1. Introduction
This Privacy Policy (“Policy”) describes how Elicate Technologies Limited (“Elicate Pay”, “we”, “us”, or “our”), a company registered in the Republic of Zambia, collects, uses, stores, shares, and protects personal information through our mobile money payment gateway platform (“Platform”).
Our Platform is powered by Flutterwave Inc. (“Flutterwave”), which processes the underlying financial transactions. This Policy covers data handling by Elicate Pay; Flutterwave's processing of payment data is additionally governed by Flutterwave's own privacy policy.
By using Elicate Pay, you consent to the collection and use of your information as described in this Policy. If you do not agree with this Policy, please do not use the Platform.
2. Who This Policy Applies To
This Policy applies to:
- Merchants: Businesses and individuals who register for a Merchant Account to accept payments through Elicate Pay.
- Customers (Payers): Individuals who make payments to Merchants through the Elicate Pay Platform, including through Payment Links, checkout pages, or merchant-integrated payment forms.
- Website Visitors: Anyone who visits the Elicate Pay website, documentation pages, or any other publicly accessible page on the Platform.
3. Information We Collect
3.1 Merchant Registration Data
When you create a Merchant Account (via email/password or Google authentication), we collect:
- Full legal name
- Business name
- Email address
- Phone number (mandatory)
- Password (stored as a secure hash via Firebase Authentication — we never store plain-text passwords)
- Google account information (if signing up with Google): name, email, profile picture
3.2 Customer (Payer) Transaction Data
When a Customer makes a payment through Elicate Pay, we collect:
- Customer name (as provided by the Merchant or entered by the Customer)
- Mobile phone number
- Mobile money network (MTN, Airtel, or Zamtel)
- Transaction amount
- Transaction reference
- Transaction status and timestamps
Important: We do NOT collect or store mobile money PINs, wallet balances, or any mobile money account credentials. The USSD payment approval happens entirely within the mobile network operator's secure system.
3.3 API Usage Data
We automatically collect data about your use of our API, including:
- API endpoints accessed
- Request timestamps
- API key identifiers (hashed, not the actual key values)
- Response status codes
- Error messages (for debugging and monitoring)
3.4 Dashboard & Website Usage Data
When you visit our website or use the merchant dashboard, we may collect:
- Browser type and version
- Device type and operating system
- IP address
- Pages visited and time spent on pages
- Referral source
This data is collected through Vercel Analytics, our hosting provider's privacy-friendly analytics service.
3.5 Webhook Delivery Data
When we deliver webhooks to your server, we record:
- Webhook endpoint URL
- Delivery status (success/failure)
- HTTP response codes from your server
- Delivery timestamps and retry attempts
4. How We Use Your Information
We use the information we collect for the following purposes:
4.1 Core Service Delivery
- Processing mobile money payments on your behalf.
- Authenticating your API requests and dashboard access.
- Managing your Merchant Account, including account verification and status management.
- Issuing and managing API keys.
- Delivering webhook notifications about transaction status changes.
- Generating transaction reports and analytics visible in your dashboard.
4.2 Security & Fraud Prevention
- Detecting and preventing fraudulent transactions.
- Monitoring for unauthorized access to accounts or the API.
- Investigating suspicious activity and potential Terms of Service violations.
- Complying with Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements.
4.3 Communication
- Sending important account notifications (verification status, security alerts, policy changes).
- Providing customer support when you contact us.
- Sending service updates and technical notices about the Platform.
4.4 Platform Improvement
- Analyzing usage patterns to improve the Platform's performance, reliability, and features.
- Debugging and fixing technical issues.
- Developing new features and services.
4.5 Legal Compliance
- Complying with applicable laws, regulations, and legal processes in Zambia and other relevant jurisdictions.
- Responding to lawful requests from government authorities and law enforcement agencies.
- Enforcing our Terms of Service and protecting our legal rights.
5. How We Share Your Information
We do not sell your personal information. We share your information only in the following circumstances:
5.1 Flutterwave (Payment Processor)
To process mobile money payments, we share the following data with Flutterwave:
- Customer phone number
- Customer name
- Payment amount and currency
- Mobile money network
- Transaction reference
- Merchant email (used for transaction receipts)
Flutterwave processes this data in accordance with its own privacy policy and security standards, including PCI-DSS Level 1 compliance and ISO 27001 certification. Flutterwave does not receive your API keys, passwords, or any data beyond what is strictly necessary for payment processing.
5.2 Firebase / Google Cloud
Your account data and transaction records are stored in Google Cloud Firestore, and authentication is managed by Firebase Authentication. Google processes this data in accordance with Google Cloud's data processing terms and privacy practices.
5.3 Vercel (Hosting Provider)
Our Platform is hosted on Vercel. Basic request metadata (IP addresses, request headers) may be processed by Vercel for purposes including DDoS protection, performance optimization, and analytics. Vercel does not have access to your account credentials or transaction data.
5.4 Upstash (Webhook Queue)
We use Upstash QStash for reliable webhook delivery. Webhook payloads (containing transaction data) are temporarily queued through Upstash for delivery to your webhook endpoint. This data is encrypted in transit and at rest.
5.5 Legal & Regulatory Disclosures
We may disclose your information if required to:
- Comply with a legal obligation, court order, or government request.
- Protect the rights, safety, or property of Elicate Pay, our merchants, or the public.
- Enforce our Terms of Service.
- Respond to requests from the Bank of Zambia, the Financial Intelligence Centre, or other regulatory bodies.
5.6 Business Transfers
If Elicate Technologies Limited is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.
6. Data Security
We take the security of your data seriously and implement multiple layers of protection:
6.1 Encryption
- In Transit: All data transmitted to and from Elicate Pay is encrypted using TLS 1.2+ (HTTPS). This includes API calls, dashboard access, webhook deliveries, and Flutterwave communications.
- At Rest: Data stored in Google Cloud Firestore is encrypted at rest using Google's default encryption (AES-256). Webhook queue data in Upstash is also encrypted at rest.
6.2 Credential Security
- Passwords: Merchant passwords are managed by Firebase Authentication and are never stored in plain text. Firebase uses industry-standard bcrypt hashing.
- API Secret Keys: Secret keys are hashed using SHA-256 before storage. We store only the cryptographic hash — the original key cannot be recovered from our database. If you lose your secret key, we cannot retrieve it; you must rotate to a new one.
- Flutterwave Keys: Our Flutterwave API credentials are stored as encrypted environment variables and are never exposed to merchants or in client-side code.
6.3 Flutterwave Security Inheritance
Because all payment processing flows through Flutterwave, your transactions benefit from Flutterwave's enterprise-grade security infrastructure:
- PCI-DSS Level 1: The highest level of payment security certification, requiring annual audits by a Qualified Security Assessor.
- ISO 27001: International standard for information security management.
- SOC 2 Type II: Independent verification of security, availability, and confidentiality controls.
- Real-Time Fraud Monitoring: Machine learning-based fraud detection systems that analyse transaction patterns in real time.
- Multi-Factor Authentication: For all administrative access to Flutterwave's systems.
No sensitive financial data (mobile money PINs, wallet credentials) ever passes through or is stored on Elicate Pay's servers. The USSD payment approval flow is handled entirely within the mobile network operator's and Flutterwave's secure infrastructure.
6.4 Infrastructure Security
- Hosting: Elicate Pay is hosted on Vercel's enterprise infrastructure, which provides automatic DDoS protection, a global CDN, and edge network security.
- Database: Google Cloud Firestore with automatic encryption, access controls, and audit logging.
- Access Controls: Strict role-based access controls for all internal systems. Administrative access requires multi-factor authentication.
6.5 Incident Response
In the event of a data breach or security incident that affects your personal information, we will:
- Investigate and contain the breach promptly.
- Notify affected users without undue delay.
- Report the breach to relevant regulatory authorities as required by law.
- Take corrective action to prevent recurrence.
7. Data Retention
We retain your data for the following periods:
- Account Data: For as long as your Merchant Account is active, plus 7 years after account closure (to comply with financial record-keeping requirements).
- Transaction Records: For a minimum of 7 years from the transaction date, as required by Zambian financial regulations and tax laws.
- API Usage Logs: For 12 months from the date of the API request.
- Webhook Delivery Logs: For 90 days from the delivery attempt.
- Website Analytics: Aggregated and anonymized — retained indefinitely. Individual session data is retained for 12 months.
After the retention period expires, we will securely delete or anonymize the data so that it can no longer be associated with you.
8. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal information:
- Access: You can request a copy of the personal information we hold about you. Much of this is already available through the merchant dashboard.
- Correction: You can request that we correct any inaccurate or incomplete personal information. You can also update most of your information directly through the dashboard settings.
- Deletion: You can request that we delete your personal information. Note that we may need to retain certain data for legal compliance (see Section 7). Deletion of your data will require account closure.
- Restriction: You can request that we restrict the processing of your personal information in certain circumstances.
- Portability: You can request a machine-readable copy of the personal information you provided to us.
- Objection: You can object to our processing of your personal information in certain circumstances.
To exercise any of these rights, please contact us at privacy@elicatepay.com. We will respond to your request within 30 days.
Please note that some requests may be limited by our legal obligations (e.g., we cannot delete transaction records required for financial compliance).
9. Cookies & Tracking Technologies
Elicate Pay uses minimal cookies and tracking technologies:
9.1 Essential Cookies
These are required for the Platform to function and cannot be disabled:
- Authentication Tokens: Firebase authentication tokens stored in your browser to keep you signed in.
- Session Data: Temporary data needed to maintain your session state.
9.2 Analytics
We use Vercel Analytics to understand how our website is used. Vercel Analytics is privacy-friendly and does not use cookies for tracking. It collects anonymized page view data and basic performance metrics.
9.3 No Third-Party Advertising
We do NOT use any advertising cookies, tracking pixels, or third-party ad networks on our Platform. We do not sell or share your browsing behaviour with advertisers.
10. Children's Privacy
Elicate Pay is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a person under 18, we will take steps to delete that information promptly.
11. International Data Transfers
Your data may be processed in countries outside Zambia due to the nature of our service providers:
- Flutterwave: Headquartered in the United States with operations across Africa. Payment data is processed within their global infrastructure.
- Google Cloud / Firebase: Data may be stored and processed in Google's data centres, which are located globally.
- Vercel: Hosting infrastructure with global edge locations.
- Upstash: Webhook queue processing may occur in various data centre locations.
All our service providers maintain appropriate data protection standards. Where data is transferred internationally, it is protected by encryption in transit and contractual data processing agreements.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes:
- We will update the “Last updated” date at the top of this page.
- We will notify you via email or through the merchant dashboard.
- We will provide at least 30 days' notice before material changes take effect.
Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes.
13. Zambian Data Protection Law
Elicate Pay operates in compliance with the Data Protection Act No. 3 of 2021 of the Republic of Zambia and any regulations issued thereunder. We are committed to upholding the data protection principles established by the Zambia Information and Communications Technology Authority (ZICTA) and the Office of the Data Protection Commissioner.
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Zambia.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Elicate Technologies Limited
Data Protection Officer
Email: privacy@elicatepay.com
General Support: support@elicatepay.com
Website: elicatepay.com
Lusaka, Zambia
This Privacy Policy should be read together with our Terms of Service. Together, they form the complete agreement regarding your use of the Elicate Pay Platform.
