Privacy Policy
straitPay Application and Website
Effective date: 1 June 2026
This Privacy Policy explains how Strait Sahara Limited collects, uses, stores, shares and protects your personal data when you use the straitPay application, website, or any related services. Please read it carefully.
1. Who We Are
Strait Sahara Limited ("straitPay", "we", "us", "our") is the data controller responsible for your personal data. We are incorporated in Nigeria and operate a licensed cross-border remittance and payments platform under the trading name straitPay. straitPay is a mini application within MiniPay (developed by Opera Norway AS) and is also accessible via our standalone web application at www.straitpay.com/app.
Our registered address is 20 Park Lane, Apapa, Lagos, Nigeria. For all privacy-related enquiries, please contact our Data Protection team at privacy@straitpay.com.
2. Who This Policy Applies To
This Privacy Policy applies to:
- All users who access or use the straitPay platform whether via MiniPay or the standalone web application ("senders");
- Recipients of transfers made through straitPay whose personal data is provided by senders;
- Visitors to the straitPay website at www.straitpay.com; and
- Any individual whose personal data is processed by straitPay in connection with the delivery of its services.
3. What Personal Data We Collect
3.1 Data You Provide Directly
Data Category | Specific Data Elements | Who Provides It |
Identity data | Full legal name Date of birth Nationality Government-issued ID number and document image Liveness check photograph | Sender — during KYC onboarding |
Contact data | Email address Phone number Country of residence | Sender — during registration |
Recipient data | Recipient full name Bank name and account number (Nigeria) Mobile money number and network (Ghana, Kenya, Uganda) Country of recipient | Sender — on each transaction |
Transaction data | Send amount and display currency USDT amount debited FX rate applied Transfer fee Recipient local currency amount Transaction reference number On-chain Celo transaction hash Date and time of transaction Provider used (internal only) | Generated automatically on each transaction |
Source of funds | Occupation Employer name Source of funds description | Sender — requested for enhanced due diligence where applicable |
3.2 Data Collected Automatically
When you use the straitPay application, we may automatically collect the following technical data:
- Device type and operating system;
- Browser type and version;
- IP address and approximate geographic location derived from IP address;
- Application usage data including screens viewed and features accessed;
- Error and crash reports via our security monitoring provider; and
- Session timestamps.
This data is collected to ensure the security and performance of the platform and is not used for marketing purposes.
3.3 Data We Receive From Third Parties
Source | Data Received | Purpose |
Identity verification provider | Identity verification outcome and verification reference | KYC compliance and fraud prevention |
AML and recipient verification provider | Sanctions screening results, PEP status, BVN account name lookup result | AML compliance, recipient verification |
Licensed off-ramp provider (Nigeria) | Payout status, transaction reference confirmation, any recipient payment errors | Transaction completion and failure handling |
Licensed off-ramp provider (multi-corridor) | Payout status, mobile money confirmation, corridor availability | Transaction completion and failure handling |
MiniPay (Opera) | Wallet address, transaction authorisation signal | Transaction execution on Celo blockchain |
4. Legal Basis for Processing
We process your personal data on the following legal bases depending on the purpose of processing:
Purpose | Legal Basis | Details |
Identity verification (KYC) | Legal obligation | Required under CBN IMTO, FinCEN MSB, FINTRAC MSB and FCA SPI regulations |
Transaction processing | Performance of contract | Necessary to execute the transfer you have requested |
AML and sanctions screening | Legal obligation | Required under applicable AML and CTF legislation in all operating jurisdictions |
Fraud prevention | Legitimate interests | To protect our customers and the platform from financial crime |
Regulatory reporting | Legal obligation | Required by CBN, FinCEN, FINTRAC, FCA and other applicable regulators |
Customer support | Performance of contract | To resolve queries and complaints relating to your transactions |
Platform security and monitoring | Legitimate interests | To maintain the security, performance and integrity of our services |
Service improvement | Legitimate interests | To analyse usage patterns and improve our product experience |
No marketing use
We do not use your personal data for direct marketing purposes. We do not sell, rent or license your personal data to third parties for their own marketing use. Any service-related communications (transaction confirmations, security alerts) are sent as part of the service contract and are not marketing.
5. How We Use Your Personal Data
5.1 To Deliver the Service
- Verifying your identity before your first transaction;
- Processing transfers and routing USDT to the appropriate off-ramp provider;
- Verifying recipient bank account or mobile money details;
- Sending transaction confirmation SMS notifications to sender and recipient via our SMS provider; and
- Maintaining your transaction history and saved beneficiaries within the application.
