KiPay

Last updated: March 24, 2026

Privacy Policy

1. Introduction

KiPay provides payment infrastructure for businesses in Kenya. This policy explains how we handle your data. KiPay is a product of KiPay Technologies Limited, registered in the Republic of Kenya.

2. Information We Collect

  • Account information: name, email, business registration number, director ID (collected during KYC onboarding).
  • Payment metadata: transaction IDs, phone numbers, amounts, timestamps (we never store M-Pesa PINs or full card numbers).
  • Usage data: API request logs, dashboard activity, IP addresses.
  • Device information: browser type, OS (for fraud prevention).

3. How We Use Your Information

  • Processing and reconciling payments on your behalf.
  • Sending transactional notifications (KYC status, payment alerts).
  • Improving and securing the KiPay platform.
  • Complying with legal obligations (CBK, KRA, DPA 2019).

4. Information Sharing

We share data only as necessary:

  • Safaricom PLC: phone numbers and amounts for M-Pesa processing.
  • Payment processors: transaction data required to complete transfers.
  • Legal authorities: when required by Kenyan law.

We do not sell your data. Ever.

5. Kenya Data Protection Act 2019

KiPay complies with Kenya's Data Protection Act 2019. As a data subject you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (subject to legal retention requirements).
  • Object to processing of your data.

To exercise these rights, email privacy@kipay.io.

6. Data Retention

  • Transaction records: retained for 7 years (CBK regulatory requirement).
  • Account data: retained while your account is active; deleted within 90 days of account closure, except where retention is legally required.
  • API request logs: retained for 90 days.

7. Security

  • Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Passwords hashed with bcrypt (cost factor 10).
  • Webhook payloads signed with HMAC-SHA256.
  • API keys hashed before storage, shown only once at creation.

8. Contact

For privacy requests or questions: privacy@kipay.io
KiPay, Nairobi, Kenya.