Data Privacy Policy

Document ID: DPP-001 Version: 1.0 Classification: Internal Effective Date: January 2026 Next Review: July 2026 Owner: Keshless Compliance Team

---

1. Legal Basis and Scope

1.1 Purpose

This Data Privacy Policy establishes how Keshless collects, processes, stores, and protects personal information. It ensures compliance with applicable data protection regulations and demonstrates our commitment to safeguarding customer privacy.

1.2 Legal Framework

Regulation	Applicability	Key Requirements
POPIA (South Africa)	Cross-border transactions	Lawful processing, data subject rights, breach notification
GDPR (European Union)	EU data subjects	Consent, data minimization, right to erasure
Eswatini Data Protection	Local operations	Personal information protection
FATF Recommendations	AML/CFT	Customer due diligence, record keeping

1.3 Scope

This policy applies to all personal data processed by Keshless, including:

• User registration and profile data
• KYC (Know Your Customer) documentation
• Transaction records
• Vendor business information
• Employee and contractor data
• Support and communication records

1.4 Data Controller

Keshless (Pty) Ltd Eswatini Email: privacy@keshless.app

---

2. Data Classification

2.1 Classification Levels

Level	Description	Examples	Access
Restricted	Highly sensitive personal data	ID numbers, passwords, biometrics	Need-to-know, encrypted
Confidential	Sensitive business/personal data	Transactions, KYC status	Role-based access
Internal	General business data	Analytics, configurations	Internal employees
Public	Non-sensitive information	FAQs, marketing content	Unrestricted

2.2 Special Categories

Data requiring enhanced protection:

• Government-issued identification numbers
• Biometric data (selfies for KYC)
• Financial account information
• Location data
• Health information (if collected)

---

3. Data Inventory (PII Mapping)

3.1 User Personal Data

Field	Data Type	Classification	Purpose	Legal Basis
firstName, lastName	Name	Confidential	Account identification	Contract
surname, names	Full name	Confidential	KYC verification	Legal obligation
phoneNumber	Contact	Confidential	Authentication, notifications	Contract
email	Contact	Confidential	Communication	Contract
personalIdNumber	Government ID	Restricted	KYC verification	Legal obligation
dateOfBirth	Demographics	Restricted	Age verification, KYC	Legal obligation
sex, gender	Demographics	Confidential	ID verification	Legal obligation
chiefCode	Location	Confidential	KYC (Eswatini traditional authority)	Legal obligation
sourceOfFunds	Financial	Confidential	AML compliance	Legal obligation
occupation	Employment	Confidential	Risk assessment	Legitimate interest
expectedMonthlySalary	Financial	Confidential	Transaction monitoring	Legitimate interest
password	Credential	Restricted	Authentication	Contract
walletPin	Credential	Restricted	Transaction authorization	Contract
profilePhoto	Image	Confidential	Profile display	Consent
referralCode	Identifier	Internal	Marketing	Consent
preferences	Settings	Internal	User experience	Contract

3.2 KYC Documents

Field	Data Type	Storage	Retention	Purpose
idFrontImage	Document scan	GCS: kyc/*	5 years post-closure	Identity verification
idBackImage	Document scan	GCS: kyc/*	5 years post-closure	Identity verification
selfieImage	Biometric	GCS: selfies/*	5 years post-closure	Liveness verification
ocrExtractedData	Extracted text	PostgreSQL	5 years post-closure	Verification audit trail

3.3 Financial Data

Field	Data Type	Classification	Purpose
walletBalance	Currency	Restricted	Account balance
WalletTransaction.*	Transaction records	Confidential	Financial history
JournalEntry.*	Accounting entries	Confidential	Double-entry ledger
LedgerEntry.*	Detailed postings	Confidential	Audit trail

3.4 Vendor Business Data

Field	Data Type	Classification	Purpose
businessName	Business identity	Confidential	Account identification
businessRegistration	Government ID	Restricted	Business verification
taxNumber	Government ID	Restricted	Tax compliance
primaryContact	Contact	Confidential	Communication
address, location	Location	Confidential	Service delivery
leaseAgreement	Document	Restricted	Business verification
directorIdFront/Back	Document scan	Restricted	Director verification
formJ, formC	Legal documents	Restricted	Company registration

3.5 AML/Compliance Data

Field	Data Type	Purpose	Retention
currentRiskScore	Risk metric	AML monitoring	7 years
riskRating	Risk category	AML monitoring	7 years
isPEP, pepDetails	PEP status	Enhanced due diligence	7 years
isSanctioned, sanctionsDetails	Sanctions status	Compliance	7 years
CustomerRiskProfile.*	Risk assessment	AML monitoring	7 years
Alert.*	Compliance alerts	Investigation	7 years
SAR.*	Suspicious activity reports	Regulatory reporting	7 years

---

4. Data Collection and Processing

4.1 Collection Methods

Method	Data Collected	Purpose
User Registration	Phone, name, password	Account creation
KYC Submission	ID documents, selfie	Identity verification
Profile Updates	Personal details	Account management
Transactions	Payment details, amounts	Financial services
API Integrations	Business data	Vendor services
Support Requests	Communication content	Customer support

4.2 Processing Activities

Activity	Purpose	Legal Basis	Data Subjects
Account Management	Service delivery	Contract	Users, Vendors
KYC Verification	Regulatory compliance	Legal obligation	Users, Vendors
AML Screening	Regulatory compliance	Legal obligation	Users, Vendors
Transaction Processing	Service delivery	Contract	Users, Vendors
Fraud Detection	Security	Legitimate interest	Users, Vendors
Marketing	Business development	Consent	Opted-in users
Analytics	Service improvement	Legitimate interest	All users (anonymized)

4.3 KYC/AML Processing

Identity Verification Flow:

1. User submits ID documents
          │
          ▼
2. Documents stored in GCS (keshless-documents bucket)
          │
          ▼
3. Gemini 2.5 Flash - OCR extraction of ID details (primary)
   └─ AWS Textract - OCR extraction (fallback)
          │
          ▼
4. Sanctions Screening - UN Security Council list
          │
          ▼
5. PEP Screening - Politically Exposed Persons database
          │
          ▼
6. Risk Scoring - 0-100 score calculated
          │
          ▼
7. Manual Review (if required) - Human verification
          │
          ▼
8. Verification Decision - VERIFIED, REJECTED, NEEDS_REVIEW

---

5. Data Storage

5.1 Storage Locations

Data Type	Storage System	Location	Encryption
User/Vendor records	PostgreSQL (Cloud SQL)	europe-west1	At rest (AES-256)
KYC documents	GCP Cloud Storage	Global edge	At rest (encrypted)
Audit logs	PostgreSQL	europe-west1	At rest + hash chain
Backups	GCP Cloud Storage	keshless-backups	AES-256-GCM (secrets)
Application logs	Cloud Logging	GCP	At rest

5.2 GCS Storage Structure

keshless-documents/
├── kyc/                    # User KYC documents
│   ├── {userId}-front.jpg  # ID front image
│   └── {userId}-back.jpg   # ID back image
├── selfies/                # User verification selfies
│   └── {userId}-selfie.jpg
├── vendor-kyc/             # Vendor verification documents
│   ├── {vendorId}-lease.pdf
│   ├── {vendorId}-director-front.jpg
│   └── {vendorId}-formj.pdf
└── vendor-media/           # Vendor logos, media
    └── {vendorId}-logo.png

5.3 Database Security

PostgreSQL (Cloud SQL):

• Instance: eneza-40ab5:europe-west1:eneza-postgres
• SSL/TLS required for connections
• Authorized networks only
• Automated backups (point-in-time recovery)
• Private IP (VPC connector)

---

6. Data Retention

6.1 Retention Schedule

Data Category	Retention Period	Basis
Transaction Records	5+ years from transaction	Financial regulations
KYC Documents	5 years post-account closure	AML regulations
Audit Logs	7 years	Regulatory compliance
SAR Records	7 years	AML regulations
OTP Codes	5 minutes	Security (auto-deleted)
Failed Login Attempts	90 days	Security monitoring
Application Logs	90 days	Operational
Inactive Accounts	3 years after last activity	Business decision

6.2 Automated Retention Enforcement

OTP Auto-Expiry:

// OTPs automatically expire after 5 minutes
model OTP {
  expiresAt DateTime
  // Cleanup job removes expired OTPs
}

Backup Cleanup:

• Daily backups: 2 years retention
• Monthly backups: 5 years retention
• Automated cleanup job runs weekly (Mondays 5:00 AM UTC)

6.3 Retention Exceptions

Data may be retained longer than standard periods when:

• Required by ongoing legal proceedings
• Subject to regulatory investigation
• Needed for dispute resolution
• Part of active fraud investigation

---

7. Data Subject Rights

7.1 Rights Overview

Right	Description	Implementation
Access	View personal data held	Data export via dashboard/API
Rectification	Correct inaccurate data	Profile editing, support request
Erasure	Delete personal data	Account deletion workflow
Portability	Receive data in machine-readable format	JSON export
Restriction	Limit processing	Account suspension option
Object	Object to processing	Marketing opt-out

7.2 Right to Access

Request Process:

1. User submits access request via app or email
2. Identity verification (OTP)
3. Data compiled within 30 days
4. Provided in readable format (PDF/JSON)

Data Included:

• Profile information
• Transaction history
• KYC status
• Risk profile (redacted)
• Consent records

7.3 Right to Erasure (Account Deletion)

Deletion Workflow (Implemented in Schema):

model User {
  deletionRequested    Boolean   @default(false)
  deletionRequestedAt  DateTime?
  deletionScheduledFor DateTime?
  deletedById          String?
}

Process:

1. User requests account deletion
2. deletionRequested set to true
3. deletionRequestedAt recorded
4. deletionScheduledFor set to 30 days future
5. User notified and can cancel within 30 days
6. After 30 days, data anonymized/deleted

Exceptions to Erasure:

• Active regulatory investigation
• Pending transactions
• Legal hold requirement
• Outstanding balance

7.4 Response Timeframes

Request Type	Response Deadline
Access Request	30 days
Rectification	30 days
Erasure	30 days (+ 30 day cooling-off)
Portability	30 days
Objection	30 days

---

8. Third-Party Data Processors

8.1 Sub-Processors

Processor	Service	Data Processed	Location	DPA Status
Google Cloud Platform	Infrastructure	All application data	Belgium (europe-west1)	Standard contractual clauses
GCP Cloud Storage	Document Storage	KYC documents, selfies, vendor documents	europe-west1	Standard contractual clauses
Google AI (Gemini)	OCR verification (primary)	ID documents	EU region	Google Cloud DPA
AWS Textract	OCR verification (fallback)	ID documents	EU region	AWS DPA
Twilio	SMS messaging	Phone numbers, OTPs	US	Twilio DPA
Clickatell	SMS fallback	Phone numbers, OTPs	South Africa	Standard agreement

8.2 Third-Party Security Requirements

All processors must:

• Sign Data Processing Agreement (DPA)
• Demonstrate compliance with applicable regulations
• Implement appropriate security measures
• Report data breaches within 24 hours
• Allow audit rights

8.3 Cross-Border Transfers

Transfer	Mechanism	Safeguards
EU to US (Twilio)	Standard Contractual Clauses	DPA, encryption
EU to South Africa	Adequate protection	POPIA compliance
Within EU	No additional safeguards	GDPR applies

---

9. Data Breach Notification

9.1 Breach Definition

A personal data breach is a security incident leading to:

• Accidental or unlawful destruction
• Loss
• Alteration
• Unauthorized disclosure
• Unauthorized access

9.2 Notification Requirements

Audience	Timeframe	Trigger
Central Bank of Eswatini	Within 72 hours	Any breach affecting customer data
Financial Intelligence Unit	Within 72 hours	Breach involving AML data
Affected Data Subjects	Without undue delay	High risk to rights and freedoms
Supervisory Authority	Within 72 hours	POPIA/GDPR requirement

9.3 Breach Response

See Incident Response Plan for detailed procedures.

Summary:

1. Contain - Stop the breach, preserve evidence
2. Assess - Determine scope and impact
3. Notify - Regulators (72h), affected persons
4. Document - Full incident record
5. Remediate - Fix vulnerabilities, prevent recurrence

---

10. Privacy by Design

10.1 Design Principles

Principle	Implementation
Data Minimization	Collect only necessary data for stated purposes
Purpose Limitation	Use data only for specified purposes
Storage Limitation	Delete data when no longer needed
Accuracy	Keep data accurate and up-to-date
Security	Appropriate technical measures
Accountability	Document and demonstrate compliance

10.2 Technical Measures

Measure	Description
Encryption at rest	AES-256 for databases and storage
Encryption in transit	TLS 1.3 for all connections
Pseudonymization	User IDs instead of direct identifiers
Access controls	Role-based, need-to-know
Audit logging	All access and changes logged
Data masking	PII masked in logs and displays

10.3 Privacy Impact Assessment

New features involving personal data require:

1. Data flow mapping
2. Risk assessment
3. Mitigation measures
4. Approval from Compliance Officer

---

11. Consent Management

11.1 Consent Requirements

Processing Activity	Consent Required	Withdrawal Method
Account creation	Yes (Terms of Service)	Account deletion
KYC verification	Yes (explicit)	N/A (regulatory requirement)
Transaction processing	Yes (implied by use)	Service termination
Marketing communications	Yes (explicit opt-in)	In-app toggle
Analytics	No (legitimate interest)	Opt-out available
AML monitoring	No (legal obligation)	N/A

11.2 Consent Records

Consent is recorded with:

• Timestamp
• Version of terms/privacy policy accepted
• Method of consent (checkbox, signature)
• IP address at time of consent

---

12. Employee Data Protection Responsibilities

12.1 Training Requirements

All employees handling personal data must complete:

• Data protection awareness training (annually)
• Role-specific privacy training
• Incident response training

12.2 Access Principles

• Need-to-Know: Access only data necessary for role
• Least Privilege: Minimum permissions required
• Segregation of Duties: Critical functions separated
• Regular Review: Quarterly access audits

12.3 Prohibited Activities

Employees must not:

• Access data without legitimate business purpose
• Share personal data without authorization
• Store personal data on personal devices
• Transfer data to unauthorized systems
• Discuss personal data in public areas

---

Appendix A: Demonstration Procedure

A.1 Data Privacy Demonstration

For regulatory presentations, demonstrate:

1. Data Encryption:

# Show password hashing (bcrypt)
# In database: password = "$2b$12$..." (bcrypt hash, not plaintext)

# Show PIN hashing
# In database: walletPin = "$2b$12$..." (bcrypt hash)

2. Account Deletion Flow:

# Request deletion
curl -X POST https://keshless-api-dev.../api/users/request-deletion \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json"

# Response includes:
{
  "deletionRequested": true,
  "deletionScheduledFor": "2026-02-22T00:00:00.000Z",
  "message": "Deletion scheduled. Cancel within 30 days if needed."
}

3. OTP Auto-Expiry:

# Create OTP
curl -X POST .../api/auth/request-otp -d '{"phoneNumber": "+26878422613"}'

# Wait 5+ minutes, then try to verify
curl -X POST .../api/auth/verify-otp -d '{"phoneNumber": "+26878422613", "otp": "123456"}'

# Response: 400 - OTP expired

4. Audit Trail:

• Navigate to Admin Dashboard
• View audit logs showing all data access
• Demonstrate hash chain integrity

A.2 Dashboard Demo

Navigate to /compliance-demo in the admin dashboard to:

1. View data encryption examples
2. Test account deletion workflow
3. Observe OTP auto-expiry
4. Review immutable audit trail with hash verification

---

Appendix B: Data Flow Diagrams

B.1 User Registration Flow

User App                  API                    Database
   │                       │                        │
   │ Register request      │                        │
   │──────────────────────>│                        │
   │                       │ Hash password          │
   │                       │ (bcrypt 12 rounds)     │
   │                       │                        │
   │                       │ Store user             │
   │                       │───────────────────────>│
   │                       │                        │
   │                       │ Generate OTP           │
   │                       │───────────────────────>│
   │                       │                        │
   │                       │ Send OTP               │
   │                       │──────────> Notification Service
   │                       │                        │
   │ OTP sent              │                        │
   │<──────────────────────│                        │

B.2 KYC Document Flow

User App          API              Gemini AI         GCS Storage
   │               │                │                  │
   │ Upload ID     │                │                  │
   │──────────────>│                │                  │
   │               │ Store document │                  │
   │               │────────────────────────────────-->│
   │               │                │                  │
   │               │ Generate signed URL               │
   │               │<──────────────────────────────────│
   │               │                │                  │
   │               │ OCR extraction │                  │
   │               │───────────────>│ (Gemini 2.5)    │
   │               │                │                  │
   │               │ Sanctions check│                  │
   │               │ (Internal)     │                  │
   │               │                │                  │
   │ Result        │                │                  │
   │<──────────────│                │                  │

---

Document Control

Version	Date	Author	Changes
1.0	January 2026	Compliance Team	Initial release

Approval:

Role	Name	Signature	Date
Compliance Officer	_____________	_____________	_____________
CTO	_____________	_____________	_____________
CEO	_____________	_____________	_____________