Privacy Policy

1. Introduction

This Privacy Policy explains how Crane collects, uses, stores, discloses, and otherwise processes personal data. Crane is the customer-facing product through which users access the relevant services. For legal, contractual, compliance, and regulatory purposes, the service is operated by Pandar Resources Limited ("Pandar", "we", "us", or "our").

This Privacy Policy is designed to reflect the Nigeria Data Protection Act, 2023 (NDPA), generally accepted data protection principles, and, where applicable, equivalent international standards for lawful, fair, and transparent processing. It should be read together with the Crane Terms and Conditions and the Crane AML/KYC Policy.

2. Scope

This Privacy Policy applies to personal data processed in connection with the Crane mobile application, website, onboarding workflows, customer support channels, verification processes, transaction monitoring systems, and related compliance and operational functions.

It covers personal data obtained directly from users, indirectly through authorised third-party service providers, and automatically through device and platform usage.

3. Personal Data We Collect

• Identity and registration data, including full name, date of birth, residential address, phone number, email address, BVN, NIN, passport or other government-issued identification details, photographs, and any related verification records.
• Financial and account data, including bank account details, withdrawal information, transaction history, transaction references, wallet allocation information, and payment-related records.
• Technical and device data, including IP address, device identifiers, operating system information, app logs, browser data, cookies or equivalent technologies, location signals where enabled, and fraud or security telemetry.
• AML/KYC and risk data, including sanctions screening results, politically exposed person checks, risk classification outcomes, source-of-funds information where requested, enhanced due diligence records, and internal fraud or compliance alerts.
• Customer communications and support data, including complaints, support tickets, in-app communications, emails, phone call records where lawfully recorded, and responses provided to us by users or authorised representatives.

4. How We Collect Personal Data

• Directly from users when they register, complete verification, submit documents, contact support, respond to compliance reviews, or use the service.
• From integrated service providers and infrastructure partners involved in wallet allocation, verification, conversion execution, settlement, sanctions screening, identity checks, fraud prevention, cloud hosting, analytics, messaging, or customer support.
• Automatically from devices, systems, and logs generated through use of the Crane platform or related digital channels.

5. Lawful Bases and Purposes of Processing

We process personal data only where there is a valid legal basis and a legitimate operational reason to do so. Depending on the context, our lawful bases include performance of a contract, compliance with legal and regulatory obligations, protection against fraud and abuse, legitimate business interests that do not override user rights, and consent where consent is legally required or operationally appropriate.

• To open and administer user accounts, verify identity, provide access to the platform, and enable use of available services.
• To comply with AML/CFT, sanctions, fraud prevention, regulatory reporting, recordkeeping, tax, dispute-handling, and law-enforcement cooperation obligations.
• To review account activity for risk management, suspicious activity detection, service abuse prevention, error handling, and internal control purposes.
• To process and support customer instructions, including account changes, complaints, support requests, verification escalations, and service notifications.
• To maintain, secure, improve, and audit the Crane platform and its related operational infrastructure.
• To send marketing or promotional communications only where permitted by law and, where applicable, based on user consent or opt-in preferences.

6. Disclosure of Roles Within the Service Model

In the current operating model, Crane is the product through which users interact with the service. Pandar Resources Limited acts as the operating and contractual entity. Certain specialist services are provided through licensed or regulated third-party partners. Where relevant, personal data may therefore be processed by such partners strictly for the purposes of identity verification, transaction execution, settlement, infrastructure provisioning, fraud prevention, sanctions screening, regulatory cooperation, and related operational needs.

For clarity, personal data may be shared with licensed digital asset and infrastructure partners, payment service providers, verification providers, hosting and security vendors, regulators, law enforcement agencies, auditors, and professional advisers, but only to the extent reasonably necessary and on a lawful basis.

7. Sharing, Transfers, and International Processing

• We may disclose personal data to regulators, courts, law enforcement agencies, tax authorities, and other competent bodies where disclosure is legally required or reasonably necessary to protect rights, users, or the integrity of the service.
• We may share personal data with third-party processors and service providers under written contractual controls that require confidentiality, security, restricted use, and lawful processing.
• Some processing, storage, support, or security services may involve cross-border transfers. Where personal data is transferred outside Nigeria, we will take appropriate steps to ensure adequate safeguards, including contractual protections, vendor due diligence, and equivalent technical or organisational measures where required.

8. Data Retention

• AML/KYC, transaction, and compliance records may be retained for at least seven (7) years after account closure, or for such longer period as may be required by law, regulatory expectation, legal process, or legitimate risk management needs.
• Marketing preference data will generally be retained until consent is withdrawn or the relevant communication preference is changed, unless a longer retention period is required for suppression, audit, or compliance reasons.
• General account and service data will be retained for as long as necessary to provide the service, resolve disputes, enforce rights, prevent abuse, or meet legal, regulatory, and operational obligations.

9. User Rights

Subject to applicable law and legitimate exceptions, users may request access to personal data, correction of inaccurate data, restriction or objection to certain forms of processing, withdrawal of marketing consent, or deletion where deletion is not prevented by legal retention obligations, regulatory requirements, fraud prevention needs, or overriding legitimate interests.

Requests may be directed to support@usecrane.co. We may request additional information to verify identity before acting on a request.

10. Data Security

We maintain administrative, technical, and organisational measures designed to protect personal data against unauthorised access, misuse, alteration, accidental loss, unlawful destruction, or inappropriate disclosure. These measures may include encryption, role-based access controls, monitoring, segregation of access, logging, vendor controls, secure development practices, staff confidentiality obligations, and incident response procedures.

No system can be guaranteed to be completely secure. Users remain responsible for protecting their own credentials, devices, and communication channels.

11. Children and Restricted Users

Crane is not intended for persons under the age of 18 or any person who lacks legal capacity to enter into binding obligations. We do not knowingly provide the service to such persons.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulation, operations, product design, partner arrangements, or internal controls. Material changes may be communicated through the app, website, email, or other appropriate notice channels. Continued use of the service after the effective date of an updated policy will be treated as acceptance to the extent permitted by law.