PRIVACY POLICY

Effective Date: March 2, 2026

At ISHOWMESK ENTERPRISES LLP, we respect your privacy and are committed to safeguarding the personal information you share with us. This Privacy Policy describes how we collect, use, store, disclose, and protect personal data when you access or use LUMEN LOAN through our mobile application, website, business premises, or related services (collectively, the “Platform” or “Services”).

This Privacy Policy is established in accordance with the Nigeria Data Protection Act (NDPA) 2023 and other applicable privacy and data protection requirements. We encourage you to read this Policy carefully so you understand your rights and how your personal data is handled.

---

1. Your Agreement

By downloading, accessing, or using the Platform, and by providing personal information to us, you confirm that you have reviewed and accepted the terms of this Privacy Policy. Where we rely on consent as a legal basis, your continued use of our Services indicates your consent to the processing activities described here.

If you do not agree with this Policy, please discontinue use of the Platform.

---

2. Data Collection & Processing Overview

To provide secure, reliable, and tailored financial services, LUMEN LOAN may request or collect personal information needed to verify identity, assess eligibility, manage risks, and comply with regulatory requirements.

We apply strong security practices in handling personal data. Personal information is encrypted during transmission and securely processed through our servers hosted at:
https://verster.ishowmeskllp.com (HTTPS-enabled).

Except where legally required or explicitly authorized by you, we do not sell or share your personal data with unaffiliated third parties.

---

2.1 Types of Personal Information We May Collect

Depending on how you use the Platform, we may collect and process the following categories of information:

1. Identity Data
Such as full name, gender, and date of birth.
Purpose: identity verification, compliance, credit evaluation.

2. Contact Data
Such as phone number, email address, and emergency contact details.
Purpose: account creation, authentication, security alerts, communication.

3. Financial Data
Such as monthly income and bank account details.
Purpose: risk evaluation, loan processing, transaction settlement.

4. Employment Data
Such as occupation, industry, and employment status.
Purpose: eligibility assessment and creditworthiness evaluation.

5. Image Data
Such as facial image/selfie or document images.
Purpose: identity checks, KYC compliance, fraud prevention.

6. Usage & Interaction Data
Such as in-app activity, configuration choices, feature usage patterns, and user behavior in the app.
Purpose: improving product performance and user experience, service security.

7. Sensitive or Special Categories (If Applicable)
Such as information that may be considered sensitive under applicable law (e.g., religion or other legally protected categories).
Purpose: collected only when required for specific services and strictly handled under NDPA safeguards.

---

2.2 Information We Access During Active App Use

During your active usage, the Platform may request or access the following in order to deliver key functions:

A. Camera and Gallery Access

We may request access to your camera and photos/gallery to enable:

• Capturing or uploading identity documents
• Face verification selfies

These permissions are used only for onboarding, KYC verification, and service delivery.

---

3. Data Retention

We retain personal information only for the duration necessary to achieve the purposes described in this Policy, including business operations, legal obligations, regulatory requirements, and dispute resolution. When data is no longer required, it will be securely deleted, anonymized, or otherwise disposed of in line with NDPA standards.

---

4. Permissions & Personal Data Processing Disclosure

This disclosure explains the categories of personal data we may collect and use when providing services in Nigeria, the related device permissions, the purposes of processing, and the compliance basis. We process personal data in accordance with applicable Nigerian data protection laws and regulatory requirements, including the Nigeria Data Protection Act, 2023 (NDPA) and relevant guidance, and where applicable we also take into account the NDPR 2019 framework.

LUMEN LOAN protects your information during transmission. Data submitted in the app is sent securely over HTTPS and stored on our servers (https://verster.ishowmeskllp.com/). We do not disclose your personal data to third parties without your permission, unless required by law or necessary to deliver the services you request.

