Privacy & Data Protection Policy
How paylod collects, uses, discloses, and safeguards personal data under the Kenya Data Protection Act, 2019 — as a data controller for merchant account data and a data processor for the payment data we handle on merchants' behalf.
Effective date: 17 July 2026
paylod is a hosted M-Pesa (Safaricom Daraja) Backend-as-a-Service. This policy explains what personal data we handle, why, on what lawful basis, who we share it with, how long we keep it, how we protect it, and the rights you have under the Data Protection Act, 2019 (the "Act") of the Republic of Kenya. It is written to be read alongside our Terms of Service.
We take a plain-language approach, but the two-role distinction below is the heart of this policy — please read it before the rest.
Who we are, and our two data-protection roles
paylod is operated by Moses Mrima Mbanga, an individual based in Kenya, under the name "paylod" ("paylod", "we", "us", "our"). paylod is a pre-revenue side project run by a single individual operator — it is not a registered company, has no company registration number, and has no registered office. The best way to reach us for any matter, including data-protection queries, is by email at [email protected].
Under the Act, paylod acts in two distinct roles, and your rights and our duties differ depending on which data is involved:
- As a data controller, we determine the purposes and means of processing the personal data of merchants and their team members — the people who sign up for and administer a paylod account.
- As a data processor, we process the personal data of a merchant's own customers (payers) strictly on the merchant's behalf and on their instructions, when the merchant uses paylod to request and confirm M-Pesa payments. For that customer data, the merchant is the data controller and paylod is only their processor.
| Controller role | Processor role | |
|---|---|---|
| Whose data | Merchant account holders and their team | The merchant's paying customers |
| Who decides why it is processed | paylod | The merchant |
| Examples of data | Email, name, organisation, billing email | Payer phone number (MSISDN), amount, M-Pesa receipt, account reference |
| Governed by | This policy | This policy and a Data Processing Agreement between paylod and the merchant |
Contact for privacy matters. As a solo operator, paylod does not have a formal Data Protection Officer (DPO); a DPO is not required at this scale. Data-protection queries and data-subject requests go directly to the operator, Moses Mrima Mbanga, by email at [email protected].
ODPC registration. paylod is not yet registered with the Office of the Data Protection Commissioner (ODPC). Registration will be completed when the project incorporates or crosses the registration thresholds under the Data Protection Act, 2019 and its regulations. Not being registered does not remove your rights as a data subject — the rights set out in this policy are honoured now.
The personal data we collect
As a controller — merchant and account data
When you create and run a paylod account, we collect and hold:
- Identity and contact data: your email address, and (if you provide it) your full name and profile avatar.
- Organisation data: your organisation's name, its billing email, and your role within it (owner, admin, developer, or viewer).
- Authentication data: credentials managed by our authentication provider (Supabase Auth), including a securely hashed password and session information. We do not store your password in plain text.
- Product and support data: applications you create, API key metadata (a non-secret prefix, creation and last-used timestamps — never the full key, which we cannot recover), webhook endpoint URLs you configure, and any correspondence you send us.
- Technical data: IP address, request timestamps, and security/audit logs generated when you use the dashboard and API.
As a processor — payment data handled for merchants
When a merchant uses paylod to run an M-Pesa payment, we process, on the merchant's behalf, the personal data contained in that transaction:
- the payer's phone number (MSISDN);
- the amount and an optional account reference the merchant supplies;
- transaction results returned by Safaricom — the M-Pesa receipt number, checkout/merchant request identifiers, result codes and descriptions, and settlement timestamp; and
- any metadata the merchant chooses to attach to a payment.
paylod never takes custody of funds — money moves directly between the merchant's own Safaricom shortcode and the customer. We process the transaction data only to route the payment request, host the Daraja callback, and deliver a signed webhook back to the merchant.
We do not intentionally collect special categories of personal data (for example health, religious or political data), and merchants must not send such data through the account reference or metadata fields.
Why we process personal data, and our lawful basis
Under section 30 of the Act, every processing activity needs a lawful basis. Ours are:
| Data and purpose | Role | Lawful basis |
|---|---|---|
| Create and administer your paylod account; authenticate you | Controller | Performance of a contract (our Terms of Service) |
| Provide the API — route payment requests, host callbacks, deliver webhooks | Processor (for the merchant) | Processing on behalf of, and on the documented instructions of, the merchant-controller; the merchant relies on contract / legitimate interest with its customer |
| Bill you and keep financial records | Controller | Legal obligation (tax and accounting law) and performance of a contract |
| Secure the service — audit logs, fraud and abuse prevention, rate limiting | Controller | Legitimate interest in keeping the platform and its users safe |
| Send you service, security and account notices | Controller | Performance of a contract / legitimate interest |
| Send optional product or marketing updates (if any) | Controller | Consent, which you may withdraw at any time |
| Comply with lawful requests from regulators or courts | Controller | Legal obligation |
Where we rely on consent, you can withdraw it at any time without affecting processing carried out before withdrawal. Where we rely on legitimate interest, we have balanced that interest against your rights and you may object (see Your rights below).
Who we share data with
We do not sell your personal data. We share it only with the parties needed to run the service, each acting as our sub-processor or as an independent controller:
- Safaricom PLC (M-Pesa / Daraja API). Payment requests are executed against Safaricom's Daraja API using the merchant's own Daraja credentials and shortcode. The payer's phone number and the transaction details necessarily pass to Safaricom, which processes them as an independent controller under its own terms. paylod is not affiliated with, endorsed by, or sponsored by Safaricom.
- Amazon Web Services (AWS). We host our infrastructure — including our self-managed Supabase (PostgreSQL) database — on AWS cloud infrastructure in the AWS Europe (Frankfurt) region,
eu-central-1, in Germany (EU). - Cloudflare, Inc. Our services sit behind Cloudflare for DNS, TLS, CDN, and DDoS/WAF protection. Cloudflare processes network-level data (such as IP addresses and request metadata) to route and protect traffic.
- Supabase. We use Supabase software for our database and authentication layer. Our Supabase deployment is self-hosted on our own AWS infrastructure.
- Service providers we engage for email delivery, error monitoring, and payment/billing, where applicable. A current list of sub-processors is available on request from
[email protected]. - Authorities, where we are required by law, court order, or a valid regulatory request to disclose data.
We place a written data-processing agreement, with appropriate safeguards, on each sub-processor that handles personal data on our behalf.
Where your data is stored, and cross-border transfers
Our infrastructure is hosted on AWS in the AWS Europe (Frankfurt) region (`eu-central-1`), in Germany (EU), and traffic is served through Cloudflare's global edge network. This means personal data is transferred from Kenya to, stored in, and accessed from outside Kenya — principally the European Union, a jurisdiction with strong, comprehensive data-protection law (the EU General Data Protection Regulation).
This Kenya-to-EU flow is a cross-border transfer, which we disclose under the transfer provisions of the Act. Where personal data leaves Kenya, we rely on the conditions for cross-border transfer under sections 48 and 49 of the Act and the Data Protection (General) Regulations, 2021 — namely the transfer to a jurisdiction that provides appropriate safeguards, backed by contractual data-protection commitments with our providers, the necessity of the transfer to perform our contract with you, or your consent. You may ask us for details of the safeguards that apply by emailing [email protected].
How long we keep personal data
We keep personal data only for as long as we need it for the purposes above, and then delete or anonymise it. The periods below are the operator's current policy:
- Account and organisation (profile) data: retained while your account is active, and deleted or anonymised within 90 days of account closure, unless a longer period is required by law.
- Payment and transaction metadata: retained for up to 12 months for operational and reconciliation purposes. Where longer retention is required by Kenyan tax or accounting law, we keep the relevant financial records for that period. Note that the merchant remains the primary record-keeper for their own customers' transaction data, as the controller of that data.
- Server and audit logs: kept for approximately 90 days, sufficient for security monitoring and incident investigation.
- Encrypted Daraja credentials: kept only while your application needs them, and deleted when the merchant removes the credentials or closes the account.
When acting as a processor, we retain the merchant's customer data for the period the merchant instructs, and delete or return it on termination of the Data Processing Agreement, save where law requires us to keep it.
How we protect personal data
We apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit (TLS) for all traffic, terminated at Cloudflare and enforced end-to-end.
- Encryption at rest for your Daraja secrets. Your Daraja consumer key, consumer secret, passkey, and initiator password are encrypted at rest with a versioned key and are write-only: no paylod tool, dashboard screen, or API endpoint can read them back after they are stored. They are decrypted only in-process, server-side, at the moment a payment is executed, and never travel back over the wire.
- API keys are never stored in recoverable form — we keep only a hash and a short non-secret prefix, so a database disclosure cannot reveal a usable key.
- Row-Level Security (RLS) in our database, so each organisation can access only its own data.
- Signed, verifiable webhooks (HMAC signatures) so merchants can confirm that a callback genuinely came from paylod and reports the true settled amount.
- Rate limiting, audit logging, and network protection (Cloudflare WAF/DDoS) against abuse.
- Access controls limiting staff access to personal data to what their role requires.
No system is perfectly secure, and we cannot guarantee absolute security, but we work to protect your data in line with the Act and current good practice.
Personal-data breach notification
- As a processor: if we become aware of a personal-data breach affecting a merchant's customer data, we will notify the affected merchant (as controller) without undue delay so they can meet their own notification duties.
- As a controller: where a breach affects data for which we are the controller, we will notify the ODPC within 72 hours of becoming aware of it where feasible, in line with section 43 of the Act, and we will communicate the breach to affected data subjects where it is likely to result in a real risk to their rights and freedoms, as soon as reasonably practicable.
Your rights as a data subject
Under Part V of the Act you have the right to:
- be informed of the use to which your personal data is put;
- access the personal data we hold about you;
- rectify false or misleading data;
- request erasure of data we no longer have a lawful reason to keep;
- restrict or object to processing, including processing based on legitimate interest and any direct marketing;
- data portability, where technically feasible; and
- withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact the operator directly by email at [email protected]. We will respond within the timelines set by the Act. Much of your account data can also be viewed and corrected directly in your dashboard settings.
If your request concerns data we process as a processor on a merchant's behalf (for example, a payer asking about their transaction), we will refer you to — or forward your request to — the relevant merchant, who is the controller of that data.
Complaints. If you believe we have mishandled your personal data, please tell us first so we can put it right. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at odpc.go.ke.
Cookies and analytics
paylod uses only strictly necessary cookies — chiefly the session cookies set by our authentication provider to keep you signed in and to protect the security of your session. These are essential to operate the dashboard and cannot be switched off without breaking sign-in.
We do not use third-party advertising cookies, cross-site tracking, or behavioural advertising networks. If we introduce optional analytics in future, we will update this policy and, where the law requires it, ask for your consent first.
If you are a merchant — your responsibilities as a controller
When you use paylod to collect payments from your own customers, you are the data controller of that customer data and paylod is your processor. You are responsible for:
- having your own lawful basis to collect and process your customers' data;
- giving your customers their own privacy notice and honouring their rights;
- only sending us data you are permitted to process, and never placing special-category or unnecessary personal data in the account reference or metadata fields; and
- keeping your API keys, callback URL, and mint tokens confidential (see our security guidance).
Our processing of your customers' data on your behalf is governed by a Data Processing Agreement (DPA), described next.
Data Processing Agreement
The relationship in which paylod acts as your processor is governed by a Data Processing Agreement that sets out the subject-matter, duration, nature and purpose of processing, the types of personal data and categories of data subjects, and the obligations and rights of each party under section 42 of the Act.
Placeholder / stub. A standalone Data Processing Agreement is a separate document that must be prepared and reviewed by a qualified lawyer, then referenced or attached here. Until it is executed, this section is a stub. Contact [email protected] to request the current DPA.
Children
paylod is a tool for businesses and developers and is not directed at children. We do not knowingly collect the personal data of children. If you believe a child has provided us data, contact us at [email protected] and we will delete it.
Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the effective date at the top of the page and, where appropriate, notify you. Your continued use of paylod after a change takes effect means you accept the updated policy.
How to contact us
- Operator: Moses Mrima Mbanga, an individual based in Kenya, operating the Service under the name "paylod" (not a registered company; no registered office — please contact us by email)
- Support, legal, privacy and data-subject requests:
[email protected](single contact for all matters) - Data Protection Commissioner (Kenya): odpc.go.ke