This privacy policy (“Policy”) sets out the basis on which Payoak.net (StoneBridge Technologies Limited) (RC.) (“Company”) may collect, use, disclose, or otherwise process personal data relating to you in accordance with the Nigerian Data Protection Regulation (NDPR) 2019. This Policy applies to personal data in the possession or under the control of the Company, including any organisation that the Company may engage to collect, use, disclose, or process personal data for the purposes of the Company

1. Basic Information on Data Processing and Legal Basis

This data protection declaration informs you about the type, scope, and purpose of the processing of personal data within the escrow services offered by Payoak.net and the websites, functions, and content connected to it (hereinafter jointly referred to as “escrow services”). The privacy policy applies regardless of the domains, systems, platforms, and devices (e.g., desktop or mobile) used on which the escrow services are executed.

The terms used, such as “personal data” or “processing,” refer to the definitions in the Nigerian Data Protection Regulation (NDPR) 2019. The personal data of users processed within the scope of these escrow services includes inventory data (e.g., email addresses, names, and addresses of users), contract data (e.g., services used, names of clerks, payment information), usage data (e.g., the visited web pages of our escrow services), and content data (e.g., details of escrow transactions, chat messages, images).

The term “user” includes all categories of data subjects. They include our business partners, customers, interested parties and other users of our online offer. The terms used, such as “user”, are to be understood as gender neutral.

We process users’ personal data only in compliance with the relevant data protection provisions. This means that user data will only be processed if a legal basis exists. Specifically, this includes situations where data processing is necessary for the provision of our contractual services and escrow services, is required by law, or is based on the user’s consent, as well as due to our legitimate interests (i.e., interests in the analysis, optimisation, and economic operation and security of our escrow services, particularly in terms of measuring usage, creating profiles for advertising and marketing purposes, and collecting access data and utilising third-party services).

We would like to point out that the legal basis for processing based on consent is defined under the NDPR, the legal basis for processing necessary for the performance of our services and implementation of contractual measures is under Article 2.1 of the NDPR, the legal basis for processing to fulfil our legal obligations is under Article 2.3 of the NDPR, and the legal basis for processing to protect our legitimate interests is also addressed within the NDPR.

2. Security Measures

We take organisational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. The security measures include the encrypted transmission of data between your browser and our server.

3. Transfer of Data to Third Parties and Third-Party Providers

Data is only shared with third parties within the framework of legal requirements. We only share users’ data with third parties if this is necessary, for example, based on Article 2.1 of the Nigerian Data Protection Regulation (NDPR) for contractual purposes or based on legitimate interests under Article 2.5 of the NDPR for the economic and effective operation of our business.

If we use subcontractors to provide our services, we take appropriate legal precautions and implement corresponding technical and organizational measures to ensure the protection of personal data in accordance with the relevant legal provisions.

If content, tools, or other resources from third-party providers are used within the scope of this data protection declaration and their registered office is in a country outside Nigeria (referred to as “third countries”), it is to be understood that a data transfer to those third-party providers’ countries of domicile may occur. Third countries are those where the NDPR is not directly applicable, essentially countries outside Nigeria. Data transfer to third countries occurs only if there is an adequate level of data protection, user consent, or otherwise legal permission and the GDPR applies.

4. Provision of Contractual Services

We process inventory data (e.g., names and addresses as well as contact data), contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Article 2.1 of the Nigerian Data Protection Regulation (NDPR).

Website visitors can create a user account on our website, with which they can create, view and manage their trust payments. For the opening of the user account as well as for the disbursement of the funds, the following personal data are collected:

• Name: First name, Last name

• E-mail address

• Password

• Date of birth

• Nationality

• Address (street, house number, postal code, city, country)

• Mobile number

• Bank details (e.g. IBAN, BVN,)

For business accounts, the following data is also collected:

• Name of the company

• Sales Tax Identification number or Tax Identification Number (TIN)

• Address of the company

For registration we use the double-opt-in procedure. This means that registration is not completed until the user confirms registration by clicking a link in a verification e-mail sent for this purpose.

The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data regarding the user account will be deleted, subject to their retention being necessary for reasons of commercial or tax law in accordance with Article 2.3 of the Nigerian Data Protection Regulation (NDPR).

For carrying out trustee payments, personal data will be processed as follows:

• First and last name

• Status of identification (identification open / identification completed)

• Chat messages

as well as information and status messages on the escrow payments that are exchanged between the underlying parties involved.

The payments initiated via PayOak are processed electronically via our system at Payoak.net, (StoneBridge Technologies Limited), (“Payoak.net”). For this purpose, your data (see 4 above) will be forwarded to Payoak.net. Required data beyond this (e.g. identification data or company documents for identification) are stored by Payoak.net.

5. Contacting Us

When contacting us (by e-mail or telephone), the information is processed for the purpose of handling the contact request and its processing in accordance with Article 2.1 of the Nigerian Data Protection Regulation (NDPR).

The user’s /customer’s details may be stored in our Customer Relationship Management System (“CRM System”) or comparable inquiry database systems.

6. Collection of Access Data and Log Files

We collect data based on our lawful interest, as provided under Section 2.2(c) of the Nigeria Data Protection Regulation (NDPR) 2019. This includes data from each access to the server on which this service is hosted (commonly referred to as server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.

Log file information is stored for security reasons, including the detection and prevention of abuse or fraud, in line with our obligations to safeguard data and ensure the integrity of our systems.

7. Cookies and Reach Measurement

Cookies are pieces of information that are transmitted from our web server or third-party web servers to the web browsers of the users of our online offering and stored there for later retrieval. Cookies may be small files or other types of information storage.

We use “session cookies”, which are only stored for the duration of the current visit to our online presence (e.g. to enable the storage of your login status and thus the use of our escrow services et. al). In a session cookie, a randomly generated unique identification number is stored, a session ID. In addition, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our escrow services and log out, for example.

Users are informed about the use of cookies in the context of pseudonymous range measurement as part of this privacy policy.

If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

You can object to the use of cookies that are used for range measurement and advertising purposes via the Network Advertising Initiative deactivation page (http://www.payoak.net/yourad-choices/).

8. Google Analytics

We use Google Analytics, a web analytics service provided by Google Inc., based on our lawful interest in analysing, optimising, and improving the economic operation of our online services, in accordance with Section 2.2(c) of the Nigeria Data Protection Regulation (NDPR) 2019. Google Analytics uses cookies, and the information generated by these cookies about users’ activity on our platform is typically transmitted to and stored on Google servers in the USA.

Google is certified under international frameworks, ensuring compliance with global data protection standards. Google processes this data on our behalf to evaluate the use of our website, generate reports on website activity for our internal use, and provide other services related to website and internet usage. This may involve creating pseudonymous usage profiles based on the data processed.

We use Google Analytics to help display advertisements placed within Google’s advertising network and its partners’ networks. These ads are shown to users who have demonstrated interest in our services or who have specific characteristics (such as interest in topics or products based on their previous browsing behavior). We share this information with Google to form so-called “Re-marketing Audiences” or “Google Analytics Audiences” to ensure that our advertisements are relevant to the users and do not cause unnecessary disruption.

For enhanced privacy, we use Google Analytics with IP anonymization enabled. This means that Google truncates users’ IP addresses within member states of the European Union and other countries in agreement with the European Economic Area. Only in exceptional cases will the complete IP address be transmitted to Google servers in the USA and shortened there. Google does not merge the transmitted IP address with any other data.

Users can prevent the storage of cookies by adjusting their browser settings. Additionally, users can opt-out of data collection by downloading and installing the Google Analytics opt-out browser add-on, available at: http://tools.google.com/dlpage/gaoptout.

For more information on how Google uses data, and to manage or opt out of Google’s data collection, please visit:

• Google’s Privacy Policy

• Managing Google Ads.

If you do not consent to this data collection, you may prevent it by installing the browser add-on to disable Google Analytics: https://tools.google.com/dlpage/gaoptout.

9. Newsletter

With the following instructions, we inform you about the contents of our free newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures.

9.1. Content of the newsletter

We send newsletters, e-mails and other electronic notifications with promotional information (hereinafter “newsletter”) only with the consent of the recipients or a legal permission. In-so-far as the contents of the Newsletter are specifically described in the context of a registration, they are decisive for the consent of the users. Otherwise, our newsletters contain information about our products, offers, promotions and our company.

9.2. Double opt-in and logging

Registration for our newsletter is carried out in a so-called double opt-in process. This means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with other e-mail addresses. The registrations for the newsletter are logged to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.

9.3. Dispatch Service Provider

We use “MailChimp,” a newsletter dispatch platform provided by Rocket Science Group, LLC, located at 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. You can review the privacy policy of the service provider here: https://mailchimp.com/legal/privacy/. Rocket Science Group LLC complies with international data protection standards to ensure the protection of personal data. In accordance with the Nigeria Data Protection Regulation (NDPR) 2019, we ensure that any data transfer to a foreign entity (such as MailChimp) is conducted in line with the NDPR’s cross-border data transfer requirements, ensuring the security of your personal data. Furthermore, according to its own information, the shipping service provider may use this data in pseudonymous form, i.e. without assigning it to a user, to optimize or improve its own services, e.g. to technically optimize the shipping and display of the newsletters or for statistical purposes to determine which countries the recipients come from. However, the dispatch service provider does not use the data of our newsletter recipients to address them itself or to pass them on to third parties.

9.4. Registration data

To sign up for the newsletter, it is sufficient to provide your e-mail address.

• Statistical collection and analyses: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from the server of the dispatch service provider when the newsletter is opened. Within the scope of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval are initially collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined with the help of the IP address) or the access times. The statistical surveys also include the determination of whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor that of the dispatch service provider to observe individual users. The evaluations serve us much more to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The use of the dispatch service provider, performance of statistical surveys and analyses, and logging of the registration process are carried out based on our lawful interest, in accordance with Section 2.2(c) of the Nigeria Data Protection Regulation (NDPR) 2019. Our interest is directed towards implementing a user-friendly and secure newsletter system that aligns with our business objectives while fulfilling the expectations and needs of our users.

• Cancellation/revocation: You can cancel the receipt of our newsletter at any time, i.e. revoke your consent. This will simultaneously terminate your consents to its dispatch by the dispatch service provider and the statistical analyses. A separate cancellation of the dispatch by the dispatch service provider or the statistical analysis is unfortunately not possible. A link to cancel the newsletter can be found at the end of each newsletter. If users have only registered for the newsletter and cancelled this registration, their personal data will be deleted.

10. Integration of Third-Party Services and Content

In providing our services, Payoak.net may use third-party content and services based on our legitimate interests, which are aimed at optimising and ensuring the proper functioning of our online services in line with Nigerian law. Our processing of your data, including through third-party providers, is based on legitimate business interests, such as the improvement of user experience and platform security. We integrate content or services such as videos, fonts, analytics, and more into our platform. These third-party providers may require access to your IP address to deliver content correctly. We ensure that third-party providers use your IP address exclusively for this purpose. Additionally, third-party services may collect anonymous data for statistical or marketing purposes using technologies like pixel tags (also called web beacons). These allow third parties to track information such as user traffic, which may be linked to information from other sources. Some third-party providers that me may integrate to deliver effective services may include the following:

10.1. Google Fonts

We use Google Fonts (Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to integrate fonts into our platform. This service involves a server request to Google, which may collect data as part of the integration. For more information, refer to Google’s Privacy Policy and their Opt-Out.

10.2. Google Maps

We may use Google Maps (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) for location-based services. For more details, refer to Google’s Privacy Policy and their Opt- Out.

10.3 Social Media Integration

• X (Formerly Twitter): We may use X's social sharing features, which collect data when you interact with these functions. Data is transferred to X, but we have no control over how X uses the data. Please refer to X's Privacy Policy for more information.

• Facebook: We may integrate Facebook’s social media features into our platform. By interacting with these features, certain data, such as your interactions, may be collected and transferred to Facebook. We have no control over how Facebook processes this data. For more details, refer to Facebook’s Privacy Policy.

• Instagram: We may use Instagram’s social media functions, which collect data when you interact with these functions. This data is transferred to Instagram, but we have no control over its use. For more information, please refer to Instagram’s Privacy Policy.

• TikTok: We may use TikTok’s social sharing features, which may collect data when you interact with these functions. Data is transferred to TikTok, and we have no control over how TikTok processes this data. Please consult TikTok’s Privacy Policy for further details.

Your Rights and Data Management

As a user, you have the right to request access to your data, correction of inaccuracies, and the deletion of your data under applicable Nigerian laws. You also have the right to object to the processing of your data or to withdraw consent where applicable. For further information on how your data is handled and your rights under Nigerian data protection law, please contact us via our designated privacy officer.

11. Rights of the Users

Users have the right to obtain, upon request and free of charge, information about the personal data that we have stored about them. In addition, users have the right to correct inaccurate data, restrict processing and delete their personal data, if applicable, to assert their rights to data portability and, in the event of the assumption of unlawful data processing, to file a complaint with the competent supervisory authority. Likewise, users may revoke consents, in principle with effect for the future.

12. Deletion of Data

The data stored by us will be deleted as soon as they are no longer necessary for their intended purpose, and such deletion does not conflict with any statutory retention obligations. If user data is not deleted due to its requirement for other legally permissible purposes, its processing will be restricted. This means the data will be blocked and not processed for any other purposes. For instance, this applies to user data that must be retained for commercial or tax reasons. In compliance with Nigerian legal requirements, data will be stored for a minimum period of 6 years in accordance with the Companies and Allied Matters Act (CAMA) and other applicable laws related to business documentation and accounting records. This includes but is not limited to, financial statements, business correspondence, and accounting records. Additionally, tax-related documents may be retained for up to 10 years in line with the Nigerian tax law, specifically the Federal Inland Revenue Service (FIRS) guidelines.

13. Right of Objection

Users may object to the future processing of their personal data in accordance with the legal requirements at any time. The objection can be made against processing for purposes of direct advertising.

14. Changes to the Data Protection Declaration

We reserve the right to change the data protection declaration to adapt it to changed legal situations, or in the event of changes to the service as well as data processing. However, this only applies to declarations on data processing. If user consents are required or components of the data protection declaration contain provisions of the contractual relationship with the users, the changes will only be made with the consent of the users. Users are requested to inform themselves regularly about the content of the data protection declaration.

Effective Date: 16/12/2024