01Introduction
This Privacy and Data Protection Policy (the “Policy”) explains how the Trove group — Trove Payment Limited (Canada) and Trove Technologies Limited (Nigeria) — collects, uses, stores, shares, and protects personal data. It is written for the counterparties we onboard, the individuals who represent them, our employees, our suppliers, visitors to our website, and anyone else whose personal data we process.
Trove Payment Limited is a Canadian Money Services Business registered with FINTRAC under registration C10001321, incorporated in British Columbia under number BC1536964. Trove Technologies Limited is its Nigerian services affiliate. Both entities are committed to handling personal data lawfully, fairly, and transparently, and to meeting the standards set by the Nigeria Data Protection Act 2023 (“NDPA”), the Personal Information Protection and Electronic Documents Act of Canada (“PIPEDA”), and the anti-money-laundering record-keeping rules that apply to licensed MSBs under Canada’s Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”).
Where our obligations under anti-money-laundering and counter-terrorist-financing law conflict with a request from a data subject — for example, a request to erase records we are legally required to retain — the statutory obligation prevails. This Policy explains how that works in practice.
02Definitions
In this Policy:
- “Personal Data” means any information relating to an identified or identifiable natural person, directly or indirectly — including name, identification numbers, address, contact details, photograph, biometrics, and online identifiers.
- “Data Subject” means the individual whose Personal Data is being processed.
- “Processing” means any operation performed on Personal Data, including collection, recording, organisation, storage, access, use, disclosure, transfer, and deletion.
- “Controller” means the entity that determines the purposes and means of Processing. For most Processing described in this Policy, Trove Payment Limited is the Controller; Trove Technologies Limited acts as a joint Controller for Nigeria-employment Personal Data and as a Processor for counterparty data handled under the intercompany services agreement.
- “Counterparty” means a licensed financial institution, payment institution, money services business, or similar entity that Trove engages with commercially.
- “Counterparty Representative” means an individual (director, officer, employee, or authorised signatory) of a Counterparty whose Personal Data we process in the course of onboarding or servicing that Counterparty.
03Personal Data We Collect
The Personal Data we collect depends on the relationship we have with the Data Subject.
3.1 Counterparty Representatives
When a licensed counterparty engages with Trove, we are required by Canadian anti-money-laundering law to conduct Know-Your-Business (“KYB”) checks that extend to the individuals behind that counterparty. The data we collect typically includes:
- Full legal name, date of birth, nationality, residential address, country of residence, and occupation
- Identification document details and certified copies — passport, national ID, or equivalent
- Role and title within the counterparty (director, officer, beneficial owner, authorised signatory)
- Ownership or control percentage where the individual is a beneficial owner of 20% or more
- Politically Exposed Person (PEP) status and adverse-media screening results
- Sanctions-list screening results
- Source-of-funds and source-of-wealth declarations where applicable
- Business contact details — work email and work phone
- Signature specimens on counterparty documentation
- Communications exchanged in the course of the commercial relationship
3.2 Employees, contractors, and candidates
For current and former employees, contractors, and job candidates, we collect the data necessary to operate an employment relationship, including:
- Name, date of birth, contact details, next-of-kin, and emergency contact information
- Identification documents (Nigerian NIN, International passport, driver’s licence, permanent voter’s card)
- Educational and professional qualifications and references
- Bank account details for salary payment
- Statutory registration numbers — Tax Identification Number, Pension RSA PIN, NHF number
- Criminal record checks where the role requires (for example, FINTRAC-related roles)
- Performance, training, and disciplinary records
- System access logs and Company-issued device activity data for IT and security purposes
- Photographs for identity documents and internal directories (with consent)
3.3 Suppliers and service providers
We collect business contact details, bank information, and tax identifiers for the individuals who act for our suppliers. For suppliers that handle Personal Data on our behalf, we collect sufficient information to conduct vendor due diligence.
3.4 Website visitors
Our website collects minimal visitor data, limited to what is necessary to operate the site and understand general use patterns:
- IP address and device identifiers
- Browser type and version, operating system, and approximate location inferred from IP
- Pages viewed, time on page, referring source, and navigation path
- Information you submit through contact forms, including name, role, company, email, and message
We do not run consumer-targeted advertising and we do not participate in cross-site behavioural advertising networks. Cookie practices are set out in Section 12.