Personal Identification & KYC Information

Data we may process:

• Full name, gender, date of birth/age
• Nationality/citizenship
• Residential address/location
• Government-issued identification details (e.g., national ID/passport/driver’s licence numbers), depending on the onboarding flow and applicable requirements

Source:

• Information you enter and/or upload in the app; and, where you authorize it, verification results from compliance partners

Purpose:

• Identity verification, KYC checks, and fraud prevention
• Eligibility assessment and risk controls
• Compliance with applicable legal and regulatory obligations (including AML/CFT-related requirements)

Profile & Application Data

Data we may process:

• Education level, employment status, occupation, income range, marital status, housing type
• Any other information you choose to provide in application forms or questionnaires

Purpose:

• Credit/risk assessment and pricing (where applicable)
• Improving risk management models and service processes
• Customer support and dispute handling

Banking & Payment Information

Data we may process:

• Bank account details, bank name, payment identifiers
• Transaction records, disbursement/repayment history, reconciliation information
• Where applicable, transaction reference numbers and confirmations from payment channels/service providers

Purpose:

• Evaluating applications and repayment capacity
• Disbursements, collections, and payment reconciliation
• Compliance reviews and AML/fraud controls

Note:

• We do not use this data for advertising or unrelated marketing profiling.

Camera Permission

With your permission, we may use your device camera to:

• Capture a selfie for liveness checks
• Scan or photograph identity documents for authenticity checks

Purpose:

• Prevent identity impersonation, forged documents, and fraudulent applications
• Increase the reliability of identity verification

Protective measures:

• The camera is not used in the background; captured images are used only for identity verification and fraud-prevention purposes.

Emergency Contacts

In certain cases, we may request emergency contact details.

Data we may process:

• Name, relationship, and phone number of the emergency contact(s) you provide

Source:

• Only contact details you manually select and/or enter (as prompted in the app)

Purpose:

• Supporting identity verification processes and enabling contact in emergency situations

Important:

• We do not collect or upload your full address book.

Installed Applications Information

Where authorized or permitted by the system, we may collect limited information about apps installed on your device, such as:

• Package name, category, and installation status (we do not collect in-app content)

Purpose:

• Device risk assessment and fraud prevention (e.g., identifying abnormal environments or high-risk patterns)
• Supporting risk controls (not used for ad targeting)

Device Information

While you use our Android app, we may process:

• Device model, OS version, and basic hardware/display parameters
• IP address and network operator information
• Android-related identifiers (only where necessary and lawful for security and fraud prevention)

Purpose:

• Account security, fraud prevention, and risk management
• Ensuring service compatibility, stability, and performance

Note:

• These identifiers are not used for cross-app advertising tracking or marketing profiling.

Approximate Location

With your permission, we may collect approximate location data (e.g., general coordinates, accuracy radius, timestamp, and region-level location description).

Purpose:

• Anomaly detection and device-consistency checks
• Fraud prevention and risk controls required for compliance

Note:

• We do not collect location in the background unless you provide explicit consent.

Access & Interaction Logs

We may process service usage and operational data, such as:

• Account identifiers, login/verification events (e.g., OTP verification results), session logs
• In-app interaction events and customer support communications (where applicable)

Purpose:

• Account maintenance and secure authentication
• Troubleshooting and audit trails
• Product improvement and customer support

Information Obtained from Partners / Third Parties

Where lawful and necessary, we may obtain information from authorized third parties and partners, including:

• Identity verification providers and sanctions/PEP screening providers
• Credit reference agencies / credit bureau partners (where applicable)
• Payment partners, banks, and settlement partners
• Fraud prevention and security service providers

Purpose:

• Validating submitted information and performing compliance screening
• Credit assessment, fraud prevention, and risk management
• Meeting applicable regulatory obligations

Your Choices & Controls

• You can manage permissions (e.g., camera, location, contacts) in your device settings. Disabling certain permissions may affect specific features.
• We apply appropriate organizational and technical measures to protect personal data and retain it only for as long as necessary to fulfill the purposes described (details may be provided in our Privacy Policy/Data Retention Policy).

---

5. When We May Share Personal Information

We may disclose your personal information only in limited scenarios, such as:

• Where required by applicable laws, regulatory directives, or lawful requests.
• To prevent fraud, financial crime, or imminent harm.
• With credit bureaus, professional service providers, or processors involved in compliance and risk assessment.
• To protect our legal rights, security, or property.
• During corporate transactions (merger, acquisition, restructuring), subject to confidentiality protections.
• When you have provided explicit consent.

---

6. Cookies (Website Use)

Our website may use secure, encrypted session cookies to ensure functionality, maintain your session, and protect your access. These cookies do not collect unnecessary personal information and typically expire after logout or timeout. You may disable cookies in your browser settings; however, some features may not work as intended.

---

7. Your Rights Under NDPA 2023

Under the Nigeria Data Protection Act (NDPA) 2023, you have rights that allow you greater control over your personal data, including device and location data where applicable. These rights include:

• Right to access personal data
• Right to correction/rectification
• Right to erasure (right to be forgotten)
• Right to restrict processing
• Right to object to processing
• Right to data portability
• Right to challenge automated decision-making
• Right to withdraw consent

We will respond to verified requests within a reasonable timeframe and in line with legal requirements.

---

7.1 Right of Access

You may ask whether we hold personal data about you and request:

• a copy of your data (electronic format, or paper upon request)
• explanation of processing purposes and retention
• information about data sharing recipients (if any)
• details about automated decision-making that affects you

---

7.2 Right to Rectification

If your data is inaccurate, incomplete, or outdated, you may request corrections. Where correction is not possible, we may record your dispute or add a note indicating contested accuracy.

---

7.3 Right to Erasure (“Right to Be Forgotten”)

You may request deletion of your personal data when:

• it is no longer needed for the purpose collected
• processing was unlawful
• deletion is required by law
• you withdraw consent (where consent is the lawful basis)
• you object and there is no overriding legitimate interest
• you object to direct marketing

We may decline or limit deletion where retention is necessary for:

• compliance with Nigerian law/regulatory obligations
• establishment or defense of legal claims
• public interest or lawful authority

Where deletion cannot be completed, we will restrict processing where legally feasible.

---

7.4 Right to Object

You may object to processing based on legitimate interests (including profiling). We will stop processing unless we demonstrate compelling legitimate grounds. You may also object at any time to direct marketing and related profiling, and we will stop immediately.

---

7.5 Right to Restrict Processing

You may request restriction where:

• accuracy is contested
• processing is unlawful and restriction is preferred
• data is needed for legal claims
• an objection is under review

During restriction, we process data only with consent or for legal obligations, security, or public interest reasons.

---

7.6 Data Portability

Where processing is based on consent or contract and is carried out by automated means, you may request:

• your data in a structured, commonly used, machine-readable format; or
• direct transfer to another controller (if technically feasible).

---

7.7 Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing (including profiling) that has legal or similarly significant effects, such as credit scoring decisions. You may request human review, provide your viewpoint, and challenge the outcome.

We may process automated decisions only where permitted by law, necessary for contract performance, or based on explicit consent, and always with appropriate safeguards under NDPA.

---

7.8 Withdrawal of Consent

Where we rely on consent (e.g., location permissions, GAID, optional marketing), you may withdraw consent at any time.

• Withdrawal does not affect processing that occurred before withdrawal.
• After withdrawal, we will stop processing the relevant data as soon as practical.
• Some services may be limited if the withdrawn data is essential for functionality.

---

8. Security Measures

We implement technical and organizational safeguards to protect your personal data, such as:

• encryption and secure transmission
• firewalls and access controls
• controlled physical access and monitoring
• internal security training and audits
• secure server infrastructure

You are responsible for keeping login credentials confidential and notifying us promptly if you suspect unauthorized access.

---

9. Data Breach Handling

If a personal data breach occurs, our Data Protection function will assess, contain, and investigate the incident. We aim to take appropriate action within 7 days. Where your data may be impacted, we will notify you as required and, where applicable, within 48 hours after resolution.

---

10. Applicable Law

This Policy is governed by the Nigeria Data Protection Act (NDPA) 2023 and other relevant Nigerian laws and regulations.

---

11. Updates to This Policy

We may revise this Privacy Policy from time to time to reflect operational changes, regulatory updates, or improvements to our Services. The latest version will be posted through official channels and will become effective upon publication.

---

12. Cross-Border Transfers

With your explicit consent where required, we may transfer your personal data outside Nigeria for service delivery and operational needs. All international transfers will be handled using NDPA-compliant safeguards and appropriate security protections.

---