TruePay Technologies Limited
Privacy Policy
How TruePay Technologies Limited Collects, Uses & Protects Your Data
1. Introduction
Your privacy matters to us. TruePay Technologies Limited ('TruePay', 'we', 'us', 'our') is committed to protecting the personal data of every person who uses our platform. This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and the rights you have over your information.
This Policy applies to all users of the TruePay website, mobile applications, APIs, and any related services (collectively, the 'Platform'). By accessing or using the Platform you acknowledge that you have read and understood this Policy.
TruePay is incorporated in Kenya and operates under the Data Protection Act, 2019 (Kenya) and all subsidiary legislation thereunder. Where we process data of persons in other jurisdictions, we apply equivalent standards.
2. Who We Are & How To Contact Us
3. What Personal Data We Collect
We collect personal data in the following categories:
| Category | Examples |
|---|
| Identity Data | Full name, date of birth, national ID / passport number, KRA PIN, selfie / photograph for KYC verification. |
| Contact Data | Email address, phone number, postal address. |
| Financial Data | Bank account details, mobile money wallet numbers, transaction history, payment card details (tokenised - we never store raw card numbers). |
| Device & Technical Data | IP address, browser type, device identifiers, operating system, time-zone settings, cookie identifiers. |
| Usage Data | Pages visited, features used, clicks, session duration, search queries on the Platform. |
| Communications Data | Messages sent through our support channels, complaints, and survey responses. |
| KYC / Compliance Data | Government-issued ID documents, proof of address, source of funds declarations, and other AML/CFT documentation. |
| Location Data | Approximate location derived from IP address; GPS location only if you grant explicit permission in the mobile app. |
- Important: We do not collect sensitive personal data (health, biometric beyond KYC selfie, religion, political opinion) unless strictly required by law or with your explicit consent.
4. Legal Basis For Processing
| Basis | Purpose |
|---|
| Contract Performance | To provide the payment and financial services you have requested. |
| Legal Obligation | To comply with AML/CFT, tax, regulatory, and court-ordered requirements. |
| Legitimate Interests | Fraud prevention, platform security, product improvement, and analytics - always balanced against your rights. |
| Consent | Marketing communications and non-essential cookies - you may withdraw consent at any time. |
5. How We Use Your Personal Data
- Create and manage your TruePay account.
- Process payments, transfers, and transactions.
- Verify your identity and comply with KYC / AML obligations.
- Detect, investigate, and prevent fraud, money laundering, and unauthorised access.
- Communicate with you about your account, transactions, and service updates.
- Respond to support requests and resolve complaints.
- Comply with applicable laws, regulations, and lawful requests from authorities.
- Improve, personalise, and develop the Platform using aggregated / anonymised data where possible.
- Send you marketing communications only with your explicit consent, and you may opt out at any time.
- Conduct internal audits, risk assessments, and compliance reporting.
- Important: We will never sell your personal data to third parties for their own marketing purposes. We will never use your data in a way that is incompatible with the purposes stated in this Policy without obtaining your prior consent.
6. Who We Share Your Data With
We share personal data only in the following circumstances and with appropriate safeguards:
| Recipient | Purpose |
|---|
| Payment Partners & Banks | Banks, mobile money providers, and payment processors required to complete your transactions - bound by contractual data protection obligations. |
| KYC / Identity Verification Providers | Third-party identity verification and AML screening providers under strict data processing agreements. |
| Regulators & Law Enforcement | The Financial Reporting Centre (FRC), Central Bank of Kenya, Kenya Revenue Authority, courts, and other authorities where legally required. |
| IT & Cloud Service Providers | Hosting, database, analytics, and security vendors - all subject to data processor agreements and prohibited from using your data for their own purposes. |
| Professional Advisors | Lawyers, auditors, and accountants under duties of confidentiality. |
| Business Transfers | In the event of a merger, acquisition, or sale of assets - you will be notified and your rights preserved. |
7. Data Retention
| Data Type | Retention Period |
|---|
| Account & KYC records | 7 years from account closure (POCAMLA requirement). |
| Transaction records | 7 years from date of transaction. |
| AML / STR records | 7 years from date of report. |
| Marketing consent records | Until consent is withdrawn + 3 years. |
| Support / communications | 3 years from resolution of query. |
| Cookie / analytics data | 13 months (rolling). |
8. Your Data Rights
Under the Data Protection Act, 2019 you have the following rights:
To exercise any of the above rights, email [email protected] with your full name and account details. We will respond within 30 days in accordance with the Act.
| Right | Meaning |
|---|
| Right of Access | Request a copy of the personal data we hold about you. |
| Right to Rectification | Request correction of inaccurate or incomplete data. |
| Right to Erasure | Request deletion of your data where there is no legitimate reason to retain it - subject to legal retention obligations. |
| Right to Restriction | Request that we restrict processing in certain circumstances. |
| Right to Data Portability | Receive your data in a structured, machine-readable format. |
| Right to Object | Object to processing based on legitimate interests, including direct marketing. |
| Right to Withdraw Consent | Withdraw consent at any time without affecting prior lawful processing. |
| Right to Lodge a Complaint | Complain to the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke. |
9. Security Of Your Data
We implement technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:
- End-to-end encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls - staff access data only on a need-to-know basis.
- Regular penetration testing and vulnerability assessments.
- Multi-factor authentication for all internal systems.
- Incident response procedures - data breaches reported to the ODPC and affected users within 72 hours.
- Regular staff training on data protection and security.
- Important: No internet transmission is 100% secure. While we use best-practice security measures, you are responsible for keeping your account credentials confidential. TruePay will never ask for your password via email, SMS, or phone call.
10. Minors
The TruePay Platform is intended for use by persons aged 18 years and above. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data without parental consent, please contact [email protected] immediately and we will delete such data without undue delay.
11. International Data Transfers
Where we transfer personal data outside Kenya, we ensure adequate protections are in place - including contractual safeguards, recipient country adequacy assessments, and compliance with ODPC guidance. We will not transfer data to a jurisdiction that does not provide an adequate level of protection without appropriate safeguards.
12. Changes To This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to registered users by email and/or prominent notice on the Platform at least 14 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy. The current version and all previous versions are available at www.truepay.live/legal.
This Privacy Policy was last reviewed and approved by the Board of TruePay Technologies Limited on 02 May 2026.