Privacy Policy

1. Introduction

Fractal Technology Limited (“Fractal”, “we”, “us”, or “our”) operates a technology platform that facilitates the issuance and management of tokenised real-world asset (RWA) investment products. This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal data when you access or use our website, web application, APIs, and related services (collectively, the “Platform”).

This Privacy Policy applies to all users of the Platform, including issuers, investors, operators, professionals, and visitors. By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Platform.

This Privacy Policy should be read together with our Terms of Service.

2. Applicable Laws and Regulatory Framework

We process personal data in accordance with Applicable Law, including:

• Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) 2019, as administered by the Nigeria Data Protection Commission (NDPC).
• Money Laundering (Prevention and Prohibition) Act 2022 and regulations of the Nigerian Financial Intelligence Unit (NFIU), which require the collection and retention of identity and transaction data for anti-money laundering (AML) and counter-terrorism financing (CTF) purposes.
• Investments and Securities Act (ISA) 2007 and SEC Nigeria rules, which require certain disclosures and record-keeping obligations for securities-related activities.
• Where we process data of individuals located in the European Economic Area (EEA) or the United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and the UK GDPR, respectively.

3. Data Controller

Fractal Technology Limited is the data controller responsible for your personal data processed through the Platform. Our contact details are set out in Section 18 below.

Where we process personal data on behalf of an Issuer (for example, investor subscription data for a specific Offering), the Issuer acts as the data controller and Fractal acts as the data processor. In such cases, the Issuer's own privacy policy may also apply.

4. Personal Data We Collect

We collect the following categories of personal data:

4.1 Information You Provide Directly

4.2 Information Collected Automatically

When you access the Platform, we automatically collect:

• Device and browser data: IP address, browser type and version, operating system, device type, screen resolution, and unique device identifiers.
• Usage data: Pages visited, features used, click patterns, session duration, referral source, and search queries.
• Location data: Approximate geographic location derived from your IP address.
• Log data: Server logs recording access times, error logs, and API request metadata.

4.3 Information from Third Parties

• Identity verification providers (e.g. Sumsub): KYC verification results, document authenticity checks, facial recognition matching results, sanctions and PEP screening results.
• Payment processors (e.g. Paystack): Payment confirmation, transaction references, bank account verification results.
• Authentication providers (e.g. Clerk): Authentication tokens, session data, email verification status.
• Public registers and databases: CAC corporate registry data, sanctions lists, politically exposed persons (PEP) databases, adverse media screening.

5. How We Use Your Personal Data

We process your personal data for the following purposes:

Where we rely on legitimate interests, we have conducted a balancing assessment to ensure our interests do not override your fundamental rights and freedoms. You may request details of this assessment by contacting us.

6. Sensitive Personal Data

In the course of KYC/KYB verification, we may process biometric data (facial images for liveness detection and document matching) through our identity verification provider. This processing is necessary for compliance with AML legal obligations and is carried out in accordance with Article 30 of the NDPA 2023.

We do not intentionally collect sensitive personal data such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation, except where required by law or where you voluntarily provide such information.

7. Cookies and Tracking Technologies

We use the following technologies:

• Essential cookies: Required for authentication, session management, and security. These cannot be disabled without affecting Platform functionality.
• Preference cookies: Remember your portal choice, theme, locale, currency, and region settings to improve your experience.
• Analytics cookies: Help us understand performance and usage patterns. We use aggregated, anonymised data where possible.
• Local storage: Used to store session tokens and application state on your device.

We do not use advertising or behavioural tracking cookies. You can manage cookie preferences through the Cookie Preferences link in the footer or in your browser settings. Disabling essential cookies may prevent you from using certain features of the Platform.

8. Data Sharing and Disclosure

We do not sell your personal data. We may share your personal data with the following categories of recipients:

8.1 Service Providers

All service providers are bound by data processing agreements that require them to process personal data only on our instructions and to maintain appropriate security measures.

8.2 Issuers and Platform Participants

When you subscribe to an Offering, we share your name, investor classification, and subscription details with the relevant Issuer. Issuers need this information to manage their Offering, allocate subscriptions, and fulfil their obligations. Issuers are prohibited from using your data for purposes other than managing the Offering.

8.3 Professional Service Providers

Valuers, inspectors, lawyers, and auditors engaged through the Platform may receive limited information about assets, businesses, and transactions necessary to perform their assigned tasks.

8.4 Regulatory and Legal Disclosures

We may disclose personal data to regulators, law enforcement, courts, or other governmental authorities when required by law or in response to valid legal process, including:

• Suspicious Transaction Reports (STRs) filed with the Nigerian Financial Intelligence Unit (NFIU).
• Reports to the Securities and Exchange Commission (SEC Nigeria).
• Tax information reported to the Federal Inland Revenue Service (FIRS).
• Compliance with court orders, subpoenas, or regulatory requests.
• Protection of our rights, safety, or property, or that of our Users or the public.

8.5 Corporate Transactions

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of assets, your personal data may be transferred to the successor entity. We will notify you of any such transfer and the choices available to you.

9. International Data Transfers

Your personal data may be transferred to and processed in countries other than Nigeria, including countries where our service providers are located. Where such transfers take place, we ensure that appropriate safeguards are in place, including:

• Standard contractual clauses approved by the NDPC or other relevant supervisory authority.
• Binding corporate rules or other recognised transfer mechanisms.
• Adequacy determinations by the NDPC, the European Commission, or the UK Information Commissioner's Office, where applicable.

You may request information about the safeguards we have put in place for specific transfers by contacting us.

10. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, subject to the following minimum retention periods:

When personal data is no longer required, we securely delete or anonymise it. Anonymised data that can no longer identify you may be retained indefinitely for statistical and analytical purposes.

11. Your Rights

Under the NDPA 2023 and, where applicable, the GDPR, you have the following rights in relation to your personal data:

• Right of access: Request a copy of the personal data we hold about you and information about how we process it.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data, subject to our legal retention obligations.
• Right to restrict processing: Request that we limit the processing of your personal data in certain circumstances.
• Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
• Right to lodge a complaint: File a complaint with the Nigeria Data Protection Commission (NDPC), or, for EEA/UK residents, the relevant supervisory authority.

11.1 How to Exercise Your Rights

To exercise any of these rights, contact us at privacy@fractal.finance. We will respond to your request within thirty (30) days. We may request verification of your identity before processing your request.

11.2 Limitations

Certain rights may be limited where we have a legal obligation to retain data (e.g. AML records), where disclosure would compromise an ongoing investigation, or where exercising the right would adversely affect the rights and freedoms of others. We will inform you of any such limitations when responding to your request.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption: Data in transit is protected using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 or equivalent standards.
• Access controls: Role-based access controls (RBAC) ensure that personal data is accessible only to authorised personnel on a need-to-know basis.
• Authentication: Multi-factor authentication and secure session management for all user accounts.
• Monitoring: Continuous monitoring for suspicious activity, with automated alerts and incident response procedures.
• Audit logging: All access to and modifications of personal data are logged with immutable audit trails.
• Vendor security: Third-party service providers are assessed for security practices before engagement and are required to maintain appropriate protections.

No system is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the NDPC (and, where applicable, other relevant authorities) within seventy-two (72) hours of becoming aware of the breach, and will notify affected individuals without undue delay.

13. Children's Privacy

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at privacy@fractal.finance and we will take steps to delete such data.

14. Automated Decision-Making

We may use automated processes in the following areas:

• KYC/KYB verification: Automated identity document verification, facial matching, and sanctions screening. Results are reviewed by our compliance team before final decisions are made.
• Transaction monitoring: Automated systems flag potentially suspicious transactions for manual review.
• Investor classification: Based on information you provide, automated systems may classify your investor status (retail, sophisticated, or institutional).

You have the right to request human review of any decision made solely through automated processing that produces legal effects or significantly affects you. Contact us to exercise this right.

15. Third-Party Links

The Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

• Update the “Last updated” date at the top of this page.
• Notify you through an in-platform notification or email to your registered address at least fourteen (14) days before the changes take effect.
• Where required by law, obtain your consent to the updated Privacy Policy.

Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

17. Data Protection Officer

In accordance with the NDPA 2023, we have designated a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and compliance. You may contact our DPO directly at dpo@fractal.finance for any data protection related matters.

18. Contact Information

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) or, for EEA/UK residents, the relevant data protection supervisory authority in your jurisdiction.