Privacy policy

This policy applies to visitors to our website, users of our dashboard and APIs, and end customers whose data is processed on behalf of our merchants. Where we process data on behalf of a merchant, we act as a data processorunder the merchant's instructions; that processing is governed by our Data Processing Agreement.

We collect information in three ways:

• Information you give us — name, email, phone number, business details, identification documents, and other information you provide when signing up, onboarding, or contacting support.
• Information we collect automatically — IP address, device and browser metadata, pages visited, and actions taken in the dashboard. We use first-party cookies and similar technologies to keep you signed in and to measure product usage.
• Information from third parties — identity and sanctions data from verification partners, fraud signals, and information from our banking, card-network, and mobile-money partners required to process transactions.

We use personal information to:

• Provide, operate, and improve the ReliaPay platform.
• Process payments, settlements, refunds, and disputes.
• Verify identities and meet our KYC, AML, CFT, and sanctions obligations.
• Detect, prevent, and investigate fraud and abuse.
• Communicate with you about your account, security, and product changes.
• Comply with applicable law and respond to lawful requests.

We do not sell personal data, and we do not use customer transaction data to advertise to consumers.

We rely on the following lawful bases under Kenya's Data Protection Act and equivalent laws across the region: contract (to deliver services you have signed up for), legal obligation (for example, anti-money-laundering law), legitimate interests (such as fraud prevention and product analytics), and consent (for non-essential cookies and marketing communications, where required).

We share personal information only when necessary, with:

• Banking, card-network, and mobile-money partners to settle transactions.
• Identity-verification, sanctions-screening, and fraud-detection vendors.
• Cloud-infrastructure providers under strict contractual safeguards.
• Professional advisers (auditors, lawyers) bound by confidentiality.
• Regulators, courts, or law enforcement where legally required.

A current list of sub-processors is available on the Data Processing Agreement page.

ReliaPay primarily stores customer data within the region in which it is collected. Where data is transferred internationally — for example to a global card network or fraud-screening vendor — we rely on appropriate safeguards such as Standard Contractual Clauses and equivalent mechanisms recognised by local regulators.

We retain personal data only as long as necessary to deliver our services, meet legal and regulatory obligations (typically seven years for transaction records under AML law), resolve disputes, and enforce agreements. After that period, data is deleted or irreversibly anonymised.

Depending on your location, you have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To exercise these rights, contact privacy@reliapay.africa. We respond within 30 days.

You also have the right to lodge a complaint with your local data-protection authority, including the Office of the Data Protection Commissioner in Kenya.

We protect personal data with TLS encryption in transit, AES-256 at rest, tokenisation of card data, multi-factor authentication, least-privilege access, and continuous monitoring. Suspected vulnerabilities can be reported to security@reliapay.africa.

We may update this policy from time to time. Material changes will be communicated by email or through the dashboard at least 30 days before they take effect. The “last updated” date at the top of this page reflects the most recent revision.