Gypaid AfricaGypaid AfricaPayments and automation

Overview

Gypaid Africa Limited provides payment infrastructure, mobile money collections, bulk payments, mobile banking workflows, utility payments, bulk SMS, developer APIs and custom business automation systems for organizations in Uganda, East Africa and Africa.

This Privacy Policy explains how we collect, use, store, share and protect information when businesses, developers, customers, merchants, SACCOs, MFIs, schools, NGOs, agents, beneficiaries, suppliers, individual account holders and other users interact with our website, dashboards, APIs, mobile or web platforms, support channels and related services.

Information we collect

  • Business and account information: company or organization name, registration details, tax or compliance identifiers where required, business address, industry, service interests, authorized user names, roles, phone numbers, email addresses and contact preferences.
  • Personal account information: full name, phone number, email address, username or account identifier, password or authentication credentials, profile details, preferred language, notification preferences, account status, linked business or institution relationships, and records of consent or acceptance of policies and service terms.
  • Personal identity and verification information: national identification details, date of birth, gender where required, address, nationality, photo or document images, selfie or biometric verification outputs where legally permitted and required, next-of-kin or emergency contact details where configured, and other due diligence information needed to verify an individual account.
  • Personal wallet and payment information: mobile money number, bank account references, wallet identifiers, card or payment token references where available, payer or recipient details, saved beneficiaries, transaction limits, payment instructions, transaction history, balances or statements shown through an integrated service, fees, refunds, reversals and dispute records.
  • Personal login, security and device information: login timestamps, IP address, device identifiers, browser or app version, one-time password events, failed login attempts, password reset activity, suspicious activity indicators, session data and security alerts.
  • Merchant, institution and platform user information: administrator details, staff or agent profiles, role permissions, approval levels, login records and support requests needed to operate dashboards, workflows and enterprise systems.
  • Transaction and payment information: payment references, mobile money or bank transaction IDs, amounts, currency, payer or recipient phone numbers, beneficiary details, merchant identifiers, settlement records, reversal or refund records, payout files, reconciliation data and transaction status history.
  • Developer and API information: API keys or identifiers, sandbox and production environment activity, request metadata, webhook delivery logs, IP addresses, timestamps, error logs, integration references, SDK usage and system events needed to secure, monitor and support integrations.
  • Mobile banking, SACCO and MFI workflow information: member or customer references, account or wallet identifiers, balances or statement data provided through integrated systems, repayment references, alerts, approvals and transaction instructions where these services are configured.
  • Utility payment and SMS information: airtime, data, PayTV or bill payment details, recipient phone numbers, message content submitted by customers, message delivery statuses and provider references.
  • Website, device and usage information: IP address, browser type, device type, operating system, pages visited, forms submitted, referral source, date and time, approximate location derived from network data, cookies and similar analytics data.
  • Compliance and risk information: identity, due diligence, fraud prevention, sanctions screening, anti-money laundering, counter-terrorism financing, dispute, audit and regulatory information required for lawful payment and financial technology operations.

Legal bases for processing

We process personal information lawfully, fairly and transparently. The legal basis depends on the Gypaid Africa service being used, the role of the person whose data is involved and applicable data protection, payment, communications and financial services obligations.

We collect and use information only where:

  • It is necessary to provide contracted services, including collections, payouts, mobile banking workflows, utility payments, SMS, APIs, dashboards, reporting, support and custom software.
  • It is necessary to take steps before entering into a contract, such as responding to demo requests, API access requests, pricing enquiries, onboarding and due diligence.
  • It supports legitimate business interests such as fraud prevention, platform security, service improvement, analytics, customer support, reconciliation, dispute resolution, internal reporting and protecting legal rights.
  • You or your organization has given consent for a specific purpose, such as receiving marketing communications or allowing optional integrations.
  • We must comply with legal, regulatory, tax, accounting, court, law enforcement, payment network, mobile money, banking, communications, AML or CTF obligations.

Retention and security

We retain personal information only for as long as reasonably necessary to provide our services, support customers, maintain transaction records, resolve disputes, prevent fraud, meet audit requirements and comply with legal or regulatory obligations.

Payment, settlement, reconciliation, compliance, tax, accounting and audit records may be retained for longer periods where required by law, contractual obligations, mobile money or banking partners, or legitimate business needs.

We use commercially reasonable technical and organizational safeguards to protect information against unauthorized access, loss, misuse, disclosure, alteration and destruction. These safeguards may include access controls, role-based permissions, encryption in transit where appropriate, monitoring, logging, secure credential management and staff or contractor confidentiality obligations.

No electronic transmission or storage method is completely secure. We continuously work to improve our safeguards, but we cannot guarantee absolute security.

Collection and use of information

We collect, hold, use and disclose information to operate Gypaid Africa as a payment infrastructure and business automation provider. Personal information will not be processed in a manner incompatible with these purposes.

  • To onboard merchants, institutions, developers and enterprise customers.
  • To create, verify, secure, maintain and support individual personal accounts where Gypaid Africa provides account access, wallet-related workflows, personal payment features, beneficiary access, member access, student or parent access, agent access or customer-facing portals.
  • To process mobile money collections, bulk payouts, utility payments, SMS requests, banking workflows, refunds, reversals, settlements and reconciliations.
  • To provide dashboards, approval workflows, reports, transaction histories, API access, sandbox environments, webhooks and technical support.
  • To verify users, beneficiaries, recipients, businesses, institutions and transactions where required for security, risk, compliance or partner requirements.
  • To detect, prevent, investigate and respond to fraud, unauthorized access, abuse, suspicious transactions, chargebacks, disputes and service misuse.
  • To communicate service updates, transaction notifications, support responses, security alerts, billing information and administrative messages.
  • To improve reliability, performance, user experience, API documentation, integrations, products, analytics and customer support.
  • To build, configure, maintain and support custom software, field operations systems, POS, inventory, mobile banking and enterprise automation platforms.
  • To comply with contracts, service agreements, partner requirements, legal obligations, court orders, regulator requests and law enforcement requests.
  • To send marketing or business development communications about Gypaid Africa products and services where permitted, with opt-out options where applicable.

Individual and personal accounts

Where Gypaid Africa provides or supports personal accounts, we may collect and process individual account data to register the account, verify the account holder, secure access, process transactions, provide support, display transaction history, manage preferences and comply with payment, banking, mobile money, communications, AML, CTF and fraud-prevention obligations.

Personal accounts may be used directly by an individual or may be connected to a business, SACCO, MFI, school, NGO, merchant, agent network, employer, beneficiary program or other organization using Gypaid Africa services. In those cases, some personal account data may be visible to or controlled by that organization according to the relevant service configuration, user role, consent, contract and applicable law.

  • Profile and contact data: name, phone number, email address, account identifier, communication preferences and support history.
  • Identity and eligibility data: national ID or other identity details, date of birth, address, verification status, compliance checks and documents required for onboarding or regulated services.
  • Payment and wallet data: mobile money numbers, bank or wallet references, beneficiaries, payment instructions, transaction references, transaction history, balances shown through integrations, settlement records, refunds, reversals and dispute records.
  • Security data: password or credential status, login records, OTP events, device and browser details, IP address, failed login attempts, account lock events, fraud signals and risk review outcomes.
  • Service-use data: dashboards or portals accessed, forms submitted, utility purchases, SMS notifications, mobile banking requests, API-linked activity, customer support requests and preferences.
  • Linked organization data: employer, school, SACCO, MFI, NGO, merchant, agent network or enterprise references where your personal account is used to receive payouts, make payments, access member services, approve workflows or participate in a customer-managed program.

Disclosure of personal information to third parties

We may share information only where reasonably necessary for the services we provide, our legal obligations or legitimate business operations. Recipients may include:

  • Mobile money operators, banks, payment processors, utility providers, SMS aggregators, card or payment service providers and settlement partners involved in processing transactions.
  • Customer organizations that use Gypaid Africa services, where we process information on their behalf for their merchants, staff, members, students, beneficiaries, agents, customers or suppliers.
  • Cloud hosting, database, monitoring, analytics, communication, customer support, identity verification, fraud prevention, cybersecurity and software service providers.
  • Professional advisors, auditors, accountants, insurers, legal representatives and debt recovery providers where necessary.
  • Regulators, tax authorities, courts, tribunals, law enforcement agencies, mobile money or banking partners and other authorities where required by law, contract, investigation, dispute, audit or compliance obligation.
  • Employees, contractors, consultants and implementation partners who need access to deliver, support, maintain or improve Gypaid Africa services and who are subject to confidentiality or access control obligations.

International transfers of personal information

Gypaid Africa is based in Uganda. Information may be stored and processed in Uganda and in other countries where our hosting providers, technology providers, payment partners, support providers or enterprise customers operate.

Where information is transferred across borders, we take reasonable steps to ensure appropriate protections are in place, including contractual safeguards, access controls and provider due diligence where applicable.

Some jurisdictions may not provide the same level of data protection as your home jurisdiction. We transfer information only where necessary for service delivery, support, security, compliance or business operations.

Your rights and controlling your personal information

  • Access: You may request access to personal information we hold about you, subject to identity verification, customer authorization and legal or contractual limits.
  • Correction: You may ask us to correct inaccurate, incomplete or outdated information.
  • Deletion or restriction: You may request deletion or restriction of certain information, although we may need to retain transaction, compliance, audit, security or contractual records.
  • Objection and withdrawal of consent: Where processing is based on consent or direct marketing, you may withdraw consent or opt out using the contact details in this policy or any unsubscribe tools provided.
  • Customer-controlled data: Where we process information on behalf of a business, SACCO, MFI, school, NGO or enterprise customer, some requests may need to be directed to that customer as the organization responsible for the data.
  • Security and breach notices: We will comply with applicable laws regarding security incidents and data breach notifications.
  • Complaints: If you believe your privacy rights have been affected, contact us using the details below and we will review your concern.

Cookies

We may use cookies and similar technologies on our website, dashboards and developer portals to keep sessions secure, remember preferences, understand usage, improve performance, monitor errors and measure marketing or product engagement.

You may control cookies through your browser settings. Blocking some cookies may affect login, dashboard, API documentation, support or security features.

Roles when we process customer data

Gypaid Africa may process information as an independent business for our own website, sales, compliance, support and platform operations. We may also process information on behalf of customer organizations that use our payment, API, SMS, banking or software services.

When we process information on behalf of a customer organization, that organization is responsible for ensuring it has the right to submit, collect, use and instruct us to process the information. We process such information according to our agreement with that customer, applicable law and this policy.

Children, students and beneficiaries

Some Gypaid Africa customers, such as schools, NGOs, SACCOs and enterprises, may process information relating to students, members, beneficiaries, agents or recipients through our systems. We process such information only to provide the configured service, support the customer relationship, comply with applicable law and protect the security of the platform.

If you are a parent, guardian, student, member or beneficiary with questions about information submitted by an organization using Gypaid Africa, you may contact that organization directly or contact us for assistance routing your request.

Business transfers

If Gypaid Africa, any part of our business, or our assets are merged, acquired, reorganized, financed or transferred, information may be disclosed or transferred as part of that transaction, subject to appropriate confidentiality and continuity protections.

Limits of our policy

Our website, dashboards, API documentation, support materials or customer systems may link to third-party websites, platforms, mobile money providers, banks, utility providers or tools that we do not operate. We are not responsible for the privacy practices of those third parties.

Changes to this policy

We may update this Privacy Policy to reflect changes in our services, technology, legal obligations, payment partner requirements or business operations.

Where changes are material, we will take reasonable steps to notify affected customers or users through our website, platform, email, account notice or other appropriate channels. Continued use of our services after an updated policy becomes effective means the updated policy applies to that use.