Privacy Policy
Clusteer ("Clusteer", "we", "us", "our") is a stablecoin-to-Naira transaction platform operated by Outbuild Ltd (RC 8076384), a company registered in Nigeria. Crypto-asset exchange, custody, and related functions are provided through a licensed third-party exchange and custody partner; Clusteer provides the user-facing platform and Naira settlement experience.
This Policy explains how we collect, use, share, and protect your personal data when you use Clusteer, and your rights under the Nigeria Data Protection Act 2023 (NDPA), the NDPC's General Application and Implementation Directive 2025 (GAID), and related laws.
By using Clusteer, you acknowledge that you have read and understood this Policy. Please read it alongside our Terms of Service and our Cookie Policy.
Who We Are (Data Controller)
The data controller responsible for the personal data you provide to Clusteer is Outbuild Ltd, operating the Clusteer platform.
Certain processing necessary for the crypto-exchange leg of your transactions — including digital-asset custody, exchange execution, settlement, and elements of identity verification — is carried out by our licensed exchange and custody partner, which acts as a separate or joint data controller, or our data processor, for that processing under appropriate data-protection terms.
As a processor of identity, biometric, and financial data, Outbuild Ltd is a data controller of major importance under the NDPA/GAID.
The Personal Data We Collect
To provide a regulated financial service, we (and, for verification and the crypto leg, our exchange and custody partner) collect:
Identity data — full name, date of birth, gender, nationality, residential address; government identification numbers (such as BVN and NIN) and identity documents (e.g. passport, driver's licence, voter's card, national ID).
Biometric data — a facial image and "liveness" data captured during identity verification.
Contact data — email address, phone number.
Financial and transaction data — your Nigerian bank account details; records of your buy/sell transactions; amounts; stablecoin wallet addresses you send to or receive from; and related transaction details.
Verification and compliance data — the results of identity, sanctions, politically-exposed-person (PEP), and screening checks; your risk rating; and, where applicable, source-of-funds information.
Technical and usage data — device information, IP address, log data, and information collected via cookies and similar technologies (see our Cookie Policy).
How We Collect Your Data
- Directly from you — when you register, complete verification, or transact.
- Automatically — through your use of the platform (technical/usage data, cookies).
- From third parties — our exchange and custody partner and licensed identity-verification providers and authoritative databases used to verify your identity; blockchain networks (publicly visible wallet and transaction data); and our banking, payment, custodial, and liquidity partners.
Why We Use Your Data, and Our Lawful Basis
We process your personal data on the following lawful bases under the NDPA:
| Purpose | Lawful basis |
|---|---|
| Verifying your identity and meeting Know Your Customer (KYC), Anti-Money Laundering (AML), and counter-terrorism-financing obligations | Compliance with a legal obligation |
| Processing sensitive personal data (biometric/liveness data) for identity verification and fraud prevention | Necessary for compliance with a legal obligation / for the establishment, exercise or defence of a legal claim, and, where required, your explicit consent (see Section 5) |
| Providing the Clusteer service (processing your buy/sell orders, settlement, support) | Performance of a contract with you |
| Detecting, preventing, and investigating fraud and financial crime; transaction monitoring; sanctions and PEP screening | Legal obligation and legitimate interests |
| Maintaining records required by law | Legal obligation |
| Improving and securing the platform | Legitimate interests |
| Optional communications (e.g. marketing, where offered) | Consent |
Sensitive Personal Data (Including Biometrics)
Your facial image and liveness data are sensitive personal data under Section 30 of the NDPA. We process them only on a lawful ground permitted for sensitive data (identity verification and fraud prevention required by AML law, and/or your explicit consent). We:
- collect them only to verify your identity and prevent impersonation and fraud;
- protect them with enhanced security measures, including encryption and strict access controls;
- do not use them for any purpose beyond verification and fraud prevention; and
- retain them only for as long as the law requires (see Section 8).
Where identity/biometric verification is performed by our exchange and custody partner or a licensed verification provider, that party processes this data under appropriate data-protection terms.
International Transfers
The NDPA prohibits transfers of personal data outside Nigeria by default (Sections 41–43). Where personal data is transferred or stored outside Nigeria (for example, by our exchange and custody partner, a KYC provider, or our hosting/service providers), we rely on one of the lawful bases the NDPA permits:
- transfer to a country/region the NDPC has determined provides an adequate level of protection (Section 42); or
- where no adequacy decision applies, appropriate safeguards such as Standard Contractual Clauses (SCCs) or binding corporate rules that give you enforceable rights (Sections 41 and 43); or
- a specific statutory derogation under Section 43 (e.g. necessity for performance of your contract).
How Long We Keep Your Data
We keep your personal data for as long as you are a customer and, after your relationship with us ends, for at least five (5) years from the end of the business relationship or the completion of the relevant transaction (whichever is later), as required by Nigeria's Money Laundering (Prevention and Prohibition) Act 2022 (or longer where a law or authority requires).
How We Protect Your Data
We apply appropriate technical and organisational measures to protect your data, including encryption, access controls on a need-to-know basis, access logging, secure backups, and staff confidentiality obligations. No system is completely secure, but we work to protect your information and to respond promptly to any incident.
Your Rights Under the NDPA
Subject to legal limits (including our retention obligations), you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request erasure of your data (except where we must keep it by law);
- object to or request restriction of certain processing;
- request portability of data you provided to us;
- not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, except as permitted by law (Section 37);
- withdraw consent for any processing based on consent (e.g. marketing); and
- lodge a complaint with the Nigeria Data Protection Commission (NDPC).
To exercise any right, contact us at legal@clusteer.com. We will respond within the timeframe required by law. We may need to verify your identity before acting on a request. Where a right relates to data held by our exchange and custody partner or a verification provider, we will direct or assist your request to the relevant party.
Children
Clusteer is not intended for, and may not be used by, anyone under 18. We do not knowingly collect data from minors.
Changes to This Policy
We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, where appropriate, notify you. Continued use of Clusteer after changes take effect constitutes acceptance of the updated Policy.
Contact Us
Questions about this Policy or your data:
*Clusteer is a product operated by Outbuild Ltd (RC 8076384). Crypto-asset exchange and custody services are provided by a licensed third-party partner.*