Dark Veil

Legal Documentation

Privacy Policy

Building trust through transparency.

Effective: 01/05/2026Last Updated: April 30, 2026

01 / Identity

Institutional Data

We collect your student ID, CGPA, and level to verify eligibility without traditional credit checks.

02 / Usage

Analytics

We track how you interact with Pody to optimize our automated credit-limit adjustments.

03 / Sharing

Vendor

We only share your shipping details with vetted tech vendors after purchase approval.

"Your data is personal. We treat your data as the infrastructure for your future, not as a product to be sold."

01. Introduction and Who We Are

Pody Network Limited ("Pody," "we," "our," or "us") operates the Pody mobile application and web platform (collectively, the "Platform") — a Buy Now, Pay Later (BNPL) service designed exclusively for Nigerian students, enabling interest-free instalment-based access to goods and services.

We are a technology company incorporated under the laws of the Federal Republic of Nigeria. We are not a bank, microfinance institution, or licensed financial services provider. Pody operates as a technology-enabled marketplace and BNPL platform intermediary, connecting Nigerian students with approved merchants and facilitating instalment-based payments.

Our operations are subject to applicable Nigerian laws including, but not limited to, the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), the Federal Competition and Consumer Protection Act 2018 (FCCPA), directives issued by the Federal Competition and Consumer Protection Commission (FCCPC) regarding Digital Lending and BNPL services in Nigeria, and the Credit Reporting Act 2017 where applicable to our data-sharing activities.

This Privacy Policy explains what personal information we collect from you when you use our Platform, how we use it, how we protect it, with whom we share it, and what rights you have over it. By accessing or using Pody, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

If you do not agree with any part of this Privacy Policy, you must immediately discontinue use of the Platform. You may contact us at privacy@pody.network for any privacy-related queries.

02. Categories of Personal Data We Collect

We collect personal data through multiple touchpoints during your onboarding, daily use, and credit assessment processes. The categories below describe our data collection in full:

2.1 Identity and Verification Data

To verify your identity and establish your account, we collect:

  • Full legal name (as it appears on government-issued ID)
  • Date of birth
  • Gender
  • National Identification Number (NIN) and/or Bank Verification Number (BVN)
  • Passport photograph or selfie image
  • Government-issued identification documents (e.g., National ID card, voter's card, student ID)
  • Utility bill
  • Biometric data collected through liveness detection checks (processed via DIDIT)

Identity verification is conducted through DIDIT, our licensed KYC/identity verification partner. By using Pody, you consent to your identity data being processed through DIDIT's systems as described in Section 7 of this Policy.

2.2 Student and Academic Data

As a student-focused credit platform, we collect academic information to establish your eligibility and creditworthiness:

  • Name of institution (university, polytechnic, or college of education)
  • Student matriculation or registration number
  • Faculty, department, and course of study
  • Academic level/year of study
  • Academic performance records or Cumulative Grade Point Average (CGPA) — where provided or accessible
  • Proof of student status (student identification card, admission letter, or valid enrolment document)
  • Enrollment and expected graduation date

Academic data is treated with the highest level of sensitivity. It is used solely to determine your eligibility for credit and to tailor your credit limit. We do not sell or monetise your academic data to any third party for non-credit purposes.

2.3 Contact and Communication Data

  • Email address
  • Phone number (primary and, where provided, alternative)
  • Residential and mailing address

2.4 Transaction Data

  • Bank account details (bank name, account number, account name)
  • Transaction history on the Pody Platform
  • Repayment records and schedules
  • Outstanding balance and credit utilisation
  • Payment method information (debit card details — tokenised and encrypted)
  • Information obtained from licensed Nigerian credit bureaus

2.5 Device and Technical Data

  • Device type, model, and operating system version
  • IP address and approximate geolocation
  • Mobile advertising ID and device identifiers
  • Browser type and version
  • App version and crash logs
  • Session activity data (pages visited, actions taken, timestamps)
  • Network provider and connection type

2.6 Usage and Behavioural Data

  • Login history and frequency
  • Features accessed and interactions within the Platform
  • Shopping and browsing behaviour within the Pody marketplace (where applicable)
  • Repayment behaviour and timeliness patterns

2.7 Communications Data

  • Customer support tickets, chat logs, and call recordings
  • Feedback, reviews, and survey responses
  • Marketing consent preferences

03. How We Collect Your Personal Data

We collect your personal data through the following means:

  • Directly from you, when you register on the Platform, submit an application, or contact our support team.
  • Automatically, through our mobile application and web platform using cookies, SDKs, and tracking technologies.
  • From third-party identity verification providers (DIDIT) during KYC onboarding.
  • From licensed credit bureaus in Nigeria (such as CRC Credit Bureau, FirstCentral Credit Bureau, or CreditRegistry), during credit checks or after your consent.
  • From your financial institution, where you authorise open banking or direct bank account connectivity.
  • From your educational institution, where you authorise us to verify your student status directly.
  • From error monitoring and performance tools, including Sentry, which collects crash and diagnostic data.

Where we rely on automated processes to make decisions about your credit eligibility, you have the right to request human review of such decisions as described in Section 11.

04. How We Use Your Personal Data

PurposeDetails
Identity VerificationKYC compliance, and fraud prevention pursuant to applicable Nigerian laws including the Money Laundering (Prohibition) Act and FCCPC digital lending guidelines.
Credit AssessmentEvaluating your eligibility and credit limit using academic standing, financial profile, and credit bureau data.
Service DeliveryProcessing BNPL transactions, managing instalment schedules, and sending payment reminders.
Account ManagementCreating, maintaining, and managing your user account and profile.
Regulatory ComplianceMeeting our obligations under the NDPA 2023, NDPR, Credit Reporting Act, FCCPA, and FCCPC guidelines on digital lending and BNPL platforms.
Dispute ResolutionInvestigating and resolving complaints, chargebacks, and disputed transactions.
Credit ReportingReporting your credit behaviour (positive and negative) to licensed Nigerian credit bureaus as required under the Credit Reporting Act 2017.
Security & FraudDetecting, investigating, and preventing fraud, money laundering, identity theft, and other prohibited activities.
Product ImprovementAnalysing usage patterns via anonymised and aggregated data to improve our services.
CommunicationsSending service notifications, repayment reminders, product updates, and — where you have opted in — marketing messages.
Legal ProceedingsPursuing or defending legal claims where necessary.

06. Special Protections for Student Data

We recognise that student data is a sensitive category of personal information. As a platform that serves Nigerian students, we are committed to handling your academic data responsibly, transparently, and in compliance with applicable regulations.

  • We do not sell your academic data to any third party, including educational institutions, corporate entities, advertisers, or data brokers.
  • Academic data is used solely for the purpose of determining credit eligibility and setting credit limits within the Pody Platform.
  • We do not use academic data to make decisions that adversely affect your educational rights or academic standing.
  • Students retain the right to request correction of inaccurate academic data held by Pody at any time.
  • Where we share your student status with merchants for verification purposes, we share only the minimum necessary information (e.g., confirmation that you are a valid student user) and not your full academic records.
  • We process biometric data (facial recognition and liveness detection) for the sole purpose of identity verification during onboarding. This processing is conducted by DIDIT on our behalf and is not used for any other purpose. Biometric data is not retained on Pody's servers beyond the verification process.

07. Third-Party Data Processors and Partners

We engage trusted third-party processors who handle your data on our behalf, strictly under our instruction and pursuant to Data Processing Agreements (DPAs) that comply with the NDPA 2023. Below are our key processors:

7.1 DIDIT — Identity Verification

DIDIT is our KYC (Know Your Customer) and identity verification provider. We share the following data with DIDIT: full name, date of birth, government-issued ID information, selfie photographs, and liveness detection data. DIDIT processes this data solely to verify your identity and confirm document authenticity. DIDIT's privacy practices are governed by DIDIT's own privacy policy, available on their website. By using Pody, you consent to DIDIT processing your identity data as described.

7.2 Sentry — Error Monitoring and Performance

We use Sentry, an application performance monitoring and error tracking tool, to identify bugs, crashes, and performance issues in our Platform. Sentry may collect device information, IP addresses, and anonymised usage data. We configure Sentry to minimise the capture of personally identifiable information. Sentry acts as a data processor under our instructions and is bound by its Data Processing Agreement with us.

7.3 Amazon Web Services (AWS) — Cloud Infrastructure

Pody's Platform, databases, and data storage infrastructure are hosted on Amazon Web Services (AWS). All data stored on AWS is encrypted at rest and in transit using industry-standard encryption protocols (AES-256 and TLS 1.2+). AWS operates as a data processor and does not access your personal data except as necessary to provide its cloud infrastructure services. AWS is certified under ISO 27001, SOC 2, and other recognised security standards.

7.4 Payment Processors

We work with licensed payment processors and switching companies to process instalment repayments and mandate setups. These processors operate under applicable Nigerian payment system regulations and are subject to PCI-DSS compliance standards.

7.5 Credit Bureaus

We share credit behaviour data with licensed Nigerian credit bureaus (CRC Credit Bureau, FirstCentral Credit Bureau, and/or CreditRegistry) as required under the Credit Reporting Act 2017. This includes both positive repayment history and adverse credit events (defaults, delinquencies). Your credit information may also be accessed from these bureaus during your application.

7.6 Nigerian Regulatory Authorities

We may be required to share your data with regulators including but not limited to the Federal Competition and Consumer Protection Commission (FCCPC), the Nigeria Data Protection Commission (NDPC), the Nigerian Financial Intelligence Unit (NFIU), and law enforcement agencies — when required to do so by law, court order, or regulatory directive.

7.7 Firebase — Analytics, Authentication, and Cloud Services

We use Firebase, a platform provided by Google, for authentication services, analytics, and backend support functions such as crash reporting and user engagement tracking. Firebase may collect device information, usage patterns, IP addresses, and anonymised behavioural data. Where Firebase Authentication is used, it securely processes login credentials and identity tokens. Firebase operates as a data processor under Google's privacy and security framework, and data is handled in accordance with applicable data protection laws.

7.8 Mixpanel — Product Analytics

We use Mixpanel to understand how users interact with the Platform, including feature usage, navigation flows, and engagement patterns. Mixpanel collects anonymised or pseudonymised event data such as page views, clicks, session duration, device type, and IP-based location data. This helps us improve user experience, product design, and platform performance. Mixpanel processes data on our behalf and does not use your data for its own purposes.

7.9 Nightwatch — End-to-End Testing and Monitoring

We use Nightwatch for automated end-to-end testing and monitoring of our Platform. Nightwatch helps us ensure system reliability by simulating user interactions and detecting functional issues across our web application. During testing, limited technical data such as session behaviour, page responses, and device/browser information may be processed. This data is used strictly for quality assurance and system stability and is not used for marketing or profiling purposes.

We do not sell, rent, or trade your personal data with any third party for their own marketing or commercial purposes. Any sharing of data is strictly for service delivery, compliance, or legal obligations as described in this Policy.

08. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, and thereafter as required by law. Our retention periods are guided by the following:

CategoryRetention Period
Identity (KYC) DataMinimum 5 years after account closure, in line with FCCPC digital lending guidelines and Nigerian anti-money laundering obligations.
Transaction RecordsMinimum 6 years after the date of the transaction, per applicable Nigerian tax, accounting, and platform compliance obligations.
Credit DataUp to 7 years from the date of last activity on your credit file, as required by the Credit Reporting Act 2017 and Nigerian credit bureau regulations. This applies even after account deletion.
Student/Academic DataRetained for the duration of your account plus 3 years for dispute resolution purposes.
Communication Logs2 years from the date of communication.
Device & Technical Data12 months from collection, unless required longer for security investigations.
Marketing DataUntil you withdraw consent or opt out, whichever is sooner.

After the applicable retention period, we will securely delete or anonymise your personal data so that it can no longer be linked back to you.

09. Data Security

We implement and maintain appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

  • End-to-end encryption for all data transmitted between your device and our servers (TLS 1.2 / TLS 1.3).
  • AES-256 encryption for all data stored at rest on AWS.
  • Tokenisation of all payment card data; we do not store raw card numbers.
  • Multi-factor authentication (MFA) for all internal staff access to production systems.
  • Role-based access controls (RBAC) ensuring that only authorised personnel access your data on a need-to-know basis.
  • Regular penetration testing and vulnerability assessments of our Platform.
  • Continuous real-time monitoring via Sentry and AWS CloudWatch for security anomalies.
  • An internal Data Breach Response Policy with a 72-hour notification obligation to the NDPC as required under the NDPA 2023.

Despite our best efforts, no system is completely invulnerable. In the event of a data breach that is likely to result in high risk to your rights and freedoms, we will notify you promptly in accordance with the NDPA 2023.

10. Account Deletion and the Retention of Credit Data

IMPORTANT NOTICE: Nigerian financial regulations impose specific obligations on us regarding the retention of certain data even after you delete your Pody account. Please read this section carefully.

You have the right to request the deletion of your Pody account at any time. You may do so through the Platform's account settings or by submitting a written request to privacy@pody.network. We will acknowledge your request within 7 (seven) working days.

Upon account deletion, we will:

  • Deactivate your account and prevent further logins or transactions.
  • Delete or anonymise your personal data that is not subject to legal retention obligations.
  • Remove your marketing profile and opt you out of all promotional communications.
  • Cease active processing of your data for service delivery purposes.

10.1 Mandatory Retention After Account Deletion

Notwithstanding your account deletion request, Pody is legally required to retain certain categories of data after deletion. This is not optional for us and cannot be waived:

  • Credit and Repayment Records: In compliance with the Credit Reporting Act 2017 and applicable FCCPC guidelines, your repayment records, default events, and instalment history may be shared with and retained by licensed credit bureaus for a period of up to 7 (seven) years from the date of last activity.
  • KYC and Identity Data: Your identity verification data (NIN, BVN, biometric verification results) must be retained for a minimum of 5 (five) years after your last platform activity, as required by applicable Nigerian anti-money laundering obligations.
  • Transaction Records: All transaction records related to your use of Pody must be retained for a minimum of 6 (six) years as required by applicable Nigerian tax, accounting, and FCCPC compliance obligations.
  • Outstanding Obligations: If you have any outstanding repayments, fees, or dues at the time of your account deletion request, your account will not be fully deleted until all obligations are settled.
  • Legal Proceedings: If your account is the subject of any ongoing legal proceedings, regulatory investigation, or dispute, we will retain relevant data until the matter is fully resolved.

After account deletion, the data retained under these mandatory categories will be held in a restricted-access archive. It will not be used for marketing, product development, or any purpose other than regulatory compliance, credit reporting, and legal proceedings.

11. Your Data Protection Rights

Under the Nigeria Data Protection Act 2023 (NDPA) and the NDPR, you have the following rights in respect of your personal data:

  1. 1Right of Access

    You have the right to request a copy of all personal data we hold about you. We will respond within 30 days of receiving a verifiable request.

  2. 2Right to Rectification

    You have the right to request correction of inaccurate or incomplete personal data we hold about you.

  3. 3Right to Erasure ("Right to be Forgotten")

    Subject to the mandatory retention obligations described in Section 10, you have the right to request deletion of your personal data. We will honour this right to the fullest extent permitted by applicable law.

  4. 4Right to Data Portability

    You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that we transmit it directly to another controller where technically feasible.

  5. 5Right to Object

    You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests.

  6. 6Right to Restrict Processing

    You have the right to request that we restrict the processing of your data in certain circumstances, for example while we investigate a rectification request.

  7. 7Right to Human Review

    Where we make automated decisions that significantly affect you (including credit decisions), you have the right to request a human review of that decision by contacting us at privacy@pody.network.

  8. 8Right to Withdraw Consent

    Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

To exercise any of the above rights, please contact our Data Protection Officer at dpo@pody.network. We may require you to verify your identity before processing your request. We will respond within 30 (thirty) days. Requests that are manifestly unfounded or excessive may be subject to a reasonable administrative fee.

12. Cookies and Tracking Technologies

Our web Platform uses cookies and similar tracking technologies to enhance your user experience, maintain session state, perform analytics, and serve relevant communications. The categories of cookies we use are:

  1. 1Strictly Necessary Cookies

    Essential for the Platform to function. These cannot be disabled.

  2. 2Functional Cookies

    Remember your preferences (e.g., language, login state). Can be disabled but may impair functionality.

  3. 3Analytics Cookies

    Help us understand how users interact with the Platform using aggregated, anonymised data.

  4. 4Security Cookies

    Used to detect and prevent fraudulent activity.

You may manage or disable non-essential cookies through your browser settings or the cookie preference centre in the Platform. Disabling certain cookies may affect the functionality of some Platform features.

13. International Data Transfers

Some of our third-party processors (including AWS, Sentry, and DIDIT) may process your data outside Nigeria. When we transfer personal data outside Nigeria, we do so only in accordance with the NDPA 2023, ensuring that the receiving country offers an adequate level of data protection or that appropriate safeguards (such as standard contractual clauses or processor agreements) are in place. You may request details of such safeguards by contacting privacy@pody.network.

14. Data Processing for Persons Under 18

Pody's services are strictly available to Nigerian students who are 18 years of age or older. We do not knowingly permit individuals under 18 to register for or use the Platform.

If we become aware that a user under 18 has registered on the Platform, we will take immediate steps to suspend the account and delete their personal data in accordance with applicable data protection laws.

If you believe that a user under 18 years of age has registered on the Platform, please contact us immediately at privacy@pody.network and we will take prompt action to investigate and remove any associated data.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or product features. When we make material changes, we will notify you via email, in-app notification, or prominent notice on our Platform at least 14 (fourteen) days prior to the changes taking effect. Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes.

16. Data Protection Officer and Contact Information

We have appointed a Data Protection Officer (DPO) responsible for overseeing compliance with data protection obligations. Our DPO can be contacted at:

  • Data Protection Officer: Pody Network Limited
  • Email: dpo@pody.network
  • Privacy Queries: privacy@pody.network
  • Address: 14, Abayomi Street, Iwo Road, Ibadan, Oyo State. Nigeria
  • Regulatory Authority: Nigeria Data Protection Commission (NDPC), Abuja — ndpc.gov.ng

If you believe we have not adequately addressed your data privacy concerns, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng.

By using the Pody Platform, you confirm that you have read, understood, and agree to this Privacy Policy in its entirety.

Questions? privacy@pody.network