LITSPEED LIMITED

Privacy Policy

Effective Date:

September 1, 2025

Version:

1.0

Next Review:

August 31, 2026

Classification:

Public Document

Compliance Statement

Litspeed Limited affirms that this Privacy Policy complies with the following standards and regulations:

  • Kenya Data Protection Act (2019) and Regulations (2021)
  • ISO/IEC 27701:2019 – Privacy Information Management System (PIMS)
  • ISO/IEC 27001:2022 – Information Security Management Systems
  • NIST Privacy Framework (2020)
  • SOC 2 Type II Trust Services Criteria – Privacy and Confidentiality

Introduction

Litspeed Limited ("Litspeed", "we", "us", "our" or "the Company") recognizes your fundamental right to privacy as enshrined under the Kenyan Data Protection Act, 2019, the EU General Data Protection Regulation (GDPR) where applicable, and other relevant data protection laws. As a law-abiding and regulated financial technology (FinTech) service provider, it is our priority to ensure that your Personal Data is collected, processed, and protected in compliance with all applicable laws and regulations.

In the course of our business and through your interactions with Litspeed or third-party platforms affiliated with us—whether through our websites, mobile applications, service portals, offices, or other digital and physical touchpoints—we may process your Personal Data, subject to the terms outlined in this Privacy Policy ("Policy").

This Policy describes how we handle, manage, and secure your Personal Data. It also outlines your rights as a data subject and details our data privacy practices, applicable across all Litspeed platforms, services, applications, tools, and interfaces, regardless of how they are accessed or used.

Definitions

Data / Personal Information

Refers to any data that identifies you directly or indirectly, including but not limited to:

  • Basic Identifiers: Name, ID/passport number, phone number, email address, physical address
  • Account Security: Account credentials, PINs, passwords, and transaction information
  • Digital Identifiers: Photographs, location data, online identifiers (IP, MAC, IMEI, IMSI)
  • Financial & Biometric: Financial records and biometric data
  • Demographic Data: Date of birth, gender, religion, nationality, race/tribe
  • Sensitive Information: Political opinions, union membership, health records, criminal history
  • Unique Identifiers: Any unique personal or economic data that relates to your identity

Processing / Process

Refers to any operation performed on your personal data, either manually or through automated means. This includes collection, recording, structuring, storage, retrieval, usage, disclosure, alignment, restriction, erasure, or destruction of data.

1.

Consent

We kindly ask that you review this Policy carefully and, where applicable, provide your consent by clicking 'Agree' or any other opt-in feature provided. By continuing to interact with our platforms and services, you expressly consent to the terms of this Policy, particularly regarding the collection and processing of your personal data.

Your consent may be withdrawn at any time, subject to applicable laws and contractual obligations, without affecting the lawfulness of processing carried out prior to the withdrawal.

2.

Age Eligibility

To access and use our services or any of our Platforms, you must be at least 18 years old or the legal age of majority in your jurisdiction.

Individuals under the age of 18 may only use our services with the direct involvement of a parent or legal guardian, and such use must occur under the guardian's registered account. We reserve the right to request proof of age or guardian consent where necessary to ensure compliance with this requirement.

Regardless of the user's age, all Personal Data collected and processed by Litspeed shall be handled in strict accordance with this Privacy Policy and the applicable data protection laws, including the Kenyan Data Protection Act, 2019 and GDPR (where applicable).

3.

Collection of Personal Data

In the course of your interactions with Litspeed Limited ("Litspeed" or "we"), whether directly or via third parties through our Platforms, we may collect your personal data in the following ways:

3.1 Automatic Data Collection

We may automatically collect certain data when you interact with our Platforms (e.g., website, apps, portals). This includes data collected through your computer, mobile device, or other access tools, such as cookies, web beacons, and API calls. This information helps us enhance your experience, personalize content, and improve platform security. You may manage your cookie preferences via your browser settings, although some cookies are essential for functionality and security.

3.2 Device and Location Information

When you download or use our digital platforms, we may receive location and device-specific data, such as IP address, device ID, operating system, and browser type. This information may be used to provide location-based services, prevent fraud, or comply with legal obligations. You may disable location services through your device settings if desired.

3.3 Information You Provide

We collect information directly from you when you:

  • Account Management: Create or update an account
  • Documentation: Submit identification documents or forms
  • Communication: Interact with us via email, letters, contracts, or surveys
  • Engagement: Participate in promotions, events, or research

3.4 Information from Third Parties

We may receive personal data about you from third-party sources, including financial institutions, agents, vendors, employers, service providers, referees, or public authorities, as permitted by law.

3.5 Social Media Interactions

When you engage with us via social media platforms such as LinkedIn, Facebook, X (Twitter), WhatsApp, or Instagram, we may collect any publicly available or provided information from those interactions (e.g., comments, direct messages, reactions, or profile data).

4.

Use of Personal Data

We collect and process your personal data for the following lawful purposes:

4.1 Service Operations

  • Platform Provision: To provide, operate, and maintain our services and digital platforms
  • Account Management: To create and manage user accounts and facilitate onboarding
  • Transactions: To process transactions and send related confirmations or notifications
  • Identity Verification: To verify your identity, especially during account creation, KYC processes, or password recovery

4.2 Security & Compliance

  • Customer Support: To offer responsive customer support and improve user satisfaction
  • Fraud Prevention: To detect, investigate, and prevent fraud, financial crime, and system abuse
  • Policy Enforcement: To enforce our terms of use, policies, and applicable user agreements
  • Legal Compliance: To fulfill legal, regulatory, or contractual obligations, including reporting to authorities

4.3 Service Enhancement

  • Personalization: To personalize services, marketing, and communication based on your preferences
  • Analytics: To analyze service performance and improve platform functionality and security
  • Infrastructure: To manage infrastructure and safeguard information systems
  • Feedback: To process user feedback, complaints, inquiries, and support requests

4.4 Communication & Marketing

  • Verification: To conduct background checks and verify information accuracy
  • Marketing: To enable marketing, advertising, and promotional communications (subject to consent)
  • Contact: To contact you through email, phone, SMS, or in-app messaging for operational or support purposes
  • Custom Requests: To fulfill any specific requests or purposes for which you have provided data
5.

Storage and Protection of Your Data

We are committed to ensuring the security, integrity, and confidentiality of your personal data. We employ a layered approach to data protection using physical, technical, and administrative safeguards designed to prevent loss, misuse, unauthorized access, disclosure, or alteration of your personal information.

5.1 Security Measures

  • Encryption: Data encryption (both at rest and in transit)
  • Infrastructure: Secure cloud infrastructure and access-controlled physical storage locations
  • Access Control: Multi-factor authentication and role-based access controls for authorized personnel only
  • Monitoring: Regular system audits, vulnerability scans, and access reviews

5.2 User Responsibilities

While we take all reasonable precautions to safeguard your data, we also expect our users to play an active role in protecting their accounts. This includes:

  • Confidentiality: Keeping passwords, PINs, usernames, and authentication tokens confidential
  • Session Security: Logging out after accessing our Platforms on shared or public devices
  • Autofill Settings: Disabling password autofill features where possible on third-party devices
6.

Processing and Sharing of Your Information

To fulfill our obligations to you and provide efficient, secure services, we may process your personal data—such as your name, contact information, account ID, billing details, and identification documents—in line with the lawful bases outlined in applicable data protection laws.

6.1 Third-Party Processing

We may process your data in collaboration with third parties, including but not limited to:

  • Financial Services: Financial institutions and payment processors
  • Credit Services: Credit reference bureaus and collections agencies
  • Technology: Technology service providers and infrastructure vendors
  • Regulators: Regulatory and supervisory authorities (e.g., CBK, KRA, ODPC)
  • Corporate: Our corporate affiliates and group companies
  • Legal: Legal or law enforcement entities, when compelled by a valid legal process

6.2 Disclosure Circumstances

We may also process or disclose your information in good faith when necessary to:

  • Legal Compliance: Comply with legal or regulatory obligations
  • Policy Enforcement: Enforce our terms of use and policies
  • Security: Detect, prevent, or respond to fraud, cyber threats, or criminal activity
  • Risk Management: Manage operational risks or imminent threats to safety or service integrity
7.

Your Rights

As a data subject, you are entitled to the following rights regarding your personal data collected and processed by Litspeed Limited:

7.1 Right of Access

You may request access to the personal data we hold about you at any time by contacting our Data Protection Officer via dpo@litspeed.com

7.2 Right to Data Portability

You have the right to request that your personal data be made available to you in a commonly used electronic format or transferred to a third party. However, we may decline repetitive, excessive, or unreasonably burdensome requests and will always communicate our decision with justification.

7.3 Right to Rectification

If you discover that the data we hold about you is inaccurate, incomplete, or outdated, you have the right to request correction. Supporting documentation may be required to validate such corrections.

7.4 Right to Withdraw Consent

You may withdraw your consent to the processing of your data at any time. Note that any processing carried out prior to withdrawal will remain valid and lawful.

7.5 Right to Restrict or Object to Processing

You have the right to restrict or object to the processing of your data, especially if it is being processed for direct marketing or if you contest the lawfulness of the processing.

7.6 Right to Erasure (Right to be Forgotten)

You may request that we delete your personal data. However, deletion may not apply where the data is required to fulfill legal or regulatory obligations or to complete contractual obligations.

7.7 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya or the relevant supervisory authority in your jurisdiction.

7.8 Right to Automated Decision-Making Information

Where applicable, you have the right to be informed of any automated decision-making, including profiling, and to receive meaningful information about the logic involved, and the consequences of such processing.

8.

Software

By using our digital platforms—including but not limited to apps, browser extensions, or downloadable software—you acknowledge and consent that such software may automatically download and install updates, bug fixes, and new features as part of our efforts to improve user experience, enhance security, and maintain compliance.

9.

Cross-Border Data Transfer

As a regulated fintech company, we may operate or partner with third parties in jurisdictions outside Kenya. In the course of providing our services, your personal data may be transferred or stored in locations outside your country of residence.

9.1 Transfer Conditions

Transfers will only occur under the following conditions:

  • Consent: Your explicit consent has been obtained
  • Contract Performance: The transfer is necessary for the performance of a contract with you or the implementation of pre-contractual measures at your request
  • Contract Interest: The transfer is required to conclude or perform a contract in your interest
  • Legal Claims: The transfer is necessary for the establishment, exercise, or defence of legal claims or to protect your vital interests
  • Adequacy: The receiving country has been deemed to offer an adequate level of protection by the relevant data protection authority

9.2 Safeguards

To further safeguard your data, we may:

  • Due Diligence: Conduct privacy due diligence on foreign partners
  • Contractual Clauses: Enter into data transfer agreements that include Standard Contractual Clauses (SCCs)
  • Third-Party Standards: Ensure any third-party recipient adheres to strict confidentiality and data protection obligations
  • Data Minimization: Where possible, anonymize or pseudonymize data before transfer
  • Registration: Register such transfers with the ODPC, where required
10.

Cookie Policy

10.1 What Are Cookies?

Cookies are small data files stored on your computer or device when websites are loaded in a browser. These files record specific information about your browsing activity and help us improve your user experience on our platforms.

10.2 Types of Cookies We Use

10.2.1 Session Cookies (Temporary Cookies)

These cookies are active only during your browsing session and expire once you close your browser. They temporarily store information like your login status or selections on forms to enhance navigation.

10.2.2 Persistent Cookies (Permanent Cookies)

These remain on your device after the session ends, helping us remember your preferences, settings, and login details for future visits.

10.3 Why We Use Cookies

  • Authentication: To identify you when you log in and personalize your experience in line with your account settings
  • Security: To ensure the safety of your sessions, detect suspicious activity, and prevent unauthorized access to your account
  • Preferences and Features: To store your choices (like language selection) and help autofill forms or deliver personalized content across visits
  • Performance, Analytics, and Research: To understand how users engage with our platforms and services, evaluate the effectiveness of emails and website content, and improve overall performance

10.4 Controlling and Managing Cookies

We will always request your consent before placing cookies on your device, except where cookies are strictly necessary (e.g., for platform security or fraud prevention).

You have full control over your cookie settings. You can accept or reject cookies when prompted, disable cookies via your browser or app settings, and clear stored cookies from your device at any time.

Important: Disabling cookies may limit your access to certain features or services on our platform, including personalized content or secure areas.

