Kuzapay Legal

Our policies and terms for using Kuzapay services

KUZAPAY PRIVACY POLICY

Effective Date: April 12, 2026 | Version: 1.1

At Kuzapay, we are dedicated to simplifying digital payment and finance workflows for individuals, businesses, and organizations while maintaining the highest standards of data protection. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the Kenya Data Protection Act (2019).

1. Data We Collect

We only collect data that is mechanically necessary to facilitate your payments and comply with Kenyan law:

  • Individual Users: Full Legal Name, National ID/Passport Number, Date of Birth, and M-Pesa Phone Number.
  • Business/Org Users: Business/Organization Name, Registration Number, and KRA PIN.
  • Technical Data: IP address and session data via our better-auth.session cookie.

2. How We Use Your Data

Your information is used strictly for:

  • KYC & Compliance: Verifying your identity as required by Central Bank of Kenya (CBK).
  • Transaction Facilitation: Ensuring funds are disbursed to the correct M-Pesa account.
  • Security: Monitoring for and preventing fraudulent activity or unauthorized access.

3. Data Protection & Encryption

We implement a "Security-First" architecture. All sensitive identity markers (such as National ID numbers and KRA PINs) are encrypted at rest using AES-256 encryption. We utilize secure, modern infrastructure (NeonPG and SvelteKit) to ensure your data is never exposed to unauthorized parties.

4. Data Sharing & Third Parties

We do not sell your personal data. We only share information with third parties when necessary to complete your transactions:

  • Safaricom (Daraja API): To process M-Pesa disbursements.
  • Regulatory Authorities: Only when legally mandated by the Financial Reporting Centre (FRC) or Kenyan law enforcement.

5. Your Rights as a Data Subject

Under the Kenya Data Protection Act, you have the following rights:

  • Right to Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can update incorrect or incomplete information.
  • Right to Erasure: You can request that we delete your data (subject to legal record-keeping requirements for financial transactions).

6. Data Retention

We retain transaction-related KYC data for a period of seven (7) years to comply with Kenyan financial record-keeping regulations. After this period, data is permanently de-identified or deleted.

DATA PROTECTION OFFICER (DPO)

  • Email: hello@kuzapay.app
  • Phone: +254 236 593 85
  • Location: Nairobi, Kenya