Privacy Policy

How we collect, use, and protect your personal information

Last updated: December 5, 2025 | Effective: December 5, 2025

1. Introduction

Sunny Payments Limited ("Sunny Payments," "we," "us," or "our") is a licensed Payment Service Provider regulated by the Central Bank of Kenya (CBK) under the National Payment System Act, 2011. We are committed to protecting your privacy and ensuring the security of your personal and financial information in compliance with the Kenya Data Protection Act 2019, the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS).

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our payment processing services, website, mobile applications, and APIs.

2. Information We Collect

2.1 Personal Information

  • Full name, date of birth, and national identification number
  • Contact information (email address, phone number, physical address)
  • Business registration details and KRA PIN (for business accounts)
  • Bank account and mobile money account details
  • Biometric data (where applicable for identity verification)

2.2 Payment Information

  • Payment card numbers (encrypted and tokenized per PCI DSS requirements)
  • Transaction history and payment details
  • Billing and shipping addresses
  • M-Pesa and mobile money transaction identifiers

2.3 Technical Information

  • IP address, device type, browser type, and operating system
  • Device identifiers and geolocation data
  • API access logs and integration data
  • Cookies and similar tracking technologies

3. How We Use Your Information

We process your personal data for the following purposes:

  1. Payment Processing: To process transactions, verify payment details, and complete money transfers
  2. Identity Verification: To comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements
  3. Fraud Prevention: To detect, prevent, and investigate fraudulent transactions and security threats
  4. Regulatory Compliance: To meet CBK and GDPR requirements, our PCI DSS obligations, and other applicable regulatory requirements
  5. Customer Support: To respond to inquiries, resolve disputes, and provide technical assistance
  6. Service Improvement: To analyze usage patterns and enhance our products and services

4. Legal Basis for Processing

Under the Kenya Data Protection Act 2019 and GDPR, we process your data based on:

  • Contractual Necessity: Processing required to provide our payment services
  • Legal Obligation: Compliance with CBK regulations, AML laws, and tax requirements
  • Legitimate Interest: Fraud prevention, security, and service improvement
  • Consent: Where you have given explicit consent for specific processing activities

5. Data Sharing and Disclosure

We may share your information with:

  • Payment Networks: Visa, Mastercard, and M-Pesa for transaction processing
  • Financial Institutions: Banks and mobile money operators as required
  • Regulatory Authorities: CBK, Kenya Revenue Authority (KRA), and law enforcement when legally required
  • Service Providers: Cloud hosting, fraud detection, and identity verification partners (under strict contractual obligations)
  • Business Partners: Merchants and institutions you transact with (limited to transaction data)

We never sell your personal information to third parties.

6. Data Security

We implement industry-standard security measures to protect your data:

  • PCI DSS Level 1: Validated at Level 1, the most stringent PCI DSS assessment tier for payment service providers
  • AES-256 Encryption: Sensitive data is encrypted with AES-256 at rest and encrypted in transit
  • Tokenization: Card numbers are replaced with tokens so that full card numbers are not stored in our systems
  • Multi-Factor Authentication: Additional account protection for all users
  • 24/7 Monitoring: Continuous security monitoring and threat detection
  • Regular Audits: Annual penetration testing and security audits

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

  • Transaction Records: 7 years (as required by CBK and tax regulations)
  • KYC Documentation: 7 years after account closure
  • Account Data: Duration of account plus 5 years
  • Technical Logs: 12 months for security and debugging purposes

8. Your Rights

Under the Kenya Data Protection Act 2019 and GDPR, you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data (subject to legal retention requirements)
  • Right to Restriction: Request limitation of processing in certain circumstances
  • Right to Portability: Receive your data in a machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent

To exercise these rights, contact our Data Protection Officer at privacy@sunnypay.com

9. International Data Transfers

Your data may be transferred to and processed in countries outside Kenya, including for cloud hosting and payment network processing. We ensure adequate safeguards are in place, including:

  • Standard Contractual Clauses approved by the Office of the Data Protection Commissioner (ODPC)
  • Transfers to countries with adequate data protection levels
  • Binding Corporate Rules where applicable

10. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will promptly delete it.

11. Policy Updates

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or prominent notice on our website. Continued use of our services after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related inquiries or to exercise your rights:

Data Protection Officer: Sunny Payments Limited

Email: privacy@sunnypay.com

Address: Westlands, Nairobi, Kenya

Phone: +254 700 000 000

You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke