Cool Microfinance Bank Data Privacy & Data Protection Policy


INTRODUCTION

Cool Microfinance Bank Limited is a fully licensed microfinance institution operating under the regulatory framework of the Central Bank of Nigeria. We are committed to delivering innovative and customer-centric banking solutions to a diverse client base, including individuals, small and medium enterprises (SMEs), and non-governmental organizations.


Our banking services are designed to meet the evolving needs of our customers, providing seamless access through our physical head office and advanced digital platforms. These platforms include secure internet banking and a user-friendly mobile application, enabling customers to perform transactions conveniently from anywhere. Whether through in-person interactions or digital channels, we are dedicated to offering reliable, efficient, and accessible financial solutions to empower our customers and foster sustainable growth. Customers and potential customers can access our services through these channels, including our website, mycoolbank.com.


When you open an account at any of our branches, use our electronic channels (e-channels), or subscribe to any of our products and services including online banking, instant banking, and ATM card services, you provide personally identifiable information. This Privacy Policy explains how we collect, use, store, disclose, and, when necessary, destroy the personal data you share with us. We are committed to safeguarding your information in compliance with applicable data protection laws.


You can access the complete Privacy Policy on our website at mycoolbank.com or by visiting our head office. We encourage you to read the policy carefully. By engaging with any of our products or services, you consent to the collection and processing of your personal data as described in this policy. Unless otherwise specified, all terms used in this Privacy Policy align with the definitions provided in our Terms and Conditions, which are also available on our website.

Please read this privacy policy carefully as it will help you make informed decisions about sharing your personal information with us.


DEFINITIONS

“Consent” of the Data Subject means any freely given, specific, informed, and unambiguous authorization for the processing of their Personal Data. Such consent must be expressed through a statement or a clear affirmative action that signifies agreement to the processing of Personal Data relating to him or her;

“Data” means any form of information, including characters, symbols, or binary code, that is processed digitally. This data can be stored, transmitted, or retrieved through electronic means and may exist in diverse formats across various storage devices;


“Data Protection Officer or DPO” means the designated officer appointed under Data Protection Laws to ensure Cool Microfinance Bank’s compliance with regulatory frameworks. The DPO advises the Bank and its personnel on data protection responsibilities, monitors adherence to legal requirements, and oversees data handling practices under the Data Protection Laws;


“Data Subject” means any natural person who can be identified directly or indirectly through unique identifiers (such as a name, identification number) or other distinguishing factors related to their physical, mental, economic, cultural, or social characteristics;


“NDPR” means the Nigeria Data Protection Regulation, 2019, which governs the collection, storage, and processing of personal data within Nigeria;


“NDPA” means the Nigeria Data Protection Act, 2023, which establishes legal frameworks and standards for data protection and privacy in Nigeria;


“Our Services” refers to the digital banking services offered by the Bank to its customers, including but not limited to online/mobile banking and instant banking;


“Personal Data” means any information related to an identified or identifiable natural person ("Data Subject"), who can be recognized directly or indirectly through identifiers such as a name, identification number, location data, online identifiers, or other factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity. This includes, but is not limited to, names, addresses, photographs, email addresses, bank information, social media posts, medical records, and technical identifiers such as MAC addresses, IP addresses, IMEI numbers, IMSI numbers, SIM information, and other forms of Personal Identifiable Information (PII);


“Personal Identifiable Information (PII)” means information that, alone or combined with other data, can be used to identify, contact, or locate a specific individual, or to identify a person in a particular context;


“PCI DSS” stands for Payment Card Industry Data Security Standards, which establish protocols for securing and protecting cardholder information during processing, storage, and transmission;


“Processing” means any activity performed on Personal Data, whether automated or manual, including but not limited to collection, recording, organization, structuring, storage, modification, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.


Information Collection And Use

We collect several different types of information for various purposes to provide and improve our services to you.


Types of Data Collected

Personal Data

As part of delivering our services, we may collect and process certain personally identifiable information ("Personal Data") to identify or communicate with you. This data may include, but is not limited to, your full name (first, middle, and last), email address, phone number, home address, signature, date of birth, and government-issued identification (such as a driver’s license, international passport, or national identity card). We may also collect your bank verification number (BVN) for identity verification purposes.


