Privacy Policy

1. Data Controller and Data Protection Officer

SCORE360 SARL ("SCORE360"), a company incorporated under Ivorian law, registered with the Abidjan Commercial Court (RCCM), with its registered office at Koumassi, Cité Houphouët-Boigny, Lot 2056, Abidjan, Côte d'Ivoire, is the data controller in connection with the operation of the Platform.

In accordance with Law n° 2013-450 of 19 June 2013 on the protection of personal data in Côte d'Ivoire and the implementing regulations of the Telecommunications/ICT Regulatory Authority of Côte d'Ivoire (ARTCI), SCORE360 has filed a prior declaration of its data processing activities with ARTCI, the competent supervisory authority.

SCORE360 has appointed a Data Protection Officer (DPO), registered with ARTCI in accordance with Order n° 0099/MTND/CAB of 16 August 2024. For any data protection queries: privacy@score360.africa

2. Data Collected

SCORE360 processes the following categories of data in the course of providing its services:

Partner institution data: company name, registration numbers (RCCM, NIF), contact details of legal representatives, connection logs, configuration settings, billing data.

SME client data: pseudonymised identifiers, business sector, aggregated transactional flow data (volumes, frequencies, categories), repayment history transmitted by the partner institution under its own responsibility. This data never includes raw personal information (names, addresses, national identification numbers) of SME directors or employees.

Navigation data: IP addresses, session data, API usage logs, for security and technical monitoring purposes.

SCORE360 does not collect banking data directly from institutions' end clients. All sensitive data remains hosted within the isolated environment of the partner institution.

3. Legal Basis and Purposes of Processing

SCORE360's processing activities rely on the following legal bases under Law n° 2013-450:

— Performance of a contract: provision of the scoring service (dynamic calculation, grade generation, risk alerts) to the partner institution; — Legitimate interest: model improvement via federated learning, Platform security and monitoring — no raw data leaves the institution's environment; — Legal obligation: compliance with BCEAO, ARTCI, OHADA requirements and Ivorian tax law; — Consent: where commercial communications are addressed to partner institution representatives.

SCORE360 never sells, rents or transfers institution or client data to third parties for commercial purposes.

4. Institution's Obligations Regarding SME Client Consent

Under Article 53 of the UMOA Uniform Law on Credit Information Bureaux and BCEAO Instruction n° 002-01-2015 on the modalities for obtaining client consent by data providers to BICs, the partner institution is solely responsible for obtaining the prior, written and informed consent of its SME clients before any sharing or transmission of data to the SCORE360 Platform.

This consent must specify: the identity of the data controller (the institution), the purpose of processing (solvency assessment), the categories of data collected, the retention period, the data subjects' rights, and the identity of the technology service provider (SCORE360).

SCORE360 acts as a data processor within the meaning of Law n° 2013-450 and the GDPR (for institutions subject to European law). The Data Processing Agreement (DPA) signed with each partner institution sets out the processing instructions, security measures and conditions for the return or deletion of data in accordance with GDPR Article 28.

5. Technical Architecture and Data Sovereignty

SCORE360 is built on a Federated Learning architecture: each partner institution trains the models locally on its own servers. Only anonymised, encrypted model parameters (weights, aggregated gradients) transit to the central ENGINE™ module. No raw SME client data is transmitted to or stored on SCORE360's central servers.

Each institution has a technically isolated environment: dedicated virtual machines, a private VLAN, and an independent database. All infrastructure is hosted at Raxio CI datacenter (Tier III certified, Uptime Institute) in Abidjan, Côte d'Ivoire.

In accordance with the UMOA BIC Uniform Law requirement for data residency within member state territory, all processed data remains located within UEMOA territory. No data is transferred outside this area without the prior written consent of the partner institution.

6. Retention Periods

Data is retained for the period strictly necessary for the purposes for which it was collected:

— Account and contract data: duration of the service agreement + 5 years after termination (OHADA/Ivorian law obligations); — Scoring data relating to borrowers: maximum 5 years from the date of last update, in accordance with Article 41 of the UMOA BIC Uniform Law; — Security and access logs: 12 rolling months; — Billing data: 10 years (Ivorian tax obligation).

Upon expiry of the applicable retention periods, data is securely deleted or irreversibly anonymised. SCORE360 provides, at the institution's request, a certificate of deletion within 30 days.

7. Rights of Data Subjects

Under Law n° 2013-450 of 19 June 2013, any natural person whose data is processed by SCORE360 — directly or through a partner institution — has the following rights:

— Right of access: obtain confirmation of processing and a copy of the data; — Right to rectification: correct inaccurate or incomplete data; — Right to erasure ("right to be forgotten"): subject to statutory retention obligations; — Right to restriction of processing: suspend processing while a challenge is being verified; — Right to data portability: receive data in a structured, machine-readable format; — Right to object: object to processing based on legitimate interest.

These rights may be exercised by sending a written request to privacy@score360.africa. SCORE360 undertakes to respond within 30 calendar days. If the response is unsatisfactory, any person may file a complaint with ARTCI, the competent supervisory authority in Côte d'Ivoire.

8. Data Security

SCORE360 implements bank-grade technical and organisational security measures in accordance with the standards required by Law n° 2013-450 and BCEAO recommendations:

— Encryption of all network communications (TLS 1.3); — Role-based access control (RBAC) with full, immutable audit logging; — Secure aggregation of model parameters (differential privacy before transmission); — Continuous monitoring, intrusion detection, and real-time security alerts; — Regular penetration testing, code reviews, and independent security audits; — Strict isolation of partner institution environments (network and data separation).

These measures are subject to a documented annual audit. Results are available to partner institutions within the framework of the audit rights provided for in their DPA.

9. Data Breach Notification

In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, SCORE360 undertakes to:

— Notify the affected partner institution within 72 hours of discovering the incident, with a description of the nature of the breach, the categories and volumes of data affected, and the measures taken and planned; — Document the incident in an internal breach register, in accordance with the obligations of Law n° 2013-450; — Assist the institution in its notification obligations to ARTCI and, where applicable, to the individuals affected.

SCORE360 maintains internal incident response procedures enabling the detection, containment and remediation of any breach as quickly as possible.

10. Data Processing Agreement (DPA) — institutions subject to GDPR

For partner institutions subject to European Union law or processing data of EU residents, SCORE360 enters into a Data Processing Agreement compliant with Article 28 of Regulation (EU) 2016/679 (GDPR).

This DPA covers in particular: documented processing instructions, confidentiality obligations of SCORE360 staff, technical and organisational security measures, conditions for authorising sub-processors, modalities for assisting with data subject rights and data protection impact assessments (DPIAs), deletion or return of data at contract end, and the responsible institution's audit rights.

SCORE360's sub-processors (Raxio CI hosting, monitoring service providers) are bound by equivalent contractual safeguards. An up-to-date list of sub-processors is available on request at privacy@score360.africa.

11. Cross-border Data Transfers

Data is hosted and processed exclusively in Côte d'Ivoire (Raxio CI, Abidjan), within the UEMOA area. SCORE360 does not transfer data outside this area without the prior written consent of the partner institution and appropriate contractual safeguards (standard contractual clauses or adequacy decision for transfers to the EU).

For institutions headquartered in UEMOA member states, data residency within UEMOA territory is a regulatory requirement under the UMOA BIC Uniform Law that SCORE360 guarantees structurally through its hosting architecture.

12. Cookies and Trackers

The Platform (institutional web application) uses strictly necessary cookies for service operation: authentication and session management, CSRF protection, display preferences. No advertising, commercial profiling or third-party tracking cookies are set.

The score360.africa public website may use anonymous analytical cookies (audience measurement). A consent banner compliant with Law n° 2013-450 is displayed on the first visit. Session cookies expire on browser closure or after 8 hours of inactivity.

13. Policy Updates

SCORE360 may update this policy at any time to reflect changes in the service, Ivorian regulations (ARTCI), BCEAO instructions or European law (GDPR). Material changes are notified to partner institutions electronically with a minimum of 30 days' notice before they take effect.

The date of the last update is shown at the top of this document. Continued use of the Platform after the effective date constitutes acceptance of the revised policy. Archived versions are available on request.

14. Contact and Supervisory Authority

Data Protection Officer (DPO): Email: privacy@score360.africa Post: SCORE360 SARL — DPO, Koumassi, Cité Houphouët-Boigny, Lot 2056, Abidjan, Côte d'Ivoire

Competent supervisory authority: ARTCI — Telecommunications/ICT Regulatory Authority of Côte d'Ivoire Website: artci.ci

Any data subject who believes their rights are not being respected may file a complaint with ARTCI, without prejudice to any other administrative or judicial remedy.