Privacy Policy

Last updated: February 2026

---

LipaPocket Ltd ("LipaPocket," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use the LipaPocket multi-currency digital wallet and cross-border remittance platform (the "Platform"), including our website, mobile applications, and API services.

By creating an account or using any part of the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.

1. Information We Collect

1.1 Information You Provide Directly

Category	Data Elements	When Collected
Account Registration	Full name, email address, phone number, country of residence, password	Account creation
Profile Information	Physical address, date of birth, nationality	Profile completion and KYC verification
KYC Documents (Basic Tier)	Government-issued photo ID (national ID card, passport, or driver's license)	Basic KYC verification
KYC Documents (Enhanced Tier)	Proof of address (utility bill, bank statement), live selfie photograph, source of funds documentation	Enhanced KYC verification
Beneficiary Information	Beneficiary name, phone number, bank account details, relationship to sender	Beneficiary registration for remittances
Payment Information	M-Pesa phone number, card details (processed by Genio Pago; we do not store full card numbers), bank account details	Deposits, withdrawals, and payment processing
Communication Data	Messages, support tickets, feedback, and correspondence with our team	Customer support interactions

1.2 Information Collected Automatically

Category	Data Elements	Purpose
Transaction Data	All wallet transactions (deposits, withdrawals, P2P transfers, currency conversions, remittances, crypto trades), amounts, currencies, timestamps, counterparties, transaction status	Service delivery, regulatory compliance, dispute resolution
Device and Access Information	IP address, browser type, operating system, device identifiers, screen resolution	Security, fraud detection, audit trail
Usage Data	Pages visited, features used, click patterns, session duration	Platform improvement and analytics
Audit Logs	Login events, action timestamps, IP addresses, user-agent strings, API call records	Security monitoring, regulatory compliance, fraud prevention

1.3 Information from Third Parties

We may receive information about you from:

• Payment processors (Genio Pago) — transaction confirmation data, payment status updates
• Identity verification services — KYC and sanctions screening results
• Referral program participants — your name and contact information if another user refers you

2. How We Use Your Information

We process your personal data for the following purposes:

2.1 Service Delivery

• Creating and managing your LipaPocket account and multi-currency wallets (KES, USD, EUR, GBP, TZS, UGX, NGN, and other supported currencies)
• Processing deposits via M-Pesa STK push, card payments, and manual deposit methods
• Processing withdrawals via M-Pesa and other supported channels
• Facilitating peer-to-peer (P2P) transfers between users, including cross-currency transfers with foreign exchange conversion
• Processing cross-border remittances through supported corridors
• Facilitating currency conversions between your wallets
• Generating and processing payment request links
• Enabling cryptocurrency trading functionality (buy/sell USDT, P2P marketplace)
• Managing your beneficiary list for recurring transfers
• Providing API access for developer integrations

2.2 Identity Verification and Compliance

• Verifying your identity through our tiered KYC process (NONE, BASIC, ENHANCED)
• Conducting anti-money laundering (AML) and counter-terrorism financing (CTF) checks
• Screening against international sanctions lists
• Monitoring transactions for suspicious activity
• Filing regulatory reports as required by law

2.3 Communication

• Sending transaction confirmations and status updates via SMS (through Cradle) and email
• Sending security alerts (login notifications, password changes, suspicious activity)
• Providing customer support and responding to inquiries
• Sending service announcements and policy updates

2.4 Security and Fraud Prevention

• Detecting and preventing unauthorized access, fraud, and abuse
• Maintaining comprehensive audit trails of all account activity
• Enforcing transaction limits based on KYC verification tier
• Investigating and resolving disputes

2.5 Platform Improvement

• Analyzing usage patterns to improve platform features and user experience
• Conducting internal research and analytics
• Diagnosing technical problems and optimizing performance

3. Legal Basis for Processing

We process your personal data on the following legal grounds:

Legal Basis	Applicable Processing Activities
Contract Performance	Processing transactions, managing wallets, facilitating remittances, processing deposits and withdrawals, managing beneficiaries, providing API services — all necessary to deliver the services you have contracted for.
Legal Obligation	KYC verification, AML/CTF screening, sanctions checks, suspicious activity reporting, financial record-keeping, responding to lawful requests from regulators and law enforcement.
Legitimate Interest	Fraud prevention, security monitoring, audit logging, platform improvement, analytics, enforcing our terms of service.
Consent	Marketing communications (where applicable), optional data sharing for referral programs, and any other processing where consent is specifically requested.

4. Data Sharing and Third-Party Disclosures

We do not sell your personal data. We share your information only as described below and only to the extent necessary for the stated purpose.

