Privacy Policy

DePesa (“we,” “us,” or “our”) is a chama operations platform that helps groups in East Africa manage contributions, receipts, payout workflows, and dispute records across familiar channels like bank accounts, M-Pesa, and SACCO-linked workflows. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

Depending on your group setup, pooled funds may be held in a licensed bank account, M-Pesa channel, SACCO structure, or a hybrid combination. DePesa processes operational records and confirmations needed to run the group workflow.

Please read this policy carefully. By accessing or using DePesa, you acknowledge that you have read, understood, and agree to the practices described herein. If you disagree with any part of this policy, please discontinue use of our services.

1.Information We Collect

1.1 Information You Provide Directly

• Waitlist registration: When you join our waitlist, we collect your phone number and your name.
• Account creation: When you create a DePesa account (at launch), we may collect your full name, email address, phone number (for M-Pesa and channel operations), date of birth, and government-issued ID information required for Know Your Customer (KYC) compliance.
• Communications: If you contact us via email or social channels, we collect the content of your messages and any information you voluntarily provide.

1.2 Information Collected Automatically

• Usage data: IP address, browser type and version, operating system, referring URLs, pages viewed, time spent on pages, and links clicked.
• Device information: Device identifiers, screen resolution, language preferences, and timezone.
• Cookies and similar technologies: We use first-party cookies and local storage to maintain session state, remember your preferences, and improve your experience. We do not use third-party advertising cookies.

1.3 Ledger & Transaction Data

DePesa may process transaction and reconciliation records from payment and banking partners to provide contribution proof, payout confirmations, and audit trails. We keep these records only as needed for operations, compliance, and dispute handling, and we do not publicly expose your identity-linked financial data.

1.4 Financial Channel Data (Bank, M-Pesa, SACCO)

When your group uses bank transfers, M-Pesa, or SACCO-linked channels, we may receive transaction references, amounts, timestamps, account or member identifiers, and payment status metadata needed for reconciliation and support. We do not store your M-Pesa PIN or equivalent authentication secrets for third-party providers.

2.How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve our platform and services.
• Process contribution records, payout operations, and transaction confirmations.
• Evaluate policy rules and maintain dispute logs to support fair group operations.
• Verify your identity and comply with KYC/AML obligations under applicable law.
• Communicate with you about your account, transactions, and service updates.
• Send waitlist updates, launch announcements, and product news (you may opt out at any time).
• Detect, investigate, and prevent fraudulent transactions and other illegal activities.
• Analyze usage patterns to improve user experience and platform performance.
• Comply with legal obligations, court orders, or regulatory requirements.

3.Legal Basis for Processing

Where applicable under the Kenya Data Protection Act 2019 (DPA) or the EU General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide the services you requested.
• Consent: Where you have given explicit consent (e.g., marketing emails). You may withdraw consent at any time.
• Legal obligation: Processing required to comply with KYC, AML, and other regulatory requirements.
• Legitimate interests: Processing for fraud prevention, security, and platform improvement, balanced against your rights.

4.Data Sharing & Disclosure

We do not sell your personal data. We may share your information with:

• Service providers: Third-party vendors who assist in operating our platform (e.g., cloud hosting, email delivery, analytics). These parties are contractually bound to process data only as instructed by us.
• Payment and custody partners: Safaricom (M-Pesa), banking institutions, SACCO partners, and other processors required to execute and reconcile transactions.
• KYC/AML providers: Identity verification services used to satisfy regulatory requirements.
• Regulatory & legal authorities: Where required by law, court order, or governmental authority, or to protect the rights, property, or safety of DePesa or its users.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.

5.Cookies & Tracking Technologies

We use the following types of cookies:

• Essential cookies: Required for the platform to function (e.g., session tokens, CSRF protection). These cannot be disabled.
• Preference cookies: Remember your settings and preferences across visits.
• Analytics cookies: Help us understand how visitors interact with our site (e.g., page views, user flows). This data is aggregated and anonymized.

You can manage or disable cookies through your browser settings. Note that disabling essential cookies may impair the functionality of the platform.

6.Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by law:

• Waitlist data: Retained until you unsubscribe or request deletion, or for up to 24 months after last activity.
• Account data: Retained for the duration of your account and for up to 7 years after closure to comply with financial regulations.
• Transaction records: Retained for a minimum of 7 years in accordance with Kenyan financial regulations and AML requirements.
• Usage & analytics data: Retained for up to 24 months in aggregated form.

Some transaction records may need to be retained for compliance, dispute resolution, and financial reconciliation even after account closure.

7.Data Security

We implement industry-standard technical and organizational measures to protect your personal data, including:

• TLS/HTTPS encryption for all data in transit.
• AES-256 encryption for sensitive data at rest.
• Role-based access controls limiting employee access to personal data on a need-to-know basis.
• Regular security audits and penetration testing of our infrastructure.
• Multi-factor authentication requirements for internal systems.

Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your information. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant authorities as required by law.

8.International Data Transfers

DePesa operates globally. Your data may be processed in countries outside Kenya or your country of residence, including countries that may have different data protection standards. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses or equivalent mechanisms recognized under applicable law.

9.Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your personal data, subject to our legal retention obligations.
• Restriction: Request that we limit processing of your data in certain circumstances.
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw consent: Withdraw any previously given consent at any time, without affecting the lawfulness of prior processing.

10.Children's Privacy

DePesa is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18 without appropriate consent, we will promptly delete that information.

11.Third-Party Links & Services

Our platform may contain links to third-party websites and services (e.g., banking portals, M-Pesa portals, SACCO portals, social media). This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any external services you use.

12.Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email (if you are on our waitlist or have an account) or by displaying a prominent notice on our website. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of DePesa after the effective date of any changes constitutes your acceptance of the revised policy.

13.Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact: