This Privacy Policy explains how we collect and use your data. If you have a privacy question or want to exercise a data right, contact us at hello@financeguard.ng.
FinanceGuard Privacy Policy
Version 1.0.0 Effective Date: 19 April 2026 Operator: Plintar Systems Ltd. (trading as "FinanceGuard"), incorporated in the Federal Republic of Nigeria. Registered Address: [Registered Address — to be inserted] Contact: hello@financeguard.ng
This Privacy Policy explains how Plintar Systems Ltd. ("FinanceGuard", "we", "us", "our") collects, uses, discloses, stores, and protects your personal data when you use the FinanceGuard website, web application, and related services (together, the "Service"). It applies to everyone who visits https://financeguard.ng, creates a FinanceGuard account, or interacts with our Service.
This Policy is read together with our Terms of Service, Cookie Notice, and Acceptable Use Policy.
Legal review status. This Privacy Policy has been drafted by the FinanceGuard team from industry-standard templates adapted to the Nigeria Data Protection Act 2023. It has not yet been reviewed by Nigerian-qualified legal counsel. We will commission a full review before our first material revision and will update the version and effective date accordingly. Until then, this document reflects our genuine, current data-handling practices and is the policy on which users may rely.
1. Who we are and how to reach us
Data Controller. Plintar Systems Ltd., trading as FinanceGuard, is the data controller for personal data processed through the Service.
Contact for privacy matters.
- Email: hello@financeguard.ng
- Postal: [Registered Address — to be inserted]
A dedicated Data Protection Officer (DPO) and privacy mailbox (e.g. dpo@financeguard.ng) will be appointed before the Service's user base reaches the threshold at which the Nigeria Data Protection Act 2023 ("NDPA") requires formal DPO designation, or sooner. Until then, privacy requests are handled by the FinanceGuard team via hello@financeguard.ng.
2. Who this Policy is for
The Service is designed, priced, and registered for use by residents of the Federal Republic of Nigeria. It is not offered to, and is not intended for, residents of the European Economic Area, the United Kingdom, or Switzerland. We may apply geographic restrictions to enforce this. If you are a resident of one of those jurisdictions and you create an account in breach of our Terms of Service, we will delete your account and any associated personal data on becoming aware.
The Service is for adults aged 18 or over. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, contact us and we will delete it.
3. What personal data we collect
We have designed FinanceGuard to collect the minimum data needed to deliver the Service. Categories below reflect the actual fields stored in our database.
3.1 Data you provide when you create an account
- Email address (encrypted at rest)
- Password (stored only as a bcrypt hash — never in plain text)
- Phone number (encrypted at rest, optional at signup, required for SMS MFA)
- First name and last name
- Date of birth (optional; used for age-gating and tax eligibility)
- Nigerian state of residence (determines which State Internal Revenue Service handles your PAYE)
3.2 Tax identifiers (optional, feature-gated)
We do not require these at signup. We collect them only when you opt into a feature that needs them.
- National Identification Number (NIN) — the primary Tax Identification Number for individuals under the Nigeria Tax Administration Act 2026. Encrypted at rest using a dedicated tax-ID key. Stored as ciphertext plus a salted hash for lookup and duplicate-prevention.
- Bank Verification Number (BVN) — required by the Central Bank of Nigeria for bank-account linking. Encrypted at rest using a dedicated financial-data key. Stored as ciphertext plus a salted hash.
- Legacy TIN — kept for users who signed up before 1 January 2026; no new collection.
If you never use a feature that requires NIN or BVN, we never ask for these numbers.
3.3 Financial content you create or upload
- Income records (amounts, sources, dates, withholding tax)
- Expense records (amounts, categories, dates, vendor names, notes)
- Bank account metadata (account names and types you create inside the app — we do not, at the time of this Policy, store full bank account numbers)
- Receipts you upload (images, PDFs) and the structured data extracted from them by our OCR pipeline
- Bank statements you upload (PDFs, CSVs) and the transactions parsed from them
- Budgets, categories, and tax inputs you configure
3.4 Usage, device, and security metadata
- Last login IP address, approximate location, device type, browser, operating system
- Login count and timestamps
- Session identifiers and refresh tokens (hashed)
- Audit log entries for sensitive operations (authentication, MFA changes, data exports, deletions) — these contain your user ID and masked identifiers but do not contain plain-text NIN, BVN, or passwords
- Error telemetry captured by our error-monitoring provider when the app crashes or misbehaves (scrubbed of identifiers where practicable)
3.5 Consent records
We keep a record of when you accepted each policy so we can demonstrate your consent to a regulator if asked.
- Terms of Service accepted at / version
- Privacy Policy accepted at / version
- Marketing consent (opt-in, timestamp)
- Analytics consent
- Device tracking consent
3.6 Payment data
If you subscribe to a paid plan, payment is processed by Paystack. FinanceGuard does not see, store, or log your full card number, expiry date, CVV, or bank PIN. We receive from Paystack only the tokenised transaction reference, the last four digits of the card, the card brand, and the authorisation result. Card tokenisation and PCI-DSS scope sit with Paystack.
3.7 Data we do not collect
- We do not collect biometric data.
- We do not collect special-category data (health, religion, politics, sexuality) and ask you not to submit it.
- We do not purchase data about you from data brokers.
- We do not track you across other websites using advertising pixels.
4. How we use your personal data and our lawful basis
NDPA section 25 requires a lawful basis for every processing activity. Our bases are:
| Processing activity | Purpose | Lawful basis |
|---|---|---|
| Creating and authenticating your account | Delivering the Service you asked for | Contract performance |
| Calculating your estimated tax liability | Core product feature | Contract performance |
| Processing subscription payments via Paystack | Billing | Contract performance |
| Sending transactional emails (verification, receipts, security alerts) | Performing the Service | Contract performance |
| Retaining tax and accounting records for six (6) years | Nigerian tax and record-keeping law | Legal obligation |
| Detecting fraud, abuse, and security incidents | Protecting users and the Service | Legitimate interest |
| Collecting NIN / BVN when you opt into a feature that needs it | Tax-ID verification or bank linking | Consent (and legal obligation where CBN rules apply) |
| Marketing emails and product-update newsletters | Growing the Service | Consent (opt-in only) |
| Cookies and analytics on the marketing site | Understanding which pages work | Consent (opt-in; see Cookie Notice) |
| Device and session tracking for logged-in sessions | Security | Legitimate interest |
| Error monitoring and crash reporting | Fixing bugs | Legitimate interest |
We do not use your personal data or your financial content for automated decision-making that has legal or similarly significant effects. We do not profile you for advertising. Our tax calculations are deterministic and based on the rules of the Nigeria Tax Act 2025 and the Nigeria Tax Administration Act 2026 — not on predictive models.
5. Who we share your personal data with
We only share personal data with third parties to the extent necessary to operate the Service. Each processor below operates under a written data-processing arrangement and is bound by confidentiality and security obligations at least equivalent to those in this Policy.
5.1 Our service providers ("data processors")
| Processor | Role | Where processed |
|---|---|---|
| Paystack Payments Ltd. | Payment processing, subscription billing, card tokenisation | Nigeria |
| Neon, Inc. | Managed PostgreSQL database hosting | AWS region (EU or US) |
| Render, Inc. | API and worker hosting | US / Frankfurt |
| Vercel Inc. | Marketing-site hosting | Global CDN edge |
| Upstash, Inc. | Redis queue, rate-limiting, ephemeral caches | Selected region |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, WAF | Global anycast network |
| Hostinger International Ltd. | Domain registration, auxiliary hosting | Europe |
| Resend Inc. | Transactional email delivery | US |
| Sentry (Functional Software, Inc.) | Error monitoring and crash reporting | US / EU region |
If we add, replace, or remove a processor in a way that materially changes the categories of data processed or the location of processing, we will update this Policy and notify registered users by email.
5.2 Other disclosures
We may also disclose personal data:
- To you, when you request access, export, or deletion (see §10).
- To law enforcement, courts, or regulators in response to a lawfully issued subpoena, court order, NDPC order, or comparable legal process. We review each request for validity before responding.
- In a business transfer (merger, acquisition, restructuring, insolvency), in which case the successor entity will be bound to honour this Policy or a policy at least as protective. We will notify you of any such transfer before your data moves.
- With your explicit consent for anything else.
We do not sell personal data. We do not share personal data with advertising networks.
5.3 Professional Marketplace (future feature)
Our Terms of Service reserve the right to launch a Consultancy Marketplace in future, allowing verified tax or legal professionals to receive information you explicitly choose to share with them. This feature is not live at the time of this Policy. When it launches, no personal data will be shared with any professional without your prior, explicit, revocable consent per engagement.
6. International transfers
Some of our processors operate data centres outside Nigeria (see §5.1 table). Where personal data is transferred outside Nigeria, we rely on one or both of the following safeguards under NDPA sections 41–43:
- Adequacy — the destination country has been recognised as providing an adequate level of protection, or the processor is in a jurisdiction with a comparable data protection regime.
- Contractual safeguards — the processor's standard terms include privacy obligations equivalent to those under NDPA, including confidentiality, security, onward-transfer restrictions, breach notification, and support for data-subject rights.
You can ask us for a summary of the safeguards in place for any specific processor by emailing hello@financeguard.ng.
7. How long we keep your personal data
We retain personal data only for as long as we have a lawful basis to do so.
| Category | Retention period |
|---|---|
| Active account and profile data | While your account is active |
| Account after you request deletion | 30-day soft-delete grace period (recoverable), then permanent deletion |
| Tax, income, and expense records | Six (6) years from the end of the relevant tax year |
| Uploaded receipts and bank statements | Same as the underlying transaction record |
| Authentication logs and audit trails | Twelve (12) months; longer for security-incident records where legally required |
| Marketing consent records | Until you withdraw consent, plus one (1) year thereafter |
| Backups | Rolling ninety (90) days |
| Session and refresh tokens | Until session expiry or manual revocation |
If you would like a specific record deleted before the end of its retention period, see §10. We will delete it unless we are legally required to keep it (in which case we will tell you).
8. How we protect your personal data
- Encryption at rest — database fields. Email, phone, NIN, BVN, and legacy TIN are stored as ciphertext using envelope encryption with purpose-specific keys. Passwords are stored only as bcrypt hashes with a modern cost factor.
- Encryption at rest — uploaded files. Receipts, bank statements, and other files you upload are written to object storage with server-side encryption (AES-256) explicitly requested on every write. Managed PostgreSQL additionally encrypts the underlying database volumes at rest.
- Encryption in transit. All traffic is served over TLS 1.2+ with modern cipher suites and HSTS.
- Access control. Engineering access to production data is limited to named individuals, requires multi-factor authentication, and is logged.
- Audit logging. Sensitive operations are written to an append-oriented audit log. NIN and BVN values are masked in logs.
- Multi-factor authentication. Available to all users; we encourage you to enable it.
- Rate limiting and WAF. Provided via Cloudflare and application-layer controls.
- Key management. Encryption keys are managed separately from the application database, rotated on a published schedule, and revoked on personnel change.
- Secure development. Code review, dependency scanning, automated tests, and error monitoring.
No system is perfectly secure. We commit to continuous improvement and to the breach process in §11.
9. Your rights under NDPA
| Right | What it means |
|---|---|
| Access | A copy of the personal data we hold about you. |
| Rectification | Correction of inaccurate or incomplete data. |
| Erasure | Deletion of your data where we no longer have a lawful basis to keep it. |
| Restriction | Pause our processing while a dispute is resolved. |
| Portability | A structured, machine-readable export of the data you have provided to us. |
| Objection | Object to processing based on legitimate interest or for direct marketing. |
| Withdraw consent | Where processing is based on consent, withdraw it at any time. |
| Complain to the NDPC | Lodge a complaint with the Nigeria Data Protection Commission. |
We will never charge you a fee to exercise these rights unless your request is manifestly unfounded or excessive.
10. How to exercise your rights
- In-app — data export (portability). Request a full export of the personal data we hold about you via the API at
POST /v1/users/me/export-data. The export is a machine-readable JSON archive covering every user-scoped record and a signed-URL manifest for any uploaded files. If you have MFA enabled, the endpoint re-verifies your MFA code, and the resulting download URL is signed for 48 hours. Rate-limited to one per 24 hours. - In-app — other rights. Profile edit, account deletion, and preferences are available in the app for rectification, erasure, and withdrawal of consent.
- By email. Email
hello@financeguard.ngwith the subject line"Privacy request: [access | rectify | delete | port | object | withdraw consent]". - Deadline. We will acknowledge within seven (7) days and complete within thirty (30) days where possible, extendable to sixty (60) days for complex requests.
- Complaints. If you are not satisfied, you may complain to the Nigeria Data Protection Commission (NDPC) at https://ndpc.gov.ng.
11. Data breach notification
If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will, in line with NDPA section 40:
- assess the breach within forty-eight (48) hours of discovery;
- notify the NDPC within seventy-two (72) hours if the breach meets the notification threshold;
- notify affected users without undue delay, by email, where the breach is likely to result in a high risk; and
- keep an internal register of all breaches, whether notifiable or not.
12. Cookies and similar technologies
Our use of cookies, local storage, and device identifiers is covered in the Cookie Notice. Strictly-necessary cookies (login session, CSRF, security) are set without consent because the Service cannot function without them. All other cookies (analytics, preference tracking) are set only after you opt in via the cookie banner on first visit.
13. Automated decision-making and profiling
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing. Our tax calculations are rule-based and deterministic (not predictive models), and the calculated figures are estimates for planning — they are not official assessments and are not automatically transmitted to any Tax Authority.
14. Changes to this Policy
- Minor changes (clarifications, typos, processor contact updates): we update the
last_updateddate. - Material changes (new categories of data, new purposes, new processors in new jurisdictions, narrowing of your rights): we bump the version, update the effective date, notify registered users by email at least fourteen (14) days before it takes effect, and ask you to re-consent on next login.
We keep an archive of prior versions so you can compare.
15. Contact
- Email: hello@financeguard.ng
- Postal: Plintar Systems Ltd., [Registered Address — to be inserted], Nigeria
- Website: https://financeguard.ng
For questions you do not want to raise with us directly, the Nigeria Data Protection Commission is at https://ndpc.gov.ng.