
Data Retention Policy

How We Retain, Protect, and Delete Your Data

Effective date: 25 November 2024 · Last updated: April 2026 · Version 1.2

Definitions

Retention Period means the maximum period Wawinet retains a category of data before deletion or anonymisation.

Deletion means secure erasure or purge such that the personal data is no longer reasonably retrievable.

Backup Data means encrypted copies of operational data held for disaster recovery and resilience.

Session Token means authentication material used to maintain a logged-in session for the Platform.

Anonymised Data means data that can no longer identify an individual directly or indirectly.

Financial Records means payment, invoicing, and tax-related records maintained for statutory compliance.

1. Purpose and Scope

1.1 This Data Retention Policy (“Policy”) sets out how Wawinet retains, stores, and deletes personal data in compliance with Section 39 of the Kenya Data Protection Act, No. 24 of 2019 (“DPA”), the storage limitation principle under Article 5(1)(e) of the GDPR where applicable, the Tax Procedures Act, 2015, and the Companies Act, 2015.

1.2 This Policy applies to all personal data processed by the Platform, whether entered by ISP operators, collected from users, or generated by Platform systems.

1.3 This Policy should be read together with our Privacy Policy and Terms of Service.

2. Retention Schedule

2.1 The table below sets out our retention periods by data category. Where a legal obligation mandates a minimum retention period, we retain data for that minimum period. All other data is retained only as long as necessary for the purposes described.

| Data Category | Retention Period | Legal/Regulatory Basis | Deletion Method |
|---|---|---|---|
| ISP Operator account profile | Duration of account + 90 days | DPA s.39; Contract performance | Secure deletion |
| ISP staff user accounts | Duration of account + 90 days | DPA s.39 | Secure deletion |
| End User (customer) profiles | Duration of ISP account + 90 days | DPA s.39; Contract performance | Secure deletion |
| Payment transaction records (M-Pesa) | 7 years from transaction date | Tax Procedures Act 2015 s.23; KRA requirements | Archived, then secure deletion |
| Platform subscription invoices | 7 years from invoice date | Tax Procedures Act 2015; Companies Act 2015 | Archived, then secure deletion |
| M-Pesa callback logs | 2 years | DPA s.39; Financial audit trail | Secure deletion |
| SMS delivery logs | 1 year | DPA s.39; Service quality assurance | Secure deletion |
| RADIUS authentication logs | 90 days | DPA s.39; Billing verification | Automated purge |
| Network session logs (PPPoE/Hotspot) | 90 days | DPA s.39; Billing verification | Automated purge |
| IP address allocation records | 90 days | DPA s.39; Security and abuse prevention | Automated purge |
| Support ticket records | 2 years from resolution | DPA s.39; Service quality; Legal defence | Secure deletion |
| Platform audit logs (access logs) | 2 years | DPA s.39; Security compliance; DPA s.43 | Secure deletion |
| Subscription and package history | 7 years | Tax Procedures Act 2015 | Archived, then secure deletion |
| Business compliance documents | Duration of account + 3 years | Regulatory compliance | Secure deletion |
| Security incident records | 5 years | DPA s.43; Legal defence | Secure deletion |
| Backup data | 30 days rolling | Business continuity | Automatic overwrite |
| Session tokens (access) | 15 minutes (automatic expiry) | Security best practice | Automatic expiry |
| Refresh tokens | 7 days maximum | Security best practice | Automatic expiry |
| Deleted customer records (recovery) | 30 days post-deletion | Customer recovery window | Automated purge |
| ISP account data post-cancellation | 90 days (data export window) | DPA s.38; Contract | Secure deletion |
| Anonymised aggregate analytics | Indefinitely | DPA s.39(1)(d); Legitimate interests | N/A (no personal data) |

3. Legal Basis for Retention Periods

3.1 Financial Records — 7-Year Requirement. The Tax Procedures Act, 2015 requires all persons carrying on business to maintain records of transactions for a minimum of seven years from the date of the transaction. This applies to all M-Pesa payment records, invoices, and subscription billing data. This retention obligation applies regardless of account termination status and overrides any erasure request to the extent it conflicts with this legal requirement.

3.2 Data Protection Limitation Principle. For all personal data not subject to a minimum legal retention period, we apply Section 39 of the DPA: data is retained only as long as reasonably necessary for the purpose for which it was collected. Once the purpose is fulfilled and no legal obligation requires retention, data is deleted.

3.3 Security and Legal Defence. Audit logs and security records are retained for 2–5 years to support investigation of security incidents, respond to regulatory inquiries, and establish or defend legal claims as permitted under DPA s.39(1)(b).

4. Data Deletion Lifecycle

4.1 When an ISP operator cancels their account, the following deletion timeline applies: Day 0, account suspension and full preservation for export; Days 1–30, data export window; Day 31, non-financial personal data enters the deletion queue; Day 90, all End User personal data and ISP operator personal data excluding financial records is permanently and securely deleted; and Day 90+, only anonymised aggregate data and financial records remain.

4.2 When an ISP operator deletes an individual End User record within the Platform, the record is soft-deleted for 30 days to allow recovery in case of accidental deletion. After 30 days, the record is permanently purged from all systems including backups as they are overwritten.

4.3 The Platform operates scheduled automated processes to purge RADIUS authentication logs older than 90 days, network session logs older than 90 days, IP address allocation logs older than 90 days, SMS delivery logs older than 1 year, expired session and refresh tokens, and backup data older than 30 days.

5. Data Export and Portability

5.1 Under Section 38 of the DPA and Article 20 of GDPR, you have the right to receive personal data concerning you or your End Users in a structured, commonly used, and machine-readable format.

5.2 To request a full data export, log into the Platform and navigate to Settings → Data Export, or email privacy@wawinet.ne.ke with the subject “Data Export Request” from your registered administrator email address. We will fulfil export requests within 30 days.

5.3 Export formats available include customer records as CSV and JSON, payment history as CSV and PDF, invoices as PDF, subscription history as CSV, SMS logs as CSV, and network configuration as JSON.

6. Right to Erasure — Scope and Limitations

6.1 You may submit an erasure request under Section 40(1)(b) of the DPA and Article 17 of GDPR at any time.

6.2 We will comply with erasure requests within 30 days, subject to lawful exceptions including legal obligations, legal claims, ongoing contractual obligations, and public interest or research where data has been anonymised or pseudonymised.

6.3 Where we partially comply with an erasure request, we will clearly inform you of the data that has been deleted, the data that has been retained, the legal basis for retention, and when the retained data will be deleted.

7. Data Security During Retention

7.1 During the applicable retention period, all personal data is protected by AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access control, encrypted backups, continuous monitoring for unauthorised access, and immutable audit logs recording all access to personal data.

7.2 When data reaches the end of its retention period, it is deleted using secure deletion methods designed to prevent recovery, including overwriting and cryptographic erasure where appropriate.

8. Cross-Border Considerations

8.1 Our retention and deletion obligations apply regardless of where data is stored. Where data is stored on servers outside Kenya, our retention periods and deletion procedures remain applicable and are enforced through our contracts with infrastructure providers.

8.2 Backup copies of data held outside Kenya are subject to the same retention periods and deletion procedures as primary copies.

9. Review and Updates

9.1 This Policy is reviewed annually or whenever there is a material change in applicable law or our data processing practices.

9.2 Material changes are communicated to ISP operators with 30 days’ advance notice via email and platform notification.

10. Complaints and Contact

10.1 If you have concerns about how we retain or delete your personal data, contact privacy@wawinet.ne.ke. Our response time is within 30 days.

10.2 If you are not satisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC) at www.odpc.go.ke pursuant to Section 56 of the Kenya Data Protection Act, 2019.

10.3 EU/EEA data subjects may additionally lodge a complaint with their local supervisory authority pursuant to Article 77 of GDPR.