Privacy Policy

Last updated: May 2, 2026

Verdge is operated by Syxeaz Ltd ("Verdge", "we", "us"). This policy explains what personal data we collect when you use our platform — through the website or any messaging channel (WhatsApp, Telegram, SMS, email, and others) — how we use it, who we share it with, and the rights you have over it under the Nigeria Data Protection Act 2023 ("NDPA") and other applicable laws.

1. Who is responsible for your data

Syxeaz Ltd is the data controller for personal data processed in connection with the Verdge platform. You can contact us at:

2. What we collect

2.1 Information you give us

  • Account details: name, email address, phone number, password (hashed), preferences.
  • Channel identifiers: when you reach our agents on a messaging channel, we record the identifier you use (WhatsApp number, Telegram chat ID, email address, SMS number, etc.) so we can recognize you on subsequent messages and link your interactions to your account.
  • Content of your messages with our agents. These are processed by AI to generate replies and stored to maintain conversation context.
  • KYC information (for tenants and where required for withdrawals): business registration documents, tax certificates, government IDs, and proof of address.
  • Bank account details for withdrawals: we do not store full account numbers ourselves; we create a recipient record with our payment partner (Paystack) and only store the recipient code and a masked reference (e.g. ****1234).

2.2 Information we collect automatically

  • Server log data: IP address, request timestamps, and error traces — kept short-term for security monitoring and operational debugging only. We do not build behavioural or advertising profiles from this.
  • Service usage records: agent runs you initiate, transactions, wallet balance changes, referral activity, promo redemptions — needed to operate the platform and produce your account history.

We do not use cookies for analytics or advertising. We use only the minimum session storage required to keep you signed in. We do not collect device fingerprints or device identifiers on the web.

2.3 Information from third parties

  • Payment processors (Paystack) confirm card/bank transactions and may share transaction status, the masked card BIN, and bank verification details.
  • Service providers (e.g., VTPass, Baxi, Ebills, mobile network operators, distribution companies) confirm whether airtime, electricity tokens, or similar services were delivered to a recipient identifier you specified.
  • Channel platforms (Meta WhatsApp Business API, Telegram, etc.) deliver your messages to us and pass back metadata including the message ID, sender identifier, and timestamps. Use of those platforms is subject to their own privacy policies in addition to this one.
  • AI model providers (e.g., OpenAI, Anthropic) process the content of your messages on our behalf to generate agent replies, under data processing agreements that restrict their use of that content.

3. What we do NOT collect or store

  • Full payment card numbers, CVVs, or PINs. Card payments are handled directly by Paystack on a tokenized flow; we never see or store these details.
  • Full bank account numbers. Only a Paystack recipient code and a masked reference.
  • Device fingerprints or hardware identifiers. We previously experimented with device-level identifiers; that has been deprecated and removed.
  • Tracking cookies or third-party analytics scripts.
  • Sensitive personal data (such as health, religious, or biometric data) — please do not share these with our agents. If you do, we will treat them as ordinary message content and process them only to respond, but we discourage you from doing so.

We process your personal data on the following bases under the NDPA:

Purpose | Legal basis
Create and manage your account; authenticate you across channels. | Performance of contract
Process your payments, transactions, and refunds. Communicate transaction status. | Performance of contract
Generate AI agent replies, including by sending message content to AI model providers. | Performance of contract
Run the referral and promo programs, including detecting and rejecting fraudulent referrals. | Performance of contract; legitimate interests in fraud prevention
Comply with anti-money-laundering, tax, and consumer protection obligations (KYC, transaction record retention, regulatory reporting). | Legal obligation
Detect and prevent fraud, abuse of service, and security incidents. | Legitimate interests
Improve the platform, including by analyzing aggregated usage and (where permitted) message content used to refine non-personal model behavior. | Legitimate interests
Send you product updates and marketing emails. | Consent (you can withdraw at any time)

5. Sharing your data

We share personal data only with the following categories of recipients, and only as needed:

  • Payment processor: Paystack Payments Limited, for card and bank transfers.
  • Service providers: VTPass, Baxi, Ebills, and similar bill-payment aggregators, to deliver the airtime/electricity/cable subscription you purchase. They receive only the recipient identifier (e.g., your meter number, phone number to top up) and the amount.
  • AI model providers: third parties such as OpenAI and Anthropic process the content of your conversations to generate agent replies on our behalf, under contractual confidentiality and data-handling obligations. Your conversations may be transferred to and processed in the United States or other countries where these providers operate (see Section 8).
  • Channel platforms: Meta (WhatsApp), Telegram, Termii (SMS), Resend (email), Slack, Discord, Instagram, X (Twitter), and others through which you choose to interact with Verdge. Routing messages through these platforms is necessary to provide the Service.
  • Cloud and infrastructure providers (e.g., AWS) for hosting, storage, and security.
  • Tenants on the marketplace: if you interact with an agent operated by an independent tenant, that tenant can see the content of your messages with their agent and information necessary to fulfil your request, but does not see details of unrelated transactions.
  • Professional advisers (lawyers, auditors, accountants) under confidentiality.
  • Authorities: we may disclose data when legally required to do so by Nigerian law enforcement, regulators, or courts.

We do not sell your personal data, and we do not share it for advertising purposes outside our own service communications.

6. Conversations and AI processing

When you message a Verdge agent, your messages are processed by AI to generate a reply. This processing typically involves sending the message — and the recent context of your conversation — to a third-party AI model provider. We do not allow these providers to use your messages to train their public models, where the provider offers that contractual choice. We summarize and rotate context to limit how much of your history is sent in any single request.

Conversation messages are encrypted at rest. Each agent has its own encryption key, and your stored messages are encrypted with that key before being written to our database. As a result, Verdge platform staff cannot read the contents of your conversations with an agent — not for support, not for analytics. The encryption is enforced at the storage layer; bypassing it would require the tenant's own key, which we do not retain in plaintext.

What we can see (and need, to operate the service) are non-content metadata such as message timestamps, message counts, token usage for billing, and the channel each message arrived on. The actual text of your messages stays encrypted.

Please do not share information you do not want processed in this way, including banking PINs, full card numbers, or any data you would not want to appear in an AI prompt.

7. Account merging across channels

You can merge a chat from one channel into another account using the /link command on a channel or the corresponding web flow. When you do, the merged channel user's data — including conversations, wallet balance, transactions, and subscriptions — becomes part of the parent account. We will retain the original channel user record as a "linked" entity for audit purposes for the retention periods in Section 9.

8. International transfers

Some of our processors (notably AI model providers and certain cloud services) operate outside Nigeria, including in the United States and the European Union. Where we transfer personal data outside Nigeria, we rely on the following safeguards under the NDPA:

  • contractual data protection clauses with the recipient that impose obligations equivalent to those under the NDPA;
  • recipients located in jurisdictions recognized by the Nigeria Data Protection Commission as providing adequate protection, where applicable;
  • your explicit consent, where the transfer is incidental to a service you have requested (e.g., asking an agent a question that requires AI processing).

9. How long we keep your data

Category | Retention period
Account profile (name, email, phone, hashed password) | Active life of the account, plus 12 months after closure for fraud-prevention and dispute resolution.
Transaction records and wallet history (top-ups, payments, refunds, withdrawals) | Minimum of 7 years from the transaction date, to comply with Nigerian tax and AML record-keeping rules.
Conversation history with agents | Active life of the account, with rolling deletion of older context after 24 months unless you delete a conversation earlier.
Channel message logs (delivery receipts, errors) | Up to 90 days for operational debugging.
KYC documents | 5 years from the end of the customer relationship, per Nigerian AML rules.
Marketing consent and preferences | Until you withdraw consent, plus a short audit trail.

10. Your rights under the NDPA

You have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete data;
  • Erase your personal data, subject to overriding obligations such as transaction record retention;
  • Restrict or object to certain processing, including direct marketing;
  • Withdraw consent at any time, where consent is the basis of processing;
  • Receive a copy of your data in a portable format;
  • Lodge a complaint with the Nigeria Data Protection Commission (ndpc.gov.ng) if you believe your rights have been violated.

To exercise any of these rights, email us at hello@verdge.ai with the subject "Privacy Request". We will respond within thirty (30) days. Where we cannot comply (for example because we must keep transaction records for tax purposes), we will tell you why.

11. Security

We protect your data using technical and organizational measures appropriate to the risk, including:

  • TLS encryption in transit for all API and channel traffic.
  • Conversation messages encrypted at rest with a per-agent key — Verdge platform staff cannot read message contents.
  • Hashed passwords (one-way) — we never store plaintext passwords.
  • Role-based access controls on internal systems, plus audit logging on privileged actions.
  • No card details, CVVs, PINs, or full bank account numbers ever land on our servers — those flow directly through Paystack.

No system is perfectly secure; if we become aware of a personal data breach that is likely to affect you, we will notify you and the Nigeria Data Protection Commission as required by the NDPA.

12. Children

Verdge is not intended for, and may not be used by, anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the latest revision. For material changes, we will give you notice through the Service or by email. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact

For privacy questions, requests, or to lodge a complaint:

© Syxeaz Ltd. All rights reserved.