Last updated: May 2025

Privacy Policy

MobileSasa Limited (“MobileSasa”, “we”, “us”) is registered as both a Data Controller and a Data Processor under the Kenya Data Protection Act 2019. This Privacy Policy explains how we collect, use, and protect personal data when you use the MobileSasa CSP Platform.

1. Data We Collect

We collect the following categories of personal data:

• Account data — name, email address, company name, and password hash when you register.
• Billing data — payment references and transaction records processed through PesaPay. We do not store card numbers or M-Pesa PINs.
• Technical data — IP addresses, browser/device information, and access logs for security and audit purposes.
• Support data — content of support tickets and communications you send us.
• Platform configuration data — domain names, environment variable keys (values are encrypted at rest using AES-256-GCM), and deployment logs.

We do not collect or process the personal data of your End Users. That data is processed on your behalf as described in our Data Processing Agreement.

2. Legal Basis for Processing

Under the Kenya Data Protection Act 2019 (Section 30), we process your personal data on the following lawful bases:

• Performance of a contract — to provision and operate the Platform for you.
• Legitimate interests — fraud prevention, platform security, and service improvement.
• Legal obligation — to comply with Communications Authority directives and financial regulations.
• Consent — for marketing communications, where we obtain this separately.

3. How We Use Your Data

• Provision and operate your CSP platform instance.
• Send transactional emails (account creation, billing, support replies).
• Investigate security incidents and prevent abuse.
• Comply with legal and regulatory obligations.
• Improve the Platform based on usage patterns (anonymised).

4. Data Sharing

We do not sell your personal data. We may share it with:

• PesaPay— for payment processing. Governed by PesaPay's own privacy policy.
• Infrastructure providers — the physical servers on which your platform runs are hosted in Kenya.
• Law enforcement — where required by court order or Communications Authority directive.

5. Data Retention

6. Security

We protect your data using:

• TLS 1.2+ for all data in transit.
• AES-256-GCM encryption for sensitive configuration values at rest.
• bcrypt password hashing (cost factor 12).
• Isolated Docker networks per tenant.
• Access control — only authenticated administrators can access system functions.

7. Cross-Border Transfers

All personal data is stored and processed in Kenya. We do not transfer personal data outside Kenya unless required by law or to fulfil a contract at your express request, in which case we apply the safeguards required by Section 48 of the Kenya Data Protection Act 2019.

8. Your Rights

As a data subject under the Kenya Data Protection Act 2019 (Part IV), you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate data.
• Erasure — request deletion, subject to legal retention obligations.
• Restriction — request that we limit how we process your data.
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interests.

To exercise these rights, email [email protected]. We will respond within 21 days. You may also lodge a complaint with the Office of the Data Protection Commissioner of Kenya.

9. Cookies

The Platform uses a single session cookie (mgr_session) to maintain your authenticated session. This cookie is httpOnly and Secure and expires after 24 hours. We do not use tracking or advertising cookies.

10. Data Protection Officer

Our designated Data Protection Officer can be reached at [email protected].

11. Changes to This Policy

We will notify you of material changes to this Policy by email at least 14 days before they take effect. The current version is always available at this URL.