Pesa Mtandao

Privacy Policy

Last updated: 19 May 2026. Issued in compliance with the Data Protection Act, 2019 (Kenya).

What's in here

  1. Who controls your data
  2. What we collect
  3. Why we use it
  4. Our legal basis
  5. Who we share it with
  6. How long we keep it
  7. Your rights
  8. How we protect it
  9. International transfers
  10. Cookies and similar technologies
  11. Changes to this policy
  12. Complaints and contact

1. Who controls your data

Pesa Mtandao (the operator of this platform) is the "data controller" of your personal data under the Kenya Data Protection Act, 2019. Our Data Protection Officer can be reached at privacy@pesamtandao.com.

2. What we collect

Category        | Examples
----------------|------------------------------------------------------------
Identity        | Name, date of birth, national ID / passport / alien ID number, photograph for KYC
Contact         | Phone number, email address, residential / postal address
Account         | Wallet balance, savings goals, group savings memberships, your PIN (stored as a one-way hash; we never see the plaintext)
Transactions    | Send, receive, deposit, withdrawal, bill payment, airtime top-up — amount, time, counterparty, channel
KYC documents   | Copies of the ID you upload; selfie taken at the branch; proof-of-address documents you submit
Device + session| IP address, browser type, last-login time, audit log of actions you take inside the account
Communications  | Records of support requests, SMS / email we send you, your replies

3. Why we use it

  • To operate your account — authenticate you, process transactions, send confirmations.
  • To meet Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) obligations under Kenyan law.
  • To detect, prevent, and investigate fraud.
  • To answer your questions and resolve disputes.
  • To send you service-related messages (transaction confirmations, security alerts, important policy updates).
  • To comply with court orders, regulator requests, and other legal duties.

We do not sell your data. We do not use it for advertising profiling.

4. Our legal basis

Under section 30 of the Data Protection Act we rely on one or more of these grounds for each use:

  • Contract: operating your account so we can provide the services you signed up for.
  • Legal obligation: KYC, AML, sanctions screening, suspicious-transaction reporting, regulator requests.
  • Legitimate interest: fraud prevention, platform security, and improving the service. We balance this against your rights.
  • Consent: any optional marketing communications. You can withdraw consent at any time.

5. Who we share it with

  • Service providers who operate parts of the platform on our behalf and only process data on our instructions: SMS gateways (e.g. Africa's Talking) to send transaction alerts; email providers (e.g. Brevo) to send notifications; cloud hosting providers; identity-verification vendors.
  • Banks and payment networks we use to settle transactions on your behalf.
  • Regulators and authorities when required by law — the Central Bank of Kenya, the Financial Reporting Centre, the Kenya Revenue Authority, the Office of the Data Protection Commissioner, and courts.
  • Law enforcement in response to a valid court order, search warrant, or other lawful request.
  • Successors in the event of a merger, acquisition, or restructuring of Pesa Mtandao, subject to the same protections set out here.

6. How long we keep it

  • Account records and transactions: at least 7 years after the account is closed, in line with the Proceeds of Crime and Anti-Money Laundering Act, 2009 and CBK record-keeping rules.
  • KYC documents: same 7-year minimum.
  • Audit logs (security events): 7 years.
  • Marketing preferences: until you withdraw consent.
  • Support correspondence: 3 years from the last interaction unless a dispute is open.

After the retention period we delete or irreversibly anonymise the data unless a longer period is required by law.

7. Your rights

Under Part V of the Data Protection Act you have the right to:

  • Be informed of how your data is used (this policy).
  • Request access to your personal data.
  • Request correction of inaccurate data — most of this you can do yourself in your account; for the rest contact us.
  • Request deletion of your data, subject to legal retention obligations (we cannot delete records we are required to keep for AML purposes).
  • Object to processing based on legitimate interest.
  • Request data portability — a copy of the data you provided to us in a structured, commonly-used format.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with the Office of the Data Protection Commissioner.

To exercise any of these rights, email privacy@pesamtandao.com. We will respond within 30 days.

8. How we protect it

  • All connections to the platform use HTTPS.
  • PINs are stored as a one-way bcrypt hash — never as plain text.
  • Access to production systems is limited to authorised staff with audited credentials.
  • Every action taken in your account is recorded in an audit log.
  • Sensitive operations (PIN change, phone change, large withdrawals) trigger one-time-passcode confirmation.
  • We monitor for fraud, account takeover, and suspicious activity.

No system is completely secure. If we ever discover a breach affecting your data we will notify you and the Office of the Data Protection Commissioner without undue delay, as required by section 43 of the Act.

9. International transfers

Most of your data is stored on servers located in the European Union (Hetzner Online GmbH, Germany), which the Office of the Data Protection Commissioner recognises as offering adequate protection. Some service providers (e.g. email and SMS gateways) may process data in other countries — we use providers that contractually commit to the same standards required by the Kenya Data Protection Act.

10. Cookies and similar technologies

We use a single session cookie (pm_customer_session for customers, similarly named for other portals) to keep you signed in while you use the platform. This cookie is essential — without it you would have to log in on every page.

We do not use third-party advertising cookies, tracking pixels, or analytics that fingerprint you across sites.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by SMS or email at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

12. Complaints and contact

If you have a concern about how we handle your personal data, please contact us first at privacy@pesamtandao.com. We aim to respond within 14 days.

If we cannot resolve it together, you have the right to complain to:

Office of the Data Protection Commissioner
Britam Tower, Hospital Road, Upper Hill, Nairobi
www.odpc.go.ke
