Kolet

Privacy Policy

Last updated:

This is a draft privacy policy. It will be reviewed by counsel before launch. Substantively it reflects what we actually intend to do — but treat the exact wording as provisional until reviewed.

1. Who we are

Kolet (“we”, “us”) is a Nigerian payment orchestrator that lets you send money, buy airtime, and pay bills through WhatsApp. We are a non-custodial service — the licensed wallet provider holds your funds and is jointly subject to Nigerian financial regulation.

2. What we collect

  • Identity data you provide during signup: full name, date of birth, address, BVN or NIN, gender, and contact email.
  • Phone number from your WhatsApp account.
  • Transaction data: amount, recipient, time, category (transfer, airtime, etc.), and the status reported by your wallet provider.
  • Conversation contextwhile you're using the bot — what you typed, what intent we inferred, what flow you chose. We do not store the full content of unrelated WhatsApp messages.
  • Device and session data: anonymized identifiers from WhatsApp's webhook payloads.

3. How we use it

  • To verify your identity with our wallet provider during signup (KYC).
  • To process the transactions you initiate.
  • To detect fraud and respond to security incidents.
  • To respond to support requests.
  • To comply with Nigerian financial regulation and lawful requests from regulators or law enforcement.

We do not sell your data. We do not use your data to train AI models that are visible to other users.

4. How we protect it

  • BVN and NIN are encrypted at rest with AES-256-GCM using keys held in a dedicated secrets manager. We can only recover them when calling your wallet provider on your behalf.
  • Your transfer PINis hashed using argon2id — it is never stored in plaintext, and we cannot recover it for you. If you forget it you'll need to reset it through the in-chat flow.
  • WhatsApp Flows(the multi-screen forms inside the chat) use Meta's end-to-end encryption protocol; the data you type is encrypted on your device before Meta sees it.
  • Every account-changing action is logged for forensic investigation.

5. Who we share it with

  • Your wallet provider — we share the identity fields they need to open and maintain your account.
  • Service providers — companies that help us run the service (cloud hosting, payment routing). They are bound by contracts requiring confidentiality and security.
  • Regulators and law enforcement — only when legally required.

6. How long we keep it

Transaction records: 7 years (Nigerian financial-records retention). Identity records: as long as your account is active, then 7 years after closure. Conversation context: 30 days. Logs: 90 days.

7. Your rights

Under the Nigeria Data Protection Act 2023, you have the right to access your data, correct it, restrict its processing, and (subject to legal and regulatory holds) request deletion. Contact privacy@heykolet.com to exercise any of these rights.

8. Changes to this policy

If we change this policy materially, we'll notify you via WhatsApp and post the updated version here with a new “last updated” date.