4.1 Payment Processing Partners

Partner	Data Shared	Purpose
Genio Pago	Transaction amount, currency, payment method details, customer reference	Card payment processing, M-Pesa collection and disbursement services

4.2 Authentication and Security

Partner	Data Shared	Purpose
Keycloak (Self-hosted)	Administrator credentials, session tokens	Administrative authentication via OAuth2/OpenID Connect for platform management

4.3 Communication Services

Partner	Data Shared	Purpose
Cradle	Phone number, SMS message content	Sending transactional SMS notifications (OTPs, transaction confirmations, security alerts)

4.4 Internal Infrastructure

Technology	Data Processed	Purpose
Apache Kafka	Transaction events, system events (internal)	Internal event streaming for real-time processing of transactions, compliance checks, and notifications

4.5 Other Disclosures

We may also disclose your information to:

• Regulatory authorities and financial intelligence units — when required by law, including suspicious activity reports, transaction reports, and responses to lawful information requests
• Law enforcement agencies — in response to valid legal process such as court orders, subpoenas, or search warrants
• Professional advisors — lawyers, auditors, and accountants who are bound by professional duties of confidentiality
• Corporate transactions — in connection with a merger, acquisition, or sale of assets, where your data would be transferred as a business asset (with prior notice to you where feasible)

5. Data Retention

5.1 Retention Periods

Data Category	Retention Period	Reason
Financial transaction records	7 years	Regulatory requirements under Kenyan financial law, AML/CTF record-keeping obligations
KYC documents and verification records	7 years after relationship ends	AML/CTF regulatory requirements
Audit logs (IP, device, actions)	3 years	Security investigations, fraud prevention, dispute resolution
Account profile data	Duration of account + 30 days grace period after deletion request	Service delivery and account recovery
Communication records	2 years	Customer support quality, dispute resolution
Marketing consent records	3 years after consent withdrawal	Proof of consent compliance

5.2 Post-Retention Data Handling

When data reaches the end of its retention period, it is securely deleted or anonymized such that it can no longer be associated with an identifiable individual. Anonymized data may be retained indefinitely for statistical and analytical purposes.

6. Account Deletion

You may request deletion of your LipaPocket account at any time. The deletion process works as follows:

1. Deletion Request: Submit your account deletion request through the Platform settings or by emailing support@lipapocket.com.
2. 30-Day Grace Period: Your account enters a 30-day deactivation grace period during which you may cancel the deletion request and restore your account.
3. PII Anonymization: After the 30-day grace period expires, your personally identifiable information (name, email, phone number, address) is irreversibly anonymized. Your email address and phone number are released and become available for re-registration with a new account.
4. Financial Record Retention: Transaction records, KYC documents, and other financial data are retained for 7 years from the date of the transaction or account closure, as required by Kenyan financial regulations and AML/CTF obligations.
5. Outstanding Balances: Before deletion is processed, you must withdraw or transfer any remaining wallet balances. Accounts with outstanding balances cannot be deleted until funds are settled.

7. Cookies, Sessions, and Tokens

7.1 Session Cookies

We use session cookies (JSESSIONID) to maintain your authenticated session while you are logged into the Platform. These are strictly necessary cookies that are deleted when you close your browser or when your session expires.

7.2 JWT Tokens

For API access, we use JSON Web Tokens (JWT) to authenticate requests. JWT tokens are issued upon successful login and contain your user identifier and permissions. Tokens expire after a configured period and must be refreshed by re-authenticating.

7.3 Third-Party Cookies

We do not use third-party advertising or tracking cookies. The only cookies set are those strictly necessary for Platform functionality and security.

8. Children's Privacy

LipaPocket services are intended exclusively for individuals who are at least 18 years of age. We do not knowingly collect personal information from anyone under 18. If we discover that we have collected personal data from a minor, we will promptly delete the account and associated information. If you believe a minor has created an account, please contact us immediately at support@lipapocket.com.

9. International Data Transfers

LipaPocket is headquartered in Nairobi, Kenya. As a cross-border remittance platform serving multiple countries, your personal data may be transferred to and processed in jurisdictions outside your country of residence, including but not limited to:

• Countries involved in your remittance corridors (e.g., United States, United Kingdom, Tanzania, Uganda, Nigeria)
• Jurisdictions where our payment processing partners (such as Genio Pago) operate
• Locations of our cloud infrastructure and data centers

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Data processing agreements with all third-party service providers
• Standard contractual clauses where applicable
• Encryption of data in transit and at rest
• Compliance with the Kenya Data Protection Act, 2019 and applicable data protection laws of destination countries

10. Data Security

We implement comprehensive technical and organizational measures to protect your data, including:

• Encryption: TLS/SSL encryption for all data in transit; AES-256 encryption for sensitive data at rest
• Access Controls: Role-based access control (RBAC), multi-factor authentication for administrative access
• Secure Authentication: Password hashing using industry-standard algorithms, OAuth2/OIDC protocols
• Monitoring: Real-time security monitoring, intrusion detection, and comprehensive audit logging
• Infrastructure: Firewalls, network segmentation, regular security patching
• Payment Security: Card data is processed directly by our PCI DSS-compliant payment partner (Genio Pago); we do not store full card numbers on our systems
• Incident Response: Documented incident response procedures for timely detection, containment, and notification of security breaches

While we strive to protect your personal information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to implementing and maintaining best-practice security controls.

11. Social Media & Communication Integration

LipaPocket offers optional integrations with third-party communication platforms to help you manage your messages and interactions more efficiently. This section explains how we handle data when you choose to connect these services.

11.1 Social Media Integration

When you connect platforms such as WhatsApp or Gmail to your LipaPocket account, we securely process your communication data to provide features like message management, autoreply, and cross-channel sync. These integrations are entirely optional and are activated only when you explicitly link a platform.

11.2 What We Collect

When you connect a social or communication platform, we may collect the following data from that platform, only with your explicit consent at the time you link it:

Category	Data Elements	When Collected
Chat History	Message threads, timestamps, and conversation metadata from connected platforms	Upon platform connection, with your consent
Contacts	Contact names, phone numbers, and email addresses from connected accounts	Upon platform connection, with your consent
Email Messages	Email content, subject lines, sender/recipient details, and attachments from connected email accounts	Upon email platform connection, with your consent
Message Content	Text, media references, and message metadata from connected messaging platforms	Ongoing, while platform remains connected

11.3 How We Use It

Communication data from connected platforms is used for the following purposes:

• Service Delivery: Powering message management, autoreply, message summaries, and cross-channel synchronization features that you have enabled
• Quality Assurance: Ensuring the accuracy and reliability of communication features across connected platforms
• System Improvement: Analyzing aggregated usage patterns to improve platform features and performance (your personal message content is not used for this purpose without anonymization)
• Compliance: Authorized administrative review of communication data where required for regulatory compliance or in response to lawful requests

11.4 Your Control

You remain in full control of your connected platforms at all times:

• You can disconnect any platform at any time through your account settings, which immediately stops further data collection from that platform
• You can request complete deletion of all communication data collected from a disconnected platform at any time by contacting support@lipapocket.com
• You can selectively enable or disable individual features (such as autoreply or message sync) without disconnecting the entire platform

11.5 Security

We take the security of your communication data seriously. All communication data from connected platforms is encrypted at rest and in transit using industry-standard encryption protocols. We do not sell or share your personal communication data with third parties. Access to communication data within our organization is strictly limited to authorized personnel on a need-to-know basis.

11.6 AI-Powered Features

When you enable features such as autoreply or smart summaries, our AI assistant may process your messages to generate contextual responses on your behalf or provide conversation summaries. You control which AI-powered features are active, and you can disable any of them at any time. AI-processed data is handled with the same encryption and access controls as all other communication data on the Platform.

12. Your Rights

Under the Kenya Data Protection Act, 2019 and other applicable data protection laws, you have the following rights regarding your personal data:

Right	Description
Right of Access	You may request a copy of the personal data we hold about you, including transaction history, profile data, and KYC records.
Right to Rectification	You may request correction of inaccurate or incomplete personal data. You can update most profile information directly through the Platform.
Right to Deletion	You may request deletion of your personal data, subject to the account deletion process described in Section 6 and our regulatory retention obligations.
Right to Data Portability	You may request a machine-readable export of your personal data and transaction history.
Right to Restrict Processing	You may request that we limit the processing of your personal data in certain circumstances, such as while a rectification request is pending.
Right to Object	You may object to processing of your data based on legitimate interests. Note that this may affect our ability to provide certain services.
Right to Withdraw Consent	Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

12.1 Exercising Your Rights

To exercise any of these rights, contact us at:

• Email: support@lipapocket.com
• Subject line: "Data Subject Request — [Your Right]"

We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. In certain cases, we may not be able to fully comply with your request due to regulatory obligations (e.g., we cannot delete transaction records within the 7-year retention period).

12.2 Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at www.odpc.go.ke.

13. Referral Program

If you participate in our referral program, we collect and process the contact information you provide for your referrals (name, email, or phone number) solely for the purpose of sending the referral invitation. Referred individuals are not added to our marketing lists unless they independently create an account and provide consent.

14. API Developer Data

If you use our API services, we collect and process API key identifiers, API call logs (endpoints accessed, timestamps, IP addresses, request/response metadata), and usage statistics. This data is used to provide the API service, enforce rate limits, detect abuse, and generate usage reports. API keys should be treated as confidential credentials and must not be shared or exposed in client-side code.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email or an in-platform notification at least 14 days before the changes take effect
• Where required by law, obtain your consent for material changes to data processing practices

Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the changes.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at: