DRAFT — requires review by qualified counsel before publication.
This document is a professional draft prepared for internal review. It is not legal advice.
Placeholders to resolve before publication: {{EFFECTIVE_DATE}}, {{PRIVACY_CONTACT}}, {{COMPANY_LEGAL_NAME}}, {{COMPANY_ADDRESS}}.
Privacy Policy
Version 1.0.0 — Effective {{EFFECTIVE_DATE}}
This Privacy Policy explains how {{COMPANY_LEGAL_NAME}}, {{COMPANY_ADDRESS}} ("Njangi On-Chain", "we", "us") processes personal data when you use Njangi On-Chain (the "Service"). The Service is built to keep personal data to a minimum: we hold no private keys, we never see your card details, and the only personally identifying routing data we store off your device is encrypted so that we can destroy access to it on request.
Data controller: {{COMPANY_LEGAL_NAME}}. Privacy contact: {{PRIVACY_CONTACT}}.
1. Data We Process
| Category | Examples | Source | Where it lives |
|---|---|---|---|
| OAuth identity | Provider subject identifier (sub), OAuth client identifier (aud), provider name; display name and profile picture shown in the app | Google, Facebook, or Apple sign-in (zkLogin) | Our database (salt records keyed by sub/aud); session data |
| Email address | Email from your OAuth profile; email you submit to the waitlist/notification form | You / your OAuth provider | Our database |
| Wallet data | Your Sui address (derived from your OAuth identity and a server-stored cryptographic salt); encrypted salt; hashed recovery codes | Generated by the Service | Salt and recovery hashes in our database; the address itself is public on the Sui blockchain |
| WhatsApp routing data | Phone number (E.164) or WhatsApp group ID/name used for circle notifications | You / your circle admin | Encrypted (AES-256-GCM) and stored on Walrus decentralized storage; an HMAC (one-way keyed hash) of the phone number in our database for lookup; only an opaque pointer + random nonce on-chain — never the plaintext |
| On-chain activity | Circle membership, contributions, payouts, recovery actions, opaque compliance hashes — all tied to your Sui address | Your transactions | The public Sui blockchain (permanent) |
| Billing data | Stripe customer ID, subscription plan and status, billing period dates | Stripe | Our database (status only); full payment details are held by Stripe, never by us |
| Usage and technical data | IP address, device/browser data, application logs, error reports, join requests, UI preferences | Your use of the Service | Our servers/database |
| Legal acceptance records | Which document versions you accepted, when, in which language, and a hashed IP | Your acceptance in the app | Our database |
We do not collect government ID documents, card numbers, or fiat banking details. Identity verification (KYC) for fiat purchases is performed by ramp partners on their own platforms (Section 5).
2. Purposes of Processing
We process personal data to:
- create and authenticate your account and derive your wallet address (OAuth identity, salt);
- operate savings circles and show you and your circle relevant state;
- send WhatsApp notifications you or your circle admin set up (e.g. "it's your turn to collect");
- manage Free/Premium subscriptions and billing through Stripe;
- secure the Service, prevent fraud and abuse, and debug errors;
- comply with legal obligations and respond to lawful requests;
- record your acceptance of legal documents;
- with your consent, contact you about launches (waitlist).
We do not sell personal data and do not use it for third-party advertising.
3. How the Architecture Protects You
- Non-custodial wallets. Your wallet is derived via zkLogin; we never hold your private keys and cannot transact for you.
- Encrypted WhatsApp data. WhatsApp phone numbers and group IDs are encrypted with AES-256-GCM before leaving our server environment and stored on Walrus decentralized storage. The blockchain holds only an opaque blob pointer and a random nonce. Phone-number lookups use a keyed one-way hash (HMAC), not the number itself.
- Pseudonymous chain data. The blockchain records your Sui address and transactions, not your name. Be aware that blockchain analysis can sometimes link an address to a person — see Section 7.
- Opaque compliance anchors. Where a partner confirms its KYC checks, only a cryptographic hash may be anchored on-chain. The hash contains no name, phone number, document data, or country.
4. Processors and Recipients
We share personal data with the following categories of recipients, only as needed:
| Recipient | Role | Data involved |
|---|---|---|
| Google / Apple / Facebook (Meta) | OAuth sign-in providers | Authentication flows; they know you signed in to the Service |
| Stripe | Payment processor for subscriptions | Your email and billing details (collected by Stripe directly); we receive customer/subscription identifiers and status, never full card data |
| Meta — WhatsApp Business Platform | Delivery of WhatsApp notifications | Recipient phone number / group and message content at the moment of sending, under Meta's terms |
| Walrus (decentralized storage network) | Storage of encrypted PII envelopes | Ciphertext only; node operators cannot read it |
| Fiat ramp partners (Coinbase, MoonPay, Transak) | Fiat-to-crypto purchases, KYC/AML | If you use them, they collect your identity data as independent controllers under their own privacy policies; we receive transaction status and the destination wallet address |
| Cloud hosting and database providers | Infrastructure | Data listed in Section 1 hosted on our behalf |
| Sui RPC providers | Blockchain reads/writes | Your address and transaction payloads (already public chain data) |
| Authorities | Legal compliance | Where required by applicable law |
Processors act under contracts requiring confidentiality and security. Ramp partners and OAuth providers are independent controllers for the data they collect on their own platforms.
5. Fiat Purchases (Ramp Partners)
When you buy crypto with fiat, you do so on the partner's platform. The partner — not Njangi On-Chain — collects your KYC information (ID documents, selfies, payment details) under its own license and privacy policy. We never receive those documents. We receive only the purchase status and the destination address, which we use to update the app and, where applicable, record an opaque compliance hash on-chain.
6. Stripe Subscription Data Flow
If you subscribe to Premium:
- You are redirected to a Stripe-hosted checkout page. Card details are entered there and processed entirely by Stripe.
- Stripe sends us webhook events containing your Stripe customer ID, subscription ID, plan, and status. We store these alongside your Sui address and OAuth identifiers to grant Premium features.
- We never receive or store full card numbers, CVCs, or bank credentials.
Stripe processes your billing data under its own privacy policy and certifications (PCI-DSS).
7. On-Chain Data Is Permanent — An Important Limitation
The Sui blockchain is a public, append-only ledger replicated across independent operators worldwide. Data recorded on-chain — your wallet address, circle membership and transaction history, and opaque hashes — cannot be modified or deleted by us or anyone else, ever. This is a structural property of blockchains, not a choice we can reverse.
We minimize what goes on-chain (no names, no phone numbers, no emails — only addresses, amounts, and opaque pointers/hashes). But you should assume that anything your address does on-chain is permanently public, and that third parties may attempt to link addresses to identities.
8. Retention
- OAuth identity, salt, recovery hashes: kept while your account exists; deleted on verified deletion request (Section 9), subject to the limits below.
- WhatsApp routing data: kept while the link is active; access destroyed on unlinking or deletion request (see Section 9).
- Billing records: kept as required by tax and accounting law (typically up to 10 years).
- Legal acceptance records and data needed to establish or defend legal claims: kept for the applicable limitation period.
- Logs and technical data: kept for a short rolling window, then deleted or anonymized.
- On-chain data: permanent (Section 7).
9. Your Rights and How Deletion Works
Subject to applicable law (including Cameroonian data-protection law and, where it applies, the GDPR), you may request: access to your data, correction, deletion, restriction, objection, and a portable copy. Contact {{PRIVACY_CONTACT}}; we will verify the request comes from the account holder and respond within the legally required time.
What deletion does:
- Off-chain personal data is deleted. Database rows holding your OAuth identifiers, email, salt record, recovery hashes, phone-number HMAC index, join requests, and preferences are removed (except records we must keep by law, e.g. billing and acceptance records).
- Encrypted WhatsApp envelopes become permanently unreadable. Walrus blobs are immutable, so we delete the cryptographic key material needed to decrypt your envelope. Without the key, the ciphertext is permanently undecryptable by us or anyone else (cryptographic erasure).
- On-chain data cannot be deleted. Your Sui address, transaction history, and any opaque hashes remain on the public blockchain indefinitely (Section 7). Deletion severs the link between that address and the identity data we held, but it does not — and cannot — erase the chain.
- Warning: deleting your salt record may make your wallet address unrecoverable through the Service. Withdraw or transfer funds before requesting deletion.
If you believe your rights have been violated, you may lodge a complaint with your local data-protection authority.
10. Security
We use TLS in transit, AES-256-GCM for stored PII envelopes, keyed hashing for phone lookups, access controls and secrets management for server keys, and signature verification on partner webhooks. No system is perfectly secure; we will notify you and the competent authority of personal-data breaches as required by law.
11. International Transfers
Our infrastructure providers, OAuth providers, Stripe, Meta, and ramp partners may process data outside your country, including in the United States and the European Union. Where required, we rely on appropriate safeguards (such as contractual protections) for such transfers. Blockchain and Walrus data is, by design, replicated globally.
12. Children
The Service is not directed at, and may not be used by, persons under 18. We do not knowingly process children's data; if you believe we have, contact {{PRIVACY_CONTACT}}.
13. Changes to This Policy
We may update this Policy. Each version carries a version number and effective date. Material changes will be notified in the app and/or by email before they take effect, and the app may ask you to acknowledge the new version.
14. Contact
{{COMPANY_LEGAL_NAME}}, {{COMPANY_ADDRESS}} — {{PRIVACY_CONTACT}}