Definitions
“Platform” means the Wawinet ISP billing and management software accessible at wawinet.ne.ke.
“ISP” or “Operator” means an Internet Service Provider registered and using the Platform.
“End User” or “Customer” means a person who subscribes to internet services from an ISP using the Platform.
“Data Controller” has the meaning in Section 2 of the Kenya Data Protection Act, No. 24 of 2019.
“Data Processor” has the meaning in Section 2 of the Kenya Data Protection Act, No. 24 of 2019.
“Personal Data” has the meaning in Section 2 of the Kenya Data Protection Act, No. 24 of 2019.
“Processing” has the meaning in Section 2 of the Kenya Data Protection Act, No. 24 of 2019.
“Sensitive Personal Data” has the meaning in Section 2 of the Kenya Data Protection Act, No. 24 of 2019.
1. Introduction and Identity of Data Controller
1.1 Wawinet (“we,” “us,” or “our”) operates a Software-as-a-Service platform for Internet Service Providers (ISPs) in Kenya and the broader East African region. We are committed to protecting the personal data of all individuals whose information passes through our Platform.
1.2 For the purposes of the Kenya Data Protection Act, No. 24 of 2019 (“the DPA”), Wawinet acts as: (a) a Data Controller in respect of personal data of ISP operators and their staff who register and use the Platform; and (b) a Data Processor in respect of personal data of End Users that is entered into the Platform by ISP operators who themselves act as Data Controllers.
1.3 ISP operators are reminded that by using this Platform to manage customer data, they assume obligations as Data Controllers under Section 18 and Part IV of the DPA and are required to be registered with the Office of the Data Protection Commissioner.
1.4 This Privacy Policy applies to all visitors to wawinet.ne.ke, all registered ISP operators and their staff, the processing of End User data entered into the Platform by ISP operators, and any person whose data we process in connection with providing our services.
2. Legal Basis for Processing
2.1 We process personal data in accordance with Section 30 of the DPA and, where GDPR applies, Article 6 of Regulation (EU) 2016/679. Our lawful bases for processing are set out below.
2.1.1 Performance of Contract (DPA s.30(1)(b)(i); GDPR Art.6(1)(b)): processing necessary to provide the Platform services to ISP operators who have entered into a subscription agreement with us, including account management, billing, and technical support.
2.1.2 Legal Obligation (DPA s.30(1)(b)(ii); GDPR Art.6(1)(c)): processing required to comply with applicable Kenyan law, including the Kenya Revenue Authority tax compliance requirements under the Tax Procedures Act, 2015, financial record-keeping obligations under the Companies Act, 2015, and reporting obligations under the Kenya Communications Act, 1998.
2.1.3 Legitimate Interests (DPA s.30(1)(b)(vii); GDPR Art.6(1)(f)): processing for fraud prevention, platform security, abuse detection, and service improvement where such interests are not overridden by the rights and freedoms of data subjects.
2.1.4 Consent (DPA s.32; GDPR Art.6(1)(a)): where we rely on consent, such as for non-essential cookies or marketing communications, we obtain express, unequivocal and informed consent as required by Section 32 of the DPA. Consent may be withdrawn at any time without affecting the lawfulness of processing based on prior consent.
3. What Personal Data We Collect
3.1 Data About ISP Operators and Their Staff. We collect identity and contact data including full name, business name, business registration number, business email address, business telephone number, physical business address, and details of authorised representatives. We also collect account data, including username and password, which is stored as a cryptographic hash using bcrypt and never in plaintext.
We also collect financial data, such as M-Pesa transaction references, subscription payment history, invoice records, billing cycle information, and bank account details where provided. We do not store full M-Pesa PINs or card numbers.
In addition, we process business compliance documents, including business registration certificates, KICA licence documents, tax compliance certificates, and identity documents for authorised representatives, as required under our regulatory compliance obligations.
3.2 End User Data Processed on Behalf of ISP Operators. We process End User identity data, contact data, service data, financial data, network data, and authentication data strictly as instructed by ISP operators acting as Data Controllers. This includes full names, phone numbers, subscription details, payment history, IP address allocations, session logs, data usage volumes, and RADIUS authentication logs for PPPoE and hotspot network access.
3.3 What We Do Not Collect. We do not knowingly collect sensitive personal data unless specifically required for identity verification under regulatory obligations. We do not knowingly process children’s data, and we do not collect full financial credentials such as M-Pesa PINs or bank account passwords.
4. How We Use Personal Data
4.1 We use personal data of ISP operators for the provision of Platform services, processing M-Pesa subscription fees, sending platform notifications, generating invoices and reports, technical support and troubleshooting, account security and fraud detection, platform analytics and improvement, tax compliance and financial records, regulatory reporting where required, and marketing of new platform features only where consent has been given.
| Purpose | Lawful Basis |
|---|---|
| Provision of Platform services | Contract performance |
| Processing M-Pesa subscription fees | Contract performance |
| Sending platform notifications | Contract performance |
| Generating invoices and reports | Contract performance |
| Technical support and troubleshooting | Contract performance |
| Account security and fraud detection | Legitimate interests |
| Platform analytics and improvement | Legitimate interests |
| Tax compliance and financial records | Legal obligation |
| Regulatory reporting (if required) | Legal obligation |
| Marketing of new platform features | Consent |
4.2 We use End User data entered by ISP operators solely to enable ISPs to manage customer billing and subscriptions, process M-Pesa payments through the Safaricom Daraja API, send SMS notifications as instructed by ISPs, generate financial records and invoices for ISPs, and operate RADIUS authentication for network access control.
4.3 We do not use End User data for our own marketing, profiling, analytics, or any purpose beyond providing the contracted service to the ISP operator.
5. Data Sharing and Third Party Processors
5.1 We do not sell, rent, or trade personal data.
5.2.1 Safaricom Limited (M-Pesa): phone numbers and payment amounts are transmitted to Safaricom through the Daraja API for payment processing. Safaricom acts as an independent Data Controller for M-Pesa transactions.
5.2.2 TalkSasa (SMS Delivery): phone numbers and message content are transmitted to TalkSasa for SMS delivery. TalkSasa processes this data as a Data Processor under our instructions.
5.2.3 Cloud Infrastructure Providers: our Platform is hosted on cloud infrastructure. Providers are bound by Data Processing Agreements ensuring compliance with the DPA and GDPR.
5.2.4 Professional Advisors: lawyers, accountants, and auditors subject to legal professional privilege and confidentiality obligations.
5.2.5 Law Enforcement and Regulatory Bodies: where required by law or court order, we disclose data to competent authorities after assessing the legal validity of the request.
5.3 All third-party processors are subject to written agreements requiring them to process data only on our documented instructions, maintain appropriate security measures, and comply with applicable data protection law, as required by Section 42(2) of the DPA.
6. Data Security
6.1 We implement technical and organisational measures appropriate to the risk, as required by Sections 41 and 42 of the DPA and Article 32 of GDPR.
Data at rest is protected with AES-256 encryption, data in transit is protected by TLS 1.3, role-based access control restricts access to personnel with a documented need, passwords are hashed using bcrypt, and all access to personal data is logged with timestamps and user identifiers for security audit and incident investigation purposes.
6.2 Personal Data Breach Notification. In the event of a personal data breach that poses a real risk of harm to data subjects, we will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware, as required by Section 43(1)(a) of the DPA, and notify affected data subjects without undue delay in accordance with Section 43(1)(b) of the DPA, unless the affected data is encrypted in a manner rendering it unintelligible to unauthorised persons.
7. Your Rights as a Data Subject
7.1 Under Part IV of the Kenya Data Protection Act, 2019, you have the right to information, access, rectification, erasure, restriction of processing, data portability, objection, and not to be subject to automated decision-making. We will respond within 30 days as required by Section 38(6) of the DPA, subject to lawful extensions where permitted.
To exercise these rights, contact privacy@wawinet.ne.ke. If you are not satisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner pursuant to Section 56 of the DPA. Where GDPR applies, you may also lodge a complaint under Article 77 of GDPR.
8. International Data Transfers
8.1 Your personal data is primarily processed and stored on servers located in Kenya or within the East African Community.
8.2 Where we transfer personal data outside Kenya to cloud infrastructure providers or third-party processors, we ensure that appropriate safeguards are in place as required by Part VI of the DPA and, where applicable, Chapter V of GDPR, including adequacy decisions, Standard Contractual Clauses, or binding corporate rules as appropriate.
8.3 In accordance with Section 50 of the DPA, certain categories of data related to Kenyan residents may only be processed through servers or data centres located in Kenya as prescribed by the Cabinet Secretary.
9. Cookies and Tracking
9.1 We use essential cookies required for the Platform to function, including session management, CSRF protection, and authentication tokens. These cannot be disabled. We do not use advertising cookies, third-party tracking cookies, or social media cookies.
9.2 Session tokens are stored as HttpOnly, Secure cookies with SameSite=Lax protection to mitigate CSRF attacks. Access tokens expire after 15 minutes; refresh tokens expire after the period set in your organisation’s security policy.
10. Retention
Please refer to our Data Retention Policy at wawinet.ne.ke/data-retention for full details of how long we retain each category of personal data.
11. Changes to This Policy
11.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be notified by email to the registered ISP administrator address, by prominent notice within the Platform, and with at least 30 days advance notice before taking effect.
11.2 The version history is maintained and prior versions are available upon request.
12. Contact and Data Protection Officer
Data Controller: Wawinet Platform · Email: privacy@wawinet.ne.ke
Data Protection Officer (DPO): dpo@wawinet.ne.ke
For complaints, contact the Office of the Data Protection Commissioner of Kenya (ODPC): www.odpc.go.ke