1. The Information We Collect
1.1 Personal Data You Provide Directly
We collect personal data you provide to us. For example:
Registration information. To gain full access to our website and services, you must register for a Paystack account. When you register for an account, we collect business data and personal data, which you voluntarily provide to us in order to complete the KYC (Know Your Customer) process (e.g. email address, bank details, name, telephone number). With your consent, we may also collect additional personal data such as survey responses.
Payment information. If you make a financial transaction, we collect credit card numbers, financial account information, and other payment details.
Communications. If you contact us directly, for example with an inquiry or a support request, we may receive additional personal data about you, including your email address and the content of your communications.
1.2 Personal Data We Collect Automatically
Device Information. We receive information about the device and software you use to access our Services, including internet protocol (IP) address, web browser type, operating system version, and device identifiers.
Location Information. When you use our Services, we may collect or infer your general location information. For example, your IP address may indicate your general geographic region.
1.3 Personal Data That We Receive from Others or Infer
Partners. We may retrieve additional personal data about you from third parties and other identification/verification services such as your financial institution and payment processor, where they have the authority to share your personal data with us. We may combine that data with other information we have about you.
Publicly available sources. Public sources of information such as open government databases.
Inferences. We may infer additional Personal Data based on the Personal Data described above. For example, for Visitors, we may infer your interests based on the web pages you view.
When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.
2. How We Use Personal Data
We use the personal data we collect to:
Enter into and perform your Merchant contract with Paystack, or to otherwise meet any contractual obligations we have committed to
Provide you with the required services
Respond to your questions or requests
Improve features, website content and analyse data to develop products and services
Address inappropriate use of our website
Prevent, detect and manage risk against fraud and illegal activities using internal and third party screening tools
Send you marketing content, newsletters and service updates curated by Paystack; however, we will provide you with an option to unsubscribe if you do not want to hear from us
Verify your identity and the information you provide in line with Paystack’s statutory obligations using internal and third party tools
Maintain up-to-date records of Merchants
Resolve disputes that may arise, including investigations by law enforcement or regulatory bodies
Any other purpose that we disclose to you in the course of providing Paystack services to you
3. How We Share The Personal Data You Provide
Financial services & payment processing. When you provide payment data, we will share payment and transactional data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.
Affiliates. We enable access to personal data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is needed to provide our services and operate our business.
Corporate transactions. We may disclose personal data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
Legal and law enforcement. We may access, disclose, and preserve personal data in accordance with applicable law and when we believe that doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
Security, safety, and protecting rights. We will disclose personal data if we believe it is necessary to:
protect our merchants and others, for example to prevent fraud, or to help prevent the loss of life or serious injury of anyone;
operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.
Third party analytics and advertising companies also collect personal data through our website and apps, including marketing and communications data, demographic data, content and files, geolocation data, usage data, and inferences associated with identifiers and device information (such as cookie IDs, device IDs, and IP address) as described in the Cookies section of this statement. These third party vendors may combine this data across multiple sites to improve analytics for their own purpose and others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.
Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide personal data to any of those third parties, or allow us to share personal data with them, that data is governed by their privacy statements.
Finally, we may share de-identified information in accordance with applicable law.
Our cookies hold a unique random reference to you so that once you visit the site we can recognise who you are and provide certain content to you.
Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this may impact your experience using our website.
5. How We Protect your Information
Paystack has established adequate technical and organisational controls to protect the integrity and confidentiality of your Personal Information, both in digital and physical format, whilst preventing Personal Information from being accidentally or deliberately compromised.
Paystack is committed to managing your Personal Information in line with applicable data protection laws and best practices. We protect your Personal Information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorised access, disclosure and alteration. We also use industry recommended security protocols to safeguard your Personal Information. Other security safeguards include but are not limited to data encryption, firewalls, physical access controls to our building and files, and granting access to Personal Information only to employees who require it to fulfil their job responsibilities.
In compliance with the Payment Card Industry Data Security Standard (“PCI DSS Requirements”), we implement access control measures, security protocols and standards including the use of encryption and firewall technologies to ensure your card information is safe and secure in our servers. Additionally, we implement periodical security updates to ensure that our security infrastructures are in compliance with reasonable industry standards.
Paystack also maintains a data breach procedure in order to deal with incidents concerning Personal Information or practices leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise processed. You may contact our DPO upon becoming aware of any breach of Personal Information or if your access credentials have been compromised, to enable us to take the necessary steps towards ensuring the security of your Personal Information or account.
6. Storage Limitation
We will retain your information for the following periods:
As long as reasonably necessary for the purpose of providing our services to you
For the duration your account is active and we have your consent
For the period needed to comply with our legal and statutory obligations
As needed to verify your information with a financial institution
Paystack is statutorily obliged to retain the data you provide in order to process transactions, ensure settlements, make refunds, identify fraud and to comply with applicable laws and regulatory guidelines. Under applicable tax laws, we are required to retain your transactional records for a period of seven (7) years following the completion of the transaction. We keep our storage limitation policy under regular review.
Upon expiration of the applicable storage limitation periods we will delete, erase, anonymise or pseudonymise any information we hold about you.
Therefore, even after closing your Paystack account, we will retain certain personal data and transaction data to comply with these obligations. All personal data shall be destroyed by Paystack where possible, or anonymised in other instances.