04How We Collect Personal Data
We collect Personal Data through several routes, depending on the relationship:
- Directly from you — when you submit a counterparty onboarding pack, complete an employment application, respond to our queries, send us email, or use our website.
- From the counterparty that represents you — when your employer or principal submits its own onboarding materials which include your Personal Data.
- From regulated third-party sources — corporate registries (Companies House, CAC, provincial corporate registries), sanctions lists (OFAC, UK HMT, UN, EU), PEP databases, and adverse-media screening providers.
- From our service providers — for example, our KYB / identity-verification partners, banking partners, and our payroll provider for employees.
- From automated observation of our systems — system access logs, device information, and web analytics data generated when you visit our website or use our systems.
05Legal Basis for Processing
We Process Personal Data only where we have a lawful basis to do so. Depending on the Processing activity, the basis is one of the following.
| Legal Basis | When We Rely On It |
|---|---|
| Legal obligation | Processing required to comply with Canadian anti-money-laundering law (PCMLTFA), FINTRAC record-keeping, Nigerian tax and employment law, and court or regulator orders. Covers most onboarding, transaction monitoring, and retention Processing. |
| Contract performance | Processing necessary to perform our commercial agreement with a counterparty, or our employment agreement with a staff member. |
| Legitimate interest | Processing necessary for our legitimate business interests where those interests are not overridden by the Data Subject’s rights. Examples: fraud prevention, system security, operational analytics, and responding to unsolicited enquiries. |
| Consent | Where none of the bases above applies and the Processing is not otherwise mandatory — for example, optional marketing communications, use of identity photos in internal directories, or non-essential cookies. Consent is freely given, specific, informed, and revocable. |
| Vital interests | Processing necessary to protect the life or physical safety of any person — rarely relied upon but reserved for emergencies. |
06Purposes of Processing
We Process Personal Data for specific and documented purposes:
- Counterparty onboarding and due diligence. Verifying identity, beneficial ownership, regulatory status, and risk profile of counterparties and their representatives in line with FINTRAC rules.
- Transaction execution and settlement. Operating the commercial relationship — trade instructions, settlement, reconciliation, reporting, and queries.
- Ongoing monitoring and regulatory reporting. Transaction monitoring, suspicious transaction reports, large cash transaction reports, electronic funds transfer reports, and other filings required by FINTRAC.
- Employment and HR administration. Recruitment, payroll, benefits, performance management, training, compliance training, discipline, and statutory filings in Nigeria and Canada.
- System, network, and physical security. Authentication, access control, device management, incident investigation, and access-log review.
- Internal audit, risk, and governance. Management reporting, internal controls, audit, and board oversight.
- Fraud prevention and financial crime controls. Sanctions screening, adverse-media monitoring, PEP checks, and investigations of suspected fraud or breach.
- Business communications and website operation. Responding to contact-form submissions, sending operational notifications, and operating our website.
07Who We Share Personal Data With
We share Personal Data only where we have a lawful basis and only with the categories of recipient set out below. We do not sell Personal Data to any third party and we do not share it for third-party marketing purposes.
| Recipient | Examples | Basis |
|---|---|---|
| Group entities | Between Trove Payment Limited (Canada) and Trove Technologies Limited (Nigeria) under the intercompany services agreement | Legitimate interest; legal obligation |
| Banking & settlement partners | Trove’s Canadian and Nigerian banking partners; stablecoin custodians; counterparty banks used for settlement | Contract performance; legal obligation |
| Regulated technology providers | KYB and identity-verification services; sanctions and PEP screening; transaction-monitoring tooling; CRM, accounting, email | Contract performance; legitimate interest |
| Professional advisers | Lawyers, auditors, tax advisers, and compliance consultants — all engaged under confidentiality | Legitimate interest; legal obligation |
| Regulators & law enforcement | FINTRAC; Nigerian Financial Intelligence Unit (NFIU); Nigeria Data Protection Commission (NDPC); courts; other regulators | Legal obligation |
| Successor entities | In the event of a merger, acquisition, reorganisation, or asset sale, subject to equivalent protection | Legitimate interest; contract performance |
| Employees & contractors | Within the Trove group on a strict need-to-know basis under the employee confidentiality obligations | Legitimate interest; contract performance |
Where we share Personal Data with a service provider, we require that provider to Process the data only on our documented instructions, implement appropriate security measures, assist us with Data Subject requests, notify us of any breach, and delete or return the data at the end of the engagement. These obligations are captured in a written data processing agreement before any Personal Data is shared.
08International Transfers
Trove is a cross-border business. Personal Data is routinely transferred between Canada (where Trove Payment Limited is registered) and Nigeria (where Trove Technologies Limited operates), and in limited cases to other jurisdictions where our banking partners, counterparties, or service providers are based.
We ensure that international transfers are made with appropriate protections:
- Where the destination is a jurisdiction recognised as providing adequate data protection under applicable law, no further transfer mechanism is required.
- Where the destination is not recognised as adequate, we rely on contractual safeguards — typically a written data transfer agreement incorporating recognised standard contractual clauses — and we assess the recipient’s ability to protect the data before transfer.
- Transfers pursuant to a legal obligation (for example, responding to a regulatory request from FINTRAC or the NFIU) are made on that basis.
For questions about the specific transfer safeguards applicable to your Personal Data, contact the Data Protection Officer at dpo@trovepayment.com.
09Your Rights as a Data Subject
Under the NDPA, PIPEDA, and other applicable laws, you have rights in relation to your Personal Data. All rights are subject to the legal obligations that apply to a licensed MSB, particularly record-retention requirements under Canadian anti-money-laundering law.
| Right | What It Means |
|---|---|
| Access | You can ask us whether we hold Personal Data about you, and request a copy in a readable format. |
| Rectification | You can ask us to correct Personal Data that is inaccurate or incomplete. |
| Erasure | You can ask us to delete Personal Data where we no longer have a lawful basis to Process it. Note: Personal Data held under our AML retention obligation cannot be erased until the retention period has elapsed — typically 5 years from the end of the business relationship. |
| Restriction | You can ask us to stop certain Processing while we investigate a question you have raised about your data. |
| Objection | You can object to Processing we carry out on a legitimate-interest basis. We will reconsider the Processing and either stop or explain why a compelling legitimate ground requires it to continue. |
| Data portability | Where Processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used format. |
| Withdrawal of consent | Where Processing is based on your consent, you can withdraw that consent at any time without prejudice to Processing already carried out. |
| Complaint to a regulator | You can lodge a complaint with the Nigeria Data Protection Commission (ndpc.gov.ng) or the Office of the Privacy Commissioner of Canada (priv.gc.ca). |
9.1 How to make a request
Send your request, in writing, to dpo@trovepayment.com with enough detail for us to identify you and the relevant Processing. We may ask you to confirm your identity before we respond. We aim to respond within 30 days; where a request is complex, we may extend by a further 30 days and will tell you within the first window.
There is no fee for a standard request. Where a request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable administrative fee or decline to act — in writing, with reasons.
10Retention
We retain Personal Data only for as long as we need it for the purpose we Processed it, and for as long as we are required to retain it by law. The principal retention periods are:
| Category | Retention | Basis |
|---|---|---|
| Counterparty onboarding records KYB, CDD, beneficial ownership, identification |
5 years from the end of the business relationship | PCMLTFA |
| Transaction records & reports filed with FINTRAC | 5 years from the date of the record or report, whichever is longer | PCMLTFA |
| Employment records Payroll, tax, personnel file |
7 years from end of employment; pension and NHF records per statutory retention | FIRS, LIRS, PenCom |
| Unsuccessful job candidates | 12 months from decision, unless erasure requested or retained for future roles by consent | Legitimate interest |
| Website enquiry data | 24 months from last activity | Legitimate interest |
| System access & security logs | 12 to 24 months depending on system; longer where needed for an active investigation | Legitimate interest; legal obligation |
| Marketing contact data | For as long as consent is in force; erased on withdrawal | Consent |
When a retention period ends, we either delete the Personal Data or anonymise it irreversibly so that it can no longer be associated with an individual.
11Security
Personal Data is protected by a combination of technical, organisational, and physical controls. The principal controls are:
- Encryption in transit for all Personal Data transmitted across networks — TLS for web traffic and email, and encrypted channels for system-to-system integrations.
- Encryption at rest for sensitive Personal Data stored in our business systems, and full-disk encryption on Company-issued laptops.
- Access control on a least-privilege basis — Personal Data is accessible only to employees and service providers whose role requires it. Access is logged and reviewed periodically.
- Multi-factor authentication on every system that supports it.
- Mobile device management on all Company laptops, covering encryption, remote-wipe, and security policy enforcement.
- Vendor due diligence and written data processing agreements for third parties that Process Personal Data on our behalf.
- Staff training on data protection and information security at onboarding and annually.
- Physical security at the Lagos office, including controlled access, CCTV where installed, and a locked comms cabinet.
We do not warrant that any system can be fully secure. What we do commit to is that we take seriously the expected standard of care for a licensed MSB and its services affiliate, and that we review our controls at least annually and after any material incident.
12Cookies & Tracking
Our website uses a small number of cookies and similar technologies. Our approach is deliberately minimal because we are a B2B infrastructure business, not a consumer marketing platform.
12.1 Essential cookies
Required for the website to function — for example, to maintain session state and protect against common web attacks. Essential cookies do not require consent.
12.2 Analytics cookies
Where we use an analytics service, its purpose is to understand aggregate site use. We configure analytics to collect the minimum necessary data, and not to share it with advertising networks.
12.3 No behavioural advertising
We do not place cookies used for third-party behavioural advertising. We do not sell our website visitor data to any third party.
12.4 Your choices
Your browser provides controls to view, accept, and delete cookies. Disabling essential cookies may affect site functionality.
13Personal Data Breach Response
A “personal data breach” is a security incident that results in the unauthorised access, disclosure, alteration, or loss of Personal Data we hold. Where we become aware of a breach, our response is:
- Internal escalation: any suspected breach is reported to the Head of Compliance & MLRO within 1 hour of discovery.
- Containment and investigation: affected systems are isolated, evidence preserved, and a factual timeline established as quickly as possible.
- Regulator notification: where the breach is likely to result in a risk to Data Subjects’ rights and freedoms, we notify the Nigeria Data Protection Commission within 72 hours (where NDPA applies) and / or the Office of the Privacy Commissioner of Canada as soon as feasible (where PIPEDA applies).
- Data Subject notification: where the breach is likely to result in a high risk to rights and freedoms, affected individuals are notified without undue delay, using plain language.
- Records: every breach is recorded in the breach register whether or not it was notifiable, with the facts, the assessment, and the actions taken.
14Children’s Data
Our products and services are directed at licensed financial institutions and their authorised representatives — adult professionals acting in a business capacity. We do not knowingly collect Personal Data from children under 18. Where we learn that we have collected the Personal Data of a child without appropriate consent, we delete that data promptly.
15Automated Decisions
We do not make decisions about counterparty onboarding or transaction authorisation that have a legal or similarly significant effect on an individual, based solely on automated processing. Our KYB and transaction-monitoring tools flag matters for human review; the final decision is always taken by a named individual in the compliance or commercial team.
16Contact
If you have a question about this Policy, about how we handle your Personal Data, or if you wish to exercise any of the rights described in Section 9:
Data Protection Officer
17Changes to This Policy
We review this Policy at least annually and on any material regulatory or operational change. Where we make a material change, we will:
- Publish the updated Policy on our website
- Update the version number and effective date at the top of the page
- Notify existing counterparties and employees directly of changes that affect their rights or the way we Process their Personal Data
Where a change requires fresh consent, we will ask for it before relying on it.
18Governing Law
This Policy is governed by the laws of the Federal Republic of Nigeria (for Processing carried out in Nigeria or involving Nigerian Data Subjects) and the laws of the Province of British Columbia and the federal laws of Canada (for Processing by Trove Payment Limited). Where NDPA and PIPEDA both apply, we comply with whichever imposes the higher standard.