Privacy Policy

DePesa (“we,” “us,” or “our”) is a decentralized finance platform built on Solana that enables users in East Africa to deposit Kenyan Shillings (KES) via M-Pesa, earn DeFi yield, and withdraw back to M-Pesa. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

Please read this policy carefully. By accessing or using DePesa, you acknowledge that you have read, understood, and agree to the practices described herein. If you disagree with any part of this policy, please discontinue use of our services.

1.Information We Collect

1.1 Information You Provide Directly

• Waitlist registration: When you join our waitlist, we collect your phone number and your name.
• Account creation: When you create a DePesa account (at launch), we may collect your full name, email address, phone number (for M-Pesa integration), date of birth, and government-issued ID information required for Know Your Customer (KYC) compliance.
• Communications: If you contact us via email or social channels, we collect the content of your messages and any information you voluntarily provide.

1.2 Information Collected Automatically

• Usage data: IP address, browser type and version, operating system, referring URLs, pages viewed, time spent on pages, and links clicked.
• Device information: Device identifiers, screen resolution, language preferences, and timezone.
• Cookies and similar technologies: We use first-party cookies and local storage to maintain session state, remember your preferences, and improve your experience. We do not use third-party advertising cookies.

1.3 Blockchain & On-Chain Data

Transactions executed on the Solana blockchain are public by nature. Your Solana wallet address and associated on-chain transaction history are permanently recorded on the blockchain and are not within our ability to delete. We do not link your on-chain address to your identity without your explicit consent.

1.4 Financial & M-Pesa Data

When you connect your M-Pesa account, we receive transaction references, amounts, timestamps, and the phone number associated with your M-Pesa account. We do not store your M-Pesa PIN or any credentials that authenticate you with Safaricom.

2.How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve our platform and services.
• Process deposits, yield accrual, and withdrawals via M-Pesa and Solana.
• Verify your identity and comply with KYC/AML obligations under applicable law.
• Communicate with you about your account, transactions, and service updates.
• Send waitlist updates, launch announcements, and product news (you may opt out at any time).
• Detect, investigate, and prevent fraudulent transactions and other illegal activities.
• Analyze usage patterns to improve user experience and platform performance.
• Comply with legal obligations, court orders, or regulatory requirements.

3.Legal Basis for Processing

Where applicable under the Kenya Data Protection Act 2019 (DPA) or the EU General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide the services you requested.
• Consent: Where you have given explicit consent (e.g., marketing emails). You may withdraw consent at any time.
• Legal obligation: Processing required to comply with KYC, AML, and other regulatory requirements.
• Legitimate interests: Processing for fraud prevention, security, and platform improvement, balanced against your rights.

4.Data Sharing & Disclosure

We do not sell your personal data. We may share your information with:

• Service providers: Third-party vendors who assist in operating our platform (e.g., cloud hosting, email delivery, analytics). These parties are contractually bound to process data only as instructed by us.
• Payment partners: Safaricom (M-Pesa) and other payment processors necessary to execute your transactions.
• KYC/AML providers: Identity verification services used to satisfy regulatory requirements.
• Regulatory & legal authorities: Where required by law, court order, or governmental authority, or to protect the rights, property, or safety of DePesa or its users.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.

5.Cookies & Tracking Technologies

We use the following types of cookies:

• Essential cookies: Required for the platform to function (e.g., session tokens, CSRF protection). These cannot be disabled.
• Preference cookies: Remember your settings and preferences across visits.
• Analytics cookies: Help us understand how visitors interact with our site (e.g., page views, user flows). This data is aggregated and anonymized.

You can manage or disable cookies through your browser settings. Note that disabling essential cookies may impair the functionality of the platform.

6.Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by law:

• Waitlist data: Retained until you unsubscribe or request deletion, or for up to 24 months after last activity.
• Account data: Retained for the duration of your account and for up to 7 years after closure to comply with financial regulations.
• Transaction records: Retained for a minimum of 7 years in accordance with Kenyan financial regulations and AML requirements.
• Usage & analytics data: Retained for up to 24 months in aggregated form.

On-chain data stored on the Solana blockchain cannot be deleted due to the immutable nature of distributed ledgers.

7.Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

• TLS/HTTPS encryption for all data in transit.
• AES-256 encryption for sensitive data at rest.
• Role-based access controls limiting employee access to personal data on a need-to-know basis.
• Regular security audits and penetration testing of our infrastructure.
• Multi-factor authentication requirements for internal systems.

Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your information. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant authorities as required by law.

8.International Data Transfers

DePesa operates globally. Your data may be processed in countries outside Kenya or your country of residence, including countries that may have different data protection standards. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses or equivalent mechanisms recognized under applicable law.

9.Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data, subject to our legal retention obligations.
• Restriction: Request that we limit processing of your data in certain circumstances.
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw consent: Withdraw any previously given consent at any time, without affecting the lawfulness of prior processing.

10.Children's Privacy

DePesa is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18 without appropriate consent, we will promptly delete that information.

11.Third-Party Links & Services

Our platform may contain links to third-party websites and services (e.g., Solana explorers, M-Pesa portals, social media). This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any external services you use.

12.Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email (if you are on our waitlist or have an account) or by displaying a prominent notice on our website. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of DePesa after the effective date of any changes constitutes your acceptance of the revised policy.

13.Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact: