Privacy Policy

Last updated: March 10, 2026 · Effective: March 10, 2026

The Short Version

📵 No account access
We never connect to your M-Pesa or bank account. Ever.

📱 SMS only
We only read M-Pesa SMS messages stored on your device.

🔒 Your data, your control
You can delete all your data from the app at any time.

1. Overview

Pesaly Technologies Ltd ("Pesaly", "we", "our", or "us") operates the Pesaly mobile application (the "App") and the website at pesaly.co.ke (the "Site"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services.

By downloading, installing, or using the Pesaly App, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, please do not use our services.

This policy applies to all users of the Pesaly App and website, including free and premium subscribers.

2. Information We Collect

We collect only the minimum information necessary to provide you with a useful financial analytics experience. We do not collect more than we need.

2.1 M-Pesa SMS Messages

With your explicit permission, Pesaly reads M-Pesa transaction confirmation messages from your device's SMS inbox. These messages contain transaction amounts, sender or recipient names, transaction codes, dates, and M-Pesa balance information. We only access messages sent by M-Pesa (Safaricom); we do not read personal SMS messages from contacts.

We never access your M-Pesa PIN, account credentials, or banking passwords.
Pesaly is not connected to Safaricom, M-Pesa, or any financial institution. We cannot initiate transactions, view your real-time balance via any API, or perform any action on your behalf.

2.2 Account Information

When you create a Pesaly account, we collect your name, email address, phone number, and a password (stored as a hashed value; we never store your plaintext password).

2.3 Device Information

  • Device model and manufacturer
  • Android OS version
  • App version number
  • SIM slot configuration (for multi-SIM support)
  • Anonymous device identifier for crash reporting

2.4 Usage Data

We collect anonymised analytics about how features are used, for example, which screens are visited most often and how frequently Smart Query is used. This data does not include the content of your queries or transactions.

2.5 Information You Voluntarily Provide

If you contact our support team, submit feedback, or participate in user research, we collect the information you choose to share with us at that time.

3. How We Use Your Data

We use the information we collect for the following purposes:

3.1 To Provide the Service

  • Parse and categorize your M-Pesa transactions
  • Generate spending summaries, charts, and reports
  • Power the Smart Query AI feature with your transaction history
  • Sync your transaction history to cloud storage (if enabled)
  • Send you transaction alerts and budget notifications

3.2 To Improve the App

  • Analyse anonymised usage patterns to improve features
  • Debug errors and fix crashes using anonymised device reports
  • Understand which features are most valuable to users
  • Develop new features based on user behaviour patterns

3.3 To Communicate With You

  • Send important account and security notifications
  • Respond to your support requests and feedback
  • Share product updates and new features (you can opt out anytime)
  • Notify you of changes to this Privacy Policy or our Terms of Service

We do not use your transaction data to train AI models or for advertising.
Your financial data is never used for targeted advertising, sold to data brokers, or shared with third-party marketers. Your M-Pesa data is yours alone.

4. Data Storage & Security

4.1 On-Device Storage

By default, all your transaction data is stored locally on your device. The app functions fully offline. Your data does not leave your device unless you explicitly enable Cloud Sync.

4.2 Cloud Storage (Optional)

If you choose to enable Cloud Sync (available on the Premium plan), your transaction data is encrypted using AES-256 encryption before being transmitted and stored on our secure servers hosted in the European Union. Data in transit is protected using TLS 1.3.

4.3 Security Measures

  • AES-256 encryption for all data at rest in cloud storage
  • TLS 1.3 for all data in transit
  • Passwords hashed using bcrypt with individual salt
  • Two-factor authentication available for account access
  • Regular third-party security audits
  • Principle of least privilege applied to all internal data access

While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We encourage you to use a strong, unique password for your Pesaly account.

5. Data Sharing

We do not sell, rent, or trade your personal information to third parties. Full stop. We share your data only in the limited circumstances described below.

5.1 Service Providers

We work with a small number of trusted third-party service providers who assist in operating our service. These providers are contractually bound to use your data only for the specific purpose of providing their service to us:

  • Cloud hosting infrastructure (data storage and processing)
  • Crash reporting and performance monitoring (anonymised)
  • Customer support ticketing software
  • Transactional email delivery (account notifications only)

5.2 Legal Requirements

We may disclose your information if required to do so by Kenyan law, a court order, or a valid legal process. We will notify you of such a request where legally permitted to do so.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of company assets, your data may be transferred to the successor entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

5.4 With Your Consent

We may share your data for other purposes only with your explicit, informed consent.

6. App Permissions

Pesaly requests the following Android permissions. We explain exactly why each is needed:

READ_SMS: Read SMS Messages (Required)

Required to read M-Pesa transaction confirmation messages from your SMS inbox. This is the core function of the app. We filter to only process messages from M-Pesa sender IDs.

INTERNET: Internet Access (Optional)

Used for account authentication, Cloud Sync (if enabled), and Smart Query AI processing. The app functions in read-only mode without internet.

RECEIVE_BOOT_COMPLETED: Start on Boot (Optional)

Allows Pesaly to listen for new incoming M-Pesa messages automatically when your device restarts, so no transactions are missed.

VIBRATE / POST_NOTIFICATIONS: Send Notifications (Optional)

Used to deliver budget alerts and transaction notifications. You can manage or disable these at any time in Settings.

You can revoke any optional permission at any time through your Android device settings under Apps → Pesaly → Permissions.

7. Data Retention

We retain your data only for as long as necessary to provide you with the service or as required by law.

  • Transaction data stored on your device: retained until you delete it or uninstall the app.
  • Cloud-synced transaction data: retained for the duration of your account. Deleted within 30 days of account deletion.
  • Account information: retained for the duration of your account plus 30 days after deletion.
  • Anonymised usage analytics: retained for up to 24 months.
  • Support correspondence: retained for up to 2 years.
  • Legal compliance records: retained for the period required by Kenyan law (typically 7 years).

You may request deletion of your data at any time as described in Section 8. When you delete data, it is permanently removed from active systems within 30 days and from backup systems within 90 days.

8. Your Rights

Under the Kenya Data Protection Act 2019 and applicable privacy laws, you have the following rights regarding your personal data:

Right to Access: Request a copy of all personal data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data ("right to be forgotten").
Right to Data Portability: Request your transaction data in a structured, machine-readable format (CSV or JSON).
Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
Right to Object: Object to our processing of your data for marketing or analytics purposes.
Right to Withdraw Consent: Withdraw any consent you have given at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@pesaly.co.ke. We will respond to all requests within 30 days. In certain cases, we may need to verify your identity before processing a request.

You may also delete your account and all associated data directly within the Pesaly app under Settings → My Account → Delete Account.

9. Children's Privacy

Pesaly is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. M-Pesa accounts require users to be at least 18 years old, and our service is designed for adult M-Pesa users.

If you believe that a child under 18 has provided us with personal information without appropriate consent, please contact us immediately at privacy@pesaly.co.ke and we will take steps to delete such information promptly.

10. Policy Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. When we make material changes, we will:

  • Post the updated policy on this page with a new "Last Updated" date
  • Send a notification to your registered email address
  • Display an in-app notification on your next login
  • For significant changes, request your fresh acknowledgement before proceeding

Your continued use of Pesaly after any changes to this policy constitutes your acceptance of the updated policy. If you do not agree to the revised policy, please stop using the app and contact us to delete your account.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:

Company: Pesaly Technologies Ltd
Address: Westlands, Nairobi, Kenya
Response Time: Within 2 business days

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC) if you believe your data rights have been violated. Visit odpc.go.ke for more information.

© 2026 Pesaly Technologies Ltd. This document was last updated on March 10, 2026.