The length of storage of personal data shall, amongst other things, be determined by:
The contract terms agreed between Paystack and the Merchant or as long as it is needed for the purpose for which it was obtained; or
Whether the transaction or relationship has statutory implication or a required retention period; or
Whether there is an express request for deletion of Personal Data by the Merchant, provided that such request will only be treated where the Data Subject is not under any investigation which may require Paystack to retain such Personal Data or there is no subsisting contractual arrangement with the Data Subject that would require the processing of the Personal Data; or
Whether Paystack has another lawful basis for retaining that information beyond the period for which it is necessary to serve the original purpose.
7. Transfer of Personal Data
Where personal data is to be transferred to a country outside Kenya, Paystack shall put adequate measures in place to ensure the security of such Personal Information. Any transfer of Personal Information out of Kenya will be in accordance with the provisions of relevant and applicable data protection regulations. In particular, Paystack shall, among other things, use contractual terms to ensure protection of the personal data in accordance with standards that are at least comparable to the protection under the applicable laws in Kenya or ensure the country has adequate data protection laws.
Should you wish to transfer personal data to a country deemed to have inadequate data protection laws, Paystack will take all necessary steps to ensure that informed consent is obtained from you, and you are aware of the risks entailed with such transfer. In any instance, Paystack will ensure Personal Information is transmitted in a safe and secure manner. Details of the protection given when your Personal Information is transferred abroad, and details of the basis of such transfers shall be provided to you upon request.
8. Grounds for Processing of Personal Information
Processing of Personal Information by Paystack shall be lawful if at least one of the following applies:
The Data Subject (Merchant or Merchant representative) has given consent to the processing of his/her Personal Information for one or more specific purposes;
The processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
Processing is necessary for compliance with a legal obligation to which Paystack is subject;
Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
Processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in Paystack; and
Processing for the legitimate interests of Paystack or of a third party to whom it is supplied, except if the processing is unwarranted and may harm the data subject.
9. Choices and Rights
Merchants with Personal Information held by Paystack are entitled to the following rights:
Right to access any Personal Information collected and stored by Paystack;
Right to be made aware of the purpose of collection of their Personal Information;
Right to not be subject to a decision based solely on automated processing, including profiling;
Right to request rectification and modification of Personal Information which Paystack keeps;
Right to request the deletion of their data;
Right to data portability;
Right to withdraw consent;
Right to object to the processing of all or part of their Personal Information;
Right to institute civil proceedings and seek compensation through the Courts; and
Right to submit a complaint to the Data Commissioner.
Your request will be reviewed and answered by Paystack’s Data Protection Officer within the prescribed statutory period. You may review your account settings and update your Personal Information directly or by contacting us. Where there are any delays in responding to your request, you will be notified of the reasons for the delay and the period within which your request will be processed.
10. Compliance to Children’s Privacy
Our Services are all directed to people who are at least 18 years old.
We do not knowingly collect any “Personal Data” (as defined by the Data Protection Act) from anyone under 18 years of age without valid parental consent. If we become aware that we have collected such personal information without parental consent, we will take reasonable steps to delete it as soon as possible.
We also comply with other age restrictions and requirements in accordance with applicable local laws.
11. Policy Violations
You certify that the information provided to register as a Merchant is correct to the best of your knowledge. Furthermore, when providing the personal data of any other person, you confirm that you are only providing accurate and up-to-date data in accordance with their instructions, and are able to provide evidence of their consent to the data processing described in this Policy as and when required by Paystack. Please note that any attempt to mislead may result in prosecution and the deliberate provision of inaccurate data results in a privacy violation.
13. Contact Paystack’s Data Protection Officer (DPO)
For any further queries, our Data Protection Officer may be reached at the following address:
Third Parklands Avenue,
P.O. Box 14201 Westlands,
TO BE UPDATED
13. Gap Sheet
The following table illustrates the differences between this local Policy and the Global Policy:
Reference to provision of data being discretionary
“As the provision of your data is voluntary...”
The term “voluntary” is used in accordance with the Kenyan Data Protection Act.
(1) Company overview
Reference to all jurisdictions
(8) Transfer of Personal Information
Reference to Europe’s GDPR as a baseline standard
“It is our duty to ensure that such foreign jurisdictions have data protection legislation that is no less than the existing data protection regulations in force in Kenya and your personally identifiable information is treated in a safe and secure manner.”
Third Party Processor within Paystack jurisdictions
Third Party Processor within Kenya
Difference in subheading
(8.2) Transfer of Personal Information to a Foreign Country
Reference to transfer of data outside Paystack’s countries of operation
“Where Personal Information is to be transferred to a country outside Kenya, Paystack shall put adequate measures in place to ensure the security of such Personal Information. Any transfer of Personal Information out of Kenya will be in accordance with the provisions of relevant data protection regulations.”
(9) Grounds for Processing of Personal Information
Mention of harm of data subjects in relation to Legitimate Interests
“processing for the legitimate interests of Paystack or of a third party to whom it is supplied, except if the processing is unwarranted and may harm the data subject.”
Change of wording around undue harm to data subjects
(10) Choices and Rights
Reference to the rights to object to direct marketing and to be informed about appropriate safeguards when transferring data
Rights omitted from this Policy.
(10) Choices and Rights
Reference to lodging a complaint with the Supervisory Authority
Specific reference to Kenyan Regulator: “Right to submit a complaint to the Data Commissioner.”
(12) Contact Paystack’s Data Protection Officer
“For any further queries, our Data Protection Officer, may be reached at the following address: