Privacy Policy

This privacy policy describes how PostaPay protects the personal data it processes, why and how we collect and use your personal data and how you can exercise your rights in relation to the processing of your personal data. This privacy policy should be read together with the Terms and Conditions of Use for other products and services. Where there is a conflict, this privacy statement will preva
This statement applies to all customers, suppliers, agents, merchants, dealers and all visitors frequenting any of PostaPay services.
Reference to:
“You”, “Your” means: customer

“Personal data” or “personal information” means: Information about you or information that identifies you as a unique individual, such as your name/s and surname combined with your physical address, contact details and/or passport/identity number.
“Processing” collectively means handling, collecting, using, altering, merging, linking, organizing, disseminating, storing, protecting, retrieving, disclosing, erasing, archiving, destroying, or disposing of your personal information.
“Sensitive personal information” includes data revealing your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of your children, parents, spouse or spouses, sex or sexual orientation.

Any supplier who has been contracted by PostaPay and executed a Supplier contract.
“PostaPay”, “we” or “us”, “our” and “ours” means Paylon Limited
The word “includes” means that what follows is not necessarily exhaustive and therefore the examples given are not the only things or situations included in the meaning or explanation of that text.

Collection of personal data

PostaPay will only collect personal data about you in so far as is necessary to achieve the purposes set out in this privacy statement. We collect your personal information with your knowledge and consent, with the exception of cases where prior consent cannot be obtained for real reasons and the processing of the data is permitted by law.
Personal information collected
  • Identification Information:
    • Name
    • Date of Birth
    • National Identity Card/Passport details
  • Images:
    • Facial images
    • Selfies for authentication purposes and in compliance with legal and regulatory requirements.
  • Contact Details:
    • Phone number or email address
    • If provided, BudgetPals will use this information to contact you. We may also obtain your contact list information to facilitate your transactions.
    • Camera and images data: We use this data for Know Your Customer (KYC) information for user verification and validation as required by the law.
  • Biometric Data:
    • Fingerprints and facial images for authentication purposes and in compliance with legal and regulatory requirements.
  • Location Information:
    • To enable us to provide location-based services and aid us in fraudulent activity detection.
  • Device Information:
    • Information about the device you use to access the app, including:
      • Device type
      • Operating system
      • IP address
      • The duration for which your session lasted
      • Unique device identifiers
PostaPay will collect your personal information when you do any of the following:
  • Make an application, buy or use any of our products and/or services or from third parties on our electronic and digital platforms;
  • Use any of our products and/or services on a mobile or other device;
  • Ask PostaPay for more information about a product or service or contact PostaPay with a query or a complaint;
  • Visit or access PostaPay premises;
  • Attend an event sponsored by PostaPay;
  • Make an application to PostaPay or interact with us as a supplier, agent or dealer;
  • Visit, access or use any of our online platforms/ websites;
  • Subscribe to any of our online services, Short Message Service (SMS), email or social media platforms;
  • Respond to or participate in a survey, marketing promotion, prize competition or special offer;
  • We may also collect your information from other organizations including fraud prevention agencies and government agencies

When we require personal information from you in order to fulfill a statutory or contractual requirement, or where such information is necessary to enter into a contract or is otherwise an obligation, we will inform you and indicate the consequences of failing to do so.

These examples are non-exhaustive, which is reflective of the varied nature of the personal information we may collect.

When do we collect information?

We collect information from you when you register on our site, fill out a form or enter information on our site.

How do we use your information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website or use certain other site features in the following ways:

Use of personal data
  • Responding to any of your queries or concerns;
  • Verifying your identity information through publicly available and/or restricted government databases in order to comply with applicable regulatory requirements;
  • Carrying out credit checks and credit scoring;
  • To comply with any legal, governmental or regulatory requirement or for use by our lawyers in connection with any legal proceedings;
  • In business practices including quality control, training and ensuring effective systems operations;
  • To protect our network including to manage the volume of calls, texts and other use of our network;
  • To understand how you use our network, products and services for purposes of developing or improving products and services;
  • Preventing and detecting fraud or other crimes and for debt recovery;
  • Providing aggregated data (which does not contain any information which may identify you as an individual) to third parties for research and scientific purposes.

Transfer of personal data

Any transfer of personal data collected by our app will only occur for the stated purposes outlined in our privacy policy and in accordance with applicable data protection laws. Personal data will only be transferred to individuals or organizations that have adequate data protection controls in place, ensuring your information is safeguarded and treated with the utmost confidentiality. We maintain strict contractual agreements and conduct due diligence to ensure that any recipients of personal data adhere to the same level of data protection standards as required by applicable laws.

Retention of personal data

PostaPay will retain your personal data only for as long as is necessary to achieve the purpose for which it was collected. We may retain your personal data and/or information for a period of up to seven (7) years or as may be required by law, and we maintain specific records management and retention policies and procedures so that personal data is deleted after a reasonable time according to the following retention criteria:
  • Where we have an ongoing relationship with you.
  • To comply with a legal obligation to which it is subject.
  • Where retention is advisable to safeguard or improve the PostaPay legal position.


