Privacy Policy

3.1 User Account Data

We collect information necessary to manage and secure your access to the platform:

• Identity Information: Full name and official designation within the organization.
• Contact Information: Professional email address and phone number.
• Authentication Data: Login credentials (passwords are cryptographically hashed) and Multi-Factor Authentication (MFA) logs.
• Role Information: Assigned permissions (e.g., Platform Admin, Org Admin, Standard User, or Auditor).

3.2 Transaction Verification Data (The “Input”)

When a user performs a single or bulk verification, the platform processes:

• Account Identifiers: The 10-digit Nigerian Uniform Bank Account Number (NUBAN).
• Financial Institution Data: The Bank Name or the 3-digit Central Bank of Nigeria (CBN) Bank Code.
• Batch Metadata: For bulk uploads, we record the Filename (e.g., Project_Vendor_List.csv) and the total count of records processed.

3.3 Verification Results (The “Output”)

Upon successful communication with the banking API, the platform stores:

• Account Name: The official name registered to the account at the financial institution.
• Verification Status: Status indicators such as “Verified,” “Account Not Found,” or “Invalid Bank Code.”
• Timestamp: The exact date and time the verification was performed for audit purposes.

3.4 Data We Do NOT Collect

To maintain strict data minimization and security:

• Financial Secrets: QuickCheque never requests or stores Transaction PINs, BVN (Bank Verification Numbers), or Account Balances.
• Personal Identity Documents: QuickCheque does not store or process signatures, ID cards, or passport photographs. Its sole focus is bank account name matching.

4.1 Payment Accuracy & Error Prevention

The primary purpose of the platform is to confirm that a provided 10-digit NUBAN matches the official Account Name registered at a financial institution. This prevents:

• Manual Entry Errors: Identifying typos before funds are committed.
• Transaction Failures: Reducing the rate of reversed or “flagged” payments due to incorrect banking details.

4.2 Fraud Prevention & Security

QuickCheque acts as a critical layer in the “Know Your Payee” (KYP) process. By verifying the account holder’s name before a transaction is initiated, Organizations can mitigate “Ghost Payee” risks and ensure funds reach the intended recipients.

4.3 Audit & Compliance for Organizations

QuickCheque maintains a secure, timestamped record of every verification performed by an Organization. This data is used for:

• Organizational Audits: Allowing Org Admins to review internal verification activities.
• Regulatory Reporting: Providing proof to external auditors or donors that bank accounts were validated against official banking records prior to disbursement.

4.4 System Health & Provider Performance

We use anonymized, non-personal metadata (such as API response times and failure rates for specific banks) to monitor the health of our Provider-Agnostic architecture and ensure high availability for all Organizations.

5.1 Verification Service Providers (VSPs)

QuickCheque is a “Provider-Agnostic” platform. We securely transmit Verification Data to licensed third-party financial technology providers (e.g., Paystack, Flutterwave, or direct Banking APIs) to retrieve the official Account Name.

• Data Minimization: We only share the 10-digit Account Number and the Bank Code.
• No Identity Sharing: We never share User names, email addresses, or Organization details with these external providers.

5.2 Legal & Regulatory Disclosure

We may disclose processed data only if required by law, such as:

• To comply with a legal obligation or a valid court order.
• To protect and defend the rights or property of the Platform.
• To prevent or investigate possible wrongdoing in connection with the Service (e.g., fraud detection).

5.3 No Data Monetization

QuickCheque does not sell, rent, or trade any Verification Data or User Account Data to third parties for marketing or advertising purposes. All data sharing is strictly functional and limited to the verification request initiated by the User.

6.1 Logical Data Separation

Every Organization invited to QuickCheque is assigned a unique Organization ID (Org-ID). All data — including User profiles, Verification Data, and Result Data — is tagged with this ID.

• The “Wall”: The platform’s database queries are architected to only return records matching the logged-in User’s Org-ID.
• No Cross-Visibility: It is technically impossible for a User in Organization A to view, search for, or export the verification history of Organization B.

6.2 Administrator Boundaries

• Org Admins: Have full visibility and control only over their own Organization’s users and data. They cannot see the activities of other Organizations.
• Platform Admins (IT): While Platform Admins manage the system’s global health and Provider configurations, they do not access the private verification results of specific Organizations unless required for a documented support ticket or troubleshooting.

6.3 Secure Onboarding & Offboarding

When an Organization is deactivated, access is revoked for all Users within that Org-ID. The data remains isolated and encrypted until it is purged according to the retention policy.

7.1 Encryption in Transit

All communication between the User’s browser and the QuickCheque platform, as well as between QuickCheque and our Service Providers, is encrypted using Transport Layer Security (TLS 1.2 or higher). This ensures that account numbers and result data cannot be intercepted by unauthorized parties during transmission.

7.2 Encryption at Rest

Sensitive data stored within our databases is protected using Advanced Encryption Standard (AES-256).

• Database Encryption: Verification records and user profile information are encrypted at the storage level.
• Credential Hashing: User passwords are never stored in plain text. We use strong, one-way salted hashing algorithms (e.g., BCrypt or Argon2) to ensure that even in the event of a database breach, original passwords remain unreadable.

7.3 Access Controls & MFA

• Role-Based Access Control (RBAC): Access to specific features (like Bulk Uploads or Provider Configuration) is strictly limited based on the User’s assigned role.
• Multi-Factor Authentication (MFA): To prevent unauthorized login via compromised passwords, QuickCheque supports (or requires, depending on Organization policy) an additional layer of verification for all Users.

7.4 Network & Infrastructure Security

The platform is hosted on secure, enterprise-grade cloud infrastructure featuring:

• Web Application Firewalls (WAF): To block common web attacks like SQL Injection and Cross-Site Scripting (XSS).
• Regular Security Patching: Automated updates to the platform’s underlying software to defend against newly discovered vulnerabilities.

8.1 Active Retention (Verification Logs)

To provide Organizations with a reliable historical record for financial reconciliation, all Verification Data and Result Data (Account Number, Account Name, and Timestamp) are retained for a standard period of seven (7) years, unless otherwise requested by a specific Organization’s contractual agreement.

• Purpose: This supports long-term donor audits and internal financial reviews.

8.2 User Account Retention

• Active Users: User profiles (Name, Email, Role) are retained for as long as the User is authorized by their Organization.
• Deactivated Users: When an Org Admin deactivates a User, their login ability is revoked immediately. However, their historical activity (e.g., “Who verified this account?”) remains linked to their name for audit integrity.

8.3 Organization Deactivation & Deletion

Upon the formal request of an Organization or a decision to terminate a tenant’s access:

• Immediate Suspension: All Users within that Organization are locked out.
• Data Archival: The data is moved to a “Cold Storage” encrypted state for a grace period of 90 days to allow for final exports or legal holds.
• Permanent Purge: After the grace period, all Organization-specific records are permanently deleted from the active database, leaving only anonymized system logs.

8.4 Automated Cleanup

QuickCheque utilizes automated cleanup processes to identify and securely erase data that has exceeded the 7-year retention limit. This process ensures the platform does not become a “data graveyard,” maintaining system performance and security.

9.1 Right to Access & Data Portability

Every User has the right to request a summary of the personal data QuickCheque holds about them, including their profile information and a log of their verification history.

• Access Procedure: Users may view their current profile and recent verification history directly through the “My Dashboard” or “Profile Settings” interface.

9.2 Right to Rectification

If a User notices that their personal information (such as their full name or contact details) is inaccurate or incomplete, they have the right to request a correction.

• Correction Procedure: Users may update their profile information directly via the dashboard. For administrative or role-based changes, the User must contact their Org Admin.

9.3 Right to Erasure (“Right to be Forgotten”)

A User may request the deletion of their account and associated personal data.

• Scope: While the User’s personal profile can be deleted, please note that for audit and compliance reasons, the Verification History (the record of which account was verified and when) must be retained as part of the Organization’s financial records.
• Process: The User must submit a formal request to their Org Admin, who will coordinate with the Platform Admin (IT) to process the account deactivation.

9.4 Grievance & Escalation

If a User feels that their privacy rights have been violated, they may raise a formal grievance.

• Step 1: Contact your Org Admin.
• Step 2: If the issue is not resolved, contact the QuickCheque Platform Support Team (IT).

10.1 Notification of Changes

When significant changes are made to how we handle personal or verification data, we will notify Users and Organizations through one or more of the following channels:

• In-App Notification: A pop-up or banner alert displayed upon the next login.
• Email Communication: A formal notice sent to the registered email addresses of all Organization Admins.
• Version History: A “Last Updated” date clearly displayed at the top or bottom of the Privacy Policy page.

10.2 Review and Acceptance

Continued use of the QuickCheque platform following the notification of an update constitutes acceptance of the revised Privacy Policy. Organizations that do not agree with the updated terms should contact the Platform Admin (IT) to discuss data export and account deactivation options prior to the changes taking effect.

10.3 Archive of Previous Versions

QuickCheque maintains an internal archive of previous Privacy Policy versions. Organization Admins may request access to these archives to track the evolution of our data handling standards for audit purposes.