Whistleblowing

Last updated: February 16, 2023

Understand our whistleblowing policy and notify us of any illegal activities, wrongdoing, or criminal offenses.

Our Reporting Channels

All stakeholders (shareholders, employees, customers and other third parties) who notice or identify any infractions should submit complaints to:

Compliance Department

Carbon Microfinance Bank Limited. Address: 642C Akin Adesola Street, Victoria Island, Lagos
Email: compliance@carbonmfb.co

Central Bank of Nigeria

Email: anticorruptionunit@cbn.gov.ng; ethicsoffice@cbn.gov.ng 
Telephone: +234-9-46239246; +234-9-46236000

Introduction

Carbon Microfinance Bank Limited is a microfinance bank licensed by the Central Bank of
Nigeria to provide financial services. Carbon™ is a trademark of Carbon Microfinance Bank
Limited (“Carbon”). We are committed to protecting and respecting your privacy and this policy sets
out the basis on which any personal data we collect from you, or that you provide to us, will be
processed by us.

Please carefully review this Privacy Policy (“Policy”) to understand our views and practices regarding
your personal data and how we intend to handle it.

Scope of the Policy

By accessing "https://getcarbon.co" or using the Carbon mobile application available on the Google
Play Store or Apple App Store (collectively referred to as "our site"), you acknowledge and give consent
to the practices outlined in this Policy. Please note that clicking the “Connect with Facebook” button
implies your agreement to allow Facebook to share personal data held by them with us. You also consent
to the collection, use, storage, processing, and disclosure of your personal information as outlined in this
Policy.

The collection and processing of your personal data is in accordance with the Nigerian Data Protection
Act 2023 (the “Act”), National Information Technology Development Agency Act 2007 (the “NITDA
Act”), Nigeria Data Protection Regulation 2019 (the “Regulations”), and the provisions and prescriptions
of Section 5; Part 1 and Part 2 of National Information Systems and Network Security Standards and
Guidelines.

Information we may collect from you

We may collect and process the following data about you:

1. Information you give us:

You may give us information about you by filling in forms on our site https://getcarbon.co and by allowing us to access your information on social media sites (including but not limited to Facebook, Twitter, and LinkedIn) or by corresponding with us by phone, e-mail, or otherwise. This includes information you provide when you register to use our site, apply for a loan, search for a feature (for example but not limited to, loan amounts, loan duration), your activity levels on boards or other social media functions on the applicable social media sites, the applications you use on social media sites, and when you report a problem with our site. The information you give us may include your name, address, e-mail address and phone number, login information for social networking sites, financial and credit card information, personal description, current and former places of employment, education, names of colleagues, contacts, and friends, photographs, and lists of family members.

2. Information we collect about you:

With regard to each of your visits to our site, we may automatically collect the following information:

i. technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type, and version, time zone setting, browser plug-in types and versions, operating system, and platform;
ii. information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through, and from our site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number;
iii. anonymized repayment data.

3. Information we receive from others:

We may receive information about you if you use any of the other websites we operate, the other services we provide and/or the social media sites which you log in to via our site. We are also working closely with third parties (including business partners and subcontractors in technical, payment and delivery services, social media sites, advertising networks, analytics providers, search information providers, credit bureaus, and financial services and credit providers) and may receive information about you from them.

Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. By visiting our website, you consent to the placement of cookies and beacons in your browser and HTML-based emails in accordance with this Privacy Policy.

Uses made of the information

We use information held about you in the following ways:

1. Information you give us:

We will use your information in the following ways and in each case, we note the lawful basis under the Act and the Regulation which we rely on to use your information:

a. To determine whether to provide a loan to you, the amount of such loan, and the terms and conditions applicable to such loan or for the provision of any of our products and services to you.
Lawful basis: Contract performance, consent, legal obligation.

b. To investigate or resolve any complaint and issues you may have.
Lawful basis: Contract performance, consent.

c. To exercise our rights under contracts we have entered into with you like recovering any payments due to us and where necessary to enforce recovery through debt collection agencies or taking other legal action, including instituting an action in the courts of law.
Lawful basis: Contract performance.

d. To fulfil our legal, compliance, regulatory and risk management obligations.
Lawful basis: Legal obligation

e. To establish a credit rating based on your information and provide that rating to third parties who may be interested in offering you financial products and services. This information is provided only to third parties selected by you or with whom you have agreed that we may share your score and information.
Lawful basis: Consent

f. To provide you with information about other goods and services we offer that are similar to those that you have already purchased or enquired about; anonymized repayment data.
Lawful basis: Consent

g. For marketing and business development purposes subject to the marketing preferences you have selected on our website, to provide you, or permit selected third parties to provide you, with information about goods or services we feel may interest you.
Lawful basis: Consent

h. To notify you about changes to our standard terms of service or to our business.
Lawful basis: Contract performance

i. To ensure that content from our site is presented in the most effective manner for you and for your device.
Lawful basis: Contract performance

2. Information we collect about you:

We will use this information:

a. To establish a credit rating for you.

b. We may combine this information with information you give to us. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).

c. We may carry out further processing of your data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

3. Information collected when you use our services

When you use our services, we collect location data which allows us to determine your precise or approximate location. This information is collected during the loan application process, and we use this data to enhance our credit risk and underwriting framework, as well as to prevent fraud.

We also collect the following information saved on your smartphone:
– SMS
– contacts
– installed applications
– browser history
– calendar

We collect this information through your mobile device operating system, by requesting your express consent to your device’s permissions on the App. The collection of this information may take place in the background even when you aren’t using our service if the permission you gave us expressly permits such collection.

Disclosure of your information

We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company, and its subsidiaries. We may share your information with selected third parties including:

i. Business partners, suppliers, and subcontractors for the performance of any contract we enter into with them or you (such as credit bureaus and debt collection agencies). We usually require that these third parties agree to process such information based on our instructions, in compliance with the Act and Regulations as well as other appropriate confidentiality and security measures.

ii. Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we may provide them with aggregate information about our users (for example, we may inform them that 500 men aged under 30 have clicked on their advertisement on any given day). We may also use such aggregate information to help advertisers reach the kind of audience they want to target (for example, women in Lagos State). We may make use of the personal data we have collected from you to enable us to comply with our advertisers’ wishes by displaying their advertisement to that target audience.

iii. Analytics and search engine providers that assist us in the improvement and optimization of our site.

We may disclose your personal information to third parties:

a) In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets.

b) If Carbon or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.

iv. if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation/request, or in order to enforce or apply our terms of use and other agreements, or to protect the rights, property, or safety of Carbon, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

International data transfers

Information that we collect may be stored, processed in, and transferred between any of the countries in which we operate, in order to enable us to use the information in accordance with this Policy. Where personal data is to be transferred to a country outside Nigeria, we shall put adequate measures in place to ensure the security of such personal data. Any transfer of personal data out of Nigeria will be in compliance with the relevant data protection laws and regulations.

Customer consent

By ticking “I agree to the Terms and Conditions”, which you hereby adopt as your electronic signature, you consent and agree that:

1. We can provide materials and other information about your legal rights and duties to you electronically.

2. We are authorized to share, receive, and use data/information collected from your transaction with other affiliated third parties including but not limited to switching companies, mobile network operators, electricity companies, aggregators, credit bureaus, other financial institutions, e-commerce platforms, etc.

Where we store your personal data

The data that we collect from you is stored on our secure servers using JWT. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

Data retention

Unless a longer retention period is required or permitted by law, we will only hold your data on our systems for the period necessary to fulfill the purposes outlined in this Privacy Policy. We will retain your data for a minimum of 5 years (or such longer period as may be necessary) even after we have received a request for deletion from you in order to comply with our regulatory obligations. We will also retain your data if there is an outstanding obligation or duty from you.
In the event that we delete your data, it may persist on backup or archival media for legal, tax or regulatory purposes.

Your rights

You have the right to ask us not to process your personal data for marketing purposes and to withdraw your consent at any time. Please note that the withdrawal of your consent will not affect the lawful processing of data which we have obtained based on your previous consent. We will usually inform you (before collecting your data) if we intend to use your data for the aforementioned purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us using the in-app support feature on the mobile application or using the complaint tab on the web portal at portal.getcarbon.co.

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

You also have the right to ask for access to the personal data that we hold, to rectify inaccurate data, or erase the personal data we hold about you.

Remedies

Each of the parties will be entitled to enforce its rights in the event of a breach of the terms of this privacy policy, to recover damages caused by any breach of the provisions herein and to exercise all other rights existing under law. Any claim or dispute arising in relation to this privacy policy shall be subject to the jurisdiction of the courts of the Federal Republic of Nigeria. We shall not be liable for any breach where a claim in respect of such breach is not brought within one month of the date that such breach arose.

Limitation of liability

Notwithstanding any other provision in this Privacy Policy, neither Carbon nor its affiliates, officers, directors, employees, attorneys or agents shall have any liability with respect to, and you hereby waive, release and agree not to sue any of them upon, any claim for any special, indirect, incidental, consequential damages suffered or incurred by you in connection with, arising out of, or in any way related to, a breach of this privacy policy.

We shall not be held responsible for any personal data breaches that may occur under the following circumstances: events beyond our control; acts or threats of terrorism; an act of God which compromises our data protection measures; the transfer of your personal data to a third party based on your instructions; and the use of your personal data by a third party designated by you. We explicitly disclaim liability for any personal data breaches arising from the aforementioned circumstances.

Access to information

The Act gives you the right to access information held about you. Your right of access can be exercised in accordance with the Act. Any access request may be subject to a fee for providing you with details of the information we hold about you. You can request access to the information we hold about you by contacting dpo@getcarbon.co.

Changes to this Policy

We may update this policy from time to time by publishing a new version on our website. If the changes are significant, we'll let you know by email or in the app to allow you to exercise your rights.

Contact

Questions, comments, and requests regarding this privacy policy are welcomed and should be addressed to Carbon using dpo@getcarbon.co