Data Protection Policy
Version: 1.0
Effective Date: 29 November 2025
Owner: Board of Directors, QUEPAY LTD
1. Introduction and Scope
QUEPAY LTD (“QuePay”, “we”, “us”, “our”) is a Kenyan-registered technology company providing payment automation solutions through hardware (Smart ATM Controller – PLC), merchant web and Android platforms, and a consumer mobile application.
This Data Protection Policy governs all personal data processed by QuePay in the course of its business activities, including data of end-users, merchants, employees, and any other natural persons.
2. Definitions
- Personal data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, etc.)
- Data subject: The natural person to whom personal data relates
- Controller: QUEPAY LTD
- Processor: Any third party processing personal data on our behalf
3. Data Protection Principles (Section 25, KDPA)
QuePay commits to processing all personal data:
- Lawfully, fairly, and in a transparent manner
- For explicit, specified, and legitimate purposes only
- Adequately, relevantly, and limited to what is necessary
- Accurately and kept up to date where necessary
- Retained only for as long as necessary
- With appropriate security, integrity, and confidentiality
- With full accountability – QuePay takes responsibility for compliance
4. Categories of Personal Data Processed
| Category | Examples | Data Subjects |
|---|---|---|
| Identity data | Full name | Users & merchants |
| Contact data | Phone number, email address | Users & merchants |
| Transaction data | M-Pesa records, amounts, timestamps | Users & merchants |
| Technical data | Device ID, IP address, logs | Users & merchants |
| Usage data | Transaction history, features used | Users & merchants |
We do not collect special-category data or data of children under 18.
5. Lawful Bases for Processing (Section 30, KDPA)
| Processing Activity | Primary Lawful Basis | Secondary Basis |
|---|---|---|
| Provision of payment services | Performance of contract | Legal obligation |
| Transaction processing | Performance of contract & Legal obligation | — |
| Fraud prevention & security | Legitimate interests | Vital interests |
| Regulatory & tax reporting | Legal obligation | — |
| System analytics | Legitimate interests | — |
| Direct marketing | Explicit consent | — |
6. Data Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Transaction records | 7 years from transaction | PMLA, Tax Procedures Act |
| Account data | 7 years after closure | Same |
| Logs & device IDs | 1 year | Security |
| Backups | Max 90 days | Disaster recovery |
7. Data Subject Rights (Sections 26–32, KDPA)
You have the right to:
- Be informed
- Access (within 14 days)
- Rectification
- Erasure
- Restriction
- Portability
- Objection
- Not be subject to automated decisions
Submit requests to: dpo@quepay.co.ke (free of charge)
8. Third-Party Processors & International Transfers
| Processor | Service | Location | Safeguards |
|---|---|---|---|
| DigitalOcean LLC | Cloud infrastructure | USA | DPA + SCCs |
| Amazon Web Services | Backup storage | USA | DPA + SCCs |
| Infobip | SMS gateway | Global | DPA + SCCs |
| Google Analytics / Microsoft Clarity | Analytics | USA | Anonymised + DPA |
| Safaricom PLC | M-Pesa API | Kenya | Joint-controller agreement |
9. Security of Processing (Regulation 19)
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- Role-based access control & mandatory MFA
- Annual penetration testing & vulnerability scans
- Daily backups (90-day max)
- Secure development lifecycle (SDL)
- Annual employee data protection training
10. Data Breach Notification
We will:
- Detect & contain within 24 hours
- Notify ODPC within 72 hours (where required)
- Inform affected data subjects without undue delay if high risk
- Document every breach (Section 43, KDPA)
11. Governance & Accountability
- DPO: Not yet appointed (start-up phase). Board assumes responsibility. Appointment by 31 Dec 2026 or earlier if required.
- DPIAs: Conducted for all new high-risk processing
- RoPA: Records of Processing Activities maintained
- All staff & contractors sign confidentiality clauses
12. Marketing & Consent
Direct marketing (SMS/email/WhatsApp) only with prior, explicit, documented consent — withdrawable at any time.
13. Complaints
Contact us first at dpo@quepay.co.ke
Or lodge a complaint with:
Office of the Data Protection Commissioner
Email: complaints@odpc.go.ke
14. Review & Updates
This Policy is reviewed annually or after any material change in processing activities.
Approved by the Board of Directors
QUEPAY LTD
29 November 2025
