Privacy Policy
01 Introduction
Rezato Money Remittance Limited is a licensed payment service provider authorised by the Central Bank of Kenya (CBK) for foreign exchange and international money transfer services, and by the Bank of Tanzania (BoT) for international money transfer and payment service provider operations, trading as RezatoPay in Tanzania.
This Privacy Policy is issued in compliance with:
- The Kenya Data Protection Act, 2019 (“Kenya DPA”)
- The Kenya Data Protection (General) Regulations, 2021
- The Tanzania Personal Data Protection Act, 2022 (“Tanzania PDPA”)
- The Tanzania Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023
- The Kenya National Payment System Act, 2011 and Regulations, 2014
- The Tanzania National Payment Systems Act, 2015
- Applicable anti-money laundering (AML) and counter-terrorism financing (CFT) legislation in both jurisdictions
02 Data Controller
The data controller responsible for your personal data is:
| Entity Name | Rezato Money Remittance Limited |
| Trading As | Rezato (Kenya) / RezatoPay (Tanzania) |
| Registered Offices | Kisumu, Kenya & Dar es Salaam, Tanzania |
| Email | customercare@rezatoafrica.com |
| Website | rezatoafrica.com |
03 Personal Data We Collect
3.1 Data You Provide Directly
When you submit a demo request, contact us, or engage our services, we may collect:
- Full name
- Email address (work or personal)
- Company or organization name
- Business type and industry
- Phone number
- Message content and enquiry details
- For regulated services: government-issued identification, proof of address, tax identification numbers, and other KYC/AML documentation as required by law
3.2 Data Collected Automatically
When you visit our website, we may automatically collect:
- IP address and approximate geolocation
- Browser type, version, and operating system
- Pages visited, time spent, and navigation patterns
- Referring website or source
- Device identifiers
We minimise automatic data collection in line with the data minimisation principles of both the Kenya DPA (Section 25(d)) and the Tanzania PDPA (Section 5).
3.3 Data from Third Parties
We may receive personal data from:
- Our business partners (MTOs, financial institutions, fintechs) in the course of providing payment services
- Regulatory authorities and compliance databases for AML/CFT screening
- Publicly available sources for due diligence purposes
04 How We Use Your Personal Data
We process personal data only for explicit, specified, and legitimate purposes:
| Processing Activity | Purpose | Legal Basis |
|---|---|---|
| Demo form submissions | Respond to enquiries and schedule demos | Consent (Kenya DPA s.30; Tanzania PDPA s.11) |
| Service delivery | Facilitate payment transactions and settlement | Performance of contract; Legal obligation |
| KYC/AML compliance | Verify identity, screen against sanctions | Legal obligation (POCAMLA 2009; Tanzania AML Act 2006) |
| Transaction records | Maintain records as required by CBK and BoT | Legal obligation |
| Website analytics | Understand usage to improve services | Legitimate interest |
| Communication | Send service updates, respond to queries | Consent; Legitimate interest |
| Security | Detect, prevent, and investigate fraud | Legitimate interest; Legal obligation |
05 Cookies and Tracking Technologies
Our website uses minimal cookies. We do not use third-party advertising trackers.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Website functionality and security | Session |
| Analytics (if enabled) | Anonymous usage statistics | Up to 12 months |
| Preference | Remember your settings | Session |
You can control cookies through your browser settings. Where analytics cookies are used, we will obtain your consent before setting them, in accordance with both the Kenya DPA and Tanzania PDPA.
06 Data Sharing and Disclosure
We do not sell your personal data. We may share data with:
Service Providers
- EmailJS — email delivery for demo form submissions, subject to their privacy policy
- Hosting providers (e.g., Cloudflare) — for website delivery and security
- Cloud infrastructure providers — for secure data storage
Regulatory and Legal
- Central Bank of Kenya (CBK) — as required under the National Payment System Act, 2011
- Bank of Tanzania (BoT) — as required under the National Payment Systems Act, 2015
- Financial Reporting Centre (FRC, Kenya) and Financial Intelligence Unit (FIU, Tanzania) — for AML/CFT reporting
- Law enforcement authorities — where required by law or court order
- Office of the Data Protection Commissioner (Kenya) and Personal Data Protection Commission (Tanzania)
Business Partners
- Partner financial institutions, banks, and mobile money operators — to execute payment transactions
07 Cross-Border Data Transfers
Under Section 48 of the Kenya DPA, cross-border transfers require proof of adequate data protection safeguards or the data subject’s explicit consent. Under Sections 31–32 of the Tanzania PDPA, transfers outside Tanzania are restricted to countries with adequate data protection laws or where appropriate safeguards are in place.
Where data is transferred outside Kenya or Tanzania, we ensure:
- The recipient country provides adequate data protection, or
- Appropriate contractual safeguards (such as standard contractual clauses) are in place, or
- Your explicit consent has been obtained after you have been informed of potential risks
Kenya local storage requirement: In accordance with Section 50 of the Kenya DPA, we maintain at least one serving copy of personal data on servers or data centres located in Kenya.
08 Data Retention
We retain personal data only as long as necessary:
| Data Type | Retention Period | Basis |
|---|---|---|
| Demo form enquiries | 12 months from submission | Legitimate interest; consent |
| KYC/AML records | Minimum 7 years after end of relationship | POCAMLA 2009; Tanzania AML Act 2006 |
| Transaction records | Minimum 7 years | CBK Regulations; BoT requirements |
| Website analytics | 12 months | Legitimate interest |
| Contractual records | 7 years after termination | Limitation of Actions Act (Kenya) |
Upon expiry of the retention period, personal data is securely deleted or anonymised.
09 Your Rights
Under the Kenya DPA and the Tanzania PDPA, you have the following rights:
| Right | Description | Reference |
|---|---|---|
| Access | Request confirmation and a copy of your data | Kenya DPA s.26(a); Tanzania PDPA s.38 |
| Rectification | Request correction of inaccurate data | Kenya DPA s.26(c); Tanzania PDPA s.39 |
| Erasure | Request deletion, subject to legal retention | Kenya DPA s.26(d); Tanzania PDPA s.40 |
| Restriction | Request restriction of processing | Kenya DPA s.26(e) |
| Data Portability | Receive data in a structured format | Kenya DPA s.26(f) |
| Object | Object to processing or direct marketing | Kenya DPA s.26(g); Tanzania PDPA s.41 |
| Withdraw Consent | Withdraw consent at any time | Kenya DPA s.32; Tanzania PDPA s.12 |
| Automated Decisions | Not be subject to solely automated decisions | Kenya DPA s.35; Tanzania PDPA s.42 |
How to exercise your rights: Send your request to customercare@rezatoafrica.com. We will respond within 30 days. We may request identity verification.
Right to complain: Lodge a complaint with the Office of the Data Protection Commissioner (Kenya) at complaints@odpc.go.ke, or the Personal Data Protection Commission (Tanzania).
10 Data Security
We implement appropriate technical and organisational measures including:
- Encryption of data in transit (TLS/SSL) and at rest
- Access controls and role-based permissions
- Regular security assessments and vulnerability testing
- Staff training on data protection
- Incident response and breach notification procedures
Breach notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and notify affected data subjects without undue delay where the breach poses a high risk to their rights and freedoms.
11 Children’s Data
Our website and services are not directed at children under 18. We do not knowingly collect data from children. If we discover we have collected a child’s data without appropriate consent, we will delete it in accordance with Section 33 of the Kenya DPA and the Tanzania PDPA.
12 Third-Party Links
Our website may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to read their privacy policies.
13 Changes to This Policy
We may update this policy to reflect changes in practices, legal requirements, or regulatory guidance. Material changes will be communicated via our website.
14 Contact Us
Kisumu, Kenya
Dar es Salaam, Tanzania
+254 114 706 914