1. DATA CONTROLLER AND CONTACT INFORMATION
This Privacy Policy supplements LemFi's main Privacy Policy and explains specifically how LemFi processes personal data in connection with the EarnBack referral programme. In the event of any conflict between this document and the main Privacy Policy, this document prevails in respect of EarnBack data processing. This Policy applies to both the Referrer and the Referee (the referred contact).
1.1 The data controller responsible for personal data processed in connection with the EarnBack Programme is:
Pomelo Added Services Ltd. 4, Elbe close, Off Panama Crescent, Maitama, Abuja, Maitama FCT, Nigeria, Registration Number: 1807354.
1.2 LemFi has appointed a Data Protection Officer (DPO) who can be contacted at:
Email: dataprivacycounsel@lemfi.com
Post: Data Protection Officer, Pomelo Added Services Ltd, 4, Elbe close, Off Panama Crescent, Maitama, Abuja, Maitama FCT, Nigeria.
1.3 Where LemFi operates through a local subsidiary or partner in a Participating Market, that entity acts as a co-controller in respect of data subjects in that market. Details of applicable co-controllers are available upon request from dataprivacycounsel@lemfi.com.
2. SCOPE AND APPLICABLE PRIVACY FRAMEWORKS
2.1 LemFi operates across multiple jurisdictions. The following privacy frameworks are applicable to personal data processed under the EarnBack Programme, depending on the data subject's location:
General Data Protection Regulation (GDPR – EU) and UK GDPR: Applicable to data subjects in the European Union and United Kingdom respectively;
Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation: Applicable to data subjects in Canada;
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): Applicable to California residents;
National data protection laws in applicable African Participating Markets, including without limitation the Nigeria Data Protection Act 2023, Ghana Data Protection Act 2012, Kenya Data Protection Act 2019, and any other applicable national legislation.
2.2 This Policy is drafted to satisfy the highest applicable standards across these frameworks, including transparency, purpose limitation, data minimisation, and respect for data subject rights.
3. PERSONAL DATA WE COLLECT
3.1 Data Collected from the Referrer
When you opt into the EarnBack Programme and use its features, LemFi processes the following categories of personal data about you:
Identification and Account Data: Your full name, LemFi user ID, and account verification status;
Contact Data: Your registered email address;
Programme Activity Data: Details of your Referral Link, referral history, contacts selected for invitation, Qualifying Transaction attribution, and Reward disbursement records;
Device and Technical Data: Device type, operating system, IP address, and app version, collected automatically when you use the Programme;
Financial Data: Your designated Disbursement Method (bank account or mobile money wallet details) for Reward payment.
3.2 Data Collected from the Referee (Referred Contact)
When you select a contact from your device's directory and proceed to share the Referral Link:
- Phone Number: The phone number as stored in your device contacts.
This data is extracted and processed by LemFi for the purposes described in Section 4 below. The Referee is an identifiable natural person in respect of whom LemFi assumes data controller obligations as set out in this Policy.
3.3 Data We Do Not Collect
LemFi does not collect or store the entirety of your device contact list. Only the data of the specific contacts you affirmatively select within the EarnBack interface is extracted and processed.
4. PURPOSES AND LEGAL BASES FOR PROCESSING
LemFi processes personal data in connection with the EarnBack Programme for the following purposes and on the following legal bases:
| Processing Purpose | Data Processed | Legal Basis (GDPR/UK GDPR) | Equivalent Basis (Other Frameworks) |
|---|---|---|---|
| Referral tracking and Reward attribution | Referrer ID, Referral Link, Referee name and phone, Qualifying Transaction data | Performance of contract (Art. 6(1)(b)) | Contractual necessity / Consent (CCPA, PIPEDA) |
| Sending or enabling the referral invitation to the Referee | Referee name, phone number | Legitimate interest (Art. 6(1)(f)): facilitating financial product referrals between consenting parties | Legitimate interests / Opt-in consent where required by local law |
| Fraud prevention and programme integrity | All programme activity data, device/technical data, transaction data | Legitimate interest (Art. 6(1)(f)); Legal obligation (Art. 6(1)(c)) where AML/CFT applies | Legitimate interests / Legal compliance |
| Reward disbursement to Referrer | Referrer financial account details, Reward amounts | Performance of contract (Art. 6(1)(b)) | Contractual necessity |
| Regulatory compliance, AML/CFT, and record-keeping | All data categories above | Legal obligation (Art. 6(1)(c)) | Legal obligation |
Notice to Referees: If you have received a referral invitation, your name and contact details were provided to LemFi by the person who invited you. LemFi has processed this data on the basis of legitimate interest in facilitating the referral. You have the right to request deletion of your data if you do not wish to proceed with onboarding. See Section 9 for how to exercise this right.
5. DATA RETENTION
5.1 LemFi retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by Applicable Law. The applicable retention periods are summarised below:
| Data Category | Retention Period | Basis for Retention |
|---|---|---|
| Referee contact data (phone) — where Referee does NOT register | [90] days from date of extraction | Limited window to fulfil referral purpose; deleted upon expiry if no registration occurs |
| Referee contact data (phone) — where Referee registers | Duration of Referee's LemFi account, plus [5] years | Contractual and regulatory necessity; AML/CFT compliance |
| Referral Programme activity and attribution records | [5] years from Programme opt-out or last referral activity | Financial records retention obligations; fraud investigation |
| Reward disbursement records (financial data) | [7] years from disbursement date | Tax, financial records, and regulatory retention obligations |
| Fraud investigation records | [7] years from date of investigation closure | Regulatory compliance and litigation risk management |
| Device and technical data | [12] months from collection | Security monitoring and operational purposes |
5.2 Where LemFi is required by law to retain data for a longer period than set out above, the legal retention obligation will prevail.
5.3 Upon expiry of the applicable retention period, personal data will be securely deleted or irreversibly anonymised. Anonymised or aggregated data derived from the EarnBack Programme may be retained indefinitely for analytics and product improvement purposes.
7. DATA SECURITY
7.1 LemFi implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, without limitation, end-to-end encryption in transit, encryption at rest, access controls and role-based permissions, regular security audits and penetration testing, and incident response procedures.
7.2 In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of data subjects, LemFi will notify affected individuals without undue delay, and will notify relevant supervisory authorities within the timeframes required by Applicable Law.
9. DATA SUBJECT RIGHTS
9.1 Depending on your location, you may have the following rights in respect of your personal data processed in connection with the EarnBack Programme:
Right of Access: To request a copy of the personal data LemFi holds about you;
Right to Rectification: To request correction of inaccurate or incomplete data;
Right to Erasure (Right to be Forgotten): To request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent;
Right to Restriction: To request that LemFi restricts processing of your data in certain circumstances;
Right to Portability: To receive your personal data in a structured, machine-readable format;
Right to Object: To object to processing based on legitimate interests;
Right to Opt-Out of Sale (CCPA/CPRA): California residents have the right to opt out of the sale or sharing of their personal information (noting LemFi does not sell personal data);
Right to Withdraw Consent: Where processing is based on consent, to withdraw consent at any time without affecting the lawfulness of prior processing.
9.2 To exercise any of the above rights, or to request deletion of your data as a Referee who has not registered as a LemFi user, contact LemFi's Data Protection Officer at:
Email: dataprivacycounsel@lemfi.com.
In-app: Profile > Delete Account
9.3 LemFi will respond to all verified data subject requests within:
[30] calendar days under GDPR/UK GDPR (extendable to [90] days for complex requests with notice);
[45] calendar days under CCPA/CPRA (extendable by a further [45] days with notice);
[30] business days under PIPEDA;
Timeframes required by applicable African national legislation.
9.4 Requests for erasure of Referee data will be processed as follows: where the Referee has not registered with LemFi, their contact data will be deleted within [5] business days of the verified request. Where the Referee has registered and is an active LemFi user, the main Privacy Policy governs deletion, and erasure may be limited by regulatory retention obligations.
9.5 If you are dissatisfied with LemFi's response to a data subject request, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.
10. CHILDREN'S PRIVACY
10.1 The EarnBack Programme is not directed at or intended for use by individuals under the age of 18. LemFi does not knowingly collect personal data from minors. If LemFi becomes aware that a minor's data has been collected without appropriate consent, it will take prompt steps to delete such data.
11. CHANGES TO THIS PRIVACY POLICY
11.1 LemFi may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification and/or email to affected users at least [14] days before taking effect. The effective date of the current version is set out at the top of this document.
11.2 Continued participation in the EarnBack Programme following the effective date of any updated Policy constitutes acceptance of the updated terms.
SCHEDULE 1 — REWARD SCHEDULE: MARKET-SPECIFIC TERMS
This Schedule is incorporated into and forms part of the EarnBack Programme Terms & Conditions. LemFi will populate the market-specific fields below prior to the Programme launch in each Participating Market. Until populated, the Schedule shall be treated as a placeholder. LemFi may update Schedule 1 at any time.
| Market | Reward |
|---|---|
| Nigeria | 10,000 NGN |
| Ghana | 100 GHS |
| Kenya | 1,000 KES |
| XOF Currency Zone | 5,000 CFA |
| XAF Currency Zone | 5,000 CFA |
| Market | Welcome Bonus | Minimum Qualifying Amount |
|---|---|---|
| European Union | €10 | €100 |
| United Kingdom | £10 | £100 |
| United States | $20 | $100 |
| Canada | $20 | $100 |
Notes:
Rewards are denominated in local currency of the Participating Market in which the Referrer holds their LemFi account.
Minimum Qualifying Transaction refers to a send transaction initiated by the Referee, net of fees. Transaction type eligibility (e.g. international transfer only, or including domestic) to be confirmed per market.
LemFi reserves the right to run limited-time promotional Reward rates, which will be communicated in-app and on the LemFi website.
SCHEDULE 2 — DATA RETENTION MATRIX: EARNBACK PROGRAMME
For Data Protection & Compliance Reference
This Schedule sets out LemFi's data retention framework for the EarnBack Programme, aligned with GDPR/UK GDPR, PIPEDA, CCPA/CPRA, and applicable African data protection legislation. It is a reference document for internal compliance and for disclosure to data subjects upon request.
| Data Category | Data Subject | Retention Period | Deletion/Anonymisation Trigger |
|---|---|---|---|
| Referee contact data (non-registrant) | Referee | 5 years | Auto-deleted upon expiry or upon verified erasure request. No further processing after expiry. |
| Referee contact data (registered user) | Referee / LemFi User | Account lifetime + 5 years | Account closure followed by regulatory retention period. Subject to AML/CFT obligations. |
| Referral attribution and programme activity logs | Referrer | 5 years | Deletion triggered [5] years post opt-out or last programme activity, whichever is later. |
| Reward disbursement financial records | Referrer | 7 years | Statutory financial records retention. Supersedes any erasure request during this period. |
| Fraud investigation records | Referrer / Referee | 7 years from investigation close | Litigation and regulatory risk management. Subject to legal hold where proceedings are ongoing. |
| Device / technical / IP data | Referrer | 12 months | Rolling deletion; anonymised aggregates may be retained for security analytics. |
