Privacy Policy
Last Updated: May 2026
Asapstack Technologies ("the Company," "we," "us," or "our") is committed to protecting the privacy and personal data of all registered users, business operators, and platform participants (collectively, "Users" or "Data Subjects") who utilize our mobile applications, web interfaces, and digital transaction networks (collectively, "the Platform").
This Privacy Policy ("Policy") provides mandatory disclosures regarding how the Company collects, processes, stores, shares, and protects personal data in strict accordance with the Kenya Data Protection Act, 2019, and the associated Data Protection (General) Regulations, 2021. By creating an account or using the Platform, you acknowledge the data practices described in this Policy.
1. Data Controller and Data Processor Status
Under the statutory framework of the Republic of Kenya, Asapstack Technologies operates primarily as a Data Controller concerning the account information and identity credentials collected during user registration. In certain functional capacities involving transactional data transmission for third-party vendors or fulfillment operations for logistics networks, the Company also acts as a Data Processor.
2. Categories of Personal Data Collected
The Company restricts data collection strictly to information necessary for the functional execution of the Platform's intermediary services (Data Minimization). The categories of data collected include:
2.1 Registration and Profile Data
- Identifiable Personal Data: Full legal name, gender, and contact email address.
- Commercial Entity Identifiers: Official business names, shop names, brand names, and stall designations.
- Role-Specific Data: Physical license plate numbers and vehicle registration data for transport operators (Riders).
2.2 Contact and Communication Data
- Mobile Phone Numbers: Primary cellular lines utilized as the primary account identifier and access handle.
- Messaging System Data: WhatsApp communication handles explicitly designated by the user for logistics coordination and automated digital receipts.
2.3 Financial and Transactional Data
- Mobile Money Credentials: Safaricom M-Pesa phone numbers explicitly provided and verified by the User for automated collection prompts (STK push) and outbound balance distributions.
- Ledger Telemetry: Cryptographic transaction records, ledger adjustments, commission logs, and operational history within the Platform.
2.4 Physical Location Data
Structured physical address points for commercial pickup locations, restricted to: City, Street Name, Building Name, Floor Level, and Room/Stall Designation.
3. Lawful Bases for Processing
The Company processes personal data under clearly defined legal pillars as set out in Section 30 of the Kenya Data Protection Act, 2019. The Company relies upon the following lawful grounds:
| Processing Activity | Data Types Involved | Primary Lawful Basis |
|---|---|---|
| Account Creation & Login | Phone Number, Password, OTP | Contractual Necessity |
| M-Pesa Payouts & Collections | M-Pesa Phone Number, Ledger Values | Contractual Necessity & Legal Obligation |
| Physical Order Fulfillment | Shop Location, WhatsApp, Plate Numbers | Performance of a Contract & Legitimate Interests |
| Regulatory Compliance Auditing | Transaction Histories, System Audit Logs | Statutory Legal Obligation |
4. Data Retention and Storage Limitation
4.1 Retention Period
The Company retains personal data only for the minimum duration necessary to fulfill the specific purposes enumerated in Section 3 of this Policy, or as mandated by prevailing commercial, tax, and anti-money laundering legislation in the Republic of Kenya.
4.2 Deactivation and Deletion
Upon the formal closure or permanent deactivation of a User account, the Company shall anonymize or securely delete all core registration profiles within a reasonable period, except where the preservation of historical financial transactional records is required to comply with statutory legal obligations or to defend against active legal disputes before an arbitral tribunal.
5. Data Security and Integrity Protections
The Company implements rigorous technical and organizational security measures designed to prevent unauthorized access, accidental loss, data alteration, malicious disclosure, or criminal interception of personal data (Data Protection by Design and Default).
- Encryption Protocols: All sensitive credentials, transaction packages, and financial communication paths are encrypted in transit and at rest using industry-standard cryptographic keys.
- Access Control Restrictions: System data access within the Company's internal corporate environment is limited strictly on a "need-to-know" basis to authorized security personnel.
- Authentication Hardening: The platform mandates unique phone-to-password linkages backed by purpose-scoped One-Time Password (OTP) validation steps to protect account integrity.
6. Disclosure and Third-Party Data Transfer
The Company does not sell, lease, or distribute user contact lists or personal profiles to third-party marketing firms or advertising networks. Personal data is disclosed to external entities strictly under the following operational exceptions:
6.1 Integrated Infrastructure Partners
Data is securely transferred to functional third-party processors necessary to execute your requests, including:
- Licensed telecommunication operators (Safaricom PLC) to route automated mobile money transactions.
- Licensed SMS communication gateway providers to transmit verification PINs and system alerts.
6.2 Regulatory and Statutory Mandates
The Company shall disclose personal data to law enforcement, judicial bodies, tax authorities, or the Office of the Data Protection Commissioner (ODPC) if explicitly required to do so by a valid legal order, statutory directive, or regulatory audit protocol under Kenyan law.
6.3 Cross-Border Transfers
The Platform utilizes secure cloud hosting architectures located in highly protected data repositories. Where data moves across national borders for server efficiency or system backup redundancy, the Company ensures that the receiving jurisdiction maintains data privacy protections equivalent to or greater than those provided by the Kenya Data Protection Act, 2019.
7. Statutory Rights of the Data Subject
Registered Users hold comprehensive rights regarding their personal data under Section 26 of the Kenya Data Protection Act, 2019. Users may exercise these rights at any time through their profile dashboard or by contacting company administration:
- Right of Access: The right to receive formal confirmation regarding whether the Company holds their personal information and to request a digital breakdown of that data.
- Right of Rectification: The right to update, correct, or amend inaccurate or outdated data items (such as profile details, WhatsApp numbers, or brand names).
- Right of Erasure (Deletion): The right to demand the total deletion of personal profiles, subject to the statutory retention exclusions detailed in Section 4.2.
- Right to Object: The right to object to the processing of data for specific automated workflows or analytical profiles.
8. Data Breach Notification Framework
In strict compliance with Regulation 36 of the Data Protection (General) Regulations, 2021, in the unintended event of a confirmed system data breach or unauthorized network compromise that poses a material threat to the rights and freedoms of Data Subjects:
- The Company shall formally report the nature of the breach to the Office of the Data Protection Commissioner (ODPC) within seventy-two (72) hours of definitive confirmation.
- The Company shall notify affected Users via the primary phone number or email address registered on file within a reasonable timeline, outlining the specific mitigation steps being taken to secure their profiles.
9. Amendments to This Policy
The Company reserves the right to modify, amend, or update this Privacy Policy periodically to reflect structural updates to the Platform or changes in prevailing data legislation. Any updates will be published on the Platform with a revised "Last Updated" date. Continued utilization of the app following the publication of an amended version constitutes an official acknowledgment of the updated policy terms.