Privacy Policy

1. Information We Collect

1.1 Account Information

When you register for an account, we collect:

• Email address
• Password (stored in hashed form only; we never store plaintext passwords)
• Company or organization name (if provided)

1.2 Transaction & Usage Data

When you use our services, we automatically collect:

• API request logs, including timestamps, endpoints accessed, and response status
• IP address and user agent of API requests
• Credit purchase and consumption history
• M-Pesa phone number used for topping up credits (required for STK Push processing)

1.3 Hash Data

When you submit hashes for decoding, we process those hashes to return results. We do not store the specific hashes you query beyond what is recorded in API usage logs.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain our services
• Authenticate your identity and manage your account
• Process credit top-ups via M-Pesa STK Push
• Track API usage and credit consumption for billing purposes
• Detect and prevent fraud, abuse, and unauthorized access
• Comply with legal obligations under Kenyan law
• Communicate important service updates or security notices

3. Legal Basis for Processing

Under the Kenya Data Protection Act, 2019, we process your personal data on the following grounds:

• Contract performance: Processing is necessary to provide the services you have requested.
• Consent: You provide consent when registering and when initiating M-Pesa transactions.
• Legitimate interest: Fraud prevention, security monitoring, and service improvement.
• Legal obligation: Compliance with applicable Kenyan laws and regulations.

4. Data Sharing & Disclosure

We do not sell your personal data. We may share information only in the following circumstances:

• Payment processors: M-Pesa phone numbers and transaction amounts are shared with Safaricom's M-Pesa API solely for the purpose of processing credit top-ups.
• Legal requirements: We may disclose information if required by law, regulation, court order, or governmental request from a Kenyan authority.
• Organization members: Within a multi-tenant organization, administrators can view team members' usage data.

5. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• All data in transit is encrypted via HTTPS/TLS
• Passwords are stored using strong one-way hashing algorithms
• API keys are stored as irreversible hashes; the raw secret is shown only once at creation
• Optional HMAC request signing for replay protection
• Strict multi-tenant data isolation between organizations
• Rate limiting and abuse detection on all API endpoints

6. Data Retention

We retain your account information for as long as your account is active. API usage logs are retained for a reasonable period necessary for billing, auditing, and dispute resolution. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law.

7. Your Rights

Under the Kenya Data Protection Act, 2019, you have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Object: Object to processing of your personal data for direct marketing purposes.
• Portability: Request your data in a structured, machine-readable format.
• Complaint: Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya.

To exercise any of these rights, contact us at support@tisra-limited.com.

8. Cookies & Session Data

We use essential cookies to maintain your login session and theme preference. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. No data is shared with advertising networks.

9. Cross-Border Data Transfers

Your data is processed and stored in Kenya. If any data is transferred outside Kenya, we will ensure adequate safeguards are in place as required by the Kenya Data Protection Act, 2019.

10. Children's Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website. Your continued use of the services after such changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, contact us at: