Preamble.
Nexus places the highest importance on privacy and personal data protection. We commit to processing your data in compliance with Regulation (EU) 2016/679 of April 27, 2016 (GDPR), the French "Informatique et Libertés" law as amended, and all applicable national laws in the territories where we operate (Ivory Coast, Senegal, Cameroon, Benin, Morocco, etc.).
This policy applies to all data processed by Nexus via its websites, applications, APIs, dashboards and any other services provided under the Nexus brand.
Data controller.
The data controller is Nexus SA, a joint-stock company registered with the Douala Trade & Companies Register under RC/DLA/XXXX/B/XXXXX, headquartered in Cameroon.
For any question on data protection, contact our Data Protection Officer at dpo@nexus.com.
Personal data collected.
Nexus collects several categories of personal data depending on your relationship with our services:
Identification data
- First and last name, date and place of birth, gender, nationality
- ID document (national ID, passport, residence permit) with photo
- National identifier number (if applicable)
- Biometric "selfie" for KYC verification
- Postal address and proof of address
Contact data
- Email address, mobile phone number
Financial data
- Mobile Money wallet numbers, IBAN, bank account numbers
- Transaction history, amounts, timestamps, counterparties
- Payment card data (tokenized, never in cleartext)
Business data
- Company name, role, industry
- Corporate legal documents (registration, statutes, beneficial owners)
Technical data
- IP address, user-agent, device type, OS
- Session identifiers and cookies
- API connection and usage logs
- Approximate geolocation (country, city)
Processing purposes.
Nexus processes your data only for specified, explicit and legitimate purposes:
| Purpose | Data categories |
|---|---|
| Provision of payment services and transaction execution | Identification, financial, technical |
| Identity verification (KYC) and AML/CFT | Identification, contact, business |
| Fraud prevention and suspicious activity detection | Transactions, technical, behavioral |
| Regulatory reporting obligations | Transactions, identification |
| Customer relations, technical support, complaints | Contact, interaction history |
| Service improvement and anonymized statistics | Technical, behavioral |
| Marketing communications (with consent) | Contact |
| Collections and litigation | Identification, financial |
Legal bases.
- Contract performance (Article 6.1.b GDPR) — delivery of subscribed services.
- Legal obligation (Article 6.1.c GDPR) — KYC, AML/CFT, reporting to regulators.
- Legitimate interest (Article 6.1.f GDPR) — fraud prevention, service improvement, platform security.
- Consent (Article 6.1.a GDPR) — marketing communications, non-essential cookies, biometric data.
Retention periods.
| Data | Retention |
|---|---|
| KYC and identification data | 10 years after relationship closure (AML/CFT obligation) |
| Transaction history | 10 years after the transaction |
| Technical logs | 12 months |
| Audit logs (security) | 10 years (non-repudiation) |
| Tokenized card data | Contract duration + 13 months |
| Prospects without order | 3 years after last contact |
| Analytics cookies | 13 months |
After these periods, data is either deleted or irreversibly anonymized for statistical purposes.
Data recipients.
- Authorized internal teams: compliance, finance, support, risk.
- Subcontractors and technical providers: cloud hosting, email/SMS, KYC/screening, analytics tools.
- Banking partners and Mobile Money operators: Orange Money, Wave, MTN, Moov, YAS, Airtel — strict minimum required for transaction execution.
- Regulatory and judicial authorities: BEAC, BCEAO, COBAC, TRACFIN, CENTIF, courts, upon valid request.
- External auditors: statutory auditors, certification auditors — under confidentiality agreement.
Nexus never sells your data to third parties. No personal data is ever transferred to data brokers, marketing networks or advertising platforms, for any purpose.
Transfers outside the European Union.
Nexus hosts data primarily in Africa (WAEMU/CEMAC data centers) and the EU (Paris, Dublin). Some transfers may occur to other countries for cross-border payment execution.
These transfers are governed by appropriate GDPR safeguards:
- Standard Contractual Clauses (SCC) from the European Commission for non-EU transfers.
- Adequacy decisions from the European Commission (where applicable).
- Binding Corporate Rules (BCR) within the Nexus group.
Your rights on your data.
Under GDPR, you have the following rights:
To exercise your rights, send your request to dpo@nexus.com with proof of identity. We respond within one month, extendable by two months for complex requests.
If you believe your rights are not respected, you can file a complaint with a supervisory authority: CNIL in France, ARTCI in Ivory Coast, CDP in Senegal, APDP in Benin, CNDP in Morocco.
Cookies and trackers.
Nexus uses cookies and similar technologies to ensure site functionality, measure audience and improve your experience. You can modify your preferences at any time via the consent banner or browser settings.
Strictly necessary cookies
Essential for site functioning (session, security, CSRF). No consent required.
Audience measurement cookies
We use a privacy-respecting analytics tool with anonymized IP.
Third-party cookies
Only set after your explicit consent. You can refuse without impact on your navigation.
Data security.
Nexus implements appropriate technical and organizational measures to protect your data against destruction, loss, alteration, disclosure or unauthorized access.
- TLS 1.3 encryption in transit, AES-256 at rest
- Environment separation (prod / pre-prod / dev)
- Mandatory MFA for internal access
- Annual pentests by certified firms
- Permanent bug bounty program
- PCI-DSS Level 1, ISO 27001, SOC 2 Type II certifications
In the event of a data breach likely to create a risk to your rights, we notify the supervisory authority within 72 hours and, where applicable, the affected individuals.
Processing of minors' data.
Nexus services are restricted to persons aged 18 and over or emancipated minors. We do not knowingly collect data about minors without prior authorization from a legal guardian.
Policy changes.
Nexus may modify this policy to reflect changes in its services, regulations or best practices. Substantial changes will be notified by email and/or via your dashboard at least 30 days before entry into force.
Data Protection Officer contact.
Data Protection Officer — Nexus
Email: dpo@nexus.com
Mail: DPO — Nexus SA, PO Box XXXX, Douala, Cameroon