Credentials

When you subscribe to our services, especially e-channel services like online and mobile banking, you may need to provide specific authentication information. This may include your User ID, PIN, token-generated responses, password hints, and similar security credentials. Where applicable, you may choose or be required to provide biometric data for account access and transaction verification. To safeguard your information, we use advanced security protocols, including data encryption and secure storage, to protect your credentials and ensure the integrity of your transactions.


ATM Card Services

By subscribing to our ATM card services, you will receive an ATM card containing unique security identifiers:


  1. Personal Access Number (PAN) – the unique number on your card.
  2. Personal Identification Number (PIN) – used for authentication during transactions.
  3. Card Verification Number (CVV) – used for verifying card-not-present transactions.

To ensure the security of your card, you must keep these details confidential and prevent unauthorized access. If we issue a default PIN, you are required to change it immediately to activate and use your card. These identifiers may be requested during card-related transactions or online service enrollments for verification purposes.

When you make payments or transfers, we collect the necessary information, including your card number and security code. All payment-related data is handled in strict adherence to PCI DSS standards, ensuring secure processing, transmission, and storage.


Usage Data

When you access our services via a web browser or mobile device, we may collect data to enhance your experience and ensure the functionality of our services. This data includes:


  1. Technical Information: Your IP address, browser type and version, the pages you visit, timestamps of your visit, time spent on each page, and unique device identifiers.
  2. Location Tracking: We may request permission to access and track your location to provide personalized, location-based services. You can manage or revoke location access through your device’s settings.
  3. Mobile Feature Access: Our mobile services may require access to your device’s camera, calendar, Bluetooth, contacts, and storage. You can control these permissions in your device’s settings at any time.
  4. Device Information: We automatically collect data such as your mobile device ID, model, manufacturer, operating system version, IP address, and diagnostic data to improve system performance.

Cookies And Tracking Technologies

We use cookies and similar tracking technologies to monitor how you interact with our services. These small data files help us collect anonymous information for analysis and service enhancement. If you prefer not to accept cookies, you may adjust your browser settings. However, please note that some service features may be restricted if cookies are disabled.


Use Of Analytics To Collect/Monitor/Analyze Data

We may use third-party Service Providers to monitor and analyze the use of our Service. Such services include, but are not limited to:


  1. Google Analytics
    Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. For more information on the privacy policies of Google, please visit the Google Privacy & Terms web page located at Google LLC.
  2. Links to Other Sites
    Our service may include links to external websites that are not managed by us. By clicking on a third-party link, you will be redirected to that third party's website. We encourage you to carefully review the Privacy Policy of any site you visit, as we do not have control over and are not responsible for the content, privacy practices, or policies of any third-party websites or services.

Use Of Data

We collect personally identifiable information to provide you with the banking services you have subscribed to and to facilitate seamless transaction processing. Additionally, your data may be used beyond these purposes when necessary to comply with legal, regulatory, and contractual obligations, as well as other legitimate business interests. Specifically, your data may be used for the following purposes, including but not limited to:


  • Delivering and maintaining our banking services.
  • Informing you of changes to our services.
  • Enabling participation in interactive features when chosen.
  • Offering customer care and technical support.
  • Analyzing data to enhance our services.
  • Monitoring service usage for quality control.
  • Identifying, preventing, and resolving technical issues.
  • Facilitating account opening processes.
  • Sending marketing and promotional communications for business-related purposes.
  • Providing targeted advertising based on your interests and location, either for our business purposes or with your consent, and measuring the effectiveness of these advertisements.

Your information helps us enhance your banking experience while complying with legal and business requirements.


We may use your information to develop and display content and advertising (and work with third parties who do so) tailored to your interests and/or location and to measure its effectiveness.


Transfer Of Data

The modern banking ecosystem is highly interconnected, involving multiple parties in the processing of transactions, such as personalization companies, switching firms, processors, acquirers, merchants, and card schemes. During these transactions, certain personal data may be shared among these entities.

Cool Microfinance is committed to safeguarding your personal data and will only share it as necessary for banking services, legal and regulatory compliance, contractual obligations, or other relevant purposes. If data sharing is required, stringent security measures will be in place to prevent unauthorized access. All collected data will be stored within Cool Microfinance’s systems in Nigeria, and any use of cloud services will adhere to strict governance policies.

We ensure that all reasonable steps are taken to protect your personal information. No transfer of data will occur to another organization or country without adequate security controls in place.


Transfer Of Personal Data To Foreign Country

Cool Microfinance is committed to ensuring the security of personal data when it is transferred outside Nigeria. In line with this commitment, the Bank will undertake a comprehensive assessment to verify whether the destination country is included on the NITDA White List of Countries with adequate data protection frameworks.


Any cross-border transfer of personal data will comply strictly with the Nigeria Data Protection Regulation (NDPR) 2019 and will only be conducted under the following legal grounds:

  • With the Data Subject’s explicit consent;
  • Where necessary to perform a contract with the Data Subject or implement pre-contractual measures;
  • Where required to execute a contract between the Bank and a third party in the Data Subject’s interest;
  • For reasons of overriding public interest;
  • For the establishment, exercise, or defense of legal claims;
  • To protect the vital interests of the Data Subject or others when the Data Subject cannot provide consent.

In every case, the Bank will ensure that the Data Subject is fully informed of potential risks associated with transferring data to a third-party country. This provision does not apply if the transfer is necessary for ongoing civil or criminal proceedings involving the Data Subject in the third-party country. If the destination country is not recognized on the White List and no qualifying conditions are met, the Bank will seek prior authorization from NITDA and the Office of the Honourable Attorney General of the Federation (HAGF) before facilitating the transfer.
The Bank is committed to maintaining the security of all data during transfer and will provide full details of protective measures upon request by the Data Subject.


Disclosure Of Data

We only share and disclose your information in the following situations:

  • Legal Compliance and Regulatory Disclosures:
    Cool Microfinance will disclose your personal information when legally obligated to do so. This may occur in response to applicable laws, governmental inquiries, court orders, judicial proceedings, or other legal processes. Such disclosures may also be made to public authorities for the purpose of national security or law enforcement as required by law.
  • Safeguarding Legal Rights and Public Safety:
    We may disclose your information when it is necessary to protect our legal rights or the safety of individuals. This includes investigations into potential policy violations, suspected fraud, illegal activities, or situations that pose a threat to personal safety. Additionally, we may share information as evidence in legal proceedings where we are involved.
  • Collaboration with Service Providers and Third Parties:
    Your personal data may be shared with trusted third-party service providers, vendors, contractors, or agents who assist us in delivering our banking services. These services include, but are not limited to, payment processing, data analytics, email delivery, website hosting, customer service, and marketing activities.
    To enhance service delivery and improve user experience, selected third parties may use tracking technologies on our digital platforms. This allows them to monitor user interactions, analyze trends, and understand engagement patterns. We do not sell, rent, or trade your personal information with third parties for marketing purposes, except as outlined in this policy.
  • Business Restructuring and Transfers:
    In the event of a business transaction, such as a merger, acquisition, sale of assets, or financing, your personal information may be transferred or shared with relevant parties. Such transfers will be conducted securely and in accordance with applicable data protection laws and our internal security protocols.

Security Of Data

We value the security of your personal information and have adopted appropriate technical and organizational measures to protect the data we collect and process. These measures are designed to ensure the confidentiality, integrity, and security of your information against unauthorized access, loss, or misuse.

Despite our commitment to protecting your data, no digital or internet-based system can be entirely secure. We cannot guarantee absolute security for information transmitted to and from our services. For your safety, we advise accessing our services only through secure networks and environments. We will continue to enhance our security measures to safeguard your personal information to the best of our ability.


General Principles For Processing Of Personal Data

Cool Microfinance is fully committed to complying with the Nigeria Data Protection Regulation (NDPR) in all aspects of Personal Data processing. This commitment underscores our dedication to fostering a privacy-centric environment and ensuring that all personal information is handled with the utmost care and responsibility.

To uphold these standards, the Bank strictly adheres to the following fundamental principles:

  • Lawfulness, Fairness, and Transparency:
    The processing of Personal Data shall be conducted lawfully, fairly, and with transparency. Any Personal Data collected or processed by the Bank must align with a specific, legitimate, and lawful purpose that has been clearly communicated to and consented to by the Data Subject. The Bank will only deviate from this principle where permitted by law or under other valid legal grounds as specified in the NDPR.

Data Accuracy

The Bank is committed to ensuring the accuracy and currency of Personal Data. To this end:

  • All collected and processed data must be accurate and not misleading in a way that may harm the Data Subject.
  • Reasonable steps will be taken to maintain updated Personal Data where necessary.
  • Any discovered inaccuracies will be promptly corrected or deleted.

Purpose Limitation

The collection and processing of Personal Data will be limited to the purposes specified in the Bank’s Privacy Notice and to which the Data Subject has provided explicit consent. Personal Data will not be repurposed for any other use without obtaining fresh consent, except as permitted by law.


Data Minimization

Personal Data collection will be restricted to what is directly relevant, adequate, and essential for the specified processing purpose. When feasible, the Bank will anonymize data to minimize the identification of Data Subjects while fulfilling processing objectives.


Integrity And Confidentiality

The Bank enforces rigorous controls to protect Personal Data from unauthorized access, modification, and disclosure, whether stored digitally or physically. Measures are in place to prevent unauthorized access or changes to Personal Data, ensuring its continued accuracy and trustworthiness.

  • Any employee handling Personal Data without proper authorization is in breach of Bank policy and will face disciplinary action.
  • Access to Personal Data is restricted to employees who require it for their official duties. Unauthorized use, sharing, or personal exploitation of this data is strictly prohibited.
  • The Human Resources and ICT Departments are responsible for educating employees about their data privacy responsibilities at the beginning of their employment. This obligation remains binding even after the employee leaves the Bank.

Personal Data Retention

All Personal Data collected, stored, and processed by the Bank shall be retained and disposed of in line with regulatory and legislative requirements. The Bank will conduct periodic reviews of the Personal Data in its possession to assess its accuracy, relevance, purpose, and the continued need for retention. The retention period for Personal Data is determined based on the following factors, subject to applicable laws and the Bank’s Document Retention Policy:

  1. Contractual Obligations: Personal Data will be retained for the duration of the contractual relationship with the Data Subject or as long as required to fulfill the purpose for which it was collected.
  2. Statutory Requirements: Where the Personal Data relates to a transaction or relationship with legal or regulatory retention obligations, it will be retained for the period specified by law.
  3. Data Subject’s Request for Deletion: Personal Data may be deleted upon the Data Subject’s express request, provided:
    1. There is no ongoing investigation requiring the Bank to retain the data.
    2. There are no existing contractual obligations necessitating the continued processing of the data.
  4. Lawful Basis for Extended Retention: The Bank may retain Personal Data beyond the initial purpose where there is a lawful basis to do so. This may include archiving, scientific research, historical research, or statistical purposes in the public interest, as permitted under the Nigeria Data Protection Regulation (NDPR).

The Bank will promptly delete or securely dispose of Personal Data that is no longer required, in accordance with its Document Retention Policy, unless there is a legal or regulatory obligation to retain such data.


Accountability

At Cool Microfinance, we uphold our commitment to data privacy by maintaining robust accountability measures in line with the Nigeria Data Protection Regulation (NDPR). This section outlines our approach to ensuring compliance, managing breaches, and enforcing internal accountability.
The Bank is dedicated to demonstrating ongoing compliance with the NDPR by regularly monitoring, reviewing, and improving its data privacy practices. This commitment ensures that the Bank remains aligned with regulatory requirements and industry best practices.

Any employee, contractor, or third party who violates this Privacy Policy will be subject to disciplinary action, which may include:

  • Internal Disciplinary Measures: Breaches of the Privacy Policy may result in disciplinary actions, including suspension or termination of employment.
  • Legal Consequences: Individuals who violate privacy laws may also be subject to civil or criminal liability, including fines and other legal penalties.

In the event of a potential or actual breach of Personal Data, the Bank will initiate a structured investigation process to identify and address the issue promptly and effectively:

  • Validation of the Breach: Confirm the occurrence of a Personal Data breach and assess its scope and impact.
  • Investigation Process: Conduct a thorough and impartial investigation, including the use of digital forensics, if necessary, to establish the cause and extent of the breach. All findings must be properly documented.
  • Remediation and Resolution: Identify corrective measures to mitigate risks and track the resolution of identified vulnerabilities.
  • Reporting to Top Management: Communicate findings and corrective actions to senior management for review and decision-making.
  • Engagement with Authorities: Collaborate with relevant regulatory bodies and law enforcement as required by law and ensure appropriate internal and external communications are handled effectively.

Personal Data Retention Period

We are committed to retaining your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is mandated or permitted by law (such as for tax, accounting, or other legal obligations).



Upon receiving a request for account closure:

  • Account Closure Process: Your account will be closed; however, historical records associated with the account will be retained as required for legal, regulatory, and compliance purposes.
  • Cessation of Processing: Except where required by law, regulatory bodies, or law enforcement agencies, all further processing of personal information related to the closed account will cease upon closure.

Your Privacy Rights

In some regions (like the European Economic Area), you have certain rights under applicable data protection laws. These may include the right:

  • To request access and obtain a copy of your personal information;
  • To request rectification or erasure;
  • To restrict the processing of your personal information; and
  • If applicable, to data portability.

In certain circumstances as stated in section 2.8 of the Nigeria Data Protection Regulation, you may also object to the processing of your personal information. To make such a request, please use the contact details provided below. We will consider and act upon any request in accordance with applicable data protection laws.

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.

If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here: European Data Protection Board.


Account Information

If you wish to review, modify, or terminate your account, you may contact us using the details provided in this Privacy Policy.

  • Cookies and Similar Technologies:
    Most web browsers accept cookies by default. If you prefer, you may adjust your browser settings to delete or reject cookies. Please note that disabling cookies may affect certain features or functionalities of our services. For information on opting out of interest-based advertising, please visit: Privacy Policy.
  • Opting Out of Email Marketing:
    You may unsubscribe from our marketing communications at any time by clicking the "unsubscribe" link in any email we send or by contacting us directly. Although you will be removed from our marketing email list, we may still send essential service-related emails required for account management.
  • Other opt-out options include:
    • Setting your preferences when registering an account.
    • Updating your communication preferences via your account settings.
    • Contacting us through the information provided.
  • Automated individual decision-making or profiling:
    We do not engage in automated decision-making processes, including profiling, to make decisions that may significantly affect you. All decisions involving your personal information are made through human oversight to ensure fairness, accuracy, and transparency.

Training

The Bank is committed to ensuring that all employees involved in the collection, access, and processing of Personal Data receive comprehensive training on data privacy and protection. This training is designed to equip employees with the knowledge, skills, and competencies required to manage the compliance framework under this Privacy Policy and the Nigeria Data Protection Regulation (NDPR). The Bank shall develop and implement an annual capacity-building plan to enhance employees' understanding of data privacy and protection in accordance with the NDPR.


Data Protection Officer

The Bank shall appoint a Data Protection Officer (DPO) responsible for overseeing the Bank’s data protection strategy and ensuring compliance with the Nigeria Data Protection Regulation (NDPR). The DPO shall possess expert knowledge of data privacy and protection principles and maintain a thorough understanding of the NDPR’s provisions.

The core responsibilities of the DPO include:

  • Administering and enforcing the Bank’s data protection policies and practices;
  • Monitoring compliance with the NDPR and other applicable data protection laws, including conducting awareness programs, training, and internal audits;
  • Advising management, employees, and third-party service providers on their obligations under the NDPR;
  • Acting as a primary contact point for all data protection-related matters;
  • Regularly reviewing and updating the Bank’s data protection policies to ensure ongoing compliance;
  • Overseeing the completion of Data Protection Impact Assessments (DPIA) and mitigating risks in the Bank’s data processing operations; and
  • Maintaining a comprehensive database of all personal data collection and processing activities undertaken by the Bank.

Data Protection Audit

The Bank is committed to ensuring regulatory compliance through an annual data protection audit conducted by a licensed Data Protection Compliance Organization (DPCO).

The audit shall assess the Bank’s adherence to the NDPR and other applicable data protection laws. Upon completion, the DPCO will certify the audit report and submit it to the National Information Technology Development Agency (NITDA) as mandated by law.


Changes To This Privacy Policy

This Privacy Policy may be updated from time to time to reflect regulatory changes, business practices, or other operational adjustments. Any modifications will be published on this page and made accessible at our branches.

We recommend that you periodically review this Privacy Policy to remain informed about how we manage and protect your personal data. All updates will take effect from the date of publication unless otherwise stated.


Contact Us

If you have any questions or comments about this policy, you may contact our Data Protection Officer (DPO) by email at management@coolbank.ng or by post to:

Data Protection Officer
Cool Microfinance Bank Limited
C96-C101, Road 2,
Ikota Shopping Complex,
Lekki-Ajah Expressway, Lagos
Nigeria

If you have any further questions or comments about us or our policies, email us at info@coolbank.ng or write to us by post at:

Cool Microfinance Bank Limited
C96-C101, Road 2,
Ikota Shopping Complex,
Lekki-Ajah Expressway, Lagos
Nigeria
