Privacy Policy

Please Note: This policy applies to all the jurisdictions in which Starks currently operates.

1. INTRODUCTION

Starks Associates Limited and all its Group entities (collectively "Starks", "we", "our", or "us") are committed to protecting the privacy and personal data of every individual who interacts with our services. This Data Privacy Policy ("Policy") governs how Starks collects, processes, stores, shares, and safeguards personal data across all twelve jurisdictions in which the Group is incorporated and operates.

2. SCOPE

2.1 This Policy applies to all data subjects, including End Users, Business Users, Visitors, and any other person whose personal data we process. It applies whether you interact with us in person, via our website, web application, mobile application, or through our financial services platforms.

2.2 Starks operates as a liquidity and treasury management company providing trade finance, global payments, multi-currency accounts, and foreign exchange risk management. Given the sensitive nature of financial services, we handle a range of personal and financial data, and this Policy explains our practices with full transparency and in accordance with every applicable law.

3. POLICY STATEMENT

3.1 This Policy reflects the current regulatory landscape as at April 2026, including the Nigeria Data Protection Act (NDPA) 2023 and the NDPA General Application and Implementation Directive (GAID) 2025, which became effective on 19 September 2025 and is now the operative implementation framework for Nigeria data protection compliance.

3.2 This Policy should be read alongside our Cookie Policy, Terms of Service, and AML/CFT/CPF Policy, all available at starksassociate.com.

4. DEFINITIONS

"CAR" means Compliance Audit Return, the annual audit report required to be filed with the NDPC under the GAID.

"Consent" means freely given, specific, informed, and unambiguous agreement to the processing of personal data, as required under the NDPA, GAID, UK GDPR, and equivalent laws.

"Data Controller" means any person or entity that, alone or jointly with others, determines the purposes and means of processing personal data.

"Data Processor" means any person or entity that processes personal data on behalf of and under instruction from a Data Controller.

"DCPMI" means Data Controller or Data Processor of Major Importance, as defined under Section 65 of the NDPA 2023 and further operationalised by the GAID 2025.

"DPCO" means Data Protection Compliance Organisation, an entity licensed by the NDPC to provide training, auditing, consulting, and compliance services under the NDPA and GAID.

"DPIA" means Data Protection Impact Assessment.

"DPO" means Data Protection Officer.

"GAID" means the NDPA General Application and Implementation Directive 2025.

"LIA" means Legitimate Interest Assessment.

"NDPA" means the Nigeria Data Protection Act 2023.

"NDPC" means the Nigeria Data Protection Commission.

"Personal Data" means any information relating to an identified or identifiable natural person (data subject), directly or indirectly, including an identifier such as a name, identification number, location data, online identifier, or by reference to factors specific to that person's physical, physiological, genetic, mental, economic, cultural, or social identity.

"PIPEDA" means the Personal Information Protection and Electronic Documents Act (Canada).

"POPIA" means the Protection of Personal Information Act 4 of 2013 (South Africa).

"Processing" means any operation performed on personal data, whether automated or not, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.

"RoPA" means Records of Processing Activities.

"Sensitive Personal Data" means personal data relating to: genetic and biometric data for the purpose of uniquely identifying a natural person; health data; data concerning a person's sex life or sexual orientation; racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; and, under the NDPA/GAID, criminal offence data and financial data classified as sensitive.

"SNAG" means Standard Notice to Address Grievance.

"UK GDPR" means the retained EU General Data Protection Regulation as incorporated into UK law.

5. PERSONAL DATA COLLECTION

5.1 Starks shall collect the following details from end users:

5.1.1 Identity and Account Data. Such information shall include: Full legal name, date of birth, nationality, and gender; Government-issued identity documents (passport, national ID, driver's licence, voter's card); Taxpayer identification numbers; BVN (Nigeria), NIN (Nigeria), and equivalent identifiers in other jurisdictions; Biometric data used for identity verification (facial images/selfies matched to identity documents using automated comparison technology); and Proof of address documents.

5.1.2 Financial Transaction Data. Such information shall include: Bank account details (account numbers, sort codes, IBAN, SWIFT/BIC); Payment card details (processed through PCI-DSS compliant systems); Transaction history, amounts, dates, counterparty details, and payment references; FX trade details, forward contracts, and multi-currency account balances; and Source-of-funds and source-of-wealth declarations.

5.1.3 Contact and Communication Data. Such information shall include: Email address, phone number, and postal address; Support communications via email, telephone, chat, or social media; Survey responses, event registration data and feedback.

5.1.4 Online Activity and Technical Data. Such information shall include: IP address, browser type and version, device identifiers, and operating system; Pages visited, links clicked, session duration, and referral sources; Cookie identifiers and similar tracking technologies (see Cookie Policy); and Mouse activity indicators and interaction patterns (used for fraud detection).

5.2 Starks shall collect the following details from business users: Business legal name, registration/incorporation number, registered address, and corporate structure documents; Beneficial ownership information (including Ultimate Beneficial Owners above applicable AML thresholds); Details of directors, authorised signatories, and shareholders meeting disclosure thresholds; Financial statements, bank references, and credit/risk information; Tax registration numbers, regulatory licences, and sector permits; Transaction data and KYC/AML documentation.

5.3 Data collected from visitors: Technical and online activity data (as above); Contact form submissions, newsletter subscriptions, and event registrations.

5.4 Sensitive Personal Data: Starks does not seek to collect special categories of sensitive personal data routinely. Where biometric matching technology is used for identity verification, such data is processed solely for that purpose on the basis of explicit consent or legal obligation and is not retained beyond the period necessary for verification. Any incidental processing of other sensitive data will be subject to heightened safeguards, explicit consent (unless an alternative lawful ground applies), and full documentation in our RoPA.

5.5 Children's Data: Our Services are not directed to persons under 18 years of age (or the higher applicable minimum age in any jurisdiction). We do not knowingly collect personal data from minors. Where required by applicable law (including POPIA in South Africa, which sets the minimum age at 18 for valid consent, and the NDPA/GAID in Nigeria), we comply with those age thresholds. Parents or guardians who believe a minor's data has been collected should contact [email protected] immediately.

6. PERSONAL DATA USAGE

Starks shall collect the personal data and use such data only for the following purposes:

6.1 Provision and Administration of Services: To onboard clients and verify identity in compliance with KYC/AML obligations; to execute payment transactions, currency conversions, and trade finance arrangements; to manage accounts, including billing, invoicing, and account statements; to provide customer support and resolve disputes.

6.2 Regulatory Compliance and Legal Obligations: AML, CFT, and CPF compliance across all twelve jurisdictions; KYC obligations including enhanced due diligence for high-risk clients; Reporting suspicious transactions to relevant Financial Intelligence Units; Sanctions screening (OFAC, UN, EU, UK, NDPC, and local lists); Regulatory record-keeping and tax authority reporting (FATCA, CRS, CbCR, and equivalents).

6.3 Fraud Detection and Security: Detecting, preventing, and investigating fraudulent transactions and unauthorised access; Automated transaction monitoring and anomaly detection; sharing fraud intelligence with partner institutions and law enforcement where legally permitted.

6.4 Service Improvement and Development: Analysing user interactions with our Services using aggregated, anonymised or pseudonymised data; developing new products and improving existing ones; Internal research, risk analysis, and performance monitoring.

6.5 Marketing and Communications: Sending you information about Starks products and services that may be relevant to you; conducting targeted advertising on platforms such as LinkedIn and Meta, subject to cookie and consent preferences; sending service-related notices, policy updates, and operational communications. You may opt out of marketing at any time using the 'unsubscribe' link in emails or by contacting [email protected].

6.6 Automated Decision-Making: Starks uses automated tools for fraud screening, AML/sanctions screening, and identity risk assessment. Where an automated decision produces a significant legal or comparable effect on you, you have the right to request human review. See Clause 15 for more details.

