1. Introduction
Duro Technologies Ltd ("Duro", "we", "us") provides payment infrastructure and subscription billing services to businesses in Nigeria and beyond. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our website, dashboard, checkout, customer portal, and APIs.
2. Information we collect
We collect information in three categories:
- Merchant data — business name, CAC documents, team member accounts, API keys, webhook endpoints, and billing configuration.
- Customer data — names, email addresses, phone numbers, payment method tokens (last four digits and rail type only), subscription history, and WhatsApp-linked identity tokens when customers opt in.
- Technical data — IP addresses, device identifiers, browser type, API request logs, and event telemetry used for fraud prevention and service reliability.
3. How we use information
- Process payments, subscriptions, refunds, and recovery retries across enabled rails.
- Deliver WhatsApp OTP verification, receipts, and dunning notifications.
- Provide analytics, fraud detection, and compliance reporting to merchants.
- Improve our products, debug incidents, and maintain platform security.
- Comply with legal obligations under Nigerian data protection law and applicable regulations.
4. Cross-merchant identity
When a customer saves a payment method to their phone via WhatsApp OTP, Duro creates a portable identity token. That token may be reused across merchants on the Duro network with explicit customer consent at each checkout. Customers can view linked merchants, revoke access, or delete their identity from the customer portal at any time.
5. Data sharing
We share data with payment processors (Nomba and rail partners), cloud infrastructure providers, and fraud-prevention services strictly to deliver our services. We do not sell personal data. We may disclose information when required by law or to protect the rights and safety of Duro, our merchants, and their customers.
6. Retention & security
We retain transaction records as required for financial compliance (typically seven years). Payment credentials are tokenized; Duro never stores full card numbers. All sensitive fields are encrypted in transit (TLS 1.3) and at rest (AES-256). Access to production data is restricted by role and audited.
7. Your rights
Depending on your jurisdiction, you may request access, correction, portability, or deletion of your personal data. Merchants can export customer records from the dashboard. End customers can manage their identity via the portal or by contacting privacy@duro.ng.
8. Contact
Questions about this policy: privacy@duro.ng. Duro Technologies Ltd, Lagos, Nigeria.