Wapi Pay (“we,” “us,” or “our”) respects your privacy. This Privacy Policy explains
how we collect, use, disclose, store, and protect personal information when you use
the Wapi Pay mobile application, websites, and related services (collectively, the
“Services”). It should be read together with our Terms of Service.
By registering an Account, using the Services, or accepting this policy where prompted
(including at login or signup), you expressly consent to the practices described below.
If you do not agree, please do not use the Services.
Who we are
Wapi Pay provides digital financial and money-movement services. The data controller
responsible for your personal information is the Wapi Pay entity identified in your
contract or in-app notices, operating in accordance with applicable law, including,
where relevant, the Data Protection Act and regulations in Kenya and other
jurisdictions in which we operate.
Contact (general privacy enquiries): [email protected]
Email and other contact methods may be updated in the app or on our official website.
Scope of this policy
This policy applies to personal information we process in connection with:
- Creating and managing your Account, including phone number, country of residence, and security settings.
- Verifying your identity (KYC) and meeting legal obligations.
- Processing transactions, including deposits, withdrawals, transfers, and conversions.
- Customer support, security, fraud prevention, and service improvement.
- Marketing where permitted and subject to your choices.
It does not govern third-party sites or apps that we do not control; their policies
apply when you leave our Services.
Information we collect
We may collect the following categories of information, depending on how you use the
Services and what the law requires:
Information you provide
- Phone number and country of residence used to register and sign in.
- Name, date of birth, address, identification numbers, and documents submitted for KYC.
- Recipient details, including names, account numbers, phone numbers, and bank details that you enter for transfers.
- Communications with support, including chat, email, and calls.
- Preferences and survey responses.
Information collected automatically
- Device identifiers, model, operating system, and app version.
- Network and connection information, such as IP address and mobile operator where available.
- Usage data, including screens accessed, crash logs, and performance metrics to improve stability and security.
- Security signals relating to login attempts and authentication, including biometric enrolment where you opt in.
Information from third parties
- Verification and sanctions/AML screening providers.
- Banks, payment networks, mobile money operators, and other financial partners involved in your Transactions.
- Regulators or law enforcement when they lawfully share data with us.
- Credit reference, fraud-prevention, or identity bureaus where permitted.
How we use your information
We use personal information for purposes including:
| Purpose |
Examples |
| Provide the Services |
Process transfers, deposits, withdrawals, and show balances and history. |
| Verify identity and comply with law |
KYC, AML/CTF screening, sanctions checks, tax and regulatory reporting. |
| Security and fraud |
Detect abuse, protect Accounts, investigate suspicious activity. |
| Customer support |
Respond to enquiries and disputes. |
| Improvement and analytics |
Understand usage patterns, fix bugs, develop features, often using aggregated or de-identified data. |
| Communications |
Service messages and optional marketing where allowed and with your consent where required. |
| Legal enforcement |
Defend our rights, comply with court orders and lawful requests. |
We process personal information where we have a lawful basis under applicable data
protection law, such as performance of a contract, legal obligation, legitimate
interests (balanced against your rights), or consent where required.
Legal and regulatory disclosure
We may disclose your information when required by law, regulation, court order, or
competent authority, or to protect the rights, property, or safety of Wapi Pay, our
users, or others. This includes cooperation with AML/CTF and sanctions investigations.
Sharing with third parties
We may share personal information with:
- Companies in the Wapi Pay group (subsidiaries and affiliates) for operations and compliance.
- Regulators, supervisors, and governmental authorities.
- Agents, contractors, and service providers (hosting, IT, customer tools) bound by confidentiality and data-processing terms.
- Payment partners, including banks, mobile networks, and card schemes necessary to complete Transactions.
- Professional advisers, including lawyers and auditors under confidentiality obligations.
- Successors in a merger, acquisition, or asset transfer, with notice as required by law.
We require recipients who process personal information on our behalf to implement
appropriate security and confidentiality measures.
International transfers
Your information may be processed in Kenya and in other countries where we or our
partners operate. Where we transfer data across borders, we use safeguards permitted
by law, such as contracts or adequacy decisions, to protect your information.
Retention
We retain personal information only as long as necessary for the purposes above, including:
- Seven (7) years after the last relevant transaction or relationship activity for many financial and KYC records, unless a longer period is required by law.
- Shorter periods for certain logs or marketing lists, as appropriate.
- Secure deletion or anonymization when retention ends, subject to legal holds.
Security
We implement technical and organizational measures designed to protect personal
information against unauthorized access, loss, or alteration, including encryption
where appropriate, access controls, and staff training. No system is completely
secure; you should protect your device, PIN, and credentials.
Data Breach Notification. In the event of a personal data breach, we will notify the
Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of
the breach, as required by section 42 of the Data Protection Act 2019. Where the breach
is likely to result in a high risk to your rights and freedoms, we will also notify you
without undue delay, describing the nature of the breach, the likely consequences, and
the measures taken or proposed to address it.
For security, fraud prevention, and compliance, we may monitor electronic
communications in line with applicable law and our policies.
Your rights
Depending on your location, you may have rights to:
- Access a copy of your personal information.
- Correct inaccurate data.
- Delete or restrict processing in certain cases.
- Object to processing based on legitimate interests or to direct marketing.
- Data portability where technically feasible.
- Withdraw consent where processing is consent-based, which may affect our ability to provide some Services.
To exercise rights, contact us using the details in Section 1. We may need to verify
your identity before responding. We aim to respond within 21 days for valid requests,
subject to legal extensions.
If we cannot provide a Service without certain data, declining to provide it may mean
we cannot open or maintain your Account.
Marketing and communications
Where permitted, we may send you information about products or services by mail,
phone, SMS, email, or in-app message. You may opt out of marketing (other than
essential service messages) by contacting [email protected]
or using in-app settings where available.
If third parties run campaigns on our behalf, we limit what they receive, for example
by not sharing unnecessary financial details, and require compliance with law.
Cookies and similar technologies (web)
If you use our websites, we may use cookies and similar technologies to:
- Maintain secure sessions after login.
- Remember preferences.
- Produce anonymous analytics and measure marketing effectiveness.
Essential cookies are needed for basic operation. Non-essential cookies, such as
analytics, may be controlled through your browser or provider opt-out tools, for
example the Google Analytics opt-out:
https://tools.google.com/dlpage/gaoptout.
Blocking some cookies may limit functionality.
Children’s privacy
The Services are not directed at children under the age of 18. We do not knowingly
collect personal information from children. If you believe we have done so, contact us
and we will take steps to delete the information where appropriate.
Automated decision-making
We may use automated tools for fraud detection, risk scoring, or compliance screening.
Where required by law, you may have the right to human review of decisions that
significantly affect you.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post the revised version
in the app and/or on our website and adjust the “Last updated” date. Material changes
may require additional notice or consent where the law requires. Continued use after
the effective date constitutes acceptance of the updated policy, except where your
explicit consent is required.
This Privacy Policy does not create contractual or legal rights beyond what is granted
by applicable data protection and consumer laws.
Contact and complaints
For privacy questions or requests:
- Email: [email protected]
- In-app: Help / Support, as provided in the current version of the app.
If you are in a jurisdiction that provides a right to complain to a supervisory
authority, in Kenya, the Office of the Data Protection Commissioner (ODPC), contactable
at www.odpc.go.ke,
you may do so in addition to contacting us.
Thank you for trusting Wapi Pay with your information.