Privacy Policy
Effective Date: April 3, 2026 • Version 1.0
Kynettic respects your privacy and is committed to protecting the personal data you share with us. This Privacy Policy explains how we collect, use, store, share, and protect your personal data (“Personal Data”) when you use the Kynettic platform — including account registration, KYC identity verification, peer-to-peer trading, fiat and cryptocurrency deposits and withdrawals, internal transfers, and the referral programme.
By creating an account or using the Platform, you consent to this Policy. We may update this Policy periodically and will notify you of material changes through the Platform or via email.
1. Data We Collect
1.1 Account Registration
When you register on Kynettic, we collect the following information:
- Email address — used for account creation, verification, and platform communications
- Password — stored securely and never held or transmitted in plaintext
- Referral code (optional) — links your account to a referring user for the purposes of the referral programme
Your identity is confirmed via a one-time verification code sent to your email address before your account is activated.
1.2 User Profile
Following registration, you may complete your profile with:
- Full name (first, middle, last)
- Username — displayed on P2P trade listings only if you opt in
- Profile photo — uploaded to and hosted on Cloudinary
- Country, date of birth, and phone number
Your full name is never disclosed to counterparties on P2P trades. You retain full control over whether your username appears publicly on trade listings.
1.3 Identity Verification (KYC)
To unlock the full suite of Platform features — including higher trading limits, fiat withdrawals, and cryptocurrency withdrawals — you must complete identity verification across up to three progressive tiers.
Tier 1 — BVN Verification
- Bank Verification Number (BVN)
- First name, last name, and date of birth (used to match BVN records)
Your BVN is securely encrypted at rest and is never exposed via the Platform or any API response.
Tier 2 — NIN Verification
- National Identification Number (NIN)
Your NIN is encrypted and stored using the same security standards applied to your BVN.
Tier 3 — Facial and Address Verification
- Selfie photograph — captured for liveness detection and identity matching
- Proof of address (utility bill) — uploaded as an image file
- Residential address — street, city, state, and country
Your selfie and utility bill are securely stored and transmitted to our identity verification partner for facial liveness analysis and address confirmation.
You must be 18 years of age or older to complete KYC verification.
1.4 Security Settings
- Transaction PIN (6 digits) — required to authorise withdrawals, transfers, and trades. Stored securely and never held in plaintext
- Two-factor authentication (2FA) — a time-based one-time password (TOTP) compatible with Google Authenticator and equivalent apps, used to verify your identity during login and sensitive operations
Cryptocurrency withdrawals, fiat withdrawals, and internal transfers all require your PIN and, where enabled, your 2FA code.
1.5 Wallet and Transaction Data
- Wallet balances — per supported currency, updated in real time
- Locked balances — funds held in escrow during active P2P trades
- Transaction history — type, amount, pre- and post-balance, timestamp, reference ID, and description
- On-chain deposit addresses — generated via Blockradar and associated with your account by network and currency
1.6 Fiat Deposits and Withdrawals (NGN)
For Nigerian Naira (NGN) operations via our banking partner Nomba:
- Virtual bank account — a unique NGN virtual account assigned to your profile
- Saved bank accounts — account number, account name, and bank name (for recurring withdrawals)
- Withdrawal records — recipient account number, bank name, amount, processing fees, applicable stamp duty, status, and reference
When you initiate a fiat withdrawal, your name, destination account number, bank code, and transfer amount are transmitted to Nomba to execute the transfer.
1.7 Cryptocurrency Deposits and Withdrawals
- Deposit addresses — generated per user per network and currency combination via Blockradar
- Withdrawal records — destination wallet address, currency, network, amount, fee, transaction hash, and status
- Blockchain transaction hashes — recorded for all confirmed on-chain deposits and completed withdrawals
For cryptocurrency account management, your email address and name are shared with our cryptocurrency infrastructure partner to create a sub-account linked to your Kynettic identity.
1.8 P2P Trading
- Advertisements — currency, pricing type (fixed or relative market-based), min/max order limits, quantity, trade direction (buy/sell), and optionally your username
- Orders — buyer and seller identifiers, order number, currency, amount, price, total value, applicable fees, and order status
- Fees — trade fees per order by role (maker/taker), including fee amount, percentage, and trade volume
Your counterparty on a trade sees only your username (if enabled) and the relevant order details. Full name and other personal data are never disclosed to counterparties.
Real-time cryptocurrency prices are fetched from CoinGecko using your selected currency pair. No personal data is transmitted to CoinGecko.
1.9 Internal Transfers
- Sender and recipient identifiers, currency, amount, and timestamp are recorded for all transfers
- Recipients can be identified by their Platform UID or registered email address
- Both PIN and 2FA (if enabled) are required to authorise any transfer
1.10 Referral Programme
- Referral code — a unique 6-character code assigned at registration
- Referral relationships — referrer identity, referral status, and reward timestamps
- Point transactions — points earned per completed P2P trade, including trade volume (USD equivalent) and the triggering order
- Quarterly claims — fiat (NGN) rewards claimed per quarter, including points redeemed and amount received
Referral leaderboard entries display masked email addresses only (e.g., j***@example.com).
1.11 Device, Network, and Session Data
- IP address — logged for rate limiting and abuse detection
- Device type — used to scope sessions (e.g., mobile vs. desktop)
- Session tokens — issued at login to maintain your authenticated session; sessions expire automatically after a period of inactivity
- Request identifiers — unique references attached to API requests for internal diagnostics
Failed login attempts are monitored per account and per IP address. Repeated consecutive failures will result in a temporary access suspension as a security measure.
1.12 Communications
Transactional emails are delivered via Resend and include:
- OTP codes for registration, login, password reset, and email address changes
- Security alerts
- Trade and transaction notifications (where email notifications are enabled)
Your email address and message content are transmitted to Resend solely for delivery. In-app notifications are stored in our database and include a title, body, read status, and timestamp.
1.13 Platform Reviews
If you submit a platform review, we collect your name, email address, and review content.
1.14 OAuth Login (Google and Apple)
If you sign in via Google or Apple, we receive an identity token from the respective provider. This token is verified by our servers to confirm your identity. We store only the verified email address returned and do not transmit your data back to Google or Apple beyond the verification request.
2. Why We Collect Your Data
We collect and process Personal Data to:
- Create and manage your account
- Verify your identity and comply with KYC and AML regulatory requirements
- Process P2P trades, cryptocurrency and fiat deposits and withdrawals, and internal transfers
- Detect and prevent fraud, unauthorised access, and platform abuse
- Enforce Platform rules, including duplicate identity detection via blind indexing
- Resolve disputes between trading counterparties
- Deliver transactional emails, in-app notifications, and security alerts
- Calculate and distribute referral rewards
- Retrieve real-time market prices for P2P trade pricing
- Maintain comprehensive audit trails for regulatory reporting
- Improve Platform features, performance, and the overall user experience
- Fulfil any legal obligations or respond to lawful government requests
3. Data Storage and Protection
3.1 Encryption at Rest
The table below summarises how different categories of data are stored and protected:
| Data Category | How It Is Protected |
|---|---|
| Bank Verification Number (BVN) | Encrypted at rest; never exposed via the Platform |
| National Identification Number (NIN) | Encrypted at rest; never exposed via the Platform |
| Password | Stored as a secure one-way hash; never held in plaintext |
| Transaction PIN | Stored as a secure hash; never held in plaintext |
| KYC documents (selfie, utility bill) | Stored securely in cloud storage |
| All other personal data | Stored in an encrypted database |
3.2 Encryption in Transit
All communications between your device and the Platform are encrypted using TLS/SSL. The Platform enforces HTTP Strict Transport Security (HSTS), preventing browsers from establishing unencrypted connections. All database connections are also established over encrypted channels.
3.3 Access Controls
- Sensitive identity data (BVN, NIN) is never returned in any API response
- Access to Personal Data within our systems is restricted on a need-to-know basis
- Session tokens expire automatically upon inactivity
- All withdrawal and transfer operations require PIN authentication and, where applicable, 2FA
3.4 Data Retention
- Transaction and KYC data is retained for a minimum of five (5) years in compliance with Nigerian financial regulations and AML requirements
- Session data expires automatically after a period of inactivity
- Account data is retained for the duration your account is active or as required by applicable law
- Upon account deletion, personal data is soft-deleted and may be anonymised or fully purged subject to applicable retention obligations
3.5 Your Responsibilities
You are responsible for maintaining the confidentiality of your password, PIN, 2FA codes, and wallet addresses. Kynettic will never request your password or PIN outside of the Platform. Please report any suspected unauthorised access to your account immediately through the Platform's support channels.
4. Disclosure of Personal Data
4.1 Third-Party Service Providers
We share your Personal Data with the following third-party service providers, strictly as necessary for Platform operations:
| Service Category | Data Shared | Purpose |
|---|---|---|
| Identity Verification Partner | Full name, date of birth, BVN, NIN, selfie photograph, utility bill, residential address | KYC identity verification, liveness detection, facial matching, and address confirmation |
| Blockchain Infrastructure Partner | Wallet creation requests; withdrawal: destination address, amount, currency, reference ID | On-chain deposit address generation and cryptocurrency withdrawal processing |
| Banking Partner | Full name, account reference; withdrawal: account number, account name, bank code, amount | NGN virtual account creation and fiat bank transfer execution |
| Cryptocurrency Account Partner | Email address, first name, last name, phone number (optional) | Cryptocurrency sub-account creation |
| Document Storage Provider | Selfie image, utility bill image | Secure KYC document storage and hosting |
| Market Data Provider | Currency pair (no personal data) | Real-time cryptocurrency price feeds |
| Email Delivery Provider | Email address, message content | Transactional email delivery |
All third-party providers are engaged under data processing agreements that require them to handle your data in accordance with applicable privacy laws.
4.2 Legal and Regulatory Disclosure
We may disclose Personal Data to regulatory authorities, law enforcement agencies, or courts where required by Nigerian law or applicable international regulations, including for:
- Anti-money laundering (AML) and counter-terrorism financing (CTF) compliance
- Responses to lawful subpoenas, court orders, or government demands
- Investigation of fraud, identity theft, or criminal activity
- National security or public safety requirements
4.3 Dispute Resolution
Where a P2P trade dispute arises, Platform administrators may access order records, wallet transaction histories, and, where relevant, identity information to investigate and resolve the dispute fairly.
4.4 Cross-Border Data Transfers
Your data may be processed by our third-party providers in jurisdictions outside Nigeria. We ensure that appropriate safeguards are in place for all cross-border transfers in compliance with applicable data protection law.
4.5 Anonymised and Aggregated Data
We may share aggregated, anonymised data — such as platform-wide trading volume statistics — with research or analytics partners. Such data cannot be used to identify you personally.
5. Cookies and Tracking Technologies
Kynettic does not use browser cookies for session management. Authentication is handled via secure tokens stored client-side. We may use standard web analytics tools to monitor Platform performance and usage patterns. These tools do not collect your password, PIN, wallet addresses, or financial data.
6. Your Rights
Subject to applicable Nigerian and international data protection laws, you have the following rights with respect to your Personal Data:
- Right of Access — request a copy of the Personal Data we hold about you
- Right to Rectification — update or correct inaccurate profile information via the Platform
- Right to Erasure — request account deletion; certain data may be retained for legal compliance purposes
- Right to Restriction — request that we limit the processing of your data in specific circumstances
- Right to Object — opt out of marketing communications via your notification settings
- Right to Data Portability — request a structured export of your data in a machine-readable format
- Right to Complain — lodge a complaint with Kynettic or with the relevant data protection authority
To exercise any of these rights, please contact us through the Platform. We may require identity verification before fulfilling your request.
7. Minors
Users must be 18 years of age or older to use Kynettic. We do not knowingly collect data from individuals under the age of 16. If we identify that an account belongs to a minor, we will immediately restrict or permanently delete that account. If you believe a minor has registered on the Platform, please contact us without delay.
8. Lawful Processing Without Consent
We may collect and process Personal Data without your explicit consent where required or permitted by law, including in circumstances involving:
- National security, defence, or law enforcement obligations
- Public health or substantial public interest
- Criminal investigation or legal proceedings
- Protection of life or property
- Platform fraud prevention, abuse detection, or regulatory compliance
9. Contact Us
For questions, access requests, complaints, or concerns relating to your Personal Data, please contact us through the Platform's support channels.
We are committed to responding to all enquiries in a timely and transparent manner.