M-Penny Ltd (Nairobi, Kenya) is the data controller for personal data processed through the M-Penny platform, and is (or is in the process of being) registered with the ODPC. Where we process data on behalf of your business — for example contact details of your own customers that you enter — your business is the controller and M-Penny acts as a data processor under the Terms.
| Category | Examples |
|---|---|
| Identity & business | Owner name, business name, KRA PIN, location, photo/logo, ID details where required for KYC |
| Contact & account | Phone number, email, username, hashed password/PIN, plan and subscription status |
| Payment identifiers | M-Pesa till/paybill/phone, bank references, transaction IDs (we do not store your M-Pesa PIN or full card numbers) |
| Financial records | Invoices, expenses, quotations, ledger, stock, payroll inputs, tax positions, and customer/supplier details you enter or import |
| Credit data | Where you apply for credit and consent: affordability, repayment and CRB-related data |
| Usage & device | Log data, device/browser type, IP address, app interactions, and cookies/local storage |
| Referral data | Referral codes, who referred whom, and reward/payout records |
We rely on: performance of our contract with you; compliance with legal obligations (for example tax and AML); your consent for optional processing such as credit assessment and marketing (which you may withdraw at any time); and our legitimate interests in securing, operating and improving the service, balanced against your rights.
Some providers (for example cloud and AI infrastructure) may process data outside Kenya. Where this happens, we ensure an appropriate basis and safeguards for the transfer as required by the Data Protection Act, including contractual protections and, where relevant, your consent.
Some features use artificial intelligence to summarise regulations, generate guidance, business intelligence and marketing content. Prompts are processed by our AI provider via secure server-side calls; we instruct our provider not to use your content to train their models. AI outputs are for information only and may be inaccurate — please review before relying on them. Our AI does not make legally or financially significant decisions about you without human involvement.
We protect data with encryption in transit and at rest, role-based access controls, audit logging, and secret management. Passwords and PINs are hashed and are not visible to M-Penny staff. No system is perfectly secure; you must keep your credentials and one-time passcodes confidential and tell us promptly of any suspected compromise. We will notify you and the ODPC of a notifiable personal-data breach as required by law.
We keep personal data for as long as your account is active and as needed to provide the service. Tax and accounting records are retained for the period required by Kenyan law (generally at least five (5) years). After applicable periods we delete or irreversibly anonymise data, except where we must keep it to meet legal, regulatory, audit or dispute-resolution obligations.
Subject to the Data Protection Act, you have the right to: be informed; access your data; correct inaccurate data; request deletion; restrict or object to certain processing; data portability; and withdraw consent. To exercise a right, contact privacy@mpenny.ke; we will respond within the timeframes the law requires. Some data may need to be retained for legal reasons even after a deletion request.
We send service and transactional messages necessary to operate your account. We send marketing only with your consent, and you can opt out at any time. The app uses cookies and local storage to keep you signed in, remember preferences and measure usage; you can control these through your device or browser, though some features may not work without them.
M-Penny is for businesses and is not directed to children under 18. We do not knowingly collect children's data; if you believe we have, contact us and we will delete it.
We may update this Policy from time to time. We will post the updated version with a new date and, for material changes, give notice in-app. Continued use after changes take effect means you accept the updated Policy.
Data protection queries and requests: privacy@mpenny.ke. M-Penny Ltd, Nairobi, Kenya. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (odpc.go.ke).
This Policy is provided in good faith and should be reviewed and finalised by a licensed Kenyan data-protection practitioner before commercial launch, and kept current as data flows, processors and regulations change.