Privacy Policy

Last updated: 11 July 2026

Aurra is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how we protect it. If you have questions, email us at contact@aurra.online.

1. Who We Are

Aurra is a WhatsApp-based AI banking assistant that enables Nigerian users to send money, buy airtime, and purchase data bundles by chatting naturally. We are not a bank. We work with licensed payment processors, including Anchor (CBN-licensed).

For privacy enquiries, contact: contact@aurra.online

2. Information We Collect

Information you provide:

  • Full name and WhatsApp phone number (required to create an account)
  • National Identification Number (NIN) — for identity verification with Anchor (CBN-licensed)
  • Bank Verification Number (BVN) — optional, for upgrading to Maximum KYC tier and higher transaction limits
  • Email address (optional, for account recovery)
  • 4-digit transaction PIN (stored as a one-way hash — we cannot read it)

Information collected automatically:

  • Transaction history (amounts, recipients, timestamps, status)
  • WhatsApp message content — only for processing your requests, never stored permanently
  • IP addresses — for security and fraud detection only
  • Device and session information — for account security
  • KYC tier status (Limited or Maximum)

Information we do NOT collect:

  • Your bank account password or internet banking credentials
  • Biometric data of any kind

3. How We Use Your Information

  • To process your payment instructions sent via WhatsApp
  • To verify your identity before each transaction using your PIN
  • To detect and prevent fraud, suspicious activity, and unauthorised access
  • To maintain your transaction history and spending summaries
  • To send you transaction confirmations and security alerts via WhatsApp
  • To comply with legal and regulatory obligations

We do not use your data for advertising, and we do not sell your data to any third party.

4. How We Share Your Information

We share your data only with the following parties, and only as necessary:

  • Anchor (CBN-licensed): Your name, phone number, and NIN are shared with Anchor to provision virtual bank accounts, verify your identity, and process transfers.
  • Meta (WhatsApp): Your messages pass through the WhatsApp Business API. Meta's own privacy policy applies to message transmission.
  • Infrastructure: Our database is hosted in the EU. All data is encrypted at rest and in transit.
  • Law enforcement: If required by a valid legal order, court order, or Nigerian regulation.

We never sell, rent, or trade your personal information.

5. Payment and Deposit Data

When you receive money via your virtual bank account (provided by Anchor), the deposit details (amount, date) are shared with us so we can credit your wallet. Your virtual account number and bank name are visible to anyone you share them with — treat them like any regular bank account.

6. Data Security

  • Your PIN is hashed with bcrypt (12 rounds) — it cannot be reversed or read by anyone
  • All data is encrypted in transit (HTTPS/TLS) and at rest
  • Three incorrect PIN attempts locks your account for 30 minutes
  • Transaction sessions expire after 10 minutes of inactivity
  • All sensitive operations are logged in an immutable audit trail
  • Webhook endpoints verify cryptographic signatures before processing any request
  • Rate limiting protects all API endpoints from brute-force attacks

7. Data Retention

  • Transaction records are retained for 7 years to comply with Nigerian financial regulations
  • KYC data (NIN, BVN) is retained for as long as your account is active and for 7 years after closure per regulatory requirements
  • Audit logs are retained for 2 years
  • If you delete your account, your personal details are anonymised within 30 days, but transaction records and KYC data may be retained as required by law

8. Your Rights

You have the right to:

  • Request a copy of all personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and personal data (subject to legal retention requirements)
  • Object to processing of your data for any purpose beyond service delivery

To exercise any of these rights, email contact@aurra.online. We will respond within 14 business days.

9. Children

Aurra is not intended for use by anyone under the age of 18. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will notify you via WhatsApp and update the "Last updated" date at the top. Continued use of Aurra after changes constitutes your acceptance of the new policy.

11. Contact Us

For any privacy-related questions or concerns: