Privacy Policy

Introduction

At Busha, we prioritize your privacy, irrespective of how you engage with us. We are committed to protecting your personal data and ensuring that it is handled in accordance with Kenya's Data Protection Act, 2019 and applicable regulations.We collect and process various categories of personal data based on our relationship with you, which may include:

• Merchants using Busha Commerce to accept crypto asset payments;
• Individuals interacting with our website, platform, wallet, or financial products;
• Job applicants or potential employees using our recruitment and onboarding systems.


‍

Busha Digital Limited, registered and operating in accordance with Kenyan law, is the designated data controller responsible for your personal data (collectively referred to in this policy as “Busha”, “we”, “us” or “our”).Busha Digital Limited is the data controller and responsible for your Personal Data (collectively referred to as “Busha”, "we", "us" or "our" in this privacy policy).This Privacy Policy outlines how we collect, use, disclose, and protect your personal data, the types of data we collect, the legal bases for processing, your rights under Kenyan law, and the safeguards in place to protect your information.The hyperlinked privacy notices sets out how we collect your data, the types of data we collect, why we collect your data, your rights as a data subject and other important information relating to your personal data.We may update this policy from time to time to reflect legal or operational changes. Significant changes will be communicated through appropriate channels, while version history is maintained for transparency.Should you have any inquiries or require clarification regarding this Privacy Policy or how we manage your personal data, please contact our Data Protection Officer at: compliance@busha.co.

‍

Types of personal data and other information collected

We collect various categories of personal data and related information from users who interact with our services, either voluntarily or as necessary for the fulfillment of our legal and contractual obligations. This information helps us deliver, improve, and personalize our services. Data collected includes, but is not limited to:

1. Personal Identification Data: This includes your full name, date of birth, nationality, gender, mobile number, email address, physical address (including proof of residence), employment status and sector, and national identification number, passport number or similar identifiers, in accordance with Section 31 of the Data Protection Act.
2. Usage Data: Information on how you access and use our platform, such as your device’s Internet Protocol (IP) address, browser type and version, pages visited, date and time of visit, time spent on pages, and diagnostic data used to analyze service functionality.
3. Tracking & Cookies Data: We use cookies and similar tracking technologies (e.g., beacons, tags, scripts) to enhance user experience and collect analytics. These include:

‍

• Session Cookies - to operate the service;
• Preference Cookies - to store preferences;
• Security Cookies – to ensure platform integrity;
• Necessary Cookies – to support essential service functionality.

‍

You may manage cookie settings through your browser, though some features may be limited. Please refer to our Cookie Notice for more details.

1. Biometric Information: Collected during identity verification processes, such as selfies or facial scans, strictly for authentication and compliance purposes.
2. Official Identification Documents: Copies of your national ID, passport, or driver's license, as required for compliance with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations under the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA).
3. Transaction Data: Information on your Busha account transactions, including transaction IDs, amounts, recipient details, and related metadata.
4. Correspondence Data: Any information voluntarily submitted via support channels, surveys, feedback forms, or complaint records.
5. Device and Location Data: Includes geolocation, IP address, device fingerprinting, browser metadata, and clickstream data to optimize performance, security, and compliance.


‍

‍

How we collect your data

We collect your personal data and related information from both public and non-public sources, using lawful and transparent means in accordance with Section 25 and 29 of the Data Protection Act, 2019. The primary sources include:

• Direct disclosures from you during onboarding, registration, profile updates, or any other interaction where you voluntarily submit information via our platform or services.
• Communications with our support teams, whether through email, live chat, telephone, social media, or other customer service channels.
• Engagement with our emails, website notices, or marketing materials, including data gathered through user activity monitoring and email tracking tools.
• Publicly available online sources, including social media platforms, corporate websites, and digital footprints, particularly when needed to comply with regulatory requirements.
• Searches in publicly accessible databases or registries for purposes of due diligence, verification, and compliance (e.g., sanctions lists, company registries).
• Participation in user surveys, promotional campaigns, or contests, where you submit data voluntarily for feedback or engagement purposes.
• Your interactions on the Busha platform, including transaction details, navigation history, feature usage, and account activity.
• Third-party providers, including:

‍

• Identity verification services
• Credit reference bureaus
• Financial institutions and payment service providers
• Regulatory and law enforcement authorities

‍

The collected data is used internally to enhance service delivery, respond to inquiries, develop new features, and ensure compliance with legal obligations. It may also be reviewed to maintain platform security and integrity.All personal data is retained only for as long as necessary to fulfill its intended purpose or to comply with legal and regulatory obligations. Any retained data is handled with confidentiality and safeguarded against unauthorized access.If material changes are made to our data collection methods, we will notify you via a prominent notice on our platform. Except as legally required or contractually agreed, we do not sell, lease, or distribute personal data to third parties.

‍

Use/Processing of Personal Data

We process your personal data lawfully, fairly, and transparently, solely for purposes necessary for our business operations and in accordance with the legal bases established under Sections 30 and 31 of the Data Protection Act, 2019.The lawful grounds under which we may process your personal data include:

1. Contractual Necessity: When processing is essential to fulfill our contractual obligations to you under Busha’s Terms of Use.
2. Consent: Where you have expressly given us consent to process your personal data for specified purposes. You may withdraw your consent at any time.
3. Legal Obligation: Where processing is required for us to comply with a legal obligation, such as financial, tax, regulatory, or anti-money laundering laws.
4. Legitimate Interests: Where we have a legitimate business interest that does not override your rights and freedoms, such as fraud prevention or service enhancement.
5. Public Interest: Where processing is necessary for reasons of substantial public interest under the law.

‍

Specifically, your personal data may be processed for the following purposes:

1. To verify your identity in compliance with Know Your Customer (KYC), Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Counter Proliferation Financing (CPF) regulations, as required by the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) and applicable Central Bank of Kenya guidelines.
2. To create, manage, and maintain your Busha account, including service access and user authentication.
3. To detect, investigate, and prevent fraudulent or unauthorized access or use of our platform.
4. To manage our business and your relationship with us more effectively, including staff training, internal audits, quality control, and service monitoring.
5. To continuously improve our products and services and innovate new features to meet user needs.
6. To inform you of enhancements, new features, or changes to our services that may benefit you.
7. To provide marketing and promotional messages that are relevant to your interests—subject to your marketing preferences and rights to object.
8. To respond to your queries, support requests, complaints, or feedback.
9. To comply with legal and regulatory requirements, participate in legal proceedings, or assist law enforcement agencies where required.
10. To support business continuity activities, including audits, risk management, acquisition, restructuring, or sale of business assets.


‍

All processing activities are conducted with appropriate safeguards and accountability measures, ensuring that your data is not used in ways incompatible with the stated purposes unless required by law or with your further consent.

‍

Transfer of Data

Your personal data may be transferred to and maintained on servers or systems located in jurisdictions outside of Kenya. These jurisdictions may not have data protection laws equivalent to those in Kenya.By agreeing to this Privacy Policy and providing us with your personal data, you expressly consent to such transfers, in accordance with Sections 48–50 of the Data Protection Act, 2019. We will only transfer your personal data outside Kenya under one or more of the following conditions:

1. The recipient country has been legally recognized by the Office of the Data Protection Commissioner (ODPC) as having adequate data protection standards;
2. Appropriate safeguards have been implemented, such as binding corporate rules, standard contractual clauses, or legally binding agreements between the entities;
3. The data subject has explicitly consented to the proposed transfer after being informed of any potential risks;
4. The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
5. The transfer is required for public interest reasons, legal claims, or to protect the vital interests of the data subject.


‍

Busha Digital Limited will ensure that any such transfer complies with applicable laws and that adequate security measures are in place to protect your data. We do not sell, lease, or rent your personal data to third parties. All transfers will be strictly controlled and only carried out with entities that are subject to strict data protection obligations.

‍

Your rights over your data

Under Kenya's Data Protection Act, 2019, you are entitled to exercise certain rights over the personal data we hold about you. These rights allow you to maintain control and oversight over your information. They include the right to:

1. Access your personal data and request confirmation that we are processing it;
2. Correct or update any inaccurate or outdated personal data;
3. Withdraw consent or object to processing, where processing is based on your consent or our legitimate interest (this does not affect the lawfulness of processing based on consent before its withdrawal);
4. Know the purpose for which your personal data is being processed;
5. Restrict processing, especially if the accuracy of the data is contested or processing is unlawful;
6. Request erasure of your personal data under certain conditions (also known as the "right to be forgotten");
7. Receive a copy of your data in a structured, commonly used, and machine-readable format (data portability);
8. Refuse or object to the use of your personal data for direct marketing;
9. Contest the accuracy of your data, after which we have a right to a reasonable period to verify and rectify the disputed information.


‍

To exercise any of these rights, please contact us at compliance@busha.co. You may also submit a formal request via our Data Subject Access Request portal (where applicable).If the processing is based on your consent or a contract and is carried out by automated means, you have the right to request the transmission of your personal data to another controller, where technically feasible.Please note: In cases where legal or regulatory obligations require us to retain certain data (e.g., for compliance, audit, or security purposes), full erasure or restriction may not be possible until the expiration of the mandatory retention period.

‍

How to exercise your rights

To exercise any of the data rights outlined above, you may submit a request by contacting our Data Protection Officer at compliance@busha.co. Upon verification of your identity, we will provide the relevant personal data and respond to your request in accordance with Section 26 and 39 of the Data Protection Act, 2019.
Please note the following conditions:

1. We may charge a reasonable fee or decline to act on a request that is manifestly unfounded, excessive, or repetitive. For the purpose of this policy, more than four similar requests within a 60-day period may be considered excessive.
2. We aim to respond within reasonable timeframes, not exceeding 30 days as stipulated under the Act, unless an extension is warranted.
3. Your right to erasure does not extend to data that we are required to retain by law, such as:

1. Tax records
2. Audit logs
3. Transaction and subscription data
4. Information retained in secure backup systems, which is isolated and protected from further processing


‍

All requests will be processed in good faith, and where technically feasible, we will comply with your instructions regarding data transfer or deletion.

‍

If you believe your rights under this Privacy Policy have been violated, you may seek redress in accordance with our Terms of Service. Please note that any claim must be lodged within two years from the date of the alleged breach.

‍

Complaints

If you believe that we have violated your data protection rights or failed to comply with any provision of the Data Protection Act, 2019, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), the statutory authority responsible for data protection in Kenya.Before approaching the ODPC, we encourage you to contact us directly so we can attempt to resolve your concerns promptly and amicably. You can reach our Data Protection Officer via compliance@busha.co.

‍

How Long Do We Keep Your Personal Data

We retain your personal data only for as long as is reasonably necessary to fulfill the purposes for which it was collected, including the satisfaction of any legal, regulatory, accounting, compliance, or reporting requirements under Kenyan law.


To determine the appropriate retention period, we consider several factors:

• The volume, nature, and sensitivity of the data;
• The potential risk of harm from unauthorized use or disclosure;
• The purposes for which the data was collected and whether those purposes can be fulfilled by other means;
• Legal and regulatory requirements as prescribed under Kenyan law, including statutes related to anti-money laundering, tax, and financial recordkeeping.


‍

In line with the Storage Limitation principle under the Data Protection Act, 2019:

• You may request deletion of your data when it is no longer necessary for the purpose for which it was collected (see “How to Exercise Your Rights”).
• In cases where complete deletion is not legally permissible (e.g., for audit or compliance purposes), we will securely isolate and protect the data from further processing.
• In some cases, we may anonymize your data so that it can no longer be associated with you. Anonymized data may be retained indefinitely for research, analytical, or statistical purposes.

‍

Once data retention is no longer justified, we take appropriate steps to securely delete or depersonalize the data from our systems and from the systems of any third parties processing data on our behalf.

‍

Security of personal data

We take the protection of your personal data seriously and implement robust technical and organizational measures to secure it from unauthorized access, alteration, disclosure, or destruction.In compliance with Part VII (Section 41–44) of Kenya’s Data Protection Act, 2019, our security practices include:

• Encryption and pseudonymization of sensitive personal data;
• Role-based access controls and multi-factor authentication for internal systems;
• Secure transmission protocols for online data transfers;
• Regular internal and external security audits and vulnerability assessments;
• Staff training on data privacy and cybersecurity awareness;
• Incident response plans for handling data breaches.

‍

While we strive to implement industry-standard security measures, no method of electronic storage or transmission over the internet can be guaranteed to be completely secure. Therefore, we cannot assure absolute security, but we continually assess and improve our safeguards.

‍

Disclosure of Personal Data

We treat your personal data as confidential and will not share it with third parties except as outlined in this Privacy Policy or as permitted by law. Your data may be shared with:Busha employees and authorized personnel, solely for operational purposes;Financial institutions, payment service providers, and partners involved in delivering our services;Third-party vendors providing infrastructure, analytics, customer support, and marketing services;Verification and compliance firms conducting KYC, AML, and background screening;Professional advisers including legal, regulatory, tax, audit, and risk consultants.We will disclose your personal data to third parties only:Where you have explicitly authorized or requested such disclosure;Where we are required to do so by law, court order, or government regulation, including obligations under the Data Protection Act, 2019 or other applicable statutes (e.g., POCAMLA);To enforce our contractual rights or protect our legal interests, including defending against claims or protecting the rights, safety, and property of Busha, our users, or others;In connection with a merger, acquisition, corporate restructuring, or transfer of business, in which case appropriate safeguards and data transfer agreements will be applied.All third-party recipients are subject to strict data protection and confidentiality obligations and may only use your personal data for the purpose specified by Busha.

‍

Data Processing Principles

In all data processing activities, we strictly adhere to the principles set out in Section 25 of Kenya’s Data Protection Act, 2019. These principles ensure that your personal data is processed in a lawful, transparent, and responsible manner:Lawfulness, Fairness, and Transparency: We process personal data legally, fairly, and in a transparent way, always informing you of your rights and how your data will be used.Purpose Limitation: Your data is collected for clearly defined, legitimate purposes. We do not use it for any other purpose unless you provide explicit consent or the law permits it.Data Minimization: We collect only the data that is necessary for the specific purpose. We do not gather excessive or irrelevant information.Accuracy: We ensure that personal data is accurate, complete, and up-to-date. You have the right to request corrections at any time.Storage Limitation: We retain your personal data only as long as necessary to fulfill the purpose of collection or as required by law or regulation.Integrity and Confidentiality (Security): We apply appropriate organizational and technical safeguards to ensure the confidentiality, integrity, and availability of your data, preventing unauthorized access or accidental loss.Accountability: As a data controller, Busha is responsible for demonstrating compliance with these principles and is committed to maintaining internal controls and oversight mechanisms.These principles guide every aspect of how we handle personal data—from collection to deletion—and reinforce our commitment to protecting your privacy rights.

‍

Service providers

We engage third-party companies and individuals (“Service Providers”) to support various aspects of our services, including platform development, analytics, customer support, compliance, and infrastructure.
These Service Providers are granted access to your personal data only to the extent necessary to perform their functions on our behalf. All such providers are bound by contractual obligations to:Maintain the confidentiality and security of your personal data;Process the data only for the authorized purpose and not for their own benefit;Comply with applicable data protection regulations, including the Data Protection Act, 2019.

‍

External sites

Our platform may contain links to external websites or resources that are not controlled by Busha. When you follow a third-party link, you will be subject to that party’s privacy practices.We strongly encourage you to read the privacy policies of any third-party site you visit. Busha assumes no responsibility for the content, privacy practices, or data handling procedures of external websites or services.

‍

Children's policy

While we implement robust security measures, no system is completely secure. You are responsible for safeguarding your login credentials and any access information related to your Busha account.Busha shall not be liable for any data breaches or unauthorized access resulting from your negligence or failure to secure your personal account information. By using our services, you agree to assume responsibility for maintaining your account confidentiality.

‍

Changes to privacy policy

We may update this Privacy Policy periodically to reflect changes in legal, regulatory, or operational requirements. Significant changes will be communicated through:

• Email notifications;
• Notices on our website or platform;
• Updated "effective date" at the top of this document.


‍

We recommend that you review this policy periodically to stay informed about how we protect your personal data. Changes will take effect once posted on this page, unless otherwise stated.

‍

Client's liability

While we implement robust security measures, no system is completely secure. You are responsible for safeguarding your login credentials and any access information related to your Busha account.Busha shall not be liable for any data breaches or unauthorized access resulting from your negligence or failure to secure your personal account information. By using our services, you agree to assume responsibility for maintaining your account confidentiality.

‍

Contact us

If you have any questions about this Privacy Notice, please contact our Data Protection Officer via compliance@busha.co