Privacy Policy

Last updated: April 25, 2026

QipQop Trader respects your privacy. This policy describes what data we collect, why we collect it, how we protect it, and what rights you have over it. We comply with the Kenya Data Protection Act 2019 and apply GDPR principles where relevant.

1. What we collect

• Account data: name, email, phone number, password (hashed).
• KYC data: government-issued ID, selfie, address proof. Stored encrypted, access-restricted.
• Financial data: M-Pesa phone number, transaction IDs, deposit and withdrawal history, wallet balance. We do not store your M-Pesa PIN — that never leaves your handset.
• Trading data: every trade you place, its entry/exit prices, stake, payout, and outcome. Retained for audit.
• Technical data: IP address, browser, device, timestamps — for security and fraud prevention.

2. Why we collect it

• To operate the trading platform (legitimate interest + contract).
• To verify identity and prevent fraud (legal obligation — AML/KYC).
• To process deposits, withdrawals, and trades (contract).
• To communicate service updates and account alerts (legitimate interest).
• To comply with regulatory reporting (legal obligation).

3. Who we share it with

We share only what is necessary with:

• Safaricom (Daraja/M-Pesa): your phone number and transaction amounts, to process payments.
• Regulators: only when compelled by lawful order or for mandatory reporting.
• Service providers: hosting, email, SMS, and analytics — bound by data-processing agreements.

We do not sell your data. Ever.

4. How long we keep it

Financial and KYC records: 7 years after account closure (regulatory requirement). Trading records: 7 years. Account data: until you request deletion, subject to the 7-year retention above. Marketing consent: until withdrawn.

5. Your rights

Under the Kenya DPA 2019 and GDPR you have the right to:

• Access a copy of your data.
• Correct inaccurate data.
• Delete your data (subject to retention requirements above).
• Port your data to another provider.
• Object to processing based on legitimate interest.
• Withdraw consent to marketing at any time.
• Lodge a complaint with the Office of the Data Protection Commissioner (Kenya) or your local supervisory authority.

6. How we protect it

All data is encrypted in transit (TLS). Passwords are one-way hashed. KYC documents are stored in access-restricted, encrypted storage. Our infrastructure is firewalled, patched, and access-logged. We enforce least-privilege access internally.

7. Cookies

We use strictly-necessary cookies for session management. We do not use advertising cookies. Analytics cookies are optional and disabled by default.

8. Contact

For privacy questions or to exercise any of the rights above, contact our Data Protection Officer via the Contact page. We respond within 30 days as required by law.