havenpay
Data Protection
HavenPay Ltd (“HavenPay”, “we”, “our”, “us”) is committed to protecting the privacy, security, and integrity of all personal and financial information processed through our platform.
This Data Protection & Security Policy explains how we collect, store, secure, and manage data in compliance with the Kenya Data Protection Act (2019), relevant financial regulations, and global best practices. This Policy applies to all HavenPay users, partners, and stakeholders.
01
Data Protection Principles
HavenPay adheres to the following core principles:
- Lawfulness, fairness & transparency – We only process data for legitimate purposes and communicate how it is used.
- Purpose limitation – Data is only used for the services described here or as required by law.
- Data minimization – We collect only what is necessary.
- Accuracy – We work to ensure all personal data is accurate and up to date.
- Storage limitation – We retain data only as long as needed for legal, regulatory, or operational purposes.
- Integrity & confidentiality – We protect data using technical and organizational safeguards.
- Accountability – HavenPay complies with all regulatory requirements and maintains documentation of its data practices.
02
What Data Do We Collect
To operate a secure and compliant financial service, we may collect:
Identity Data
- UNHCR ID and refugee registration information
- Government-issued IDs (where applicable)
- Biometric data (e.g., facial recognition, liveness checks)
- Name, gender, date of birth
- Address or digital location verification
Contact Data
- Phone number
- Email address
- Device identifiers
Financial Data
- Wallet balances
- Deposits, withdrawals, and transfers
- M-Pesa and bank-linked transaction history
- NGO or aid disbursement records (if relevant)
Behavior & Usage Data
- Login patterns
- Device information
- App interaction logs
- Predictive credit behavior signals
Location Data
- Geo-tagged digital addresses
- Approximate device location (where required for compliance or fraud detection)
03
Why We Process Your Data
We process data only for legitimate and legal purposes, including:
Service Delivery
- Creating and managing your HavenPay wallet
- Enabling savings, payments, transfers, and withdrawals
- Connecting you to M-Pesa and regulated financial institutions
Identity Verification (KYC)
- Accepting and validating UNHCR IDs
- Verifying biometrics
- Assigning KYC tiers and transaction limits
Regulatory Compliance
- Anti-Money Laundering (AML)
- Counterterrorism Financing (CTF)
- Fraud prevention
- Reporting obligations to regulators
Credit & Financial Development
- Building credit profiles using transactional behavior
- Assessing risk to unlock future credit or business tools
System Protection
- Detecting suspicious or unauthorized activity
- Auditing system logs
- Enhancing platform stability and security
We never sell personal data.
04
Your Rights
Under the Kenya Data Protection Act and global standards, you have the right to:
- Access your personal data
- Correct or update inaccurate data
- Request deletion (where legally possible)
- Withdraw consent (for consent-based processing)
- Object to certain processing
- Request a copy of your data (“data portability”)
To exercise your rights, contact:
📩 privacy@havenpay.co
05
How We Protect Your Data
HavenPay uses multiple layers of technical and organizational safeguards, including:
Technical Security
- End-to-end encryption (in transit and at rest)
- Secure cloud infrastructure with restricted access
- Biometric authentication for sensitive operations
- Device-level protection and session controls
- Zero-trust access architecture for internal systems
Operational Security
- Background checks for all employees with access to data
- Role-based access rights (least privilege model)
- Continuous fraud and AML/CTF monitoring
- Secure coding standards and penetration testing
- Incident detection and rapid response protocols
Infrastructure Security
- Firewalls and intrusion detection systems
- Encrypted backups
- Redundant data stores and disaster recovery plans
06
How Long We Keep Your Data
Retention depends on legal, regulatory, and operational needs:
Identity and KYC data:
- minimum of 7 years (regulatory requirement)
Financial transactions:
- as required by AML/CTF laws
Behavioral and device data:
- shorter periods, unless required for fraud monitoring
Aid disbursement records:
- per partner agreements and compliance
When data is no longer required, it is safely deleted or anonymized.
07
How We Share Your Data
We share data only with trusted and legally compliant partners:
Financial Partners
- Regulated banks such as Choice Bank
- Mobile money providers such as M-Pesa
Identity & Verification Partners
- UNHCR (where applicable for identity verification)
- Approved biometric verification services
- Compliance tools for AML/CTF screening
NGOs & Humanitarian Partners
- When processing aid payments or verifying eligibility
Regulators
- Only when legally required
Technology & Security Vendors
- Cloud hosting
- Fraud detection
- Analytics
- Customer support infrastructure
All partners are bound by strict data protection agreements.
08
International Transfers
If data is transferred outside of Kenya or your country:
- We ensure equivalent protections via data protection agreements
- We comply with applicable cross-border data transfer rules
- Data is encrypted and access-controlled
09
Data Breach Response
If a data breach occurs:
- We will investigate immediately
- Contain and mitigate impact
- Notify regulators and affected users (as required by law)
- Take corrective and preventive action
10
Children's Data
HavenPay is not intended for users under 18 unless permitted by regulation or supported by a guardian.
We do not knowingly process children’s data without proper authorization.
11
Changes to this Policy
We may update this Policy as our product evolves or legal requirements change.
Updates will be posted on our website with a revised “Last Updated” date.
12
Contact
For data protection questions, requests, or concerns:
HavenPay Ltd
Email: privacy@havenpay.co
Website: www.havenpay.co


