Privacy Policy
This Privacy Policy describes how TandPay handles your personal data in compliance with Law N° 058/2021 of 13/10/2021 on the Protection of Personal Data and Privacy of the Republic of Rwanda.
Contents
- Who We Are (Data Controller)
- Data We Collect
- Why We Collect It (Legal Bases)
- Who We Share It With (Sub-processors)
- Where Your Data Is Stored
- How Long We Keep Your Data
- Your Rights Under Rwandan Law 058/2021
- How We Protect Your Data
- Cookies and Similar Technologies
- Children
- International Data Transfers
- Changes to This Privacy Policy
- Contact
1. Who We Are (Data Controller)
tandpay LTD is the data controller of your personal data.
- Registered office: KN 78 Street, Imena Village, Kiyovu Cell, Nyarugenge Sector, Nyarugenge District, City of Kigali, Rwanda
- TIN: 155683751
- NCSA Data Controller registration: Submitted 1 March 2026. Registration number will be posted here upon receipt.
- Data Protection Officer: Irene BAHATI, Founder & CEO — contactable at support@tandpay.com.
If you have any question about how we handle your data, or wish to exercise your rights under Rwandan Law 058/2021, please email support@tandpay.com.
2. Data We Collect
We collect only the data we need to operate the TandPay service.
a. Seller data (for registered Seller accounts)
- Mobile phone number (used as login identifier)
- Personal Identification Number (PIN), stored only as a bcrypt hash — never in plaintext
- Full name
- Business name
- Business location / address
- Mobile money (MoMo) phone number for receiving payouts
- Rwandan National ID (number and, when identity verification is active, scanned image)
- Profile photo and a selfie for automated identity verification (when enabled)
- Bio or business description
b. Buyer data
- Mobile phone number (used to identify you and send payment notifications)
- MoMo phone number used to pay
- Delivery information you provide for an order (where required)
c. Transaction data
- Order details, amounts, fees, status
- Delivery codes (stored as cryptographic hashes, never readable by staff)
- Payment-provider reference IDs (from Pawapay, MTN, Airtel)
- Dispute messages and evidence you submit
d. Device and technical data
- IP address
- Device identifier / fingerprint (used to remember trusted devices and reduce OTP prompts)
- User agent (browser or app version)
- Approximate geolocation derived from IP
e. Support data
- Emails and messages you send to support@tandpay.com
- Any attachments you include
3. Why We Collect It (Legal Bases Under Law 058/2021)
We only process your data when one of the following legal bases applies (Article 8 of Law 058/2021):
- Performance of a contract — we need to process your data to operate the TandPay service you have requested (process your payment, release funds in escrow, confirm delivery, resolve disputes).
- Legal obligation — we are required to retain transaction records and KYC data to meet BNR financial-records requirements, AML/CFT obligations, tax reporting, and any lawful regulatory order.
- Legitimate interest — we process limited data (device fingerprints, rate-limit logs, AML flags) to prevent fraud and keep the service secure. We have assessed that this interest does not override your privacy rights.
- Consent — we only send marketing messages with your explicit opt-in, given at signup or later. You can withdraw this consent at any time by emailing support@tandpay.com.
4. Who We Share It With (Sub-processors)
We share your data with a limited set of third-party service providers, each of whom is contractually obligated to handle your data securely and only for the purpose we specify. Our current sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Pawapay Ltd. | Mobile money payment processing (MTN MoMo, Airtel Money) | United Kingdom |
| Pindo | SMS delivery (OTPs, transaction notifications) | Rwanda |
| Supabase Inc. | Database, authentication, application backend | European Union (Ireland) |
| Amazon Web Services (AWS) | Backups (S3), automated identity verification (Rekognition, Textract — when enabled) | European Union (Ireland) |
| Cloudinary | Storage of profile and product photos | United States / global CDN |
| Sentry | Error monitoring (limited technical logs and user identifiers) | United States |
| OpenRouter | Powering our WhatsApp assistant (when active) | United States |
We may also share your data:
- With regulators (BNR, NCSA, Rwanda Revenue Authority) when required by law
- With law enforcement in response to a valid legal order
- With successors in the event of a merger, acquisition, or corporate reorganisation
We will not sell your data to advertisers or data brokers.
5. Where Your Data Is Stored
Most of your data is stored on servers operated by Supabase and AWS in the European Union (AWS region eu-west-1, Ireland). This means your data is transferred from Rwanda to the European Union. By using TandPay, you acknowledge and consent to this international transfer.
We use sub-processors who provide adequate data-protection safeguards. The European Union has data-protection standards that meet or exceed those required by Rwandan Law 058/2021. Contracts with our sub-processors include standard data-protection clauses.
