Products

Company

Learn

Get the app

Products

Company

Learn

Get the app

Products

Company

Learn

Get the app

Privacy Policy

Updated on 20th June, 2025

At Casa Microfinance Bank (“Casa”, “we”, “our”, or “us”), your privacy is a top priority. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our mobile app, website, and other digital banking services.


By using Casa's digital platform, you agree to the terms of this Privacy Policy.

1. What Information We Collect

We collect the following types of personal and transactional information:

A. Personal Information

  • Full name

  • Phone number and email address

  • Date of birth

  • National Identification Number (NIN), BVN

  • Government-issued ID (e.g., driver’s license, international passport)

  • Residential address and utility documents


A.1. Biometric Data and Facial Recognition (TrueDepth API)

During identity verification (KYC), we collect and process facial biometric data:

What We Collect:

  • Selfie photographs (facial images)

  • Facial expressions for liveness detection (smile detection)

  • 3D facial spatial orientation (captured via Apple TrueDepth API/ARKit)

  • Face positioning and movement data during capture

Collection Method:
This data is collected through your device's camera during identity verification using the Smile ID SDK, which utilizes Apple's TrueDepth API for enhanced liveness detection on compatible iOS devices.

How TrueDepth Data is Used:

  • TrueDepth Spatial Data: Processed LOCALLY on your device in real-time for liveness detection. This data is NEVER transmitted or stored.

  • Facial Images (Selfies): Transmitted securely to Smile ID (our identity verification partner) for identity matching.

  • Facial Expression Data: Used during capture only, not stored or transmitted.

Purpose:

  • Identity verification (matching selfie to government ID)

  • Liveness detection (confirming a live person, not photo/video/mask)

  • Fraud prevention and account security

  • Regulatory compliance (KYC/AML requirements)

Third-Party Sharing:

  • Selfie images are shared with Smile ID (SOC 2 Type II certified) for verification

  • TrueDepth spatial data is NOT shared with anyone (stays on device)

  • No biometric data is shared with advertisers or unrelated parties

Storage & Retention:

  • Selfie images: Stored on Smile ID's secure AWS servers (encrypted), retained 7 years per banking regulations

  • TrueDepth spatial data: NOT stored (0 days retention, processed and discarded)

Security:

  • All transmission via TLS 1.3 encryption

  • Data encrypted at rest with AES-256

  • Smile ID is SOC 2 Type II certified and NDPR compliant


B. Financial & Transactional Data

  • Bank account and wallet details

  • Transaction history

  • Payment and transfer behaviour

  • Card usage information (if applicable)

C. Device & Usage Data

  • IP address and device identifiers

  • Location data (with permission via your device)

  • Contacts (with permission via your device)

  • App usage logs and activity patterns

  • Cookies and similar technologies on our website

D. Third-Party Data

We may also collect information from third parties such as:

  • Credit bureaus

  • Payment service providers

  • Identity verification services

  • Partner banks or fintech platforms

2. How We Use Your Information

We use your data to:

  • Open and manage your bank account

  • Authenticate your identity and perform KYC checks

  • Process your transactions and card payments

  • Provide customer support

  • Assess creditworthiness and underwrite loans

  • Communicate important service-related updates

  • Prevent fraud, comply with AML/CFT laws, and fulfil regulatory obligations

  • Improve the functionality and security of our platform

3. Legal Basis for Processing

We process your personal data under the following lawful bases:

  • Your consent (e.g., during registration or when you opt into services)

  • Contractual necessity (to provide banking services to you)

  • Legal obligations (compliance with CBN, NDPA,NDPR, AML/CFT regulations)

  • Legitimate interest (e.g., fraud prevention, service improvement)

4. Third-Party Integrations

To deliver our services, we securely share limited data with licensed third-party partners, including:

  • Identity verification providers

  • Payment processors and card issuers

  • Credit bureaus and credit scoring agencies

  • Technology vendors and cloud service providers

We ensure that all third parties comply with relevant data protection and banking regulations.

5. Data Sharing and Disclosure

We may disclose your data:

  • To regulators such as the Central Bank of Nigeria (CBN), NFIU, or NDIC, when required

  • In response to legal requests or court orders

  • In the event of a business merger, acquisition, or restructuring

  • To fraud prevention agencies or law enforcement where necessary

We do not sell your personal information.

6. Your Rights

Under the Nigeria Data Protection Regulation (NDPR), you have the right to:

  • Access the personal data we hold about you

  • Request correction of inaccurate or incomplete data

  • Withdraw consent for data processing (where applicable)

  • Request data deletion (subject to legal and regulatory obligations)

  • Object to processing for marketing purposes

  • Request data portability (where applicable)

To exercise these rights, contact us at privacy@mycasabank.com

7. Data Retention

We retain your personal information only as long as necessary:

  • To provide you with services

  • To comply with legal and regulatory obligations

  • To resolve disputes or enforce agreements

Inactive or closed accounts may have data retained for up to 7 years or as required by law.

8. Data Security

We implement robust administrative, technical, and physical safeguards to:

  • Encrypt sensitive data in transit and at rest

  • Monitor systems for unauthorized access

  • Enforce strict access controls for employees and service providers

  • Conduct regular security audits and penetration testing

Despite these efforts, no digital system is completely immune to threats. We urge users to secure their devices and accounts.

9. Cookies and Analytics

Our website may use cookies to:

  • Improve user experience

  • Track browsing behavior

  • Analyze service performance

You can manage cookie preferences through your browser settings.

10. Children’s Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect data from minors.

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in law, technology, or our services. You will be notified of material changes via email, in-app alerts, or website announcements. Continued use of our services after updates constitutes your acceptance of the revised policy.

12. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or your personal data, please contact:

Email: privacy@mycasabank.com
Phone: +2349024166584
Address: Shop 279 & 280, Road 4 Ikota Shopping Complex

You may also lodge a complaint with the Nigeria Data Protection Commission (NDPC) if your rights are violated.

By using Casa Microfinance Bank’s services, you acknowledge that you have read and agreed to the terms of this Privacy Policy.