Processing purposes + lawful basis — ZevID¶
For each distinct purpose ZevID processes personal data: what data is touched, the lawful basis under NDPA, who runs the processing, and whether automated decisions or profiling are involved.
NDPA §25 recognises six lawful bases: consent, contract, legal obligation, vital interest, public interest, legitimate interest.
Purpose: Account creation + authentication¶
What it is. Create a ZevID account on signup, authenticate the user on every subsequent sign-in.
Data processed. Email, password (hash), names, IP address, User-Agent, sessions, OTPs, login events. See data-inventory.md → Identity + Behavioural sections.
Lawful basis. Contract (NDPA §25(1)(b)) — necessary to provide the ZevID account the user signed up for.
Who processes. ZevID engineering team; ZeptoMail handles delivery of the email OTP and welcome email as a processor — see third-parties.md.
Automated decision-making. No.
Profiling. No.
Retention. Per retention.md.
Purpose: Multi-factor authentication¶
What it is. Strengthen sign-in with TOTP and/or SMS as a second factor; offer recovery codes for device loss; app-specific passwords for non-TOTP-capable apps.
Data processed. TOTP secret (encrypted), recovery code hashes, phone numbers (encrypted) used for SMS factor, OTPs (channel sms, purpose mfa_sms:<phoneId>).
Lawful basis. Consent (NDPA §25(1)(a)) — MFA is opt-in; the user toggles enrolment from Security → Authentication in the portal.
Who processes. ZevID engineering team; Termii handles SMS delivery as a processor.
Automated decision-making. No.
Profiling. No.
Retention. Per retention.md — user-controlled.
Purpose: Phone verification¶
What it is. Verify the user controls a phone number; surface it as an SMS sign-in factor + step-up factor that other Zev products can invoke for anti-abuse.
Data processed. Raw input → normalised E.164 → encrypted column + peppered hash. Last-2-digit hint persisted plaintext for UI display.
Lawful basis. Consent (opt-in feature; user adds phones via Security → Phones).
Who processes. ZevID engineering team; Termii (SMS dispatch).
Automated decision-making. No.
Profiling. No.
Retention. Per retention.md — user-controlled.
Purpose: KYC outcome storage (canonical record)¶
What it is. Store the canonical "has this user been KYC-verified?" outcome — written by a KYC-running product (today: ZevPay) and read by every other Zev product.
Data processed. Verified name, date of birth, BVN hash, NIN hash, face-match boolean, verifier identity, timestamp.
Lawful basis. Legal obligation (NDPA §25(1)(c)) — Nigerian financial regulator (CBN) and the underlying AML/CFT framework require Zev's regulated products to perform KYC and retain records.
Who processes. ZevPay's KYC pipeline runs the verification with its own vendor; ZevID stores the outcome only. Plaintext BVN/NIN never reaches ZevID — only the hash.
Automated decision-making. The face-match boolean is the output of an automated process at the KYC vendor. NDPA §32 applies if this decision has legal or similarly significant effect on the user. The downstream effect is determined by the consuming product (e.g. ZevPay gating account tiers on face-match). ZevID itself does not make decisions on face-match; it stores the boolean.
Profiling. No.
Retention. Per retention.md — 7 years post-account-deletion under CBN AML.
Purpose: Cross-product user state (enrollment registry)¶
What it is. Track which Zev products each user is enrolled in, at what tier, with what sub-entities. Other products read this; the owning product writes it via the internal endpoint.
Data processed. Per-product tier string and metadata JSONB blob.
Lawful basis. Contract (NDPA §25(1)(b)) — the user contracted with each product to use it; the cross-product Zev experience requires knowing what they're enrolled in.
Who processes. Each owning product writes; ZevID stores; ZevID dispatches user.product.tier.changed webhooks to subscribed products.
Automated decision-making. No.
Profiling. No.
Retention. Per retention.md.
Purpose: Cross-product authorisation (ZPIP consent)¶
What it is. Let one Zev product call another on the user's behalf, gated by explicit user consent.
Data processed. zpip_consent_requests, zpip_scope_grants, zpip_token_log.
Lawful basis. Consent (NDPA §25(1)(a)) — the user clicks Allow on the consent screen per scope.
Who processes. ZevID issues tokens; calling product uses them; target product accepts them. The consent record itself lives in ZevID.
Automated decision-making. No.
Profiling. No.
Retention. Per retention.md.
Purpose: Security events + audit¶
What it is. Detect anomalous activity, support incident response, satisfy NDPC accountability (NDPA §38).
Data processed. Every authentication action (login_events); every admin-panel action (admin_audit_logs); every ZPIP token issuance (zpip_token_log).
Lawful basis. Legitimate interest (NDPA §25(1)(f)) — protecting the ecosystem against fraud, account takeover, and abuse.
Who processes. ZevID engineering team for incident review; admin staff for support cases.
Automated decision-making. Per-account OTP-attempt + MFA-attempt lockouts via LockoutService. Short-lived, mechanical — not algorithmic profiling. NDPA §32 does not apply.
Profiling. No.
Retention. Per retention.md.
Purpose: Transactional + security notifications¶
What it is. Email the user on signup, new-device sign-in, password change, security-setting change. SMS them OTP codes for phone-verification + SMS-MFA flows.
Data processed. Email address, first name, event-specific context. SMS recipient + 6-digit code.
Lawful basis. Contract — account-security notifications are necessary to provide a secure account. SMS for MFA: consent.
Who processes. ZeptoMail (email); Termii (SMS).
Automated decision-making. No.
Profiling. No.
Retention. Per retention.md.
Purpose: Zev Credit ledger¶
What it is. Non-withdrawable spending power tied to each ZevID. Grants enter via referrals, promos, prepayments, refunds, signup bonuses; debits happen when products cascade against the ledger.
Data processed. Account id, grant amounts, transaction history, source attribution.
Lawful basis. Contract + legal obligation (financial-record retention under CBN).
Who processes. ZevID owns the ledger; products call into the cascade to debit.
Automated decision-making. No (cascade is mechanical FIFO).
Profiling. No.
Retention. 7 years (CBN financial-record retention).
Purposes NOT applied¶
- Marketing email / SMS — ZevID sends transactional + security-only communications.
- User analytics / tracking pixels — none in ZevID's user-facing pages.
- Behavioural advertising / sharing data with ad networks — none.
- Sale of user data to third parties — none.