Ascent Finance Logo
Replace 10 separate finance apps today! See how

Business Privacy Policy

For businesses using Ascent Finance Suite to manage their finances

This Privacy Policy for Business Users governs how Ascent Tech Hub Africa Nig. Ltd. collects, processes, stores, and shares data obtained from and about business entities, merchants, and corporate customers that access the Ascent Finance Suite.

1. Introduction and Scope

Ascent Tech Hub Africa Nig. Ltd. ("Ascent", "we", "us", or "our") is committed to protecting Personal Data and Business Data processed through the Ascent Finance Suite (the "Platform"). This Business Privacy Policy applies to all business entities, sole traders, partnerships, limited liability companies, corporations, cooperatives, and any other legally recognised business forms (collectively, "Business Users" or "you") that register for or access the Platform.

This Policy is issued in compliance with the Nigerian Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, and all other Applicable Law, including applicable sector-specific guidelines issued by the Central Bank of Nigeria (CBN), the Nigeria Data Protection Commission (NDPC), and the Federal Competition and Consumer Protection Commission (FCCPC).

This Policy should be read alongside the General Privacy Policy (applicable to individual end-users), the Business Terms of Use, and the Acceptable Use Policy, all of which form part of the Agreement between Ascent and Business Users.

2. Definitions

In this Policy, the following terms have the meanings set out below:

  • Applicable Law means all statutes, subsidiary legislation, regulatory guidelines, and directives applicable in Nigeria including the NDPA 2023, the NDPR 2019, CAMA 2020, BOFIA 2020, CBN regulations, the Money Laundering (Prevention and Prohibition) Act 2022, and the Cybercrimes (Prohibition, Prevention Etc.) Act 2015.
  • Business Data means financial records, transaction data, payroll records, inventory data, invoices, and any other data generated by or relating to the operations of a Business User on the Platform.
  • Data Controller means Ascent Tech Hub Africa Nig. Ltd., which determines the purposes and means of processing Personal Data on the Platform.
  • Data Processor means any third party engaged by Ascent to process Personal Data or Business Data on its behalf.
  • Data Subject means any identified or identifiable natural person whose Personal Data is processed on the Platform, including employees, directors, and customers of Business Users.
  • Personal Data has the meaning ascribed to it under the NDPA 2023 and includes any information relating to an identified or identifiable natural person.
  • Processing means any operation or set of operations performed on Personal Data or Business Data, including collection, storage, retrieval, use, disclosure, and deletion.
  • Sensitive Personal Data means Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or financial information, as defined under the NDPA 2023.

3. Data We Collect from Business Users

3.1 Business Registration and Identity Data

When a Business User registers on the Platform, Ascent collects the following data to verify the business and its authorised representatives:

  • Business legal name, trading name, and registration number (RC Number or Business Name Registration Number).
  • Certificate of Incorporation or Business Name Registration Certificate.
  • Memorandum and Articles of Association or Partnership Deed (as applicable).
  • Tax Identification Number (TIN) issued by the Federal Inland Revenue Service (FIRS); Verified business address and contact details.
  • Bank Verification Numbers (BVN) and government-issued identity documents of directors, partners, or authorised signatories.
  • Beneficial ownership information as required under CBN KYC Regulations and the SCUML registration framework.

3.2 Financial and Transaction Data

To provide Financial Services on the Platform, Ascent collects and processes:

  • Bank account details, including account numbers and bank names.
  • Payment and collections records, including transaction amounts, dates, counterparties, and references.
  • Invoice, receipt, and purchase order data submitted or generated through the Platform.
  • Payroll data, including employee salary schedules and statutory deductions (PAYE, pension, NHF).
  • Credit and lending data, including loan applications, repayment history, and data obtained from licensed credit bureaux.
  • Foreign exchange transaction records where applicable.

3.3 Operational and Usage Data

  • Platform usage logs, including login times, features accessed, and session durations.
  • Device identifiers, IP addresses, browser types, and operating system information.
  • Customer-facing data uploaded to the Platform, including customer records, product listings, and inventory data.
  • API call logs and integration data for businesses using the Ascent API.

3.4 Employee and Payroll Data

Where a Business User operates payroll, HR, or workforce management features on the Platform, Ascent processes Personal Data of the Business User's employees on behalf of the Business User. In this context, the Business User is the Data Controller and Ascent acts as a Data Processor. Business Users are responsible for ensuring they have a valid legal basis for providing employee Personal Data to Ascent and for issuing appropriate privacy notices to their employees.

3.5 Data from Third Parties

Ascent may receive data about Business Users from the following third-party sources:

  • The Corporate Affairs Commission (CAC) for corporate registry verification.
  • Licensed credit bureaux for credit assessment and risk scoring.
  • Partner banks and payment processors for transaction verification and reconciliation.
  • Government identity databases (NIMC, FRSC, NPC) for identity verification.
  • SCUML and other compliance databases for AML screening.

4. Legal Basis for Processing

Ascent processes Business Data and Personal Data of Business Users and their Data Subjects on the following legal bases under the NDPA 2023:

(a) Performance of Contract

Processing is necessary to deliver the Financial Services and Platform functionalities requested by the Business User under the Business Terms of Use.

(b) Legal Obligation

Processing is required to comply with Applicable Law, including KYC/AML requirements under CBN regulations, tax reporting obligations under FIRS guidelines, and data retention requirements under financial services law.

(c) Legitimate Interests

Processing is necessary for Ascent's legitimate interests in operating a secure, compliant, and commercially viable financial technology platform, including fraud detection, risk management, product improvement, and business analytics, provided such interests are not overridden by the interests or fundamental rights of Data Subjects.

(d) Consent

Where Ascent relies on consent as a legal basis, including for certain marketing activities or the processing of Sensitive Personal Data, such consent will be obtained in a clear, specific, and informed manner. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.

5. Purpose of Processing

Ascent processes Business Data and Personal Data for the following purposes:

  • Onboarding, KYC/AML verification, and ongoing due diligence of Business Users and their beneficial owners.
  • Providing, operating, and maintaining the Platform and all Financial Services.
  • Processing payments, collections, transfers, and other financial transactions.
  • Generating and managing invoices, receipts, financial statements, and business reports.
  • Facilitating payroll processing, tax filings, and statutory remittances.
  • Credit assessment and lending facilitation through licensed credit partners.
  • Fraud detection, prevention, and investigation.
  • Compliance with regulatory reporting obligations to the CBN, FIRS, NDPC, and other Regulators.
  • Platform security, system integrity monitoring, and audit logging.
  • Customer support, dispute resolution, and complaint management.
  • Product analytics and development to improve Platform features.
  • Marketing and communications, subject to applicable consent requirements and opt-out rights.

6. Data Sharing and Disclosure

Permitted Disclosures

  • Regulatory and law enforcement authorities, including the CBN, NDPC, EFCC, NFIU, and courts, where required or permitted by Applicable Law.
  • Licensed partner banks, payment processors, card schemes, and settlement institutions necessary to process transactions.
  • Licensed credit bureaux for credit scoring and risk assessment.
  • Payroll and tax service providers engaged to facilitate statutory deductions and remittances.
  • Technology service providers and cloud infrastructure partners processing data on Ascent's behalf under binding Data Processing Agreements (DPAs) that comply with the NDPA 2023.
  • Auditors, legal advisers, and compliance consultants bound by professional confidentiality obligations.
  • Prospective acquirers or investors in connection with a merger, acquisition, or corporate restructuring, subject to appropriate confidentiality arrangements.

6.2 Prohibition on Sale of Data

Ascent will NOT sell, rent, or commercially license Business Data or Personal Data to any third party for marketing, advertising, or any other commercial purpose not described in this Policy.

6.3 Business User's Own Data Sharing

Where a Business User shares its customers' Personal Data with Ascent through the Platform, the Business User represents and warrants that it has obtained all necessary consents, provided all required privacy notices, and has a valid legal basis for such sharing under Applicable Law. Ascent processes such data as a Data Processor acting on the instructions of the Business User.

7. Cross-Border Data Transfers

The Platform's primary infrastructure is hosted within Nigeria. Where Ascent transfers Business Data or Personal Data outside Nigeria, including to cloud service providers or technology partners in other jurisdictions, Ascent shall ensure that:

  • The recipient country provides an adequate level of data protection as recognised under the NDPA 2023.
  • Appropriate contractual safeguards are in place, including standard contractual clauses approved by the NDPC.
  • Business Users are notified of the nature and location of international transfers where required by law.

8. Data Retention

Ascent retains Business Data and Personal Data for the following periods:

  • KYC and identity verification records: minimum of 5 years after the end of the business relationship, as required by CBN AML/CFT regulations.
  • Financial transaction records: minimum of 6 years in accordance with the Financial Reporting Council of Nigeria Act and tax laws.
  • Payroll and employee data: as directed by the Business User (as Data Controller) and in accordance with applicable labour and tax laws.
  • Platform usage and audit logs: minimum of 2 years for security and compliance purposes.

After the applicable retention period, data will be securely deleted or anonymised in accordance with Ascent's data destruction policy and Applicable Law.

9. Data Security

Ascent implements appropriate technical and organisational security measures to protect Business Data and Personal Data against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • End-to-end encryption for data in transit using TLS 1.2 or higher.
  • Encryption at rest for sensitive financial and identity data.
  • Role-based access controls and multi-factor authentication for Platform access.
  • Regular penetration testing, vulnerability assessments, and security audits.
  • Comprehensive audit logging and anomaly detection systems.
  • Incident response and data breach notification procedures aligned with the NDPA 2023.

In the event of a data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, Ascent will notify the NDPC within 72 hours of becoming aware of the breach, and will notify affected Business Users without undue delay, in accordance with the NDPA 2023.

10. Rights of Business Users and Data Subjects

10.1 Rights of Business Users

Business Users have the following rights in relation to their Business Data and Personal Data, exercisable by contacting Ascent at [email protected].

  • Right of Access: to request confirmation of what data Ascent holds and to receive a copy.
  • Right to Rectification: to request correction of inaccurate or incomplete data.
  • Right to Erasure: to request deletion of data, subject to legal retention obligations.
  • Right to Restriction: to request that Ascent limits its processing in certain circumstances.
  • Right to Data Portability: to receive data in a structured, commonly used, machine-readable format.
  • Right to Object: to object to processing based on legitimate interests

10.2 Rights of Employees and End-Customers of Business Users

Where Ascent processes Personal Data of employees or customers of Business Users as a Data Processor, requests from such Data Subjects should be directed to the Business User in the first instance, as the Data Controller. Ascent will cooperate with Business Users in facilitating the exercise of Data Subject rights in accordance with Applicable Law.

10.3 Response Timeframes

Ascent will respond to rights requests within 30 days of receipt. Where a request is complex or involves a large volume of data, Ascent may extend this period by a further 30 days, with notice to the Business User.

11. Data Processing Agreements

Where Ascent processes Personal Data on behalf of a Business User as a Data Processor, the parties shall execute a Data Processing Agreement (DPA) in compliance with the NDPA 2023 and the NDPC's published standard clauses. The DPA will govern, among other matters: the subject matter and duration of processing, the nature and purpose of processing, the type of Personal Data involved, and the obligations and rights of the Business User as Data Controller.

Business Users engaged in processing activities that involve Sensitive Personal Data or high-risk processing operations may be required to complete a Data Protection Impact Assessment (DPIA) before commencing such processing on the Platform.

12. Cookies and Tracking Technologies

The Platform uses cookies and similar tracking technologies to maintain session security, analyse usage patterns, and improve Business User experience. Business Users can manage cookie preferences through the Platform settings. Disabling certain cookies may affect Platform functionality. A full Cookie Policy is available on the Platform.

13. Changes to this Policy

Ascent reserves the right to update this Policy at any time to reflect changes in Applicable Law, regulatory guidance, or business practices. Material changes will be communicated to Business Users via the Platform, email, or other appropriate means at least 14 days before taking effect.

Continued use of the Platform after the effective date of any amendment constitutes acceptance of the revised Policy.

14. Contact and Complaints

For any queries, data access requests, or complaints regarding this Policy or Ascent's data practices, please contact:

Data Protection Officer - Ascent Tech Hub Africa Nig. Ltd.

Email: [email protected].

Address: Plot 12, Oladele Kadiri Close, Ogba, Lagos, Nigeria

Website: www.ascentfinance.africa

If you are not satisfied with Ascent's response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng.

Effective Date:

April 2026

Version:

1.0

Reviewed By:

Legal & Compliance, Ascent Tech Hub Africa Nig. Ltd.