M-Patanisho Limited ("M-Patanisho", "we", "our", or "us") operates the M-Patanisho marketplace platform at mpatanisho.com and its associated mobile applications. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our services. By accessing or using M-Patanisho, you agree to the practices described in this policy.
We collect information you provide directly, information generated through your use of the platform, and information from third-party services you connect to your account.
When you register, we collect your name, email address, phone number (required for M-Pesa payments), and profile photograph. For sellers and riders, we additionally collect national ID or business registration details for identity verification purposes.
We record all transactions conducted through the platform, including order details, payment amounts, M-Pesa transaction references, escrow hold and release events, and delivery confirmations. This data is retained for a minimum of seven years to comply with Kenyan financial regulations and Safaricom Daraja API requirements.
M-Patanisho processes payments exclusively through Safaricom M-Pesa via the Daraja API. We do not store your M-Pesa PIN or full M-Pesa credentials. We store your phone number and M-Pesa transaction identifiers (CheckoutRequestID, MpesaReceiptNumber) solely for order reconciliation and dispute resolution.
We automatically collect your IP address, browser type, operating system, pages visited, session duration, and referring URLs. This data is used for security monitoring, fraud detection, and improving platform performance.
With your permission, we collect your device location to enable delivery address auto-fill and rider proximity tracking. You may revoke location access at any time through your device settings.
We use your personal information for the following purposes:

| Purpose | Legal Basis |
|---|---|
| Processing orders and M-Pesa payments | Contractual necessity |
| Holding and releasing escrow funds | Contractual necessity |
| Verifying seller and rider identity | Legal obligation (KYC) |
| Sending order status notifications via SMS/email | Contractual necessity |
| Detecting and preventing fraud | Legitimate interest |
| Complying with Safaricom Daraja API terms | Legal obligation |
| Improving platform features and performance | Legitimate interest |
| Responding to support requests and disputes | Contractual necessity |

M-Patanisho integrates with Safaricom's Daraja API to facilitate M-Pesa STK Push payments. When you initiate a payment, your phone number is transmitted to Safaricom to trigger the payment prompt. Safaricom's own privacy policy governs the processing of your data on their systems. M-Patanisho receives only the transaction outcome and receipt number from Safaricom; your M-Pesa PIN is entered directly on your handset and is never transmitted to or stored by M-Patanisho.
Escrow funds are held in a designated M-Pesa business account and released to sellers only upon confirmed delivery or dispute resolution. All escrow movements are logged with timestamps and are available to you in your order history.
We do not sell your personal information. We share your data only in the following circumstances:
We share data with trusted third-party service providers who assist us in operating the platform, including cloud hosting providers, SMS gateway providers, and email delivery services. All service providers are contractually bound to process your data only as instructed by us.
Your phone number and transaction details are shared with Safaricom as required to process M-Pesa payments. This sharing is governed by Safaricom's Daraja API terms and Safaricom's privacy policy.
We may disclose your information to law enforcement, regulatory authorities, or courts when required by Kenyan law, including the Communications Authority of Kenya, the Central Bank of Kenya, or pursuant to a valid court order.
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this policy.
We retain your personal data for as long as your account is active and for a minimum of seven years after account closure to comply with Kenyan tax and financial record-keeping obligations. Transaction records involving M-Pesa are retained for seven years as required by the Central Bank of Kenya's Payment Service Provider Regulations. You may request deletion of non-transactional data (such as profile information) at any time, subject to our legal retention obligations.
We implement industry-standard security measures to protect your personal information, including TLS encryption for all data in transit, bcrypt hashing for passwords, time-based one-time password (TOTP) two-factor authentication for all admin accounts, and regular security audits. However, no method of transmission over the internet is completely secure, and we cannot guarantee absolute security.
Under the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
M-Patanisho uses session cookies to maintain your login state and functional preferences. To understand aggregate platform usage, we use Umami Analytics, a privacy-preserving, cookie-less analytics tool. We do not use third-party advertising cookies or cross-site tracking technologies.
M-Patanisho is not directed at children under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us immediately at [email protected] and we will delete the information promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the platform and, where required by law, by sending you an email or SMS notification. Continued use of the platform after the effective date of any changes constitutes your acceptance of the updated policy.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer: