Privacy Policy

Last updated · 13 June 2026

This policy describes our handling of personal data under the Kenya Data Protection Act, 2019. We comply with the Office of the Data Protection Commissioner's (ODPC) registration requirements.

1. What we collect

  • Email address — for sign-in and transactional notifications.
  • Display name — shown to other players in matches.
  • M-PESA phone — used to deposit and cash out. Stored normalised to E.164.
  • Match activity — which questions you answered, when, and the result.
  • Wallet ledger — every credit and debit on your account, with M-PESA receipt numbers where applicable.
  • Device + IP — we log IP address, browser, and device on sign-in for fraud prevention. Logs are retained for 90 days.

2. What we don't collect

  • We don't track you across other websites or services.
  • We don't store your M-PESA PIN. Daraja STK Push handles authentication on your phone — the PIN never reaches us.
  • We don't sell, rent, or trade your personal data to third parties.

3. How we use your data

  • To run matches and credit your wallet.
  • To process M-PESA deposits and payouts (we send your phone number to Safaricom Daraja).
  • To send transactional emails (welcome, payouts, support).
  • To comply with anti-fraud, anti-money-laundering, and BCLB requirements (cash mode).
  • To improve the service — analysing aggregate match outcomes, question quality, and platform performance.

4. Who we share data with

  • Safaricom (Daraja) — phone number + amount when you deposit or cash out.
  • Resend — your email address and message body when we email you.
  • Convex — backend infrastructure provider, hosting your data.
  • BCLB / regulators — when legally compelled.

5. Security

Sensitive credentials (M-PESA API secrets) are encrypted at rest with AES-256-GCM. Sign-in is via email and password; passwords are hashed (Scrypt), never stored in plain text. Production traffic is HTTPS-only. Account access is rate-limited.

6. Retention

  • Wallet ledger entries: retained for 7 years for accounting and BCLB reporting.
  • Match activity: retained for 2 years for dispute resolution.
  • Sign-in audit logs: 90 days.
  • Closed support tickets: 1 year, then archived without personal identifiers.

7. Your rights

Under the Kenya Data Protection Act, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion (subject to retention requirements above — financial records may be preserved).
  • Object to processing for direct marketing.
  • Withdraw consent for marketing emails at any time.

Exercise these rights by emailing support@chapaswali.com or opening a support ticket. We respond within 7 business days.

8. Children

ChapaSwali is for users 18 and older. We do not knowingly collect data from children. If you believe a child has signed up, contact support and we'll close the account immediately.

9. Changes

We'll email notice of material changes at least 7 days before they take effect. The date of the last update is shown at the top.

Questions?

Email us or open a ticket.