7. LEGAL BASIS FOR PROCESSING DATA

We process personal data only where a lawful basis exists. The bases we rely on are:

7.1 Contract Performance: Processing necessary to perform our contract with you, or to take steps at your request prior to entering into a contract. This covers account opening, KYC, transaction execution, and service delivery.

7.2 Legal Obligation: Processing necessary to comply with a legal obligation, including AML/KYC laws, financial record-keeping requirements, tax reporting, sanctions screening, and any obligation imposed by financial regulators in our operating jurisdictions.

7.3 Legitimate Interests: Processing necessary for the legitimate interests of Starks or a third party, provided those interests are not overridden by the data subject's rights. Under the NDPA/GAID, we conduct a formal Legitimate Interest Assessment (LIA) using the Schedule 8 template prescribed by the GAID before relying on this basis. Our legitimate interests include fraud prevention, network security, service improvement, and business intelligence.

7.4 Consent: Where required by law, we obtain freely given, specific, informed, and unambiguous consent. This applies to direct marketing, behavioural advertising, biometric processing, and certain cookie deployments. Consent may be withdrawn at any time without affecting prior processing. Under the NDPA/GAID, consent must be demonstrably obtained and documented, and data subjects have the right to withdraw via a clear and simple mechanism.

7.5 Vital Interests: In rare emergency circumstances, we may process data to protect the vital interests of a data subject or another person.

7.6 Public Task / Public Interest: Where applicable law requires processing in the public interest, for example, in connection with mandatory regulatory reporting.

8. HOW WE SHARE PERSONAL DATA

Starks does not sell personal data. We share personal data only in the following circumstances, always with appropriate safeguards in place.

8.1 Starks Group Entities: Personal data may be shared among Starks Group entities and subsidiaries under intra-group data sharing agreements incorporating applicable legal safeguards.

8.2 Service Providers and Data Processors: We engage third-party processors for hosting, identity verification, KYC/AML technology, payment processing, analytics, customer support, email delivery, and auditing. All processors are bound by Data Processing Agreements (DPAs). Under the NDPA 2023 and GAID 2025, all DPAs governing processing in or involving Nigeria must include, at a minimum:

a. identification of the parties;

b. purpose, scope, and lawful basis of processing;

c. location of data processing;

d. technical and organisational security measures (detailed in a schedule where technical);

e. DPIA outcomes where relevant;

f. evidence of NDPC registration;

g. confidentiality obligations;

h. tenure and termination;

i. indemnity and insurance provisions;

j. force majeure; and

k. restrictions on sub-processing.

We verify NDPC registration of Nigerian-based processors before engagement.

8.3 Financial Partners: We share data with correspondent banks, card networks (Visa, Mastercard), payment method providers, and financial institutions as necessary to execute transactions. Such sharing is governed by applicable financial services regulations in each jurisdiction.

8.4 Regulatory and Law Enforcement Authorities: We share data with financial intelligence units, tax authorities, courts, and regulators as required by law, including under AML/CFT obligations, FATCA/CRS information exchange requirements, and in response to valid legal process. Under the GAID, Starks will not facilitate the use of its platforms or networks to infringe on data privacy rights, and upon notification by the NDPC of misuse, will immediately restrict the offending party.

8.5 With Your Consent: Where we have your explicit consent, we may share data with named third parties for disclosed purposes. You may withdraw consent at any time.

9. INTERNATIONAL DATA TRANSFERS

Starks currently operates across twelve jurisdictions. Personal data collected in one country may be transferred to and processed in another. We apply the following safeguards for each relevant legal framework.

9.1 Transfers from Nigeria (NDPA 2023 and GAID 2025)

As a financial institution processing large volumes of personal data in Nigeria, Starks is classified as a DCPMI. Cross-border data transfers from Nigeria are governed by Section 43 of the NDPA 2023 and operationalised by Schedule 5 of the GAID 2025. Starks transfers data where: the destination country has been recognised by the NDPC; an SCC or BCR has been executed; consent has been obtained from the data subject; and the transfer is strictly necessary for contract performance. Schedule 5 of the GAID provides practical contractual language for cross-border transfer agreements. All such agreements must reflect the mandatory DPA clauses listed in Clause 8.2 above.

9.2 Transfers from the United Kingdom: Transfers from the UK rely on adequacy decisions, UK International Data Transfer Agreements (IDTAs), or approved derogations under UK GDPR Article 49, as guided by ICO guidance.

9.3 Transfers from South Africa: Under POPIA, transfers require that the recipient is bound by a law, binding corporate rules, or agreement providing substantially equivalent protection to POPIA, or that the data subject consents.

9.4 Transfers from Canada: Under PIPEDA and its provincial equivalents, personal information transferred abroad remains subject to Canadian privacy protections. We impose equivalent contractual obligations on all cross-border processors.

9.5 Transfers Across Other African Jurisdictions: For transfers among our African operating jurisdictions (Kenya, Uganda, Ghana, Rwanda, Malawi, Mauritius, Cameroon, Cote d'Ivoire), we apply appropriate contractual measures and comply with each jurisdiction's transfer rules. We support the African Union Malabo Convention as a framework for regional data flows.

9.6 Data Localisation: Where applicable law imposes data localisation requirements (including CBN directives in Nigeria and equivalent requirements in other jurisdictions), we ensure that the relevant categories of personal data are stored and processed within the prescribed territory.

10. DATA RETENTION

10.1 Starks retains personal data only as long as necessary for the purposes collected, or as required by law. Our retention standards are:

10.1.1 Transaction and financial records: minimum 5 years post-relationship; up to 7 years under Nigeria's EFCC Act and NDPA; 6 years under UK Money Laundering Regulations.

10.1.2 KYC/AML identity documents: minimum 5 years after account closure; up to 10 years in some jurisdictions.

10.1.3 Marketing data: deleted within 30 days of consent withdrawal or opt-out.

10.1.4 Technical/analytics data (cookies, logs): up to 24 months depending on type and jurisdiction.

10.1.5 Support and communication records: up to 3 years after last contact, unless a dispute or legal claim requires longer retention.

10.2 Storage Limitation under GAID: In accordance with the GAID 2025, where no time-bound obligation governs a specific data set, personal data shall be deleted within six (6) months of fulfilling the original purpose for which it was collected. Where retention beyond this period is required for legal purposes (including legal defence, active litigation, due diligence, or regulatory investigation), appropriate security measures shall be maintained, and the extended retention shall be documented in our RoPA.

10.3 At the end of any retention period, data is securely deleted or anonymised, or, where deletion is not immediately technically feasible (e.g., in backup systems), isolated and restricted from further processing pending secure deletion.

11. DATA SUBJECT RIGHTS

Subject to applicable law, you may have the following rights. The availability of specific rights may vary by jurisdiction and is detailed further in Clause 12.

11.1 Right to Access: You may request confirmation of whether Starks processes your personal data and, if so, a copy of that data together with details of how and why it is processed.

11.2 Right to Rectification: You may request correction of inaccurate or incomplete personal data.

11.3 Right to Erasure: You may request deletion of your personal data where it is no longer necessary; where you withdraw consent and no other lawful basis applies; where you object and there are no overriding legitimate grounds; where processing is unlawful; or where erasure is required by law. This right is subject to our legal obligations to retain data for regulatory and financial record-keeping purposes, legal proceedings, or public health and safety purposes.

11.4 Right to Restriction of Processing: You may request that we restrict processing in certain circumstances, such as while contesting accuracy or pending an objection assessment.

11.5 Right to Data Portability: Where processing is based on consent or contract and is carried out by automated means, you may request a copy of your data in a structured, commonly used, machine-readable format, and ask that it be transmitted directly to another controller where technically feasible. Under the NDPA/GAID, this right applies only where the legal basis is consent or contractual necessity; it does not apply to processing carried out by Starks in the performance of its public or regulatory duties, unless there is a compelling legitimate interest of the data subject.

11.6 Right to Object: You have the right to object to processing for direct marketing at any time without giving reasons. You may also object to processing based on legitimate interests on grounds relating to your particular situation; Starks will cease such processing unless it can demonstrate compelling legitimate grounds overriding your interests, or the processing is for legal claims.

11.7 Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce significant legal or comparable effects, except where necessary for a contract, authorised by law, or based on explicit consent. See Clause 13 for details.

11.8 Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time through the mechanism provided at the time of collection, or by contacting [email protected]. Withdrawal does not affect lawfulness of prior processing.

11.9 Right to Lodge a Complaint: You have the right to lodge a complaint with the supervisory authority in your jurisdiction. Contact details are in Clause 12.

11.10 Standard Notice to Address Grievance (SNAG) (Nigeria): Under the GAID 2025, Nigerian data subjects (and their representatives or civil society organisations acting on their behalf) may issue a Standard Notice to Address Grievance (SNAG) to Starks if they believe their data privacy rights have been violated. The SNAG is a formal internal remediation request and may be submitted via email to [email protected] or by physical mail. Starks will respond to SNAGs via the NDPC's designated platform (or directly where no platform has been activated). The NDPC may investigate unresolved SNAGs. Issuing a SNAG is not a precondition to filing a complaint with the NDPC or taking legal action.

11.11 How to Exercise Your Rights: Submit a written request to: [email protected] | Subject: Data Subject Rights Request, [Your Name] and [Right Requested]. We will acknowledge within 5 business days and respond substantively within 10 calendar days (or within the shorter period required by applicable law). We may request proof of identity. No fee will be charged except for manifestly unfounded or excessive requests.

12. GOVERNING LAW / JURISDICTION (SPECIFIC PROVISIONS)

12.1 Nigeria

12.1.1 Primary Governing Law: Nigeria Data Protection Act 2023 (NDPA 2023) and NDPA General Application and Implementation Directive 2025 (GAID 2025), effective 19 September 2025.

12.1.2 Starks' Compliance Obligations under the NDPA and GAID: Registration and DCPMI Classification: As a financial services group processing personal data of more than 200 data subjects within any six-month period in Nigeria, Starks is registered with the NDPC as a Data Controller or Data Processor of Major Importance (DCPMI). Given the scale of our Nigerian operations (processing personal data of thousands of individuals), Starks is classified at the Ultra-High Level (UHL) sub-category. This classification carries the following obligations:

a. Annual registration renewal with the NDPC and payment of applicable fees (UHL: NGN 500,000–1,000,000 depending on volume, per the GAID audit fee schedule);

b. Compliance Audit Returns (CAR) filed annually by 31 March each year, through a licensed Data Protection Compliance Organisation (DPCO);

c. New entities are required to file their first CAR within 15 months of commencing operations;

d. Failure to file within the stipulated timeframe attracts a penalty of 50% of the applicable CAR filing fee.

12.1.3 Extraterritorial Scope: Under Article 1 of the GAID, the NDPA applies to all individuals processing personal data of Nigerian data subjects, regardless of whether the controller or processor is domiciled in Nigeria. Accordingly, all Starks Group entities that target or process personal data of individuals in Nigeria are subject to the NDPA and GAID. This applies whether such processing occurs domestically or through Starks' international operations. The GAID further provides that the following are entitled to data subject rights under the NDPA: data subjects in Nigeria (regardless of nationality); individuals whose data has been transferred to Nigeria; individuals whose data transits through Nigeria (with limited obligations); and Nigerian citizens abroad, subject to applicable international law.

12.1.4 Data Protection Officer (DPO): Starks has appointed a qualified Data Protection Officer (DPO) as required for DCPMI entities under the NDPA and GAID. The DPO's responsibilities include: Compiling and submitting semi-annual data protection reports to the authorised internal officer responsible for the RoPA (these reports form part of the RoPA); Engaging in all data processing decisions and maintaining ongoing oversight of compliance; Submitting to the NDPC's Annual Credential Assessment (ACA), subject to payment of applicable assessment fees; Overseeing DPIAs, LIAs, breach notifications, and data subject rights requests; and Serving as the primary point of contact with the NDPC.

12.1.5 Records of Processing Activities (RoPA): Starks maintains a comprehensive RoPA as mandated by the NDPA and GAID. The RoPA documents all categories of processing activities, their purposes, lawful bases, data categories, retention periods, cross-border transfers, security measures, and DPO semi-annual reports.

12.1.6 Legitimate Interest Assessments (LIA): Where Starks relies on legitimate interests as a lawful basis for processing, we conduct a formal Legitimate Interest Assessment (LIA) using the Schedule 8 template prescribed by the GAID. LIAs are documented, retained, and made available to the NDPC upon request.

12.1.7 Data Protection Impact Assessments (DPIA): Starks conducts DPIAs using the Schedule IV template prescribed by the GAID in the following circumstances (and in any other case directed by the NDPC): Processing involving new or significantly changed technologies, including AI, blockchain, or IoT-based systems; Large-scale processing of sensitive personal data or biometric data; Systematic and extensive profiling of individuals with significant effects; Processing involving cross-border transfers to jurisdictions not yet assessed for adequacy; and Any processing activity likely to result in high risk to the rights and freedoms of data subjects.

12.1.8 Emerging Technologies: In compliance with the GAID's requirements on emerging technologies, before deploying any Artificial Intelligence (AI), Blockchain, or Internet of Things (IoT) systems that process personal data, Starks will: conduct and document a DPIA; obtain any required regulatory approval or notification; ensure that the technology is designed and deployed in compliance with the NDPA's data protection principles (including data minimisation, purpose limitation, and privacy by design); and maintain ongoing oversight of the technology's impact on data subject rights.

12.1.9 Data Processing Agreements (DPAs): All DPAs governing the processing of personal data in Nigeria incorporate the mandatory minimum clauses prescribed by the GAID, as detailed in Clause 8.2 of this Policy. Starks verifies the NDPC registration status of Nigerian-based processors prior to engagement and before renewal of processor relationships.

12.1.10 Compliance Audit Returns (CAR): As a UHL DCPMI, Starks files its annual CAR through a licensed DPCO by 31 March each year. The CAR covers: a risk-based assessment of all data processing activities; identification and assessment of data breaches during the audit period; evaluation of the effectiveness of technical and organisational measures; and recommendations for remediation. Starks also conducts an initial compliance audit within 15 months of the commencement of each new processing activity of major importance.

12.1.11 Privacy by Design and Default: Consistent with the NDPA and GAID, Starks implements privacy by design and by default in all new products, systems, and processes. Data protection considerations are embedded from the design phase, and only the minimum necessary personal data is processed by default.

12.1.12 Platform Accountability: Pursuant to the GAID, Starks will not permit its platforms, facilities, or networks to be used to infringe on the data privacy rights of any person. Upon notification by the NDPC of misuse of Starks' platform by a third party, Starks will immediately restrict the offending party pending investigation. Failure to act on NDPC directives constitutes an act of abetting a privacy breach, treated as a direct violation of the NDPA.

Supervisory Authority: Nigeria Data Protection Commission (NDPC) — No. 5 Uke Street, Garki 2, Abuja, FCT, Nigeria | Website: ndpc.gov.ng

12.2 United Kingdom

12.2.1 Governing Law: UK GDPR and Data Protection Act 2018 (DPA 2018).

12.2.2 Key Compliance Obligations: Registered as Data Controller with the UK ICO; UK-based Data Protection Representative appointed where required; Compliance with UK GDPR data subject rights (Articles 13–22) and 72-hour breach notification to ICO; Marketing communications compliant with PECR 2003; Cross-border transfers using UK IDTAs or adequacy mechanisms.

Supervisory Authority: Information Commissioner's Office (ICO).

12.3 Canada

12.3.1 Governing Law: PIPEDA (S.C. 2000, c. 5); BC PIPA (SBC 2003, c. 63); Alberta PIPA (SA 2003, c. P-6.5); Quebec Law 25 (Bill 64 amendments, effective 2022–2023). Note: Bill C-27/CPPA under Parliamentary consideration; Policy will be updated upon enactment.

12.3.2 Key Compliance Obligations: Knowledge and consent for collection (subject to exceptions); Privacy Officer appointed; Quebec Law 25: privacy impact assessments, enhanced transparency, data portability right (effective 2023); and Contractual protections for all cross-border processors.

Supervisory Authority: Office of the Privacy Commissioner of Canada (OPC). CAI (Quebec).

12.4 Mauritius

12.4.1 Governing Law: Data Protection Act 2017 (Act No. 20 of 2017) and Data Protection Regulations 2021. Mauritius holds EU adequacy status.

12.4.2 Key Compliance Obligations: Registration with Data Protection Office; compliance with DPA 2017 principles; FSC Mauritius data governance requirements for licensed financial entities.

Supervisory Authority: Data Protection Office Mauritius.

12.5 Kenya

12.5.1 Governing Law: Data Protection Act 2019 (No. 24 of 2019) and Data Protection Regulations 2021.

12.5.2 Key Compliance Obligations: Registered with ODPC; DPO appointed; DPIAs conducted for high-risk processing; CBK Prudential Guidelines compliance for payment service providers.

Supervisory Authority: Office of the Data Protection Commissioner (ODPC).

12.6 South Africa

12.6.1 Governing Law: Protection of Personal Information Act 4 of 2013 (POPIA), fully effective 1 July 2021.

12.6.2 Key Compliance Obligations: Eight conditions for lawful processing (Sections 8–25); Information Officers/Deputies registered with Information Regulator; Section 22 breach notification; SARB compliance.

Supervisory Authority: Information Regulator (South Africa).

12.7 Uganda

12.7.1 Governing Law: Data Protection and Privacy Act 2019 (DPPA 2019) and Data Protection and Privacy Regulations 2021.

12.7.2 Key Compliance Obligations: Registered with Personal Data Protection Office (PDPO); Bank of Uganda compliance; appropriate security safeguards implemented.

Supervisory Authority: Personal Data Protection Office (PDPO).

12.8 Ghana

12.8.1 Governing Law: Data Protection Act 2012 (Act 843).

12.8.2 Key Compliance Obligations: Registered with Data Protection Commission; Bank of Ghana compliance for payment service providers; data subject access and correction rights.

Supervisory Authority: Data Protection Commission (DPC) | dataprotection.org.gh

12.9 Rwanda

12.9.1 Governing Law: Law No. 058/2021 of 13/10/2021 (Personal Data Protection Law 2021).

12.9.2 Key Compliance Obligations: Registered with RURA; lawful processing bases implemented; BNR compliance for payment service providers.

Supervisory Authority: Rwanda Utilities Regulatory Authority (RURA).

12.10 Cameroon

12.10.1 Governing Law: Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercriminality (data protection provisions). A standalone data protection law is in development; this Policy will be updated upon enactment.

12.10.2 Key Compliance Obligations: Data protection principles under Law No. 2010/012; COBAC financial data requirements; internationally aligned best-practice standards.

Supervisory Authority: Agency for Information and Communication Technologies (ANTIC).

12.11 Cote d'Ivoire

12.11.1 Governing Law: Law No. 2013-450 of 19 June 2013 on Personal Data Protection; ECOWAS Supplementary Act on Personal Data Protection.

12.11.2 Key Compliance Obligations: Registration/declaration with ARTCI; authorisation for sensitive data processing; BCEAO financial data requirements.

Supervisory Authority: ARTCI Direction de la Protection des Donnees a Caractere Personnel.

12.12 Malawi

12.12.1 Governing Law: Electronic Transactions and Cyber Security Act 2016 (data protection provisions); Financial Services Act. A comprehensive standalone data protection law is in development; this Policy will be updated upon enactment.

12.12.2 Key Compliance Obligations: Data protection principles under the 2016 Act; Reserve Bank of Malawi regulatory requirements; international best-practice standards.

Supervisory Authority: Malawi Communications Regulatory Authority (MACRA). Reserve Bank of Malawi for financial data.

13. DATA SECURITY

13.1 Starks implements a comprehensive, risk-based information security programme. Our security measures include:

13.1.1 Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);

13.1.2 Multi-factor authentication for access to systems holding personal data;

13.1.3 Role-based access controls on a strict need-to-know basis;

13.1.4 Regular penetration testing, vulnerability assessments, and third-party security audits;

13.1.5 Intrusion detection and prevention systems;

13.1.6 Annual staff training on data protection and information security (with records maintained in our RoPA);

13.1.7 Comprehensive DPAs with all processors incorporating mandatory security schedules (in line with GAID requirements);

13.1.8 ISO 27001 alignment for our information security management system;

13.1.9 Scheduled monitoring, evaluation, and maintenance of data security systems as required by the GAID, to ensure ongoing confidentiality, integrity, and availability.

13.2 Data Breach Notification: In the event of a personal data breach, Starks will:

13.2.1 Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required under NDPA 2023, GAID 2025, UK GDPR, POPIA, and other applicable laws). Under the GAID, where a breach poses systemic or public risk, immediate notification to relevant authorities is required;

13.2.2 Notify affected data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms; and

13.2.3 Maintain a breach register documenting all breaches, their effects, and remedial actions taken.

14. THIRD-PARTY LINKS AND SERVICES

Our website and Services may contain links to third-party websites or services not operated by Starks. This Policy does not apply to those third-party services. We encourage you to review their privacy policies independently. Where Starks integrates third-party analytics or marketing tools, they operate subject to their own policies. See our Cookie Policy for details on third-party tracking technologies deployed on our Sites.

15. AUTOMATED DECISION-MAKING AND PROFILING

15.1 Starks deploys automated systems for the following purposes:

15.1.1 Fraud screening: Automated analysis of transaction patterns to detect potentially fraudulent activity. Flagged transactions may be declined or placed on hold pending human review;

15.1.2 AML/CFT/Sanctions screening: Automated checks against sanctions lists and AML watchlists; and

15.1.3 Identity risk scoring: Automated assessment of identity documents and risk profiles during onboarding.

15.2 Where an automated decision produces a significant legal or comparable effect on you, you have the right to: (i) request human review of the decision; (ii) express your point of view; and (iii) contest the decision. To exercise these rights, contact [email protected]. We will respond within 30 calendar days. Under the GAID, our automated systems are documented in our DPIA register and assessed for data subject impact prior to deployment.

16. DATA PROTECTION OFFICER

16.1 Starks has appointed a Data Protection Officer (DPO) across the Group. In Nigeria, the DPO's appointment and credentials are subject to the NDPC's Annual Credential Assessment (ACA) as mandated by the GAID.

16.2 The DPO's responsibilities include:

16.2.1 Monitoring compliance with the NDPA, GAID, and all applicable data protection laws;

16.2.2 Compiling and submitting semi-annual data protection reports as part of the RoPA (Nigeria GAID requirement);

16.2.3 Conducting and overseeing DPIAs, LIAs, and breach notification processes;

16.2.4 Handling data subject rights requests, including SNAGs (Nigeria);

16.2.5 Acting as the primary contact with the NDPC and other supervisory authorities;

16.2.6 Conducting or overseeing regular scheduled staff training on data protection.

Data Protection Officer for Starks Associates Limited:

Email: [email protected]

Postal Address: 15B Abayomi Shonogua Crescent, Lagos, Nigeria.

17. UPDATES TO THIS POLICY

We will update this Policy periodically to reflect changes in our data practices, applicable laws (including further NDPC directives and regulations) or our business operations. Where changes are material, we will: post the revised Policy with an updated effective date; notify registered users by email or dashboard notification; and, where required by law, seek renewed consent. We recommend reviewing this Policy periodically.

18. CONTACT INFORMATION

Privacy Team: [email protected]

General Support: [email protected]