In plain English: We collect the data needed to process payments and run your account. We do not sell your personal data to advertisers. We share data only with payment processors necessary to complete transactions. You can request deletion of your data at any time, subject to legal retention requirements.
1. Data Controller
The data controller is Bitnova Technologies Ltd, incorporated in Kenya. For all privacy matters, contact us at privacy@bitnova.co.ke.
2. What We Collect
| Category | Data | Source |
| Account data | Name, email, phone number, password (hashed) | You, on registration |
| Business data | Business name, registration number, KRA PIN, directors, address | You, during KYC |
| Transaction data | Payment amounts, references, phone numbers, M-Pesa receipts, PayPal order IDs, crypto invoices | You and payment processors |
| Technical data | IP address, browser, device type, API request logs, session tokens | Automatically collected |
| Communication data | Support tickets, emails, chat transcripts | You, when contacting support |
| Payer data | Customer phone numbers, names, emails submitted via payment links or API | You (as merchant) and your customers |
3. How We Use Your Data
- Processing payments — Routing STK push requests, crediting wallets, issuing disbursements
- Account management — Login, password resets, API key management, team access
- KYC & compliance — Verifying identity, meeting AML obligations, reporting to regulators
- Customer support — Responding to queries, investigating disputes, resolving failed transactions
- Security — Detecting fraud, rate limiting, IP blocking, session management
- Product improvement — Aggregated analytics on feature usage (no individual profiling)
- Communication — Transaction receipts, security alerts, service updates, and (with consent) product announcements
We do not use your data for advertising, profiling, or selling to third parties.
4. Legal Basis for Processing
| Processing activity | Legal basis |
| Processing payments and running your account | Contract performance |
| KYC verification and AML reporting | Legal obligation |
| Fraud detection and security | Legitimate interests |
| Marketing emails and product news | Consent (opt-in) |
| Retaining transaction records | Legal obligation (tax / financial records) |
5. Data Sharing
We share your data only where necessary:
- Safaricom / M-Pesa Daraja — Phone numbers and amounts for STK push processing
- PayPal — Order amounts and return URLs for card/PayPal payment sessions
- NOWPayments — Invoice amounts for crypto payment sessions
- Banks — Account numbers and amounts for disbursements
- Regulators — When required by law (CBK, FRC, KRA, police)
- Cloud infrastructure — Hosting providers operating under data processing agreements
We do not share data with advertisers, data brokers, or analytics companies that profile individuals.
6. Data Retention
| Data type | Retention period |
| Account data (active accounts) | Duration of account + 12 months after closure |
| Transaction records | 7 years (Kenya tax/financial records requirement) |
| KYC documents | 7 years after account closure |
| API logs and technical data | 90 days rolling |
| Support tickets | 3 years |
| Marketing consent records | Until withdrawn + 12 months |
After retention periods expire, data is securely deleted or anonymised.
7. Security
We implement the following measures to protect your data:
- TLS encryption for all data in transit
- Passwords stored as bcrypt hashes — never in plain text
- API keys are hashed; secrets shown only once at creation
- Webhook payloads signed with HMAC-SHA256
- CSRF protection on all authenticated forms
- Rate limiting on API and login endpoints
- Session tokens scoped and revocable
- Regular security reviews and dependency updates
No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to security@bitnova.co.ke.
8. Your Rights
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data, subject to legal retention requirements
- Object: Object to processing based on legitimate interests
- Portability: Receive your data in a machine-readable format
- Restriction: Restrict processing while a dispute is under review
To exercise any of these rights, email privacy@bitnova.co.ke. We will respond within 30 days. We may need to verify your identity before processing requests.
9. Cookies
We use only essential cookies required for the Platform to function:
| Cookie | Purpose | Expiry |
| session | Keeps you logged in during your browser session | Session end |
| csrf_token | Protects forms against cross-site request forgery | Session end |
| remember_me | Optional persistent login if selected | 30 days |
We do not use advertising cookies, tracking pixels, or analytics SDKs that share data with third parties.
10. Third-Party Services
Our Platform integrates with the following third-party services, each with their own privacy policies:
We are not responsible for the privacy practices of these providers. We encourage you to review their policies.
11. Children's Privacy
BitnovaPay is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us immediately at privacy@bitnova.co.ke and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or in-app notification at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.