5.2 To Meet Our Legal and Regulatory Obligations
- Screening all transactions and parties against applicable sanctions lists;
- Monitoring transactions for money laundering and suspicious activity indicators;
- Filing regulatory reports including Suspicious Activity Reports where required;
- Responding to lawful requests from regulators including the CBN, FinCEN, FINTRAC, FCA and law enforcement; and
- Maintaining records for the minimum periods required by applicable law.
5.3 To Maintain Platform Security
- Monitoring for unauthorised access, fraud attempts and technical failures;
- Investigating and resolving security incidents; and
- Maintaining audit logs of administrative actions within our compliance dashboard.
6. Who We Share Your Personal Data With
We share personal data only where necessary to deliver the service, meet our legal obligations, or protect the security of the platform. We do not sell your data. We work with carefully selected third-party service providers who are contractually bound to process data only on our instructions and to maintain appropriate security standards. We do not disclose the specific identities of all our service providers publicly in order to maintain operational security, but all providers are subject to data processing agreements and are disclosed to relevant regulators as required.
Recipient | Location | Purpose and Data Shared |
Identity verification provider | European Economic Area / Global | Identity document and liveness data for sender KYC verification. Our identity verification provider processes this data as a data processor on our behalf. |
AML and recipient verification provider | Nigeria | Sender name and transaction details for sanctions and PEP screening. Recipient account details for BVN lookup. |
Licensed off-ramp provider (Nigeria) | Nigeria | Recipient bank details, transfer amount in local currency, transaction reference. Required to instruct payout to recipient bank account. |
Licensed off-ramp provider (multi-corridor) | Africa / Global regions | Recipient mobile money details, transfer amount in local currency, transaction reference. Required to instruct payout to recipient mobile money wallet. |
SMS notification provider | Nigeria / Global | Sender and recipient phone numbers and transaction details for SMS confirmation messages. |
Cloud database provider | USA | Cloud database and infrastructure provider storing transaction records, user profiles and compliance data. Processes data as our data processor under a formal data processing agreement. |
Security monitoring provider | USA | Security monitoring and error tracking provider receiving technical error logs. Does not receive payment or identity data. |
Regulatory authorities | Nigeria, UK, USA, Canada, Uganda | CBN, FinCEN, FINTRAC, FCA and equivalent bodies. Data shared only where required by law including regulatory reports and responses to lawful requests. |
Law enforcement | Various | Shared only in response to valid legal process — court orders, subpoenas, statutory notices. We review all such requests for legal validity. |
7. International Data Transfers
As a cross-border payments operator, some of your personal data is transferred to and processed by our service providers in countries outside Nigeria, including the United States, Estonia, and the United Kingdom. We ensure that all such transfers are subject to appropriate safeguards:
- Transfers to our identity verification provider (based in the EEA) are covered by the EU Standard Contractual Clauses and the provider's status as an ISO 27001 certified processor;
- Transfers to our US-based cloud database and security monitoring providers are covered by Standard Contractual Clauses or equivalent transfer mechanisms;
- Transfers to UK-based services are covered by the UK's adequacy regulations and Transfer Risk Assessments where required; and
- All third-party processors are contractually required to implement appropriate technical and organisational security measures.
Nigerian users: transfers of your personal data outside Nigeria are conducted in accordance with the Nigeria Data Protection Act 2023 and the standards set by the Nigeria Data Protection Commission (NDPC).
8. How Long We Keep Your Data
Data Type | Retention Period | Reason |
Identity verification records | 5 years from end of relationship | CBN, FinCEN, FINTRAC and FCA AML record-keeping requirements |
Transaction records | 5 years from transaction date | Regulatory record-keeping and dispute resolution |
Compliance and SAR records | 5 years from date of report | Statutory requirement across all jurisdictions |
Saved beneficiaries | Until deleted by user or 2 years of inactivity | Service delivery — user-controlled |
Technical logs and error reports | 12 months | Security monitoring and incident investigation |
Customer support communications | 3 years from last interaction | Complaint handling and dispute resolution |
After the applicable retention period, personal data is securely deleted or anonymised. We cannot delete data earlier than the regulatory minimum retention period where that data is required for compliance purposes.
9. Your Rights
Depending on your location, you have the following rights in relation to your personal data:
Right | What it means | Applies to |
Access | Request a copy of the personal data we hold about you | All users |
Rectification | Request correction of inaccurate or incomplete data | All users |
Erasure | Request deletion of your data where we no longer have a legal basis to hold it | All users — subject to regulatory retention obligations |
Restriction | Request that we limit processing of your data in certain circumstances | UK, EU, Nigerian users |
Portability | Receive your data in a structured, machine-readable format | UK and EU users — where processing is automated |
Object | Object to processing based on legitimate interests | UK, EU, Nigerian users |
Withdraw consent | Where processing is based on consent, withdraw it at any time | All users |
Lodge a complaint | Complain to your relevant data protection authority | All users |
To exercise any of these rights, contact us at support@straitpay.com with the subject line DATA REQUEST — [your name and registered email]. We will respond within 30 days. We may need to verify your identity before actioning your request.
Data protection authorities by jurisdiction:
- Nigeria: Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca
- United States: Federal Trade Commission — ftc.gov (and applicable state authorities)
10. How We Protect Your Data
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration. These measures include:
- Encryption of sensitive data at rest and in transit using industry-standard encryption protocols;
- Production-grade encryption of beneficiary data within the application database;
- Role-based access controls on our compliance dashboard — only authorised personnel can access personal data;
- Two-factor authentication required for all administrative access;
- Immutable audit logging of all access to and actions taken on personal data in our compliance system;
- Regular security monitoring with automated alerts for anomalies; and
- Annual review of our security controls and third-party processor agreements.
Blockchain transparency note
Transfers processed through straitPay are settled on the Celo blockchain. Blockchain transactions are publicly visible and include the Celo wallet addresses of the sender and off-ramp provider, the USDT amount, and the transaction timestamp. straitPay does not publish personal identifying information on-chain recipient banks and mobile money details are never included in the blockchain transaction. However, wallet addresses associated with your MiniPay account are visible on the Celo blockchain explorer.
11. Cookies and Tracking
The straitPay web application (app.straitpay.com) and website (www.straitpay.com) use essential cookies and similar technologies required for the platform to function. We do not use advertising cookies, tracking pixels or third-party marketing analytics.
Cookie Type | Purpose | Examples | Can be disabled |
Essential | Session management, security, platform function | Session tokens, CSRF protection | No required for service |
Performance | Error monitoring and performance measurement | Security error monitoring | No used for security monitoring |
Analytics | Aggregate usage statistics | Page views, session duration | contact support@straitpay.com |
12. MiniPay Platform
straitPay operates as a mini application within MiniPay, developed by Opera Norway AS. MiniPay provides the wallet infrastructure, device authentication and stablecoin balance management. Opera Norway AS has its own privacy policy governing the MiniPay wallet which can be found within the MiniPay application. Strait Sahara Limited is an independent data controller for data processed in connection with straitPay transactions and is not affiliated with Opera Norway AS.
When you use straitPay within MiniPay, your wallet address and transaction authorisation are processed by Opera Norway AS in accordance with their privacy policy. straitPay receives only the Celo wallet address and transaction confirmation required to execute the transfer — we do not receive your full MiniPay profile or any other data held by Opera.
13. Children's Privacy
straitPay is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take immediate steps to delete that data. If you believe we may have collected data from a minor, please contact us at support@straitpay.com.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, data processing practices, or applicable law. Where changes are material, we will notify you via email or in-app notification at least 14 days before the changes take effect. The current version of this Policy is always available at www.straitpay.com/privacy. Your continued use of straitPay after the effective date of any updated Policy constitutes your acceptance of the changes.
15. Contact and Complaints
15.1 Privacy Enquiries
For any questions, requests or concerns about how we handle your personal data, please contact:
- Data Protection Team, Strait Sahara Limited
- Email: support@straitpay.com
- Subject line: PRIVACY — [your name and query]
- Address: Strait Sahara Limited, 20 Park Lane, Apapa, Lagos, Nigeria
We aim to respond to all privacy enquiries within 30 days.
15.2 Complaints
If you are not satisfied with our response to a privacy enquiry, you have the right to lodge a complaint with the data protection authority in your jurisdiction:
- Nigeria: Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
- Canada: Office of the Privacy Commissioner of Canada — priv.gc.ca — 1-800-282-1376
- United States: Federal Trade Commission — ftc.gov/about-ftc/contact
Strait Sahara Limited — Privacy Policy — Effective 1 June 2026 — www.straitpay.com/privacy