may withdraw consent at any time, without affecting the lawfulness of prior processing.

Part 3: Our Scope of Data Processing

We collect and process personal data from:

a. Customers – account holders, loan applicants, depositors, and guarantors.

b. Employees & Contractors – for HR, payroll, and compliance.

c. Third Parties – vendors, agents, and service providers.

Data categories may include:

a. Identification details (Name, NIN, BVN, Passport, Driver’s License).

b. Contact details (Email, Phone number, Address).

c. Financial information (Bank account details, Loan records, Transaction history).

d. Employment details (for staff and applicants).

e. Sensitive data (biometric information where applicable).

Part 4: Data Subject Rights

Under the NDP Act 2023 and GAID 2025, you have the following rights:

a. Right to access your personal data.

b. Right to rectify inaccurate or incomplete data.

c. Right to erasure (“right to be forgotten”).

d. Right to restrict processing.

e. Right to data portability.

f. Right to object to processing (including marketing communications).

g. Right not to be subject to automated decision-making/profiling.

Part 5: Data Retention and Security

a. Data is retained only as long as necessary to fulfill the purposes for which it was collected or as required by law.

b. We employ technical, organisational, and physical safeguards, including encryption, access control, firewalls, and staff training, to prevent unauthorised access, alteration, disclosure, or destruction.

Part 6: Mandatory Data Collection

Certain personal data is mandatory under laws and regulations such as Know Your Customer (KYC), Anti-Money Laundering (AML), and Counter-Terrorism Financing (CTF) requirements.
Failure to provide such data may result in our inability to provide services.

Part 7: Transfer of Data to Third Parties

We may share personal data with:

a. Regulatory authorities (e.g., NDPC, CBN, NDIC, EFCC, NFIU).

b. Credit bureaus and financial institutions.

c. Service providers engaged for core banking, IT support, payment processing, and debt recovery.

d. All transfers are governed by contracts ensuring confidentiality and compliance.

Part 8: Technical Information and Cookies

a. When you use our website or digital platforms, we may collect technical information such as IP address, browser type, and usage patterns.

b. Cookies may be used to enhance user experience and analyse web traffic. Users may opt out by adjusting browser settings.

Part 9: Personal Data Security and Integrity

We adopt ISO/IEC 27001-aligned security controls, periodic risk assessments, access restrictions, and incident response measures to preserve confidentiality, availability, and integrity of data.

Part 10: Job Applicants

Personal data provided by job applicants (such as CVs, academic and professional qualifications, references, and any other supporting documents) will be collected and processed solely for recruitment and selection purposes.

We will retain such data only for as long as necessary to complete the recruitment process. Records of unsuccessful applicants will be securely deleted within six (6) months of the recruitment exercise, unless a longer retention period is required by law or with the applicant’s express consent.

Successful applicants’ data will be incorporated into their employee records and processed in accordance with the Bank’s Employee Privacy Policy.

Part 11: Maintaining Accurate Information

Data subjects are encouraged to ensure their information is accurate and up-to-date. Requests for updates may be made through our Data Protection Help Desk.

Part 12: Children’s Privacy

We do not knowingly collect personal data from children under the age of 18 without verifiable parental or guardian consent.

Part 13: Caveat on Website Links

Our platforms may contain links to third-party websites. We are not responsible for the content or privacy practices of such websites.

Part 14: Transfer to Third Parties and Cross-Border Data Transfers

Where data is transferred outside Nigeria, we ensure:

a. Adequacy decision by the NDPC.

b. Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

c. Data subjects are informed, and consent is obtained where required.

Part 15: Data Protection Help Desk

We have a dedicated Data Protection Help Desk to address inquiries, complaints, and rights requests from data subjects.

Part 16: Data Deletion

Data subjects may request deletion of their data where processing is no longer necessary, subject to regulatory retention requirements.

Part 17: Data Subject Access Request (DSAR)

Requests for access, correction, or erasure of data may be submitted in writing to the Data Protection Officer. We shall respond within the timelines stipulated in the NDP Act 2023 and GAID 2025.

Part 18: Remediation

In the event of a data breach, we shall:

a. Notify the NDPC within 72 hours.

b. Notify affected data subjects where there is a high risk to their rights and freedoms.

c. Take prompt steps to remediate and mitigate risks.

Part 19: Policy on Lending and Credit Products

As a duly licensed MFB regulated by the Central Bank of Nigeria (“CBN”), all loan and credit facilities offered through our physical or digital channels are financed and administered by Aella.

In addition to the data processing practices described in this Privacy Policy, the following provisions apply specifically to loan applicants, borrowers, guarantors, and other persons whose data is processed in connection with credit products.

19.1 Lending-Related Data Collection

In connection with credit assessment and loan administration, we may collect and process:

a. Credit bureau reports and credit scores

b. Bank account and transaction history

c. Income and employment information

d. Repayment performance records

e. Guarantor details

f. Device and fraud-risk indicators (where legally permissible)

g. Communications relating to loan servicing and recovery

Certain information is mandatory under KYC, AML, CBN, and other regulatory requirements. Failure to provide required data may prevent loan approval.

19.2 Lawful Bases for Lending Data Processing

Lending-related data is processed on the basis of:

a. Performance of a contract (loan agreement)

b. Compliance with legal and regulatory obligations (including CBN and AML requirements)

c. Legitimate interest (credit risk management, fraud prevention, and debt recovery)

d. Consent (where specifically required, including certain marketing communications)

Processing of lending data is not based solely on consent.

19.3 Automated Decision-Making and Credit Scoring

We may use automated systems, credit scoring models, profiling tools, and AI-assisted risk assessment mechanisms to:

a. Assess creditworthiness

b. Determine eligibility and credit limits

c. Set loan pricing

d. Detect fraud and financial crime

Credit scoring may consider repayment history, income stability, credit bureau records, transaction behaviour, existing debt exposure, and fraud risk indicators.

Where automated processing significantly affects you (such as loan approval or rejection), you may request meaningful information about the logic involved and request human review, in accordance with the NDPA.

19.4 Credit Bureau Reporting

In accordance with applicable law and CBN requirements:

a. We may obtain credit reports from licensed credit bureaus.

b. We may report repayment performance, arrears, and defaults to licensed credit bureaus.

Such reporting may affect your credit profile within the Nigerian financial system and is conducted pursuant to legal and regulatory obligations.

19.5 Guarantor Data

Where a guarantor is required, we process guarantor data for credit risk mitigation and recovery purposes. Guarantors may be contacted in the event of borrower default. Borrowers are responsible for ensuring that guarantors are informed that their data will be shared with Aella for lending purposes.

19.6 Debt Recovery and Enforcement

In the event of default, we may disclose relevant personal data to guarantors, licensed recovery agents, legal advisers, courts, regulatory authorities, and credit bureaus strictly for lawful recovery and enforcement purposes.

19.7 Retention of Lending Data

Loan and credit-related data shall be retained:

a. For the duration of the credit relationship; and

b. For the minimum statutory retention period required under banking, AML, tax, and regulatory laws.

Retention may extend beyond loan closure where required for audit, regulatory, or litigation purposes.

19.8 Controller and Processor Roles

For lending activities, Aella Microfinance Bank acts as a Data Controller under the Nigeria Data Protection Act 2023. Third-party service providers engaged for credit assessment, analytics, loan servicing, IT support, or recovery act as Data Processors under binding contractual safeguards.

Part 20: Alteration of Privacy Policy

We may update this Privacy Policy to reflect changes in practices, legal requirements, or operational needs. All updates will be communicated through our website and banking platforms.

Part 21: Location Data

When you use the Aella mobile application, we may collect and process location information from your device. This section explains what location data we collect, why we collect it, and how we handle it.

21.1 Types of Location Data We Collect

Depending on the feature you use, we may collect:

a. Precise location - GPS-based latitude and longitude coordinates from your mobile device.

b. Address and residence verification data - location and address details (including street, neighbourhood, city, state, and country) collected when you complete digital address verification.

c. Approximate location - where precise location is unavailable, we may use less precise location signals permitted by your device and operating system.

21.2 How We Collect Location Data

Location data is collected:

a. When you use the app (foreground) - for example, when you apply for a loan, check loan eligibility, request a loan top-up or extension, or start address verification.

b. During address verification (including in the background, where permitted) - when you enrol in our address verification programme, we and our verification partner may collect location data periodically, including when the app is not actively in use, to confirm that you reside at the residential address you provided. Background collection applies only during the address verification process and only where you have granted the required permissions on your device.

Location data is collected only after you grant location permission on your device. You may withdraw permission at any time through your device settings; however, certain services may not function without it.

21.3 Why We Use Location Data

We use location data for the following purposes:

a. Credit and lending services - to assess loan eligibility, determine suitable credit offers, process loan applications, and administer loan top-ups and extensions.

b. Regulatory compliance - to meet Know Your Customer (KYC), Anti-Money Laundering (AML), and Central Bank of Nigeria (CBN) requirements, including verification that you are within our authorised service area (Nigeria).

c. Address and identity verification - to confirm that your registered residential address is accurate and that you reside at that address.

d. Fraud prevention and security - to detect and prevent fraudulent applications, identity misuse, and other financial crime.

21.4 Lawful Basis for Processing Location Data

We process location data on the basis of:

a. Performance of a contract - where location is required to provide loan and banking services you request.

b. Legal and regulatory obligation - including KYC, AML, and CBN requirements.

c. Legitimate interest - including credit risk assessment, fraud prevention, and service integrity, balanced against your rights and freedoms.

d. Consent - where required by law or by your device operating system, including permissions for foreground and, where applicable, background location during address verification. You may withdraw consent at any time through your device settings.

21.5 Sharing of Location Data

We do not sell your location data. We may share location data with:

a. Regulatory and law-enforcement authorities - where required by applicable law.

b. Credit bureaus and credit-scoring institutions - as part of credit assessment and lending administration, consistent with our lending disclosures.

c. Service providers acting as data processors - including providers engaged for address verification, core banking, fraud detection, analytics, and IT infrastructure, under contractual safeguards requiring confidentiality and compliance with applicable data protection law.

d. Professional advisers and recovery agents - strictly for lawful debt recovery and enforcement where permitted by law.

21.6 Retention of Location Data

Location data is retained only for as long as necessary to fulfil the purposes described in this Policy, including for the duration of a loan or banking relationship and for the minimum periods required under banking, AML, tax, and regulatory laws. Data may be retained longer where required for audit, regulatory review, dispute resolution, or litigation.

21.7 Your Choices and Rights

You may:

a. Decline or revoke location permissions through your device settings at any time.

b. Request access, correction, or deletion of personal data, including location data, subject to regulatory retention requirements, by contacting our Data Protection Help Desk (see Part 15).

Please note that if you decline location access, you may be unable to apply for loans, complete address verification, or access other features that require location for regulatory or security purposes.