Home›Privacy Policy

Last updated: April 1, 2026

Privacy Policy

Plain language summary: We collect the minimum data needed to run an invoicing service — your business details, invoices, and payment info. We share your invoice data with KRA because that's the whole point of eTIMS. We store data on Convex servers in the United States. We will never sell your data to anyone. You can export or request deletion of your data at any time (within the limits of what the law requires us to keep).

1. Who We Are (Data Controller)

PesaStack Limited ("PesaStack," "we," "us") is the data controller for personal data processed through Risiti. We are a private limited company registered in the Republic of Kenya.

Product: Risiti (getrisiti.com)
Contact: hello@getrisiti.com
Data Protection Officer: As required by Section 24 of the Kenya Data Protection Act, 2019, PesaStack will appoint a Data Protection Officer and register with the Office of the Data Protection Commissioner (ODPC). Until appointment, direct all data protection queries to hello@getrisiti.com.

This Privacy Policy applies to all personal data we collect when you use Risiti on the web (getrisiti.com) or via mobile apps.

2. What Data We Collect

2.1 Account & Business Data

Business name and trading name
KRA Personal Identification Number (PIN)
Branch ID (if applicable)
Director or authorized user names
Phone number (used for login via OTP and SMS notifications)
Email address (if provided)
Business type and category

2.2 Invoice Data

Invoice line items: item descriptions, quantities, unit prices, discount amounts
Invoice totals, tax calculations, and applicable tax type codes
Buyer details: buyer name, buyer KRA PIN (if provided), buyer phone number (if provided for SMS delivery)
Invoice dates, invoice numbers, payment method codes
KRA receipt numbers and QR code data returned by KRA after invoice submission

Note: Invoice data is transmitted to KRA's eTIMS system as a core function of the Service. This is not optional — it is the reason Risiti exists.

2.3 Payment Data

M-Pesa phone number used for payment
M-Pesa CheckoutRequestID and MerchantRequestID (transaction identifiers)
M-Pesa receipt numbers for completed payments
Subscription plan, amount, and payment timestamps

We do not store your M-Pesa PIN, M-Pesa account balance, or any payment card details.

2.4 Usage Data

Features used, pages visited, and interaction patterns within the app
Error logs and crash reports (anonymized where possible)
Session timestamps and general usage frequency

2.5 Device Data (Mobile App)

Device type and model
Operating system version
App version
Push notification token (if you enable push notifications)

2.6 SMS Delivery Data

Recipient phone numbers for SMS delivery via Africa's Talking
SMS delivery status (sent, failed)

We do not read, store, or process the content of any SMS messages you receive. SMS is outbound only.

3. How We Use Your Data

Purpose	Legal Basis
To provide the invoicing service and transmit invoices to KRA via eTIMS	Contract performance + Legal obligation (Tax Procedures Act, 2015)
To process M-Pesa subscription payments	Contract performance
To send transactional SMS (invoice confirmations, payment receipts, KRA status)	Contract performance + Legitimate interest
To verify your identity via OTP at login	Contract performance + Security (legitimate interest)
To comply with Kenyan tax, financial, and data protection laws	Legal obligation
To improve the Service using aggregated, anonymized analytics	Legitimate interest
To send renewal reminders and service announcements	Legitimate interest (you can opt out)
To send marketing communications about new features or offers	Consent (you can withdraw at any time)

4. Who We Share Your Data With

PesaStack does not sell your data. Ever. We share data only with the parties listed below, and only to the extent necessary to provide the Service.

4.1 Kenya Revenue Authority (KRA)

Your invoice data is transmitted to KRA's eTIMS system via the OSCU API. This is the primary and mandatory function of Risiti. Sharing invoice data with KRA is required by Kenyan tax law. You cannot opt out of this and continue using the Service — it is the entire purpose of eTIMS invoicing.

4.2 Safaricom (M-Pesa)

When you make a subscription payment, your M-Pesa phone number and payment amount are shared with Safaricom's Daraja API to process the STK Push transaction. Safaricom's own privacy policy governs their handling of this data.

4.3 Africa's Talking (SMS)

Your phone number (and the phone numbers of invoice recipients, where provided) are shared with Africa's Talking solely for the purpose of delivering SMS notifications. Africa's Talking processes this data as a data processor on our behalf.

4.4 Convex (Cloud Infrastructure)

All Risiti data — including your business profile, invoices, and payment records — is stored on Convex cloud infrastructure. Convex operates servers in the United States. See Section 5 on international data transfers.

4.5 Law Enforcement & Regulatory Bodies

We may disclose data to Kenyan law enforcement agencies, courts, the ODPC, or other regulatory bodies when required to do so by law, court order, or to protect the rights, property, or safety of PesaStack, our users, or the public.

5. International Data Transfers

Risiti stores all data on Convex cloud servers located in the United States. The United States does not have an adequacy determination from Kenya's ODPC under Section 48 of the Kenya Data Protection Act, 2019.

PesaStack relies on appropriate contractual safeguards with Convex (data processing agreements) to ensure your data receives an adequate level of protection when transferred outside Kenya. By using Risiti, you consent to this transfer.

If you have concerns about international data transfers, contact us at hello@getrisiti.com.

6. Data Retention

Active account data: Retained for the duration of your subscription and for 30 days after account closure to allow data export.
Invoice data: Retained for a minimum of 7 years from the invoice date, in line with the record-keeping requirements of the Tax Procedures Act, 2015. This applies even after account closure. The data is hidden from your view after account closure but is not destroyed.
Payment records: Retained for 7 years for financial record-keeping compliance.
Usage and analytics data: Anonymized and aggregated within 12 months. Raw usage logs retained for up to 90 days.
SMS delivery logs: Retained for 12 months.
OTP verification records: Deleted within 24 hours of use.

7. Your Rights Under the Kenya Data Protection Act, 2019

As a data subject under the Kenya DPA 2019, you have the following rights:

Right of Access You can request a copy of all personal data we hold about you. Email hello@getrisiti.com. We will respond within 21 days.

Right to Rectification You can update inaccurate data directly in your account settings, or by contacting us. Note: invoice data already transmitted to KRA cannot be retroactively changed through Risiti.

Right to Deletion You can request deletion of your account and associated data. We will honour this request subject to our legal retention obligations — we cannot delete invoice data that KRA's 7-year retention requirement covers.

Right to Data Portability You can export all your invoices at any time from the app (Settings → Export). Exports are provided in JSON format.

Right to Object You can object to processing based on legitimate interest (e.g., marketing SMS). You cannot object to processing that is legally required (e.g., KRA transmission) or necessary to deliver the Service.

Right to Lodge a Complaint If you believe we have violated your data rights, you can lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.

To exercise any of these rights, email hello@getrisiti.com with the subject line "Data Rights Request." We will verify your identity before processing the request.

8. Security

PesaStack implements the following security measures to protect your data:

Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2 or higher.
Encryption at rest: Data stored on Convex infrastructure is encrypted at rest.
Access controls: Access to production data is restricted to authorized PesaStack personnel only, on a need-to-know basis.
OTP-based authentication: Account access requires phone-based OTP verification. We do not use passwords.
No M-Pesa PIN storage: We never store, log, or transmit your M-Pesa PIN.

No security system is 100% impenetrable. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ODPC as required by the Kenya Data Protection Act, 2019.

9. Children's Privacy

Risiti is a business tool intended for adults operating registered businesses in Kenya. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a minor has created an account, contact us at hello@getrisiti.com and we will delete the account.

10. Cookies & Web Tracking

For details on how Risiti uses cookies and tracking technologies on the web app, see our Cookie Policy.

In summary: we use session cookies for authentication, and anonymized analytics to understand how people use the app. We do not use third-party advertising trackers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email or SMS at least 30 days before the changes take effect. The updated policy will always be available at getrisiti.com/privacy.

Your continued use of Risiti after the effective date of changes constitutes acceptance of the updated policy.

12. Contact & Complaints

For any privacy-related questions, requests, or complaints:

Email: hello@getrisiti.com (subject: "Privacy")
Website: getrisiti.com
Company: PesaStack Limited, Nairobi, Kenya

If you are not satisfied with our response, you have the right to contact the Office of the Data Protection Commissioner (ODPC):
Website: odpc.go.ke · Email: info@odpc.go.ke