GET PAID. PROFESSIONALLY. INSTANTLY.
Privacy
We collect only what we need to run the platform. We never sell your data. You can request deletion at any time.
✓ We never sell your data
✓ Invoice data is yours to export
✓ WhatsApp messages used only for invoicing
✓ Encrypted in transit and at rest
✓ Delete your account any time
40+
Businesses
<15min
Settlement
₦0
Monthly fee
Privacy
Grymey Technologies Limited · RC No. 8749776 · Last updated: July 2026
Grymey Technologies Limited ("Grymey", "we", "our", or "us") operates grymey.com and the Grymey invoicing, payment, and wallet platform. This Privacy Policy explains how we collect, use, and protect your personal information when you use our services.
| Category | Examples |
|---|---|
| Account Information | Name, email address, phone number, business name |
| Business Information | Business address, bank account details for settlement, tax identification number |
| Transaction Data | Invoices you create, clients you bill, amounts collected, payment history |
| KYC Documents | Government-issued ID, proof of business registration, BVN or NIN (where required) |
| WhatsApp Messages | Messages sent to our bot solely for the purpose of invoice creation |
| Usage Data | How you interact with the platform, device information, IP address |
| Cookies | Session cookies for login; non-essential cookies with your consent |
Grymey is committed to the following data protection principles as required by the NDPA 2023:
| Principle | How Grymey Applies It |
|---|---|
| Lawfulness, Fairness, and Transparency | We process personal data only on valid lawful bases and with clear privacy notices. |
| Purpose Limitation | We collect data only for specified, explicit, and legitimate purposes. |
| Data Minimisation | We collect only the data strictly necessary for our services. |
| Accuracy | We take reasonable steps to keep data accurate and up to date. |
| Storage Limitation | We retain data only as long as necessary for the purposes collected. |
| Integrity and Confidentiality | We implement appropriate security measures to protect data. |
Under the NDPA 2023 and GAID 2025, Grymey relies on the following five lawful bases:
| Lawful Basis | When We Rely On It |
|---|---|
| Consent | When you voluntarily agree to specific processing activities, such as receiving marketing communications. You can withdraw your consent at any time. |
| Contract | When processing is necessary to perform our contract with you — creating your account, processing invoices, and settling payments. |
| Legal Obligation | When we are required to process your data to comply with Nigerian laws, including CBN AML/CFT requirements, tax laws, and KYC obligations. |
| Vital Interests | When processing is necessary to protect someone's life in emergency situations. |
| Public Interest | When processing is necessary for tasks carried out in the public interest or in the exercise of official authority. |
Grymey does not rely on "Legitimate Interest" as a lawful basis for processing your personal data.
Questions about the lawful basis for a specific processing activity? Contact us at privacy@grymey.com.
We do not sell your personal data. We share data only with trusted service providers necessary to operate our platform:
| Category | Purpose |
|---|---|
| Banking Partners and Payment Processors | For payment collection, settlement, and fund transfers |
| Cloud Infrastructure Providers | For database, hosting, and secure data storage |
| Communication Services | For email delivery and messaging |
| AI Services | For invoice processing and data extraction from natural language |
We engage third-party data processors under written contracts that ensure compliance with the NDPA 2023 and GAID 2025. A full list of our current data processors is available upon request.
We may disclose your information if required to do so by Nigerian law or regulatory authorities.
We use cloud infrastructure and service providers that may process your data outside Nigeria. Grymey ensures that:
| Data Category | Retention Period | Reason |
|---|---|---|
| KYC Documents | 5 years from account closure | CBN AML/CFT regulatory requirements |
| Transaction Records | 5 years from account closure | CBN and NFIU record-keeping requirements |
| Account Information | Until account closure or 5 years of inactivity | Service delivery and regulatory compliance |
| Marketing Data | Until consent is withdrawn | User preference management |
| WhatsApp Messages | Immediately after invoice creation | Purpose fulfilled; not permanently stored |
| Right | What It Means |
|---|---|
| Right to be Informed | You have the right to know what personal data we collect, why, how we use it, who we share it with, and how long we keep it. |
| Right of Access | You have the right to request a copy of the personal data we hold about you within 30 days of your request. |
| Right to Rectification | You have the right to correct any inaccurate or incomplete personal data we hold about you. |
| Right to Erasure | You have the right to request deletion of your personal data, subject to our regulatory retention obligations. |
| Right to Restrict Processing | You have the right to request that we limit how we use your personal data while we verify accuracy or lawful basis. |
| Right to Object | You have the right to object to processing for direct marketing or where we rely on public interest as a lawful basis. |
| Right to Data Portability | You have the right to request transfer of your personal data to another organisation where technically feasible. |
| Right to Lodge a Complaint | You have the right to lodge a complaint with the NDPC via the SNAG process introduced under GAID 2025. |
How to exercise your rights:
We acknowledge within 5 business days and respond substantively within 30 days.
Grymey conducts DPIAs for high-risk processing activities including KYC verification, fraud detection, automated decision-making, and processing of sensitive personal data (biometrics, BVN, NIN). Where a DPIA identifies an unmitigable risk, we consult the NDPC before proceeding.
Grymey has designated a Data Protection Officer (DPO) responsible for overseeing data protection compliance.
DPO Email: dpo@grymey.com
In the event of a personal data breach likely to result in high risk to data subjects, Grymey will:
All breach records are retained for a minimum of five years.
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Session management, login state, security, and basic functionality | No |
| Non-Essential | Analytics, usage tracking, and performance improvement | Yes — explicit consent required |
You can change your cookie preferences or withdraw consent at any time via your browser settings or our cookie banner.
No system is completely secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.
Grymey does not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, sending you an email notification.
The "Last updated" date at the top of this policy indicates when it was last revised.
Grymey Technologies Limited
RC No. 8749776 · Lagos, Nigeria
Privacy: privacy@grymey.com
DPO: dpo@grymey.com
© 2026 Grymey Technologies Ltd