6. How Long We Keep Your Data (Retention Periods)
| Category | Retention period | Reason |
|---|---|---|
| Transaction records | 7 years after the transaction | BNR financial-records rule and Rwanda Revenue Authority tax records |
| Seller account data (name, National ID, KYC) | 7 years after account closure | AML/CFT and BNR audit requirements |
| Audit logs (payment status changes, admin actions) | 10 years | Dispute defence and legal hold |
| Buyer phone and transaction record | 7 years | Linked to the transaction retention above |
| Support emails and tickets | 3 years after resolution | Customer service reference |
| Marketing-consent records | Retained while consent is active; 2 years after opt-out for audit trail | Proof of consent |
| Device fingerprints, session logs, rate-limit entries | 90 days, rolling | Security operations |
| One-Time Passwords (OTPs) | Consumed immediately on use; expired codes purged within 24 hours | Authentication security |
When a retention period expires, we delete or anonymize the data. Some financial records are kept in an anonymized form (linked to a scrambled identifier rather than a personal name or phone number) to satisfy record-keeping rules while reducing your exposure.
7. Your Rights Under Rwandan Law 058/2021
Articles 13 to 23 of Law 058/2021 give you the following rights over your personal data. You can exercise them by emailing support@tandpay.com — we will respond within thirty (30) days.
- Right of access (Art. 13) — You can ask for a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — You can ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — You can ask us to delete your data. We will do so unless we are legally required to keep it (e.g., transaction records we must keep for 7 years). In that case we will restrict processing to legal necessity only and delete the rest.
- Right to restriction of processing (Art. 18) — You can ask us to pause processing in specific circumstances (e.g., while a correction is being investigated).
- Right to data portability (Art. 19) — You can ask for your data in a structured, machine-readable format.
- Right to object (Art. 20) — You can object to processing based on our legitimate interest.
- Right not to be subject to automated decision-making (Art. 21) — We do not take decisions affecting you based solely on automated processing. All dispute resolutions are reviewed by a human administrator, not only by an algorithm.
- Right to withdraw consent — Where processing is based on your consent (e.g., marketing), you can withdraw it at any time.
- Right to lodge a complaint — You have the right to complain to the National Cyber Security Authority (NCSA) as Rwanda's data-protection supervisory authority if you believe we have breached your rights.
8. How We Protect Your Data (Security)
We take the following measures to keep your data secure:
- Encryption in transit — All communication with TandPay uses TLS (HTTPS).
- Encryption at rest — Database and backups are encrypted at rest at the infrastructure level.
- Hashed credentials — PINs are stored as bcrypt hashes, never in plaintext. Delivery codes are stored as SHA-256 hashes.
- Signed webhooks — Payment provider callbacks are verified using HMAC signatures.
- Row-level access control — Database policies restrict users to reading only their own data.
- Rate limiting — Atomic, persistent rate limits protect against brute-force and enumeration attacks.
- Audit logging — Every payment state change and administrative action is recorded in an append-only audit log.
- Monitoring — Automated AML rules (velocity, volume, repeated-pair, failed-attempt) flag suspicious activity.
- Backups — Daily encrypted backups are stored in AWS S3 (eu-west-1) with 7-year retention and cold-storage tiering.
No system is 100% secure. If we discover a personal-data breach that is likely to affect your rights, we will notify you and the NCSA in accordance with Article 27 of Law 058/2021.
9. Cookies and Similar Technologies
TandPay's website uses essential cookies only:
- Session cookie — keeps you logged in while you use the site.
- CSRF-protection cookie — protects against cross-site request forgery attacks.
We do not use Google Analytics, Meta Pixel, TikTok Pixel, or other third-party tracking or advertising cookies. We do not sell browsing data.
10. Children
TandPay is not directed at children. You must be at least eighteen (18) years old to use the service. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account or provided personal data to us, please contact support@tandpay.com and we will delete it promptly.
11. International Data Transfers
As described in Section 5, your data is transferred to and processed in the European Union (primarily Ireland, where our hosting providers operate their eu-west-1 region). The European Union is recognised as providing adequate data-protection standards.
Some of our sub-processors (Cloudinary, Sentry, OpenRouter) are based in the United States. Transfers to these sub-processors are governed by contractual safeguards, including Standard Contractual Clauses where appropriate.
By using TandPay, you consent to these international transfers for the purpose of operating the service.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated at least thirty (30) days before taking effect, via:
- In-app notice
- SMS to your registered phone number
- An updated "Last Updated" date at the top of this document
Your continued use of TandPay after the effective date of an update constitutes acceptance of the updated Privacy Policy. If you disagree with an update, you may close your account before the effective date.
13. Contact
For any privacy-related question, request, or complaint:
- Email (DPO / DSR): support@tandpay.com
- Phone: +250 787 609 066
- Post: Data Protection Officer, tandpay LTD, KN 78 Street, Imena Village, Kiyovu Cell, Nyarugenge Sector, Nyarugenge District, City of Kigali, Rwanda
You may also contact the National Cyber Security Authority (NCSA) of Rwanda if you wish to lodge a complaint with the supervisory authority.