Privacy Policy

AELLA MICROFINANCE BANK LIMITED (“Aella”) is committed to protecting the privacy, confidentiality, and rights of all individuals whose personal data we collect, process, and store in the course of providing financial services.

This Privacy Policy is developed in line with the Nigeria Data Protection Act (NDP Act) 2023 and the General Application and Implementation Directive (GAID) 2025.

It outlines our practices in the collection, use, disclosure, and safeguarding of personal data, ensuring transparency and accountability in data processing.

Aella Microfinance Bank is a duly licensed Microfinance Bank regulated by the Central Bank of Nigeria (“CBN”).

Part 1: Our Commitment to Data Processing Principles

We are committed to processing personal data in compliance with the NDP Act 2023 principles:

a. Lawfulness, Fairness, and Transparency

b. Purpose Limitation – Data collected solely for specified, explicit, and legitimate purposes.

c. Data Minimisation – Only necessary data is collected.

d. Accuracy – Ensuring data is accurate and up to date.

e. Storage Limitation – Retaining data only for as long as necessary.

f. Integrity and Confidentiality – Ensuring appropriate technical and organisational measures.

g. Accountability – Demonstrating compliance with the NDP Act 2023 and GAID 2025.

Part 2: Consent of Data Subject

a. We obtain consent before processing personal data unless processing is required by law, contract, vital interest, or legitimate interest.

b. Consent is freely given, specific, informed, and unambiguous.

c. Data subjects may withdraw consent at any time, without affecting the lawfulness of prior processing.

Part 3: Our Scope of Data Processing

We collect and process personal data from:

a. Customers – account holders, loan applicants, depositors, and guarantors.

b. Employees & Contractors – for HR, payroll, and compliance.

c. Third Parties – vendors, agents, and service providers.

Data categories may include:

a. Identification details (Name, NIN, BVN, Passport, Driver’s License).

b. Contact details (Email, Phone number, Address).

c. Financial information (Bank account details, Loan records, Transaction history).

d. Employment details (for staff and applicants).

e. Sensitive data (biometric information where applicable).

Part 4: Data Subject Rights

Under the NDP Act 2023 and GAID 2025, you have the following rights:

a. Right to access your personal data.

b. Right to rectify inaccurate or incomplete data.

c. Right to erasure (“right to be forgotten”).

d. Right to restrict processing.

e. Right to data portability.

f. Right to object to processing (including marketing communications).

g. Right not to be subject to automated decision-making/profiling.

Part 5: Data Retention and Security

a. Data is retained only as long as necessary to fulfill the purposes for which it was collected or as required by law.

b. We employ technical, organisational, and physical safeguards, including encryption, access control, firewalls, and staff training, to prevent unauthorised access, alteration, disclosure, or destruction.

Part 6: Mandatory Data Collection

Certain personal data is mandatory under laws and regulations such as Know Your Customer (KYC), Anti-Money Laundering (AML), and Counter-Terrorism Financing (CTF) requirements.
Failure to provide such data may result in our inability to provide services.

Part 7: Transfer of Data to Third Parties

We may share personal data with:

a. Regulatory authorities (e.g., NDPC, CBN, NDIC, EFCC, NFIU).

b. Credit bureaus and financial institutions.

c. Service providers engaged for core banking, IT support, payment processing, and debt recovery.

d. All transfers are governed by contracts ensuring confidentiality and compliance.

Part 8: Technical Information and Cookies

a. When you use our website or digital platforms, we may collect technical information such as IP address, browser type, and usage patterns.

b. Cookies may be used to enhance user experience and analyse web traffic. Users may opt out by adjusting browser settings.

Part 9: Personal Data Security and Integrity

We adopt ISO/IEC 27001-aligned security controls, periodic risk assessments, access restrictions, and incident response measures to preserve confidentiality, availability, and integrity of data.

Part 10: Job Applicants

Personal data provided by job applicants (such as CVs, academic and professional qualifications, references, and any other supporting documents) will be collected and processed solely for recruitment and selection purposes.

We will retain such data only for as long as necessary to complete the recruitment process. Records of unsuccessful applicants will be securely deleted within six (6) months of the recruitment exercise, unless a longer retention period is required by law or with the applicant’s express consent.

Successful applicants’ data will be incorporated into their employee records and processed in accordance with the Bank’s Employee Privacy Policy.

Part 11: Maintaining Accurate Information

Data subjects are encouraged to ensure their information is accurate and up-to-date. Requests for updates may be made through our Data Protection Help Desk.

Part 12: Children’s Privacy

We do not knowingly collect personal data from children under the age of 18 without verifiable parental or guardian consent.

Part 13: Caveat on Website Links

Our platforms may contain links to third-party websites. We are not responsible for the content or privacy practices of such websites.

Part 14: Transfer to Third Parties and Cross-Border Data Transfers

Where data is transferred outside Nigeria, we ensure:

a. Adequacy decision by the NDPC.

b. Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

c. Data subjects are informed, and consent is obtained where required.

Part 15: Data Protection Help Desk

We have a dedicated Data Protection Help Desk to address inquiries, complaints, and rights requests from data subjects.

Part 16: Data Deletion

Data subjects may request deletion of their data where processing is no longer necessary, subject to regulatory retention requirements.

Part 17: Data Subject Access Request (DSAR)

Requests for access, correction, or erasure of data may be submitted in writing to the Data Protection Officer. We shall respond within the timelines stipulated in the NDP Act 2023 and GAID 2025.

Part 18: Remediation

In the event of a data breach, we shall:

a. Notify the NDPC within 72 hours.

b. Notify affected data subjects where there is a high risk to their rights and freedoms.

c. Take prompt steps to remediate and mitigate risks.

Part 19: Policy on Lending and Credit Products

As a duly licensed MFB regulated by the Central Bank of Nigeria (“CBN”), all loan and credit facilities offered through our physical or digital channels are financed and administered by Aella.

In addition to the data processing practices described in this Privacy Policy, the following provisions apply specifically to loan applicants, borrowers, guarantors, and other persons whose data is processed in connection with credit products.

19.1 Lending-Related Data Collection

In connection with credit assessment and loan administration, we may collect and process:

a. Credit bureau reports and credit scores

b. Bank account and transaction history

c. Income and employment information

d. Repayment performance records

e. Guarantor details

f. Device and fraud-risk indicators (where legally permissible)

g. Communications relating to loan servicing and recovery

Certain information is mandatory under KYC, AML, CBN, and other regulatory requirements. Failure to provide required data may prevent loan approval.

19.2 Lawful Bases for Lending Data Processing

Lending-related data is processed on the basis of:

a. Performance of a contract (loan agreement)

b. Compliance with legal and regulatory obligations (including CBN and AML requirements)

c. Legitimate interest (credit risk management, fraud prevention, and debt recovery)

d. Consent (where specifically required, including certain marketing communications)

Processing of lending data is not based solely on consent.

19.3 Automated Decision-Making and Credit Scoring

We may use automated systems, credit scoring models, profiling tools, and AI-assisted risk assessment mechanisms to:

a. Assess creditworthiness

b. Determine eligibility and credit limits

c. Set loan pricing

d. Detect fraud and financial crime

Credit scoring may consider repayment history, income stability, credit bureau records, transaction behaviour, existing debt exposure, and fraud risk indicators.

Where automated processing significantly affects you (such as loan approval or rejection), you may request meaningful information about the logic involved and request human review, in accordance with the NDPA.

19.4 Credit Bureau Reporting

In accordance with applicable law and CBN requirements:

a. We may obtain credit reports from licensed credit bureaus.

b. We may report repayment performance, arrears, and defaults to licensed credit bureaus.

Such reporting may affect your credit profile within the Nigerian financial system and is conducted pursuant to legal and regulatory obligations.

19.5 Guarantor Data

Where a guarantor is required, we process guarantor data for credit risk mitigation and recovery purposes. Guarantors may be contacted in the event of borrower default. Borrowers are responsible for ensuring that guarantors are informed that their data will be shared with Aella for lending purposes.

19.6 Debt Recovery and Enforcement

In the event of default, we may disclose relevant personal data to guarantors, licensed recovery agents, legal advisers, courts, regulatory authorities, and credit bureaus strictly for lawful recovery and enforcement purposes.

19.7 Retention of Lending Data

Loan and credit-related data shall be retained:

a. For the duration of the credit relationship; and

b. For the minimum statutory retention period required under banking, AML, tax, and regulatory laws.

Retention may extend beyond loan closure where required for audit, regulatory, or litigation purposes.

19.8 Controller and Processor Roles

For lending activities, Aella Microfinance Bank acts as a Data Controller under the Nigeria Data Protection Act 2023. Third-party service providers engaged for credit assessment, analytics, loan servicing, IT support, or recovery act as Data Processors under binding contractual safeguards.

Part 20: Alteration of Privacy Policy

We may update this Privacy Policy to reflect changes in practices, legal requirements, or operational needs. All updates will be communicated through our website and banking platforms.