Grymey

Privacy

Privacy Policy

Grymey Technologies Limited · RC No. 8749776 · Last updated: July 2026

Grymey Technologies Limited ("Grymey", "we", "our", or "us") operates grymey.com and the Grymey invoicing, payment, and wallet platform. This Privacy Policy explains how we collect, use, and protect your personal information when you use our services.

1. Information We Collect

CategoryExamples
Account InformationName, email address, phone number, business name
Business InformationBusiness address, bank account details for settlement, tax identification number
Transaction DataInvoices you create, clients you bill, amounts collected, payment history
KYC DocumentsGovernment-issued ID, proof of business registration, BVN or NIN (where required)
WhatsApp MessagesMessages sent to our bot solely for the purpose of invoice creation
Usage DataHow you interact with the platform, device information, IP address
CookiesSession cookies for login; non-essential cookies with your consent

2. How We Use Your Information

  • To provide and operate the Grymey invoicing, payment, and wallet platform
  • To process payments and settle funds to your designated bank account
  • To send invoice notifications, payment confirmations, and reminders to your clients
  • To verify your identity and business through our KYC process
  • To comply with Nigerian financial regulations and legal obligations
  • To detect and prevent fraud and unauthorised account activity
  • To improve our platform based on usage patterns
  • To communicate with you about service updates and important notices

3. Data Protection Principles

Grymey is committed to the following data protection principles as required by the NDPA 2023:

PrincipleHow Grymey Applies It
Lawfulness, Fairness, and TransparencyWe process personal data only on valid lawful bases and with clear privacy notices.
Purpose LimitationWe collect data only for specified, explicit, and legitimate purposes.
Data MinimisationWe collect only the data strictly necessary for our services.
AccuracyWe take reasonable steps to keep data accurate and up to date.
Storage LimitationWe retain data only as long as necessary for the purposes collected.
Integrity and ConfidentialityWe implement appropriate security measures to protect data.

4. Lawful Basis for Processing Personal Data

Under the NDPA 2023 and GAID 2025, Grymey relies on the following five lawful bases:

Lawful BasisWhen We Rely On It
ConsentWhen you voluntarily agree to specific processing activities, such as receiving marketing communications. You can withdraw your consent at any time.
ContractWhen processing is necessary to perform our contract with you — creating your account, processing invoices, and settling payments.
Legal ObligationWhen we are required to process your data to comply with Nigerian laws, including CBN AML/CFT requirements, tax laws, and KYC obligations.
Vital InterestsWhen processing is necessary to protect someone's life in emergency situations.
Public InterestWhen processing is necessary for tasks carried out in the public interest or in the exercise of official authority.

Grymey does not rely on "Legitimate Interest" as a lawful basis for processing your personal data.

Questions about the lawful basis for a specific processing activity? Contact us at privacy@grymey.com.

5. Data Sharing

We do not sell your personal data. We share data only with trusted service providers necessary to operate our platform:

CategoryPurpose
Banking Partners and Payment ProcessorsFor payment collection, settlement, and fund transfers
Cloud Infrastructure ProvidersFor database, hosting, and secure data storage
Communication ServicesFor email delivery and messaging
AI ServicesFor invoice processing and data extraction from natural language

We engage third-party data processors under written contracts that ensure compliance with the NDPA 2023 and GAID 2025. A full list of our current data processors is available upon request.

We may disclose your information if required to do so by Nigerian law or regulatory authorities.

6. Cross-Border Data Transfers

We use cloud infrastructure and service providers that may process your data outside Nigeria. Grymey ensures that:

  • Transfers are made only to countries with adequate data protection laws, or
  • We implement appropriate safeguards (such as standard contractual clauses) as required by the GAID 2025
  • We comply with all NDPC requirements for cross-border data transfers

7. Data Retention

Data CategoryRetention PeriodReason
KYC Documents5 years from account closureCBN AML/CFT regulatory requirements
Transaction Records5 years from account closureCBN and NFIU record-keeping requirements
Account InformationUntil account closure or 5 years of inactivityService delivery and regulatory compliance
Marketing DataUntil consent is withdrawnUser preference management
WhatsApp MessagesImmediately after invoice creationPurpose fulfilled; not permanently stored

8. Your Rights Under the NDPA 2023

RightWhat It Means
Right to be InformedYou have the right to know what personal data we collect, why, how we use it, who we share it with, and how long we keep it.
Right of AccessYou have the right to request a copy of the personal data we hold about you within 30 days of your request.
Right to RectificationYou have the right to correct any inaccurate or incomplete personal data we hold about you.
Right to ErasureYou have the right to request deletion of your personal data, subject to our regulatory retention obligations.
Right to Restrict ProcessingYou have the right to request that we limit how we use your personal data while we verify accuracy or lawful basis.
Right to ObjectYou have the right to object to processing for direct marketing or where we rely on public interest as a lawful basis.
Right to Data PortabilityYou have the right to request transfer of your personal data to another organisation where technically feasible.
Right to Lodge a ComplaintYou have the right to lodge a complaint with the NDPC via the SNAG process introduced under GAID 2025.

How to exercise your rights:

  • Email: privacy@grymey.com — subject line "Data Subject Request"
  • In-App: Use the "Request My Data" feature in your account settings

We acknowledge within 5 business days and respond substantively within 30 days.

9. Data Protection Impact Assessments (DPIA)

Grymey conducts DPIAs for high-risk processing activities including KYC verification, fraud detection, automated decision-making, and processing of sensitive personal data (biometrics, BVN, NIN). Where a DPIA identifies an unmitigable risk, we consult the NDPC before proceeding.

10. Data Protection Officer

Grymey has designated a Data Protection Officer (DPO) responsible for overseeing data protection compliance.

DPO Email: dpo@grymey.com

11. Data Breach Notification

In the event of a personal data breach likely to result in high risk to data subjects, Grymey will:

  • Notify the NDPC within 72 hours of becoming aware of the breach
  • Notify affected data subjects directly without undue delay
  • Document all breaches including nature, categories of data affected, and remedial actions taken

All breach records are retained for a minimum of five years.

12. Cookies and Tracking

Cookie TypePurposeConsent Required
Strictly NecessarySession management, login state, security, and basic functionalityNo
Non-EssentialAnalytics, usage tracking, and performance improvementYes — explicit consent required

You can change your cookie preferences or withdraw consent at any time via your browser settings or our cookie banner.

13. Data Security

  • Encryption of data in transit (TLS 1.3)
  • Encryption of data at rest (AES-256)
  • Access controls limiting who can access your data
  • Regular security reviews of our platform and infrastructure
  • Employee training on data protection

No system is completely secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

14. Children's Privacy

Grymey does not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information.

15. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, sending you an email notification.

The "Last updated" date at the top of this policy indicates when it was last revised.

16. Contact Us

Grymey Technologies Limited

RC No. 8749776 · Lagos, Nigeria

Privacy: privacy@grymey.com

DPO: dpo@grymey.com

← Back to Sign Up

© 2026 Grymey Technologies Ltd