Effective Date: 16 February 2026
1. Introduction
Welcome to Paycilo.
This Privacy Policy explains how Webcilo Inc., a company incorporated in Nigeria, collects, uses, protects and discloses your information when you use:
- paycilo.com
- Our Application Programming Interfaces (APIs)
- Related support services
Collectively referred to as the Services.
Paycilo serves as a secure infrastructure for direct commerce, enabling you to share and manage your payment coordinates safely for receiving direct bank or wallet transfers.
This Policy is drafted to comply with:
- UK General Data Protection Regulation
- Data Protection Act 2018
2. Data Controller
The legal entity responsible for processing your Personal Data is:
Webcilo Inc.
Incorporated in Nigeria
Email: [email protected]
Webcilo Inc. is the sole operator of Paycilo.
3. Regulatory Position
Paycilo operates as a Technical Service Provider under Regulation 3(j) of the UK Payment Services Regulations 2017.
Important clarifications:
- We do not accept, hold or transmit funds.
- We do not execute payments.
- We are not a bank, Electronic Money Institution, or Payment Institution.
- We transmit payment information only.
All payments are executed directly between the payer and the payee through their own banking application or wallet.
Because we do not enter into possession of funds, we process data under Contractual Necessity and Legitimate Interests rather than under financial custody regulations.
4. Data We Collect
We collect data in three categories.
4.1 Identity Data
When you create an account, we may collect:
- Full name
- Email address
- Phone number
- Username
- Profile image
- Business name where applicable
For verified profiles, we may collect:
- Government issued identification
- Selfie or biometric verification
Verification may be processed through approved third party providers.
4.2 Financial Data
We store payment coordinates—not money or cash equivalent values. This includes:
- Bank account numbers
- Sort codes / Routing numbers
- International Bank Account Numbers (IBAN)
- Public crypto wallet addresses
Security Controls for Financial Data:
| Control | Description |
| --- | --- |
| Encryption at Rest | Industry-standard AES 256 encryption for stored data. |
| Encryption in Transit | Robust TLS 1.3 encryption for data moving between systems. |
| Internal Access | Strict Role Based Access Controls (RBAC) to limit internal access to data. |
| Monitoring | Comprehensive logging and audit monitoring of data access and system activity. |
4.3 Transaction Metadata
We may record signalling data including:
- Amount requested
- Currency
- Timestamp
- Description
- IP address
- Device information
- Browser information
We record intent and signalling data only. We do not record or process the actual movement of funds.
5. Legal Basis for Processing
In compliance with UK GDPR and other applicable laws, our processing activities are founded on the following legal bases:
Contractual Necessity: This is the primary basis for providing and maintaining your Paycilo profile and securely displaying your selected payment details to a payer.
Legitimate Interests: This is used to protect the integrity of our platform, specifically to prevent and investigate fraud, scams, abuse, infrastructure misuse, and payment related deception.
Consent: This is the basis for all non-essential activities, primarily marketing communications and the deployment of non-essential cookies. You have the right to withdraw this consent at any time.
6. How We Share Information
Information is shared only under specific, secure, and legally-defined circumstances:
With Counterparties (Payers): When you request a payment, we securely display your selected payment details to the payer to facilitate the direct transfer. You maintain full control over which details are shared.
With Infrastructure Providers: We engage compliant service providers essential for operating the Services, including:
- Cloud hosting providers
- Email service providers
- Identity verification providers
- Analytics and performance providers
All providers are bound by strict contractual data protection obligations (Data Processing Agreements) that mandate the same level of security and compliance we uphold.
For Legal Compliance: We will only disclose information if required by a valid, legally binding court order, subpoena, or lawful governmental authority.
7. International Data Transfers
Webcilo Inc. is incorporated in Nigeria.
Data may be processed in:
- Nigeria
- United Kingdom
- United States
- Other operational jurisdictions where service providers are located
Where required under UK GDPR, we use:
- International Data Transfer Agreement
- UK Addendum to Standard Contractual Clauses
We apply encryption and access control safeguards to all cross border transfers.
8. Data Retention
Active accounts
Data is retained while your account remains active.
Deleted accounts
Identity data is erased within 30 days of a confirmed deletion request, subject to legal obligations.
Transaction metadata
Anonymised or hashed records may be retained for up to 6 years to defend legal claims and prevent fraud.
9. Your Rights
Under UK GDPR and applicable laws, you have the right to exercise control over your Personal Data, including the right to:
- Access: Request a copy of the Personal Data we hold about you.
- Correction: Have inaccurate or incomplete data corrected.
- Right to be Forgotten: Request the deletion of your personal data, subject to legal limitations.
- Object to Marketing: Opt-out of marketing communications at any time.
- Data Portability: Request your data in a structured, commonly used, and machine-readable format.
To exercise any of these rights, please contact our dedicated Privacy Team at: [email protected]
We will require identity verification to ensure the security of your data before processing any request.
10. Security Measures
We employ a multi-layered security architecture to protect your data, including:
- Data Encryption: AES 256 encryption at rest and TLS encryption in transit.
- Access Control: Strict Role Based Access Control (RBAC) across our systems.
- Infrastructure: Secure, reliable hosting environments.
- Vulnerability Management: Periodic penetration testing and vulnerability assessments by independent third parties.
Note: While we employ state-of-the-art safeguards, no system connected to the internet can be guaranteed as 100% secure. We continuously monitor and upgrade our security posture.
11. Direct Commerce Risk Disclosure
Paycilo functions as a secure communication and data infrastructure tool, not as a financial guarantor.
Important:
- We Cannot Reverse or Refund Payments: We do not possess the functionality to reverse bank transfers or refund payments, as all funds movement occurs outside of our infrastructure.
- Consumer Protection: Direct bank and crypto payments arranged via our infrastructure are generally not covered by consumer protection schemes such as Section 75 of the UK Consumer Credit Act 1974.
- User Responsibility: You are solely responsible for verifying the identity and trustworthiness of any person or entity before initiating a bank or crypto transfer to them.
Given the elevated risk of Authorised Push Payment (APP) fraud, particularly in the United Kingdom, users must exercise extreme diligence and caution before sending any funds.
12. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve our Services.
Cookies may be used for:
- Essential functionality such as authentication and security
- Fraud detection and abuse prevention
- Analytics and performance measurement
- Remembering user preferences
Non-essential cookies are deployed only where consent is obtained, in accordance with the Privacy and Electronic Communications Regulations 2003.
You may manage cookie preferences through your browser settings or our cookie banner where available.
13. Do Not Track Signals
Some browsers transmit Do Not Track signals.
At present, there is no universally accepted technical standard for recognising and responding to such signals. Where legally required, we honour user consent preferences through our cookie management mechanisms. In other cases, our systems may not automatically respond to browser based Do Not Track signals.
14. Children’s Data
Paycilo is not intended for individuals under 18 years of age.
We do not knowingly collect personal data from children. If we become aware that personal data has been collected from a child without appropriate consent, we will take steps to delete such information.
15. Automated Decision Making
We may use automated systems for fraud detection, risk monitoring and abuse prevention.
These systems do not make legally binding decisions that produce significant legal effects without human review.
You may request human review of decisions affecting your account by contacting [email protected].
16. Data Breach Notification
In the event of a personal data breach that is likely to result in risk to individuals, we will notify the appropriate supervisory authority in accordance with UK GDPR requirements.
Where required, we will also notify affected users without undue delay.
17. Supervisory Authority and Complaints
If you are located in the United Kingdom and believe your data rights have been infringed, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office: https://ico.org.uk
However, we strongly encourage users to contact our Privacy Team first so we can utilize our internal processes to attempt to resolve your concerns directly and quickly.
18. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in legal, regulatory, or operational requirements.
Where changes are material and substantially alter your rights or how we process your data, we will provide you with appropriate advance notice via email or a prominent notification on our website.
19. Contact
Webcilo Inc.
Email: [email protected]