PostaPay will only contact you for marketing purposes where you have provided us with your consent to do so. Consent will be sought before any such marketing applications commence.

How do we protect your information?

We use vulnerability scanning and/or scanning to PCI standards. We use regular Malware Scanning.
Your personal information is contained behind secured networks and is only accessible by a limited number of people who have special access rights to such systems and are required to keep the information confidential. In addition, all sensitive information you supply is encrypted via Secure Socket Layer (SSL) technology.
We implement a variety of security measures when a user enters, submits or accesses their information to maintain the safety of your personal information. For your convenience, we may store your personal and crucial information kept for more than 60 days in order to automate the process.
We aim to collect only what we need, keep it up-to-date and remove it when we no longer need it.
We take reasonable steps to ensure that the personal information we process is limited to what we require in connection with the purposes set out in this Policy; it is accurate and, where necessary, kept up to date; and it is erased or rectified without delay if it is inaccurate. From time to time we may ask you to confirm the accuracy of your personal information.
For some of our online services, you can review or update certain account information by logging in and accessing the “Client Center” or a similar user profile section. If you cannot change the incorrect information online, or you prefer to request changes offline, please contact your PostaPay agent using the contact information listed on your account statements, records, or other account materials.

Do we use ‘cookies’?

We may store some information (using "cookies") on your computer when you visit our websites. This enables us to recognize you during subsequent visits. We use cookies for storing and honoring your preferences and settings, enabling you to sign in, providing interest-based advertising, combating fraud, analyzing how our products perform, and fulfilling other legitimate purposes.
We may also use this data in aggregate form to develop customized services - tailored to your individual interests and needs. Should you choose to do so, it is possible (depending on the browser you are using), to be prompted before accepting any cookies, or to prevent your browser from accepting any cookies at all. This will however cause certain features of the web site not to be accessible.

Third-party disclosure

We do not sell, trade or otherwise transfer to outside parties your Personally Identifiable Information.

Third-party links

Occasionally, at our discretion, we may include or offer third-party services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

How does our site handle Do Not Track signals?

We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

Does our site allow third-party behavioral tracking?

It's also important to note that we allow third-party behavioral tracking.

COPPA (Children's Online Privacy Protection Act)

When it comes to the collection of personal information from persons under the age of 18 years old, the Children's Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, United States' consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children's privacy and safety online.

We do not onboard minors (any person under 18 years of age) except where you additionally register on their behalf as their parent and/ or legal guardian. If you allow a child to use our services, you should be aware that their personal information could be collected as described in this statement.

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

In order to be in line with Fair Information Practices we will take the following responsive action, should a data breach occur:

We will notify you via email within 7 business days.

We also agree to the Individual Redress Principle which requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.

International Data Transfers

From time to time we may need to transfer your personal information outside the Republic of Kenya.

Where we send your information outside Kenya, we will make sure that your information is properly protected in accordance with the applicable Data Protection Laws.


The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.

We collect your email address in order to send information, respond to inquiries or other requests or questions.

To be in accordance with CAN-SPAM, we agree to the following:

- Not use false or misleading subjects or email addresses.
- Identify the message as an advertisement in some reasonable way.
- Include the physical address of our business or site headquarters.
- Monitor third-party email marketing services for compliance, if one is used.
- Honor opt-out/unsubscribe requests quickly.
- Allow users to unsubscribe by using the link at the bottom of each email.

If at any time you would like to unsubscribe from receiving future emails, you can email us by following the instructions at the bottom of each email and we will promptly remove you from ALL correspondence.

Your rights

You have the right in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law to:
  • Be informed that we are collecting personal data about you.
  • Request access to your personal information that we have on record. This right entitles you to know whether PostaPay holds personal data about you and, if so, to obtain information on and a copy of that personal data.
  • Request PostaPay to rectify any of your personal data that is incorrect or incomplete.
  • Object to and withdraw your consent to processing of your personal data. This right entitles you to request that PostaPay no longer processes your personal data. The withdrawal of your consent shall not affect the lawfulness of processing based on prior consent before its withdrawal. We may also continue to process your personal information if we have a legitimate or legal reason to do so.
  • Request the erasure of your personal data. This right entitles you to request the erasure of your personal data, including where such personal data would no longer be necessary to achieve the purposes.
  • Request the restriction of the processing of your personal data: This right entitles you to request that PostaPay only processes your personal data in limited circumstances, including with your consent.
  • Request portability of your personal data. This right entitles you to receive a copy (in a structured, commonly used, and machine-readable format) of personal data that you have provided to PostaPay, or request PostaPay to transmit such personal data to another data controller in an electronic format.

Non-Compliance with this Statement

We shall have the right to terminate any agreement with you for failure to comply with the provisions of this statement and reject any application for information contrary to this statement.

Amendments to this Statement

PostaPay reserves the right to amend or modify this privacy statement from time to time and your continued use of our products and services constitutes your agreement to be bound by the terms of any such amendment or variation.

Contacting Us

If there are any questions regarding this privacy policy, you may contact us using the information below:
+254 111 045 400