Privacy Policy
Last updated: May 19, 2026
This Privacy Policy explains how OnDesk ("we", "us", or "our") collects, uses, shares, and protects your personal information when you use the OnDesk mobile application and related services (collectively, the "Service"). By using OnDesk, you agree to the practices described in this policy.
1. Who We Are
OnDesk is a fintech application that provides bill payment services. Our services are subject to applicable financial regulations, including anti-money laundering (AML) and know-your-customer (KYC) requirements.
If you have questions about this policy, contact us at: support@ondesk.app
2. Information We Collect
2.1 Information You Provide
| Category | Examples |
|---|---|
| Account information | Full name, email address, phone number, username |
| Authentication credentials | Password (stored as a one-way hash), transaction PIN (stored as a one-way hash) |
| Identity verification (KYC) | Bank Verification Number (BVN), National Identification Number (NIN), government-issued ID data |
| Financial information | Bank account name, number, and bank details you add to your account |
| Profile | Profile photo |
2.2 Information We Collect Automatically
| Category | Examples |
|---|---|
| Network & device data | IP address, browser/device user-agent string, HTTP request metadata |
| In-app activity | API request logs, transaction activity, login events |
| Security and audit data | Login timestamps, security events, session identifiers |
2.3 Information from Third Parties
When you verify your identity or make payments, we receive information from the third-party providers listed in Section 5, including identity verification results and transaction status updates from payment processors.
We do not collect:
- Precise GPS or device location
- Contacts or address book data
- Third-party analytics data
3. How We Use Your Information
We use your information to:
- Create and manage your account — Registration, authentication, and account settings.
- Process transactions — Fiat deposits and withdrawals, internal transfers between users, and bill payments.
- Verify your identity (KYC) — Comply with financial regulations by verifying your BVN or NIN through our identity verification partner.
- Secure your account — Detect fraud, enforce rate limits, manage two-factor authentication (2FA), and maintain audit logs.
- Communicate with you — Send transactional emails (OTPs, verification results, transaction receipts, account alerts).
- Improve the Service — Analyse aggregate, anonymised usage patterns and API performance metrics.
- Meet legal obligations — Comply with applicable laws, regulations, and lawful government requests.
4. Legal Bases for Processing
Depending on your jurisdiction, we process your data under one or more of the following legal bases:
- Contract performance — Processing necessary to provide the Service you signed up for.
- Legal obligation — KYC/AML requirements under applicable financial regulations.
- Legitimate interests — Fraud prevention, security monitoring, and service improvement.
- Consent — Where you have given explicit consent (e.g., optional features).
5. Third-Party Service Providers
We share your information with the following categories of service providers only to the extent necessary to deliver the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Dojah | KYC identity verification (BVN, NIN, address, face match) | Name, BVN/NIN, selfie image |
| Paga | Bill payments, airtime, bank transfers | Name, account details, transaction data |
| Email (SMTP provider) | Transactional email delivery | Email address, name |
We do not sell your personal data to third parties. We do not share your data with advertisers. All third-party providers are bound by data processing agreements and are only permitted to use your data for the specific purpose for which it was shared.
6. Identity Verification Data (KYC)
Because OnDesk is a financial service for bill payments, we are required by law to verify your identity before enabling certain features (e.g., higher transaction limits). This involves:
- Collecting your BVN and/or NIN
- Submitting this information to Dojah, our licensed identity verification partner
- Storing the verification result (pass/fail status and reference ID) in your account record
Your BVN and NIN are stored securely in our database and are never exposed through our API. They are used solely for regulatory compliance purposes.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Retained for as long as your account is active |
| Transaction records | Retained indefinitely for financial audit and legal compliance |
| Audit logs (IP, user-agent) | Retained for security and compliance purposes |
| Session tokens | Expire after 30 days of inactivity |
| Temporary codes (OTPs) | Deleted after use or expiry |
| Deleted account data | Anonymised (email and name replaced) and retained for audit trail purposes |
When you delete your account, we anonymise your personal identifiers (your email is replaced with a randomised value and your phone number is removed). Transaction records are retained as required by applicable law.
8. Data Security
We protect your information using:
- Encryption in transit — All data is transmitted over HTTPS/TLS.
- Hashed credentials — Passwords and transaction PINs are hashed with bcrypt and never stored in plain text.
- Sensitive field exclusion — BVN, NIN, and credentials are excluded from all API responses.
- Rate limiting — Brute-force protections on login, PIN entry, and verification endpoints.
- Two-factor authentication (2FA) — Available and encouraged for all accounts.
- Audit logging — All significant account and transaction events are logged.
No method of transmission or storage is 100% secure. If you become aware of a security issue, please contact us immediately at security@ondesk.app.
9. Your Rights
Depending on your location, you may have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate data.
- Deletion — Request deletion of your account and personal data (subject to legal retention requirements).
- Portability — Request your data in a structured, machine-readable format.
- Objection — Object to certain types of processing.
- Withdraw consent — Where processing is based on consent.
To exercise any of these rights, contact us at support@ondesk.app. We will respond within 30 days.
10. Children's Privacy
OnDesk is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has created an account, please contact us and we will delete the account promptly.
11. International Data Transfers
OnDesk operates primarily in Nigeria. If your data is processed or stored outside your country of residence, we ensure appropriate safeguards are in place (such as contractual clauses with service providers) to protect your data consistent with applicable law.
12. Push Notifications and Communications
We use in-app notifications to deliver real-time alerts within the app. We send transactional emails for account events (OTPs, KYC results, transaction receipts). We do not send marketing emails at any point.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and notify you through the app or by email for material changes. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us:
OnDesk Support
Email: support@ondesk.app
This Privacy Policy is designed to meet the requirements of Apple App Store Review Guidelines (including Section 5 — Privacy) and applicable data protection laws.