Privacy Policy

Effective date: February 2026  ·  Kenya Data Protection Act 2019

Your privacy matters to us. This policy explains exactly what personal data KayaSend collects, why we collect it, who we share it with, and how you can exercise your rights under the Kenya Data Protection Act 2019. We do not sell your data.

1. Introduction and Data Controller

KayaSend ("we", "us", "our") is the data controller responsible for your personal information. We are committed to protecting your privacy in accordance with the Kenya Data Protection Act No. 24 of 2019 ("DPA") and the regulations issued thereunder by the Office of the Data Protection Commissioner ("ODPC").

This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we retain it, and what rights you have. If you have any questions, contact us at hello@kayasend.com.

2. Data We Collect

Identity and Contact Data: Full name, email address, phone number, date of birth, nationality, and residential address — collected when you register or complete KYC verification.

Identity Verification Data: Government-issued ID (national identity card, passport, or alien ID), KRA PIN certificate, and any source-of-funds documentation required under AML regulations.

Transaction Data: Details of every Transaction you initiate or receive through the Service, including amounts, currency, Biller information, Recipient details, timestamps, and Transaction status.

Blockchain Data: Wallet addresses and on-chain transaction records generated by your use of the Escrow Contract. This data is inherently public and immutable; it exists independently of KayaSend's systems.

Device and Technical Data: IP address, browser type and version, operating system, device identifiers, and pages visited — collected automatically when you interact with the Service.

Communications Data: Emails, support tickets, and any other correspondence you send us.

3. Legal Basis for Processing

We process your personal data only where we have a lawful basis to do so under the DPA. Depending on the purpose, we rely on one or more of the following:

(a) Performance of a contract: Processing necessary to provide the Service you have requested, including executing Transactions, verifying Billers, and managing your account.

(b) Legal obligation: Processing required to comply with Kenyan law, including the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA), the Anti-Money Laundering and Combating of Terrorism Financing Laws (Amendment) Act 2025, the National Payment System Act, and the Virtual Asset Service Providers (VASP) Act 2025. This includes KYC verification, transaction monitoring, and suspicious-activity reporting to the Financial Reporting Centre (FRC).

(c) Legitimate interests: Processing for fraud prevention, security, platform improvement, and analytics, where such interests are not overridden by your rights.

(d) Consent: Where you have provided explicit consent for optional processing activities such as marketing communications. You may withdraw consent at any time.

4. How We Use Your Data

Account management: To create, maintain, and secure your account.

Identity verification (KYC): To verify your identity as required by Kenyan AML law and to screen you against international sanctions lists (including OFAC, UN, and EU sanctions lists).

Transaction processing: To execute Transactions through the Escrow Contract and confirm payments to Billers.

Regulatory compliance and reporting: To monitor Transactions for suspicious activity, report to the FRC where legally required, and respond to requests from the Central Bank of Kenya (CBK), ODPC, and other competent authorities.

Fraud and security: To detect, investigate, and prevent fraudulent or criminal use of the Service.

Customer support: To respond to your inquiries, complaints, and disputes.

Service improvement: To analyse usage patterns and improve the platform.

Communications: To send you Transaction confirmations, security alerts, policy updates, and (where you have consented) marketing messages.

5. Blockchain and Public Records

Transactions executed through the Escrow Contract are recorded on a public blockchain. This means wallet addresses, transaction amounts, and timestamps are permanently visible to anyone who queries the blockchain. This data exists outside KayaSend's control and cannot be deleted, corrected, or restricted.

We encourage you to understand the nature of public blockchain records before transacting. If you have concerns about on-chain data visibility, please contact us before using the Service.

6. How We Share Your Data

We do not sell your personal data to third parties. We may share your data only in the following circumstances:

Verified Billers: We share the minimum information necessary (e.g. account reference numbers, payment amounts) to process a bill payment on your behalf.

Technology partners and service providers: We work with third-party providers for identity verification, cloud infrastructure, analytics, and customer support. All such providers are bound by data processing agreements that prohibit them from using your data for their own purposes.

Regulatory authorities: We are legally required to share data with the FRC, CBK, ODPC, Kenya Revenue Authority (KRA), and other competent authorities where required by law or court order. This includes mandatory reporting of suspicious transactions and transactions exceeding USD 15,000 (or KES equivalent).

Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections.

7. International Data Transfers

Where we transfer your personal data outside Kenya — for example, to cloud infrastructure providers — we ensure that appropriate safeguards are in place, such as standard contractual clauses approved by the ODPC or transfers to jurisdictions with adequate data protection standards.

8. Data Retention

We retain your personal data for as long as your account is active and for as long as required to fulfil our legal and regulatory obligations. Under POCAMLA, we are required to retain KYC records, Transaction records, and suspicious-activity reports for a minimum of seven (7) years from the date of the transaction or account closure.

Where data is no longer required for legal purposes, we will securely delete or anonymise it. Blockchain records, by their nature, cannot be deleted; we retain only the minimum on-chain data necessary for Transaction execution.

9. Security and Data Breach Notification

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction. These measures include encryption in transit and at rest, access controls and role-based permissions, smart contract security audits, and regular security testing.

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the ODPC within 72 hours of becoming aware of the breach, as required by the DPA. Where the breach is likely to result in high risk to your rights and freedoms, we will also notify you directly without undue delay.

10. Your Rights Under the Kenya Data Protection Act 2019

Under the DPA, you have the following rights in relation to your personal data:

(a) Right of access: You may request a copy of the personal data we hold about you.

(b) Right to rectification: You may request that we correct inaccurate or incomplete data.

(c) Right to erasure: You may request deletion of data we are not legally required to retain. Note that we cannot delete data where retention is required by AML or other laws.

(d) Right to object: You may object to processing based on our legitimate interests.

(e) Right to restrict processing: You may request that we limit how we use your data in certain circumstances.

(f) Right to data portability: Where processing is based on consent or contract, you may request your data in a structured, machine-readable format.

(g) Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at hello@kayasend.com. We will respond within 21 days. You also have the right to lodge a complaint with the ODPC at www.odpc.go.ke.

11. Cookies and Analytics

We use strictly necessary cookies to maintain your session and secure your account. We also use analytics cookies to understand how users interact with the Service so we can improve it. You can manage non-essential cookies through your browser settings; note that disabling cookies may affect Service functionality.

We do not use cookies for targeted advertising.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

13. Third-Party Links

The Service may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites and encourage you to review their policies before providing personal information.

14. Changes to This Policy

We may update this Privacy Policy periodically. Where changes are material, we will notify you via email or an in-app notice at least 14 days before the changes take effect. The "Effective date" at the top of this page will always reflect the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

15. Contact and Regulatory Body

Data Controller: KayaSend — hello@kayasend.com

Supervisory Authority: Office of the Data Protection Commissioner (ODPC) — www.odpc.go.ke

If you have unresolved concerns about how we handle your data, you have the right to lodge a complaint with the ODPC.