PRIVACY POLICY

ReUp DIGITAL SERVICES PLATFORM

Operated by Bellah Options

Registration Number: BN3668420

TABLE OF CONTENTS

1. Introduction and Overview
2. Definitions
3. Scope and Application
4. Data Controller Information
5. Types of Personal Data We Collect
6. How We Collect Your Personal Data
7. Legal Basis for Processing Personal Data
8. How We Use Your Personal Data
9. Data Sharing and Disclosure
10. International Data Transfers
11. Data Retention and Storage
12. Data Security Measures
13. Your Privacy Rights Under NDPR
14. Children's Privacy
15. Cookies and Tracking Technologies
16. Third-Party Services and Links
17. Marketing Communications
18. Automated Decision-Making and Profiling
19. Data Breach Notification
20. Changes to This Privacy Policy
21. Contact Information and Complaints
22. Consent and Acceptance

1. INTRODUCTION AND OVERVIEW

1.1 Our Commitment to Privacy

Welcome to ReUp, a digital bill payment and utility services platform operated by Bellah Options (Registration No. BN3668420). We are committed to protecting your privacy and ensuring the security of your personal data in accordance with the Nigeria Data Protection Regulation (NDPR) 2019 and other applicable data protection laws.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you access or use our website, mobile application, or related services (collectively, the "Platform").

1.2 Importance of Reading This Policy

We encourage you to read this Privacy Policy carefully to understand:

1. What personal data we collect about you
2. Why we collect and process your data
3. How we use, store, and protect your information
4. Your rights regarding your personal data
5. How to exercise your privacy rights

1.3 Your Consent

By accessing or using the ReUp Platform, you acknowledge that you have read, understood, and agree to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you must discontinue use of the Platform immediately.

1.4 Regulatory Compliance

This Privacy Policy has been developed in compliance with:

• Nigeria Data Protection Regulation (NDPR) 2019
• Nigeria Data Protection Act (NDPA) 2023
• Guidelines for the Management of Personal Data by Public and Private Organisations in Nigeria.
• Other applicable Nigerian laws and international best practices

2. DEFINITIONS

For the purposes of this Privacy Policy, the following terms have the meanings set forth below:

"Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person (Data Subject). This includes but is not limited to names, identification numbers, location data, online identifiers, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

"Data Subject" means an identifiable natural person (you, the User) whose personal data is being processed.

"Data Controller" means Bellah Options, the entity that determines the purposes and means of processing personal data.

"Data Processor" means any entity that processes personal data on behalf of the Data Controller.

"Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, restriction, erasure, or destruction.

"Consent" means any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which they signify agreement to the processing of their personal data.

"Sensitive Personal Data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation.

"Third Party" means any natural or legal person, public authority, agency, or body other than the Data Subject, Data Controller, Data Processor, and persons authorized to process data under the direct authority of the Controller or Processor.

"NDPR" means the Nigeria Data Protection Regulation 2019.

"NITDA" means the National Information Technology Development Agency, the regulatory authority responsible for enforcing data protection laws in Nigeria.

3. SCOPE AND APPLICATION

3.1 Who This Policy Applies To

This Privacy Policy applies to all individuals who:

1. Visit our website (www.reup.ng or any related domains)
2. Download and use our mobile application
3. Register for a ReUp Account
4. Make transactions through our Platform
5. Communicate with us via email, phone, WhatsApp, or other channels
6. Participate in our referral programs, promotions, or surveys
7. Interact with our content on social media platforms

3.2 Geographic Scope

This Privacy Policy primarily applies to Users located in Nigeria, where our services are primarily offered. However, we may process data of Users from other jurisdictions in accordance with applicable international data protection standards.

3.3 Services Covered

This Privacy Policy covers all services offered through the ReUp Platform, including:

1. Mobile airtime and data purchases
2. Cable TV subscription payments
3. Electricity bill payments
4. Educational service payments
5. Wallet management services
6. Referral rewards programs
7. Customer support services
8. Any other digital utility services we may offer

3.4 Relationship with Terms of Service

This Privacy Policy should be read in conjunction with our Terms of Service. In the event of any conflict between this Privacy Policy and the Terms of Service regarding data protection matters, this Privacy Policy shall prevail.

4. DATA CONTROLLER INFORMATION

4.1 Identity of Data Controller

The Data Controller responsible for your personal data is:

Bellah Options

Registration Number: BN3668420

Business Address: Onibukun, Atan Ota, Ogun State, Nigeria

Email: reup@bellahoptions.com

WhatsApp: 09076017916

4.2 Data Protection Officer

For all data protection inquiries, requests to exercise your privacy rights, or complaints, you may contact our Data Protection Officer at:

Data Protection Officer

Bellah Options

Email: reup@bellahoptions.com

Phone/WhatsApp: 09076017916

4.3 NITDA Registration

Bellah Options is NOT YET registered with the National Information Technology Development Agency (NITDA) as required under the Nigeria Data Protection Regulation.

5. TYPES OF PERSONAL DATA WE COLLECT

5.1 Information You Provide Directly

We collect personal data that you voluntarily provide when using our Platform:

5.1.1 Account Registration Information

1. Full legal name (first name, middle name, last name)
2. Email address
3. Mobile phone number
4. Password (encrypted)
5. Date of birth
6. Gender (optional)
7. Residential address (optional)

5.1.2 Identity Verification Information

1. Bank Verification Number (BVN) - if required for enhanced verification
2. National Identification Number (NIN) - if required
3. International passport, driver's license, or voter's card - for advanced verification
4. Photographs or scanned copies of identification documents

5.1.3 Financial Information

1. Bank account details (account number, bank name, account name)
2. Debit/credit card information (processed securely by our payment processor)
3. Transaction history and payment records
4. Wallet balance and funding history
5. Billing addresses

5.1.4 Transaction and Service Information

1. Phone numbers for airtime/data purchases
2. Smart card numbers for cable TV subscriptions
3. Electricity meter numbers and distribution company details
4. Beneficiary information for transactions made on behalf of others
5. Purchase history, preferences, and patterns

5.1.5 Communication Information

1. Customer support inquiries and correspondence
2. Feedback, surveys, and reviews
3. Chat transcripts and call recordings (with your consent)
4. Email communications with our team
5. WhatsApp messages sent to our support line

5.1.6 Referral Information

1. Names and contact details of individuals you refer to ReUp
2. Referral codes and referral relationship data
3. Referral earnings and reward history

5.1.7 User-Generated Content

1. Promotional content you create about ReUp (social media posts, videos, testimonials)
2. Reviews, ratings, and comments
3. Profile pictures or avatars

5.2 Information We Collect Automatically

When you access or use our Platform, we automatically collect certain information:

5.2.1 Device Information

1. Device type, model, and manufacturer
2. Operating system and version
3. Device identifiers (IMEI, device ID, advertising ID)
4. Screen resolution and display settings
5. Mobile network information (carrier, network type)

5.2.2 Usage and Log Information

1. IP address and geolocation data (city, state, country)
2. Browser type and version
3. Pages visited and features used on the Platform
4. Time and date of access
5. Referring and exit pages
6. Clickstream data and navigation patterns
7. Time spent on pages or features
8. Errors, crashes, and performance data

5.2.3 Cookies and Tracking Technologies

1. Session cookies and persistent cookies
2. Web beacons and pixel tags
3. Local storage and cache data
4. Analytics and advertising identifiers

(See Section 15 for detailed information on cookies)

5.3 Information from Third-Party Sources

We may receive personal data about you from third-party sources:

5.3.1 Payment Processors

1. Payment confirmation and transaction status from Paystack
2. Fraud detection and risk assessment data
3. Payment method validation information

5.3.2 Service Providers and Partners

1. Transaction delivery confirmations from telecommunications companies
2. Service activation status from cable TV and electricity providers
3. Identity verification data from third-party verification services

5.3.3 Social Media Platforms

1. Profile information if you connect your social media account to ReUp
2. Public posts or content you create about ReUp on social media
3. Referral and sharing activity

5.3.4 Data Enrichment Services

1. Publicly available information to verify or supplement your data
2. Fraud prevention and security intelligence

5.4 Sensitive Personal Data

We generally do NOT collect sensitive personal data such as:

1. Racial or ethnic origin
2. Political opinions
3. Religious or philosophical beliefs
4. Trade union membership
5. Genetic or biometric data (except for secure authentication features, if implemented)
6. Health information
7. Sexual orientation or sex life

If we ever need to collect sensitive personal data for specific purposes, we will obtain your explicit consent and process such data in strict compliance with NDPR requirements.

6. HOW WE COLLECT YOUR PERSONAL DATA

6.1 Direct Collection

We collect personal data directly from you through:

1. Account registration forms on our website or mobile app
2. Transaction processes when you purchase services
3. Wallet funding and withdrawal requests
4. Customer support interactions via email, phone, WhatsApp, or in-app chat
5. Surveys, feedback forms, and promotional campaigns
6. Referral program participation
7. Identity verification processes

6.2 Automatic Collection

We automatically collect data through:

1. Cookies and similar technologies deployed on our website and app
2. Server logs and analytics tools that track Platform usage
3. Mobile app permissions (location, camera, contacts - only with your consent)
4. Error reporting and crash analytics

6.3 Third-Party Collection

We receive data from:

1. Payment processors (Paystack) regarding transaction status
2. Telecommunications and utility providers regarding service delivery
3. Fraud prevention services for security purposes
4. Marketing and analytics partners for campaign performance
5. Social media platforms if you interact with our social media content

6.4 Public Sources

We may collect publicly available information from:

1. Social media profiles and public posts
2. Business directories and registries
3. Public records and databases (where legally permitted)

7. LEGAL BASIS FOR PROCESSING PERSONAL DATA

Under the NDPR and applicable data protection laws, we process your personal data based on the following legal grounds:

7.1 Consent

We process certain personal data based on your explicit, freely given, informed, and specific consent, including:

1. Marketing communications and promotional offers
2. Use of non-essential cookies and tracking technologies
3. Collection of location data for personalized services
4. Processing of data for surveys and research
5. Sharing your information with third-party marketing partners

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

7.2 Contractual Necessity

We process personal data as necessary to perform our contract with you (the Terms of Service), including:

1. Creating and managing your Account
2. Processing transactions and delivering purchased services
3. Managing your Wallet balance and funds
4. Providing customer support
5. Communicating important service updates
6. Fulfilling our obligations under the Terms of Service

7.3 Legal Obligation

We process personal data to comply with legal and regulatory obligations, including:

1. Anti-money laundering (AML) and counter-terrorism financing (CTF) requirements
2. Know Your Customer (KYC) and identity verification regulations
3. Tax reporting and record-keeping obligations
4. Responding to lawful requests from law enforcement or regulatory authorities
5. Compliance with court orders and legal processes
6. NDPR and NITDA reporting requirements

7.4 Legitimate Interests

We process personal data based on our legitimate business interests, which include:

1. Fraud prevention and security monitoring
2. Platform improvement and optimization
3. Analytics and business intelligence
4. Network and information security
5. Internal administration and management
6. Enforcing our Terms of Service and policies
7. Protecting our legal rights and interests

We balance our legitimate interests against your privacy rights and only process data where our interests do not override your fundamental rights and freedoms.

7.5 Protection of Vital Interests

In rare circumstances, we may process personal data to protect your vital interests or those of another person, such as in medical emergencies or security threats.

8. HOW WE USE YOUR PERSONAL DATA

8.1 Account Management and Service Delivery

We use your personal data to:

1. Create, maintain, and secure your ReUp Account
2. Authenticate your identity and verify Account access
3. Process transactions and deliver purchased services (airtime, data, cable subscriptions, electricity)
4. Manage your Wallet balance, funds, and transaction history
5. Send transaction confirmations, receipts, and service notifications
6. Provide customer support and respond to inquiries
7. Facilitate refunds and resolve disputes

8.2 Platform Operation and Improvement

We use your data to:

1. Operate, maintain, and improve the ReUp Platform
2. Monitor Platform performance, uptime, and reliability
3. Diagnose and fix technical issues and bugs
4. Develop new features and services
5. Conduct user experience research and testing
6. Analyze usage patterns and trends
7. Optimize Platform speed and functionality

8.3 Personalization and User Experience

We use your data to:

1. Personalize your Platform experience and interface
2. Recommend services based on your transaction history
3. Remember your preferences and settings
4. Display relevant content and promotions
5. Provide location-based services (with your consent)
6. Customize communication frequency and channels

8.4 Security and Fraud Prevention

We use your data to:

1. Detect, prevent, and investigate fraud and suspicious activity
2. Monitor transactions for unusual patterns or anomalies
3. Verify identity and authenticate Users
4. Protect against unauthorized access and cyber threats
5. Enforce our Terms of Service and policies
6. Investigate and respond to security incidents
7. Comply with anti-money laundering (AML) regulations
8. Maintain the security and integrity of the Platform

8.5 Communication and Customer Support

We use your data to:

1. Respond to your inquiries, questions, and support requests
2. Send important service announcements and updates
3. Notify you of Account activity and security alerts
4. Provide transaction confirmations and receipts
5. Send password reset and verification codes
6. Communicate policy changes and new features
7. Conduct customer satisfaction surveys

8.6 Marketing and Promotional Activities

With your consent, we use your data to:

1. Send promotional offers, discounts, and special deals
2. Inform you about new services and features
3. Share news, tips, and educational content
4. Conduct marketing campaigns and promotions
5. Measure marketing effectiveness and ROI
6. Create targeted advertisements based on your interests

You can opt out of marketing communications at any time (see Section 17).

8.7 Referral Program Management

We use your data to:

1. Track referrals and attribute new Users to referring parties
2. Calculate and credit referral bonuses
3. Detect and prevent referral fraud or abuse
4. Communicate referral program updates and earnings

8.8 Analytics and Business Intelligence

We use your data to:

1. Analyze Platform usage statistics and trends
2. Generate reports on business performance
3. Understand User demographics and behavior
4. Conduct market research and competitive analysis
5. Make data-driven business decisions
6. Forecast demand and optimize inventory (for prepaid services)

8.9 Legal and Compliance Purposes

We use your data to:

1. Comply with legal obligations and regulatory requirements
2. Respond to lawful requests from government authorities
3. Enforce our Terms of Service and legal rights
4. Defend against legal claims and disputes
5. Maintain records for audit and compliance purposes
6. Report to NITDA and other regulatory bodies as required
7. Investigate and report fraud to law enforcement

8.10 Business Transfers and Corporate Transactions

We may use your data in connection with:

1. Mergers, acquisitions, or sale of business assets
2. Corporate restructuring or reorganization
3. Due diligence processes
4. Transfer of business operations to another entity

9. DATA SHARING AND DISCLOSURE

9.1 Our Data Sharing Principles

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We only share your data as described in this Privacy Policy and as necessary to provide our services, comply with legal obligations, and protect our legitimate interests.

9.2 Service Providers and Business Partners

We share personal data with trusted third-party service providers who assist us in operating the Platform:

9.2.1 Payment Processors

1. Paystack Technologies Limited - Processes payments, verifies payment methods, and handles transaction security
2. Data shared: Name, email, phone number, payment details, transaction amounts

9.2.2 Telecommunications and Utility Providers

1. MTN, Airtel, Glo, 9mobile - Deliver airtime and data services
2. DSTV, GoTV, Startimes - Activate cable TV subscriptions
3. Electricity Distribution Companies - Load prepaid meter units
4. Data shared: Phone numbers, smart card numbers, meter numbers, transaction amounts, customer names

9.2.3 Technology and Infrastructure Providers

1. Cloud hosting services - Store and process data securely
2. Database management services - Maintain data infrastructure
3. Content delivery networks (CDNs) - Optimize Platform performance
4. Data shared: User data necessary for service provision

9.2.4 Analytics and Performance Monitoring

1. Google Analytics, Firebase, or similar services - Analyze Platform usage and performance
2. Data shared: Usage data, device information, anonymized identifiers

9.2.5 Customer Support and Communication Tools

1. Email service providers - Send transactional and marketing emails
2. SMS gateway providers - Deliver text message notifications
3. Customer support platforms - Manage support tickets and inquiries
4. Data shared: Contact information, communication content, support history

9.2.6 Security and Fraud Prevention Services

1. Fraud detection services - Monitor and prevent fraudulent activity
2. Identity verification services - Verify User identities and documents
3. Data shared: Identity information, transaction patterns, device data

9.2.7 Marketing and Advertising Partners

1. Advertising networks (with your consent) - Deliver targeted advertisements
2. Social media platforms - Manage social media campaigns
3. Data shared: Anonymized or aggregated data, advertising identifiers

9.3 Legal and Regulatory Authorities

We may disclose personal data to government authorities, law enforcement agencies, and regulatory bodies when:

1. Required by law - Court orders, subpoenas, warrants, or legal processes
2. Regulatory compliance - NDPR, NITDA, Central Bank of Nigeria (CBN), Economic and Financial Crimes Commission (EFCC), Nigerian Communications Commission (NCC)
3. Fraud investigation - Reporting suspected fraud, money laundering, or illegal activity
4. Public safety - Protecting against threats to public safety or national security
5. Legal rights protection - Defending our legal rights or responding to legal claims

9.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity or successor. We will notify you of any such transfer and provide information about the new data controller.

9.5 With Your Consent

We may share your data with third parties when you explicitly consent to such sharing, including:

1. Participation in joint promotions or partnerships
2. Integration with third-party services you authorize
3. Sharing testimonials or reviews publicly (with your permission)

9.6 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you:

• Industry reports and market research
• Statistical analysis and trends
• Business presentations and marketing materials
• Academic research and publications

9.7 Referrals and Social Sharing

When you use our referral program or social sharing features:

• Your referral code may be shared with individuals you invite
• Your name or username may be visible to referred Users
• Social media platforms may receive information about your sharing activity

9.8 Third-Party Data Protection

All third parties with whom we share data are required to:

• Process data only for specified purposes
• Implement appropriate security measures
• Comply with applicable data protection laws
• Maintain confidentiality of personal data
• Enter into data processing agreements with us

10. INTERNATIONAL DATA TRANSFERS

10.1 Primary Data Storage Location

Your personal data is primarily stored and processed within Nigeria on servers located in Nigerian data centers or cloud infrastructure operating in Nigeria.

10.2 Transfers Outside Nigeria

In certain circumstances, your personal data may be transferred to, stored, or processed in countries outside Nigeria, including:

• Cloud service providers with servers in other African countries or globally
• Payment processors with international operations
• Technology service providers based outside Nigeria
• International fraud prevention networks

10.3 Safeguards for International Transfers

When transferring data internationally, we ensure adequate protection through:

• Standard contractual clauses approved by data protection authorities
• Adequacy decisions by NITDA recognizing equivalent data protection standards
• Binding corporate rules for group companies
• Your explicit consent for specific transfers
• Necessary transfers for contract performance or legal compliance

10.4 Your Rights Regarding International Transfers

You have the right to:

• Request information about international data transfers
• Object to transfers that lack adequate safeguards
• Withdraw consent for transfers based on consent

11. DATA RETENTION AND STORAGE

11.1 Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

11.2 Retention Periods

11.2.1 Active Account Data

1. Account information: Retained while your Account is active and for 7 years after Account closure
2. Transaction records: Retained for 7 years from the transaction date (legal requirement for financial records)
3. Communication logs: Retained for 3 years from the last communication
4. Marketing consent records: Retained until consent is withdrawn, then for 2 years

11.2.2 Dormant Account Data

1. Accounts with no activity for 365 days: User notified 30 days before deletion; permanently deleted on day 366
2. Transaction history: Retained for 7 years even after Account deletion (legal requirement)

11.2.3 Technical and Log Data

1. Server logs: Retained for 90 days
2. Security logs: Retained for 2 years
3. Analytics data: Retained in aggregated form indefinitely; individual data for 2 years

11.2.4 Legal and Compliance Data

1. Fraud investigation records: Retained for 10 years
2. Legal dispute documents: Retained until resolution plus 7 years
3. Regulatory compliance records: Retained as required by law (typically 7-10 years)

11.3 Deletion and Anonymization

After retention periods expire, we:

1. Permanently delete personal data from active systems
2. Anonymize or aggregate data for statistical purposes where deletion is not required
3. Securely destroy backup copies in accordance with our data retention schedule

11.4 Extended Retention Circumstances

We may retain data beyond standard periods when:

1. Required by law or regulatory obligation
2. Necessary for pending legal proceedings or investigations
3. Needed to defend against legal claims within limitation periods
4. Essential for fraud prevention or security purposes
5. You request extended retention for legitimate purposes

11.5 Your Right to Request Deletion

You may request earlier deletion of your personal data, subject to:

• Legal retention requirements (e.g., financial records)
• Ongoing legal or regulatory obligations
• Pending disputes or investigations
• Legitimate business needs

12. DATA SECURITY MEASURES

12.1 Our Security Commitment

We take the security of your personal data seriously and implement comprehensive technical, organizational, and physical measures to protect your information from unauthorized access, alteration, disclosure, or destruction.

12.2 Technical Security Measures

12.2.1 Encryption

• Data in transit: All data transmitted between your device and our servers is encrypted using TLS/SSL protocols (minimum TLS 1.2)
• Data at rest: Sensitive data stored in databases is encrypted using industry-standard encryption algorithms (AES-256)
• Password protection: Passwords are hashed using strong one-way cryptographic functions (bcrypt or similar)

12.2.2 Access Controls

• Authentication: Multi-factor authentication (MFA) for sensitive operations
• Role-based access: Employees and contractors have access only to data necessary for their roles
• Least privilege principle: Access rights are minimized and regularly reviewed
• Access logging: All access to personal data is logged and monitored

12.2.3 Network Security

• Firewalls: Advanced firewalls protect our servers and infrastructure
• Intrusion detection: Real-time monitoring for suspicious activity
• DDoS protection: Distributed denial-of-service attack mitigation
• Regular security audits: Penetration testing and vulnerability assessments

12.2.4 Application Security

• Secure coding practices: Development follows OWASP security guidelines
• Input validation: Protection against SQL injection, XSS, and other attacks
• Security patches: Regular updates and security patches applied promptly
• Code reviews: Security-focused code reviews before deployment

12.3 Organizational Security Measures

12.3.1 Employee Training and Awareness

• Regular data protection and security training for all employees
• Confidentiality agreements and non-disclosure agreements (NDAs)
• Clear data handling policies and procedures
• Security awareness programs and phishing simulations

12.3.2 Vendor Management

• Due diligence and security assessments of third-party vendors
• Data processing agreements with strict security requirements
• Regular vendor audits and compliance reviews
• Incident response coordination procedures

12.3.3 Incident Response

• Dedicated security incident response team
• Documented incident response plan and procedures
• 24/7 monitoring and alerting systems
• Breach notification protocols (see Section 19)

12.4 Physical Security Measures

• Data center security: Physical access controls, surveillance, and environmental controls
• Secure disposal: Secure destruction of physical documents and hardware
• Equipment security: Encrypted laptops and mobile devices for authorized personnel

12.5 Payment Security

• PCI-DSS compliance: Payment card data handled in accordance with Payment Card Industry Data Security Standards
• Tokenization: Payment information tokenized by Paystack to minimize exposure
• No card storage: We do not store complete credit/debit card details on our servers

12.6 Security Limitations

Despite our best efforts, no security system is impenetrable. We cannot guarantee absolute security of your data. You acknowledge and accept the inherent risks of transmitting information over the internet.

12.7 Your Security Responsibilities

You are responsible for:

• Maintaining password confidentiality: Never share your password with others
• Using strong passwords: Create unique, complex passwords
• Securing your devices: Use antivirus software and keep systems updated
• Reporting suspicious activity: Immediately notify us of unauthorized Account access
• Logging out: Log out after using the Platform on shared or public devices

13. YOUR PRIVACY RIGHTS UNDER NDPR

13.1 Overview of Rights

Under the Nigeria Data Protection Regulation (NDPR) and related laws, you have specific rights regarding your personal data. These rights are not absolute and may be subject to certain limitations and exceptions.

13.2 Right to Access (Subject Access Request)

You have the right to request:

• Confirmation of whether we process your personal data
• Access to your personal data in our possession
• Information about how we collect, use, and share your data
• Details of third parties with whom your data has been shared
• The source of your personal data (if not collected directly from you)
• Information about automated decision-making or profiling

How to exercise: Submit a request to reup@bellahoptions.com with "Subject Access Request" in the subject line.

Response time: We will respond within 30 days of receiving your request.

Cost: The first request in a 12-month period is free. Subsequent requests may incur a reasonable administrative fee.

13.3 Right to Rectification

You have the right to:

• Request correction of inaccurate personal data
• Request completion of incomplete personal data
• Update your Account information at any time

How to exercise: Update information directly in your Account settings or contact us at reup@bellahoptions.com.

Response time: We will correct or update your data within 7 business days.

13.4 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent (where processing is based on consent)
• You object to processing and there are no overriding legitimate grounds
• Your data has been unlawfully processed
• Erasure is required to comply with a legal obligation

Limitations: We may refuse erasure requests when we need to retain data for:

• Compliance with legal obligations (e.g., 7-year retention of financial records)
• Defense of legal claims
• Fraud prevention and security purposes
• Contractual obligations

How to exercise: Contact us at reup@bellahoptions.com with your request.

Response time: We will respond within 30 days.

13.5 Right to Restrict Processing

You have the right to request restriction of processing when:

• You contest the accuracy of your personal data (restriction during verification)
• Processing is unlawful, but you prefer restriction over erasure
• We no longer need the data, but you need it for legal claims
• You object to processing pending verification of our legitimate grounds

How to exercise: Contact us at reup@bellahoptions.com.

Effect: We will store the data but not further process it (except with your consent or for legal claims).

13.6 Right to Data Portability

You have the right to:

• Receive your personal data in a structured, commonly used, machine-readable format
• Transmit your data to another service provider
• Request direct transmission to another controller (where technically feasible)

Scope: This right applies only to data:

• You provided to us
• Processed based on consent or contract
• Processed by automated means

How to exercise: Contact us at reup@bellahoptions.com.

Response time: We will provide your data within 30 days.

Format: JSON, CSV, or other commonly used formats.

13.7 Right to Object

You have the right to object to processing based on:

• Legitimate interests: You can object unless we demonstrate compelling legitimate grounds
• Direct marketing: You have an absolute right to object to marketing at any time
• Profiling: You can object to automated profiling for marketing purposes

How to exercise:

• For marketing: Click "unsubscribe" in emails or contact reup@bellahoptions.com
• For other processing: Contact us with specific objections

Response time: We will stop processing within 15 business days unless we can demonstrate compelling legitimate grounds.

13.8 Right to Withdraw Consent

You have the right to:

• Withdraw consent at any time (where processing is based on consent)
• Not suffer any detriment for withdrawing consent

Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.

How to exercise: Contact us at reup@bellahoptions.com or adjust consent settings in your Account.

13.9 Right Not to be Subject to Automated Decision-Making

You have the right to:

• Not be subject to decisions based solely on automated processing (including profiling) that produce legal or significant effects
• Request human intervention in automated decisions
• Express your point of view
• Contest automated decisions

Current practices: We currently do not make decisions solely based on automated processing that significantly affect you.

13.10 Right to Lodge a Complaint

You have the right to:

• Lodge a complaint with the National Information Technology Development Agency (NITDA)
• Seek judicial remedy if you believe your rights have been violated

NITDA Contact Information:

National Information Technology Development Agency (NITDA)

No. 28, Port Harcourt Crescent, Off Gimbiya Street,

Area 11, Garki, Abuja, Nigeria

Email: info@nitda.gov.ng, dpo@nitda.gov.ng

Phone: +234 9 291 9000

Website: www.nitda.gov.ng

Our commitment: We encourage you to contact us first so we can address your concerns directly. However, you have the right to approach NITDA at any time.

13.11 Exercising Your Rights

To exercise any of your privacy rights:

1. Contact us: Email reup@bellahoptions.com or WhatsApp 09076017916
2. Identify yourself: Provide sufficient information to verify your identity
3. Specify your request: Clearly state which right you wish to exercise
4. Provide details: Include relevant details (e.g., specific data, time period)

Verification: To protect your privacy, we may request additional information to verify your identity before responding to requests.

No cost: Most requests are free. We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests.

Response time: We will respond to all requests within 30 days. If we need more time, we will inform you and explain the delay.

14. CHILDREN'S PRIVACY

14.1 Age Restrictions

The ReUp Platform is not intended for use by individuals under the age of 18 years. We do not knowingly collect, use, or disclose personal data from children under 18.

14.2 Parental Consent

If you are between 13 and 17 years old, you may only use ReUp with the consent and supervision of a parent or legal guardian. Your parent or guardian is responsible for your Account and all activities conducted through it.

14.3 Parental Rights

Parents or guardians have the right to:

• Review personal data we may have collected from their child
• Request deletion of such data
• Refuse further collection or use of their child's information

14.4 Discovery of Children's Data

If we discover that we have inadvertently collected personal data from a child under 18 without proper parental consent, we will:

• Delete such data as soon as reasonably practicable
• Terminate the associated Account
• Not use or disclose such data

14.5 Reporting Underage Users

If you believe a User is under 18 and using ReUp without appropriate parental consent, please contact us immediately at reup@bellahoptions.com.

15. COOKIES AND TRACKING TECHNOLOGIES

15.1 What Are Cookies?

Cookies are small text files stored on your device when you visit websites or use applications. They help websites remember information about your visit, making it easier and more useful.

15.2 Types of Cookies We Use

15.2.1 Essential Cookies (Strictly Necessary)

Purpose: Enable core Platform functionality

Examples:

• Session authentication cookies
• Security and fraud prevention cookies
• Load balancing cookies
• Shopping cart and transaction cookies

Legal basis: Contractual necessity (cannot be disabled without affecting Platform functionality)

Duration: Session cookies (deleted when you close your browser) or up to 12 months

15.2.2 Performance and Analytics Cookies

Purpose: Understand how Users interact with our Platform

Examples:

• Google Analytics cookies
• Page view tracking
• Error reporting
• Performance monitoring

Legal basis: Consent (can be disabled)

Duration: Up to 24 months

Third parties: Google LLC, Firebase

15.2.3 Functionality Cookies

Purpose: Remember your preferences and settings

Examples:

• Language preferences
• Display settings
• Location preferences
• Recently viewed services

Legal basis: Consent (can be disabled)

Duration: Up to 12 months

15.2.4 Advertising and Marketing Cookies

Purpose: Deliver relevant advertisements and measure campaign effectiveness

Examples:

• Behavioral advertising cookies
• Retargeting cookies
• Conversion tracking pixels
• Social media cookies

Legal basis: Consent (can be disabled)

Duration: Up to 24 months

Third parties: Facebook, Google Ads, other advertising networks

15.3 Other Tracking Technologies

We also use:

• Web beacons (pixels): Track email opens and engagement
• Local storage: Store data locally on your device
• SDKs (Software Development Kits): Collect data in mobile apps
• Device fingerprinting: Identify devices for fraud prevention

15.4 Managing Cookies

You can control cookies through:

15.4.1 Cookie Consent Manager

When you first visit our Platform, you'll see a cookie consent banner allowing you to:

• Accept all cookies
• Reject non-essential cookies
• Customize cookie preferences

15.4.2 Browser Settings

Most browsers allow you to:

• Block all cookies
• Delete existing cookies
• Accept cookies only from specific sites
• Receive notifications before cookies are stored

Browser-specific instructions:

• Chrome: Settings > Privacy and Security > Cookies
• Firefox: Settings > Privacy & Security > Cookies and Site Data
• Safari: Preferences > Privacy > Cookies and Website Data
• Edge: Settings > Privacy, Search, and Services > Cookies

15.4.3 Mobile App Settings

In our mobile app, you can manage tracking preferences through:

• App Settings > Privacy > Tracking Preferences
• Device Settings > Privacy > Tracking (iOS)
• Device Settings > Google > Ads (Android)

15.5 Third-Party Cookies

Some cookies are set by third-party services we use. We do not control these cookies. Please review the privacy policies of:

• Google Analytics: https://policies.google.com/privacy
• Facebook Pixel: https://www.facebook.com/privacy
• Paystack: https://paystack.com/privacy

15.6 Effect of Disabling Cookies

If you disable certain cookies:

• The Platform may not function properly
• Some features may be unavailable
• Your experience may be less personalized
• You may need to log in more frequently

Essential cookies cannot be disabled without affecting core functionality.

15.7 Do Not Track (DNT) Signals

Some browsers offer "Do Not Track" settings. Our Platform does not currently respond to DNT signals, as there is no universal standard for how to interpret them.

16. THIRD-PARTY SERVICES AND LINKS

16.1 Third-Party Websites and Services

Our Platform may contain links to third-party websites, applications, or services, including:

• Telecommunications company websites
• Cable TV provider portals
• Payment processor sites (Paystack)
• Social media platforms
• Partner and affiliate websites

16.2 No Control or Responsibility

We do not control and are not responsible for:

• The privacy practices of third-party websites
• The content or accuracy of third-party services
• The security of third-party platforms
• The collection or use of data by third parties

16.3 Third-Party Privacy Policies

When you click on third-party links or use third-party services, you leave our Platform and are subject to the privacy policies and terms of those third parties. We strongly encourage you to:

• Read the privacy policies of all third-party services you use
• Understand how your data will be collected and used
• Make informed decisions about sharing your information

16.4 Social Media Plugins

Our Platform may include social media features and widgets (e.g., Facebook "Like" button, Twitter "Tweet" button, Instagram share). These features may:

• Collect your IP address and page visit information
• Set cookies to enable proper functionality
• Be hosted by the third-party social media platform

Your interactions with social media features are governed by the privacy policies of the respective social media companies.

16.5 Embedded Content

We may embed content from third-party platforms (YouTube videos, Twitter feeds, etc.). Embedded content may:

• Set cookies on your device
• Track your interaction with the content
• Collect information about your visit

16.6 Third-Party Analytics and Advertising

We use third-party analytics and advertising services that may collect data about your online activities across different websites and services. These third parties may use cookies, web beacons, and other technologies to:

• Track your browsing behavior
• Build profiles about your interests
• Deliver targeted advertisements

You can opt out of interest-based advertising through:

• Digital Advertising Alliance: www.aboutads.info
• Network Advertising Initiative: www.networkadvertising.org
• Google Ads Settings: www.google.com/settings/ads

17. MARKETING COMMUNICATIONS

17.1 Types of Marketing Communications

With your consent, we may send you marketing communications, including:

• Email newsletters: Service updates, promotions, tips
• SMS messages: Special offers, discount alerts
• Push notifications: Time-sensitive deals, new features
• WhatsApp messages: Personalized offers, customer support
• In-app messages: Feature announcements, promotions

17.2 Legal Basis

We send marketing communications based on:

• Explicit consent: You opted in to receive marketing
• Soft opt-in: You are an existing customer and the marketing relates to similar products/services
• Legitimate interests: For transactional messages related to your Account

17.3 Content of Marketing

Our marketing communications may include:

• Promotional offers and discounts
• New service announcements
• Referral program updates
• Seasonal campaigns
• Educational content and tips
• Product recommendations based on your transaction history

17.4 Frequency

We respect your inbox and time. We aim to send:

• Promotional emails: Maximum 2-3 per week
• SMS: Maximum 1-2 per week
• Push notifications: As needed for time-sensitive offers

You can adjust communication frequency in your Account settings.

17.5 Personalization

We may personalize marketing messages based on:

• Your transaction history
• Service preferences
• Location (with consent)
• Browsing behavior on our Platform
• Engagement with previous communications

17.6 Opting Out of Marketing

You have the absolute right to opt out of marketing at any time.

To unsubscribe:

17.6.1 Email

• Click the "Unsubscribe" link at the bottom of any marketing email
• Log in to your Account > Settings > Communication Preferences
• Email reup@bellahoptions.com with "Unsubscribe" in the subject

17.6.2 SMS

• Reply "STOP" to any marketing SMS
• Contact us at reup@bellahoptions.com

17.6.3 Push Notifications

• Disable in App Settings > Notifications
• Adjust device notification settings

17.6.4 WhatsApp

• Reply with "Unsubscribe" or "Stop marketing"
• Contact us to remove you from our WhatsApp marketing list

Effect of opting out:

• You will stop receiving marketing communications within 5-10 business days
• You will continue to receive transactional and service-related messages (receipts, security alerts, Account notifications)
• Opting out does not delete your Account or affect your service

17.7 Transactional Communications

You cannot opt out of essential transactional communications, including:

• Transaction confirmations and receipts
• Account security alerts
• Password reset emails
• Terms of Service and policy updates
• Customer support responses
• Service outage notifications
• Legal notices

These communications are necessary for the provision of our services and your Account security.

18. AUTOMATED DECISION-MAKING AND PROFILING

18.1 Use of Automated Systems

We may use automated systems and algorithms for certain purposes, including:

• Fraud detection: Analyzing transaction patterns to identify suspicious activity
• Credit risk assessment: Evaluating transaction limits based on Account history
• Service recommendations: Suggesting services based on your preferences
• Pricing optimization: Offering personalized discounts or promotions

18.2 Profiling Activities

We may create profiles about you based on:

• Transaction history and spending patterns
• Service preferences and usage
• Device and location information
• Engagement with our Platform and communications

Purpose of profiling:

• Improve service personalization
• Detect and prevent fraud
• Optimize Platform performance
• Deliver relevant content and offers

18.3 No Solely Automated Decisions with Legal Effects

We do NOT make decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you, except where:

• Necessary for contract performance
• Authorized by law
• Based on your explicit consent

18.4 Human Oversight

All significant automated decisions include human review and oversight. You have the right to:

• Request human intervention
• Express your point of view
• Contest the decision
• Receive an explanation of the decision

18.5 Fraud Prevention Automation

Our fraud detection systems may automatically:

• Flag suspicious transactions for review
• Temporarily restrict Account activity
• Request additional verification

These measures protect you and our Platform. If your Account is affected, you can contact us for review.

18.6 Your Rights

You have the right to:

• Request information about automated decision-making logic
• Object to profiling for marketing purposes
• Request manual review of automated decisions
• Opt out of non-essential profiling

To exercise these rights: Contact reup@bellahoptions.com

19. DATA BREACH NOTIFICATION

19.1 Our Commitment

We take data security seriously and have implemented measures to prevent data breaches. However, despite our best efforts, breaches may occur.

19.2 What is a Data Breach?

A personal data breach is a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

19.3 Detection and Response

We have systems and procedures to:

• Detect potential breaches promptly
• Assess the nature and severity of the breach
• Contain and remediate the breach
• Investigate the root cause
• Implement measures to prevent recurrence

19.4 Notification to NITDA

If we discover a data breach likely to result in a risk to your rights and freedoms, we will:

• Notify NITDA within 72 hours of becoming aware of the breach
• Provide details of the breach, affected data, and remedial measures
• Cooperate fully with NITDA's investigation

19.5 Notification to You

If a data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via:

• Email to your registered email address
• SMS to your registered phone number
• In-app notification
• Public notice on our website (if we cannot contact you individually)

Our notification will include:

• Description of the breach and affected data
• Potential consequences of the breach
• Measures we have taken to address the breach
• Recommendations for protecting yourself (e.g., changing passwords, monitoring accounts)
• Contact information for further inquiries

19.6 Breach Documentation

We maintain detailed records of all data breaches, including:

• Facts and circumstances of the breach
• Effects of the breach
• Remedial actions taken
• Notifications sent

19.7 Your Actions

If you suspect unauthorized access to your Account or a potential data breach:

1. Change your password immediately
2. Contact us: Email reup@bellahoptions.com or WhatsApp 09076017916
3. Monitor your Account: Check for unauthorized transactions
4. Enable additional security: Activate multi-factor authentication if available
5. Report fraud: If fraudulent activity occurred, report to relevant authorities

20. CHANGES TO THIS PRIVACY POLICY

20.1 Right to Modify

Bellah Options reserves the right to modify, update, or amend this Privacy Policy at any time to reflect:

• Changes in data protection laws or regulations
• Changes in our data processing practices
• Introduction of new features or services
• Feedback from Users or regulators
• Enhanced security or privacy measures

20.2 Notification of Changes

When we make material changes to this Privacy Policy, we will:

• Update the "Last Updated" date at the top
• Notify you via one or more of the following methods:
• Email to your registered email address
• In-app notification or banner
• SMS notification
• Prominent notice on our website

For non-material changes (e.g., clarifications, typo corrections), we will update the policy and "Last Updated" date without individual notification.

20.3 Effective Date

Changes will become effective:

• Material changes: 30 days after notification
• Non-material changes: Immediately upon posting

20.4 Review and Acceptance

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

Your continued use of the Platform after changes become effective constitutes acceptance of the updated Privacy Policy.

If you do not agree to the changes:

• Stop using the Platform
• Close your Account
• Withdraw consent for data processing
• Exercise your right to erasure (subject to legal limitations)

20.5 Version History

We maintain a version history of this Privacy Policy. Previous versions are available upon request by contacting reup@bellahoptions.com.

21. CONTACT INFORMATION AND COMPLAINTS

21.1 Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer

Bellah Options

Registration Number: BN3668420

Address: Onibukun, Atan Ota, Ogun State, Nigeria

Email: reup@bellahoptions.com

WhatsApp: 09076017916

Business Hours:

Monday to Saturday: 8:00 AM – 8:00 PM (WAT)

Sunday: 10:00 AM – 6:00 PM (WAT)

21.2 Privacy Inquiries

We welcome inquiries about:

• How we collect and use your data
• Your privacy rights under NDPR
• Our data security practices
• Data sharing and third-party services
• Cookie and tracking practices
• Any other privacy-related matters

21.3 Response Time

We will acknowledge receipt of your inquiry within 48 hours and provide a substantive response within 30 days.

If we need additional time, we will inform you of the delay and expected response date.

21.4 Internal Complaints Process

If you have a privacy complaint:

1. Submit a written complaint to reup@bellahoptions.com with:

• Description of the complaint
• Relevant details and evidence
• Desired resolution

1. We will acknowledge your complaint within 5 business days
2. We will investigate and respond within 30 days
3. If unresolved, you may escalate internally to our senior management

21.5 External Complaints and Regulatory Contact

If you are not satisfied with our response or believe we have violated your privacy rights, you have the right to lodge a complaint with:

National Information Technology Development Agency (NITDA)

No. 28, Port Harcourt Crescent,

Off Gimbiya Street, Area 11, Garki,

Abuja, Nigeria

Email: info@nitda.gov.ng, dpo@nitda.gov.ng

Phone: +234 9 291 9000

Website: www.nitda.gov.ng

NITDA Data Protection Compliance Complaints:

Email: dpo@nitda.gov.ng

Online Portal: https://ndpr.nitda.gov.ng

You may also seek judicial remedies through Nigerian courts if you believe your data protection rights have been violated.

21.6 Good Faith Cooperation

We are committed to resolving privacy concerns amicably and in good faith. We encourage you to contact us directly before approaching external authorities so we can address your concerns promptly.

22. CONSENT AND ACCEPTANCE

22.1 Providing Consent

By using the ReUp Platform, you acknowledge that you have:

• Read and understood this Privacy Policy in its entirety
• Been informed about how we collect, use, store, and share your personal data
• Understood your privacy rights under Nigerian data protection law
• Consented to our data processing practices as described in this policy

22.2 How Consent is Obtained

We obtain your consent through:

• Registration: When you create a ReUp Account
• Cookie banner: When you accept cookies on our website
• Opt-in forms: When you subscribe to marketing communications
• In-app permissions: When you grant permissions in our mobile app
• Explicit consent requests: For specific data processing activities

22.3 Voluntary and Informed Consent

Your consent is:

• Voluntary: You are not obligated to use ReUp
• Informed: This Privacy Policy provides comprehensive information about our data practices
• Specific: We obtain separate consent for different processing purposes
• Unambiguous: Your consent is indicated by clear affirmative action

22.4 Withdrawing Consent

You may withdraw your consent at any time by:

• Contacting us at reup@bellahoptions.com
• Adjusting privacy settings in your Account
• Unsubscribing from marketing communications
• Deleting your Account

Effect of withdrawal:

• We will stop processing your data for the purposes to which you consented
• Withdrawal does not affect the lawfulness of processing before withdrawal
• We may still process your data based on other legal grounds (e.g., legal obligations, contract performance)

22.5 Minors

If you are under 18, by using ReUp, you confirm that:

• You have obtained consent from your parent or legal guardian
• Your parent/guardian has read and understood this Privacy Policy
• Your parent/guardian consents to our processing of your personal data

22.6 Legal Capacity

By using ReUp, you represent and warrant that you have the legal capacity to provide consent under Nigerian law.

23. ADDITIONAL PROVISIONS

23.1 Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the Federal Republic of Nigeria, particularly:

• Nigeria Data Protection Regulation (NDPR) 2019
• Nigeria Data Protection Act (NDPA) 2023
• Other applicable Nigerian laws and regulations

23.2 Jurisdiction

Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts in Ogun State, Nigeria.

23.3 Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.

23.4 Language

This Privacy Policy is drafted in English. If translated into other languages, the English version shall prevail in case of any inconsistency.

23.5 Entire Agreement

This Privacy Policy, together with our Terms of Service and any other referenced policies, constitutes the entire agreement between you and Bellah Options regarding the processing of your personal data.

23.6 No Waiver

Our failure to enforce any provision of this Privacy Policy does not constitute a waiver of that provision or our right to enforce it in the future.

23.7 Compliance Certifications

Bellah Options is committed to maintaining compliance with:

• NDPR requirements and NITDA guidelines
• International data protection standards and best practices
• Industry-specific security standards (e.g., PCI-DSS for payment data)

We undergo regular compliance audits and assessments to ensure ongoing adherence to data protection standards.

24. ACKNOWLEDGMENT

BY USING THE REUP PLATFORM, YOU ACKNOWLEDGE THAT:

1. You have read and understood this Privacy Policy
2. You consent to the collection, use, storage, and disclosure of your personal data as described herein
3. You understand your rights under the NDPR and how to exercise them
4. You are aware of the security measures we implement and your own security responsibilities
5. You understand how to contact us regarding privacy matters
6. You acknowledge that we may update this policy from time to time
7. You have the option to withdraw consent or close your Account if you disagree with our practices

This Privacy Policy is effective as of January 17, 2026.

For questions or concerns about this Privacy Policy or our data protection practices, please contact us at reup@bellahoptions.com or WhatsApp 09076017916.

© 2026 Bellah Options (Registration No. BN3668420). All rights reserved.