11.

Data Retention

11.1 Introduction

This Data Retention Policy outlines how Litspeed Limited manages and retains records and data ("Records") to support business operations, comply with legal and regulatory obligations, and ensure orderly and secure information management.

We are committed to safeguarding the confidentiality, integrity, and availability of data and ensures that all Records are retained only for as long as necessary for their intended purposes.

11.2 Definition of Records

"Records" refer to any data, documents (personal, transactional, or contractual), correspondence, policies, system logs, or confidential information—whether physical or electronic—created, received, and maintained by Litspeed.

11.3 Security and Storage Measures

  • Email records: All sensitive data transmitted via email shall be encrypted and password-protected
  • Physical records: Hardcopy documents shall be clearly labelled "Confidential" and stored in locked cabinets or secure rooms
  • Electronic records: All digital Records shall be stored in access-controlled environments, with multi-factor authentication and encrypted storage
  • Device protection: All computing devices shall be password-protected and regularly updated
  • Backups: Electronic data will be backed up regularly, with encrypted backups stored both onsite and offsite

11.4 Destruction of Records

Once the applicable retention period has expired, records shall be reviewed and either archived, anonymized, returned to the originator, or securely destroyed—depending on their sensitivity, legal obligations, and business relevance.

11.4.1 Secure Destruction Procedures

  • Hardcopy records: Confidential paper documents shall be shredded or incinerated
  • Electronic records: Shall be permanently deleted from all storage devices, including backup systems
  • Storage media: Devices such as USBs, CDs, and hard drives containing obsolete records shall be physically destroyed if individual data cannot be selectively deleted
  • Forensic resistance: Digital deletion shall be irreversible, such that data cannot be recovered using forensic methods
12.

Third-Party Contractors & Service Providers

12.1 Data Sharing with Third Parties

We may share your personal data with trusted third-party partners, including service providers, financial institutions, vendors, affiliates, contractors, and technology partners. This is done to support the delivery, improvement, personalization, administration, and analysis of our services and operations.

  • Service Enhancement: Performing and enhancing services offered through our platforms
  • Customer Support: Providing customer support
  • Development: Software/application development and maintenance
  • Verification: Verification and KYC functions
  • Payments: Processing payments and transactions
  • Analytics: Market research and analytics

12.2 Legal and Regulatory Data Sharing

Litspeed may also disclose your personal data to regulators, law enforcement bodies, government agencies, courts, or other authorized third parties where required to comply with applicable laws and regulations, necessary to enforce our contractual terms, or needed to protect our legal rights, property, or the safety of Litspeed, its clients, or the public.

12.3 Links to Third-Party Websites or Services

This Data Policy only applies to personal information collected by Litspeed via our owned platforms and services. Our website and digital channels may contain links to third-party websites or platforms not owned or controlled by us.

We are not responsible for the privacy practices or data protection policies of such third-party sites or platforms. Access to such third-party services is at your own risk.

12.4 Security of Shared Information

We will not share your personal data with any third party unless the third party has committed (via contract or policy) to apply adequate technical and organizational security measures to protect your data, there is a lawful basis for sharing such data, and the third party agrees to confidentiality terms and non-disclosure obligations.

13.

Dispute Resolution

If you have a concern or dispute related to how your personal data is handled by Litspeed:

• Contact us with your full name and the nature of your complaint • We will acknowledge your concern within 48 hours and attempt to resolve it amicably • If unresolved, we may engage in mediation as a preferred method of alternative dispute resolution before exploring other legal avenues

14.

Contact Us

Litspeed Limited – Data Protection Officer 📍 Nairobi, Kenya 📧 Email: dpo@scripay.com 🌐 Website: www.scripay.com/privacy

Please allow up to 2 business days for your request to be processed. Litspeed reserves the right to charge a reasonable fee where requests are manifestly unfounded, excessive, or repetitive.

15.

Amendments to this Policy

This Policy may be updated from time to time. All changes will be published on our official website and will take effect immediately upon publication. Continued use of our platforms following an update constitutes your acceptance of the revised terms.

Important Notice

By continuing to use our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of our services immediately.

Last updated: September 1, 2025 | Version 1.0