Last updated: 23 June 2026

Privacy Policy

This Privacy Policy explains how [Your Company Ltd] ("Vanray", "we", "us") collects, uses, discloses and protects personal data. It is aligned with the Kenya Data Protection Act, 2019 ("DPA") and the regulations issued by the Office of the Data Protection Commissioner ("ODPC").

1. Roles: controller and processor

Vanray provides software that WiFi operators ("Operators") use to run their own hotspot businesses. For data about end-users (the people who buy WiFi through an Operator's captive portal), the Operator is the data controller and Vanray acts as a data processor on their behalf, in accordance with section 42 of the DPA.

For data about the Operators themselves (the people who sign up to use the Vanray dashboard), Vanray is the data controller.

2. What we collect

  • Operator account data: name, email, password hash, business name, billing details.
  • End-user hotspot data: phone number (M-Pesa MSISDN), device MAC address, IP address, session start/end times, package purchased, voucher codes redeemed.
  • Payment metadata: M-Pesa transaction IDs, amounts and timestamps, returned from Safaricom Daraja.
  • Technical data: server logs, error reports, cookies strictly necessary for the dashboard to function.

3. M-Pesa and payment processing

M-Pesa payments are processed by Safaricom PLC via the Daraja API using the Operator's own credentials. Vanray receives transaction metadata (amount, timestamp, M-Pesa receipt, phone number) needed to credit the end-user with internet access. Vanray does not see or store M-Pesa PINs. Safaricom is an independent data controller for the payment itself.

4. Lawful basis

We process personal data on the following lawful bases under section 30 of the DPA:

  • Performance of a contract (delivering WiFi access after payment).
  • Legitimate interests (running and securing the platform, preventing fraud).
  • Compliance with a legal obligation (tax records, lawful intercept requests).
  • Consent, where required (e.g. marketing communications).

5. How long we keep data

Session and payment records are retained for up to 24 months by default to support reconciliation, dispute resolution and tax compliance. Operators may configure shorter retention. Audit logs are retained for 12 months. Account data is retained while an Operator's subscription is active, then deleted within 90 days of account closure unless we are legally required to keep it.

6. Your rights (Part V of the DPA)

  • Right to be informed of the use of your personal data.
  • Right of access to your personal data.
  • Right to correction of false or misleading data.
  • Right to deletion of false or misleading data about you.
  • Right to object to processing.
  • Right to portability.

To exercise these rights, email [privacy@yourdomain.co.ke]. If you are an end-user of an Operator's hotspot, you should also contact the Operator directly, as they are the controller of your data.

7. Disclosure to third parties

We share data only with sub-processors strictly necessary to operate the service:

  • Hosting and database infrastructure providers.
  • Safaricom Daraja (payment processing).
  • Communications providers for SMS/email receipts (if enabled).
  • Law enforcement, where required by a valid Kenyan court order.

8. International transfers

Some sub-processors may store data outside Kenya. Where this happens, we rely on the safeguards permitted under section 48 of the DPA, including standard contractual clauses and adequacy assessments.

9. Security

We use encryption in transit (TLS), encryption at rest, role-based access controls, audit logging and the principle of least privilege. No system is perfectly secure — if you believe your data has been compromised, contact us immediately.

10. Complaints

You can complain to the Office of the Data Protection Commissioner (ODPC) at complaints@odpc.go.ke or via odpc.go.ke. We'd appreciate the chance to address your concern first — email [privacy@yourdomain.co.ke].

11. Changes

We may update this Policy. We will notify Operators of material changes by email and by a banner on the Vanray dashboard.

12. Contact

[Your Company Ltd]
[Your address], Kenya
Email: [privacy@yourdomain.co.ke]