Privacy Policy
Palpluss is committed to protecting your personal and business data. This policy explains what we collect, why we collect it, and how we keep it safe — including how we handle KYC and KYB information required for financial compliance.
Information We Collect
Account Information
When you register for a Palpluss account, we collect your full name, email address, phone number, and a securely hashed password. This information is used to authenticate you, communicate service updates, and secure your account.
Know Your Customer (KYC) Data
To comply with Kenya's Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) regulations, we are required to verify the identity of individual users accessing payment services. KYC data we collect includes: government-issued identification (National ID, Passport, or Alien Card), a selfie or liveness photograph for identity verification, date of birth, and residential address. This data is collected once and reviewed by our compliance team. It is stored encrypted at rest and is never sold, shared with advertisers, or used for any purpose beyond regulatory compliance and fraud prevention.
Know Your Business (KYB) Data
Business accounts are subject to KYB verification before being permitted to initiate live transactions. KYB data we collect includes: Certificate of Incorporation or Business Registration certificate, KRA PIN certificate, CR12 form (list of directors) for limited companies, business physical address, and details of the beneficial owners holding more than 10% of shares. This documentation is reviewed by our compliance team and retained for a minimum of seven (7) years as required by the Central Bank of Kenya and the Financial Reporting Centre Act.
Transaction Data
We record all payment events initiated through our platform — including STK Push requests and B2C disbursements — along with their status, timestamps, phone numbers involved, amounts, and M-Pesa reference codes. This data is necessary to provide the service, generate reports, support disputes, and meet our legal record-keeping obligations.
Technical and Usage Data
We automatically collect IP addresses, browser type, device identifiers, API request logs, and error traces when you use our platform or API. This data is used solely for security monitoring, debugging, and service improvement.
How We Use Your Data
Service Delivery
Your data is primarily used to provide and operate the Palpluss platform — authenticating your identity, processing payment requests, delivering webhook callbacks, and maintaining your transaction history.
Regulatory Compliance
KYC and KYB data is used strictly for identity verification and to meet our obligations under Kenyan financial regulation, including the National Payment System Act, the Central Bank of Kenya Prudential Guidelines, and the Financial Reporting Centre Act. We may be legally required to disclose certain records to regulatory authorities upon lawful request.
Fraud Prevention and Security
We analyse transaction patterns, API usage, and identity signals to detect and prevent fraudulent activity, money laundering, and unauthorised access. Automated systems and human reviewers may flag accounts for review based on suspicious behaviour.
Communications
We use your email and phone number to send transactional notifications (e.g. payment confirmations, low wallet balance alerts), service announcements, and security alerts. You may opt out of non-essential communications at any time from your dashboard settings.
Data Sharing and Third Parties
Safaricom / M-Pesa
To process STK Push and B2C transactions, we transmit the minimum necessary data to Safaricom's Daraja API on your behalf — including the recipient's phone number and transaction amount. This sharing is inherent to the service and consented to by your use of the platform.
Identity Verification Providers
KYC verification may be processed through licensed third-party identity verification vendors. These vendors operate under contractual data processing agreements that restrict them from using your data for any purpose other than verification.
No Sale of Data
We do not sell, rent, or trade your personal or business data to any third party for commercial purposes, including advertisers or data brokers.
Legal Disclosures
We may disclose data when required by law, court order, or a request from a competent regulatory authority such as the Financial Reporting Centre, the Communications Authority of Kenya, or a law enforcement agency acting under lawful authority.
Data Retention
KYC and KYB Records
Identity and business verification documents are retained for a minimum of seven (7) years following the closure of an account, as required by the Financial Reporting Centre Act and CBK guidelines. After this period, documents are securely destroyed.
Transaction Records
All payment transaction records are retained for seven (7) years to support dispute resolution, audits, and regulatory inspections.
Account Data
If you close your account, your personal profile data is anonymised within 90 days. Certain records required for compliance purposes will be retained for the legally mandated periods above.
Your Rights
Access and Correction
You have the right to access the personal data we hold about you and to request corrections where information is inaccurate. You can view most of your account information directly in the Palpluss Console. For KYC/KYB documents, contact our support team.
Data Portability
You may request a machine-readable export of your transaction history and account data at any time from your dashboard settings.
Deletion
You may request deletion of your account and associated personal data. Note that we are legally required to retain certain records (KYC, KYB, and transaction data) for regulatory periods regardless of this request. We will inform you of what can and cannot be deleted.
Complaints
If you believe your data rights have been violated, you may contact us at privacy@palpluss.com. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya.
How We Protect Your Data
Encryption
All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest — including KYC documents, API keys, and service wallet balances — is encrypted using AES-256.
Access Controls
Access to production systems and compliance records is restricted to authorised personnel only, enforced through role-based access controls, multi-factor authentication, and audit logging.
Incident Response
In the event of a data breach that poses a risk to your rights or freedoms, we will notify affected users and the Office of the Data Protection Commissioner within 72 hours of discovery, in accordance with the Kenya Data Protection Act, 2019.
Contact Us
For privacy-related queries or to exercise your rights, reach us at:
hello@email.palpluss.com