Bybull Privacy Policy
Last Updated: February 21, 2026
Bybull ("we," "us," or "our") is operated by Tensfer Technologies. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Bybull platform, including our website, mobile applications, AI-powered trading assistant, and related services (collectively, the "Services").
This policy is drafted in compliance with the Nigeria Data Protection Regulation (NDPR) 2019, the Nigeria Data Protection Act (NDPA) 2023, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws.
1. Data Controller
Tensfer Technologies is the data controller responsible for your personal information. For questions about this policy or to exercise your rights, contact our Data Protection Officer at: privacy@bybull.ai
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name and email address (via Google OAuth sign-in).
- Identity verification data: Bank Verification Number (BVN) for KYC compliance. BVN is verified through a licensed third-party provider and stored only as a one-way cryptographic hash.
- Exchange API credentials: API keys and secrets you provide to link your cryptocurrency exchange accounts. These are encrypted at rest using AES-256-GCM and are never stored in plaintext.
- Transaction PIN: A 4-6 digit PIN you set for transaction authorization. Stored only as a bcrypt hash.
- Bank account details: Account number, account name, and bank institution for fiat on-ramp and off-ramp transactions. Encrypted at rest using AES-256-GCM.
- AI chat interactions: Messages you send to the Bybull AI assistant for checking balances and managing your portfolio. Personal identifiers are redacted before messages are sent to our AI provider.
2.2 Information Collected from Third Parties
- Cryptocurrency exchange data: Portfolio balances, transaction history, account types (spot, futures, derivatives), and market data retrieved from exchanges you link via API.
- Google account data: Name, email address, and profile identifier obtained during OAuth authentication.
- Payment provider data: Transaction status, reference IDs, and settlement information from our payment processing partners.
2.3 Information Collected Automatically
- Device information: IP address, browser type, operating system, and device identifiers.
- Usage data: Pages visited, features used, timestamps, and interaction patterns.
- Cookies and similar technologies: Session cookies for authentication and functional cookies for service delivery. See Section 10 for details.
3. Lawful Basis for Processing (NDPR/GDPR)
We process your personal data on the following legal bases:
- Consent: For account creation, linking exchange accounts, processing transactions, and AI chat interactions. You provide consent through our consent modal upon first login.
- Contractual necessity: To provide and maintain the Services you have requested, including executing trades, processing payments, and managing your portfolio.
- Legal obligation: To comply with KYC/AML regulations, tax reporting requirements, and law enforcement requests as required by the Central Bank of Nigeria (CBN), FinCEN, and applicable laws.
- Legitimate interest: For fraud prevention, security monitoring, service improvement, and abuse detection, where these interests are not overridden by your rights.
4. How We Use Your Information
- To operate, provide, and maintain the Services, including processing on-ramp and off-ramp transactions, and managing portfolio data.
- To verify your identity through KYC processes as required by Nigerian and international financial regulations.
- To communicate with you about transactions, security alerts (e.g., account freeze notifications), price alerts, and service updates.
- To detect, prevent, and respond to fraud, security threats, and violations of our terms, including AML velocity checks and transaction monitoring.
- To comply with legal obligations, including record-keeping requirements and regulatory reporting.
- To improve and develop the Services, using aggregated and anonymized data only.
5. AI-Powered Features and Data Processing
Bybull uses an AI-powered assistant (powered by OpenAI) to process trading commands and provide market information. The following safeguards apply:
- Personal identifiers (email addresses, BVN, account numbers) are automatically redacted from conversations before they are sent to the AI provider.
- Off-topic prompts are filtered locally without making AI provider API calls, reducing unnecessary data transmission.
- Conversation history is stored in encrypted, server-side sessions and is not persisted beyond the active session.
- Your transaction PIN is never collected through the AI chat interface and is handled through a separate secure input.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We share data only in the following circumstances:
- With your linked exchanges: API credentials are used solely to execute your requested actions on your exchange accounts.
- With payment processors: Transaction details necessary to complete on-ramp and off-ramp operations.
- With identity verification providers: BVN data for KYC verification, transmitted securely and not retained by the provider beyond verification.
- With our AI provider (OpenAI): Redacted conversation data for processing AI assistant commands. OpenAI processes this data under a data processing agreement and does not use it for model training.
- With law enforcement: When required by valid legal process (court order, subpoena, or regulatory request).
- Corporate transactions: In connection with a merger, acquisition, or sale of assets, with prior notice to affected users.
7. Data Security
We implement the following security measures:
- AES-256-GCM encryption for API credentials and bank account details at rest.
- Bcrypt hashing for transaction PINs and BVN data (irreversible, one-way hash).
- HTTP-only, secure cookies for authentication tokens to prevent cross-site scripting (XSS) attacks.
- Server-side API proxy to prevent token exposure to client-side JavaScript.
- Content Security Policy (CSP) headers to mitigate injection attacks.
- Rate limiting and account lockout mechanisms for PIN verification.
- PII redaction in application logs and third-party notifications.
- Input sanitization (DOMPurify) on all user-generated content rendered in the browser.
8. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy and as required by law. For specific retention periods, see our Record Retention Policy.
- Account data: Retained while your account is active and for 5 years after deletion (CBN AML/CFT Regulations; FinCEN BSA).
- Transaction records: Retained for 5 years to comply with financial record-keeping regulations (CBN, FinCEN).
- AI conversation data: Session-based only; not persisted beyond the active session.
- Security logs: Retained for 1 year for fraud detection and incident response.
9. Your Rights
9.1 Rights Under NDPR/NDPA (Nigerian Users)
You have the right to:
- Be informed about the collection and use of your personal data.
- Access your personal data and obtain a copy in a portable format.
- Rectify inaccurate personal data.
- Request erasure of your personal data (subject to legal retention requirements).
- Restrict or object to certain processing activities.
- Withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
- Lodge a complaint with the Nigeria Data Protection Commission (NDPC).
9.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the right to:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, business purposes, and categories of third parties with whom we share it.
- Right to Delete: Request deletion of your personal information, subject to legal exceptions. You can initiate account deletion through the app.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising. A "Do Not Sell or Share" request is therefore not applicable, but you may submit one to privacy@bybull.ai for the record.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.
9.3 Exercising Your Rights
To exercise any of these rights, contact us at privacy@bybull.ai. We will verify your identity and respond within 30 days (NDPR) or 45 days (CCPA). You may also delete your account directly through the Bybull app settings.
10. Cookies and Tracking
We use the following types of cookies:
- Essential cookies: Authentication session cookies (httpOnly, secure) required for the Services to function. These cannot be disabled.
- Session indicator cookies: A non-sensitive cookie indicating active session status for client-side navigation.
We do not use advertising or tracking cookies. We do not engage in cross-site tracking or behavioral advertising.
11. International Data Transfers
Your data may be processed in countries outside Nigeria, including the United States (where our AI provider is located). When transferring data internationally, we ensure adequate safeguards are in place, including:
- Data processing agreements with all third-party processors.
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Compliance with NDPC-approved transfer mechanisms under the NDPA.
12. Children's Privacy
The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a person under 18, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through an in-app consent prompt requiring your renewed acceptance. The "Last Updated" date at the top of this page indicates the most recent revision. Continued use of the Services after a non-material update constitutes acceptance.
14. Contact Us
For privacy-related inquiries, data subject access requests, or complaints:
- Email: privacy@bybull.ai
- Data Protection Officer: privacy@bybull.ai
- Supervisory Authority (Nigeria): Nigeria Data Protection Commission (NDPC) — ndpc.gov.ng