MVEND

Data protection and Privacy policy

1. Introduction

MVend Rwanda Limited (“MVend”, “us”, “we” or “our”) is a Payment service provider licensed as an E-money issuer in Rwanda and beyond.

MVend processes data and information, inter alia, to:

  1. Fulfill legal and Contractual obligations;
  2. Deliver payment services to customers;
  3. Exercise responsibilities and duties as a licensed E-money issuer in Rwanda and abroad;
  4. Protect legitimate interest of data subject(s), employees and third parties.

MVend places a high priority on the privacy of Data Subjects and views the protection and respect of data privacy rights as a core responsibility. Ensuring compliance with relevant Data Protection Legislation is an essential aspect of MVend’s obligations.

As a Data Controller and Data Processor, MVend is committed to processing the data of our customers, employees, and other data subjects securely and transparently.

This Policy outlines the lifecycle of data processing, including how we collect, use, store, manage, and retain data, as well as our overall data protection practices.

2. Definitions 

In this Policy, the following terms shall be defined as follows:

  • Consent: A voluntary, specific, informed, and clear expression of the Data Subject’s intentions, given through a statement or an explicit affirmative action, signifying their agreement to the processing of their data.
  • Data Controller: The individual or legal entity, public authority, agency, or other organization that, either independently or together with others, decides the purposes and methods of processing personal data.
  • Data Processor: An individual or legal entity, public authority, agency, or other organization that processes personal data on behalf of the Data Controller.
  • Data Subject: A natural person who can be identified, either directly or indirectly, particularly by reference to identifiers such as a name, identification number, location data, online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
  • Data Protection Legislation: Refers to the Rwandan Data Protection Act 2021 and any other relevant laws concerning data privacy, protection, and the use of Personal Data, including any guidelines or codes of practice issued by the Supervisory Authority.
  • Processing: any activity or series of activities carried out on personal data or sets of personal data, whether through automated means or not. This includes collection, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or making available in any other form, aligning or combining, restricting, erasing, or destroying.
  • Personal Data: Refers to any information that identifies or is related to an identified Data Subject, a living individual, or an identifiable natural person. This includes, but is not limited to, name, email address, date of birth, mobile number, residential address, payment card information, financial details such as bank account number, government-issued identity credentials (e.g., national ID number, passport, driver’s license), or taxpayer identification number. It may also cover location data such as an Internet Protocol (IP) address or login information.
  • Personal Data Breach: a security incident that results in the accidental or unlawful destruction, loss, modification, unauthorized disclosure, or access to personal data that has been transmitted, stored, or otherwise handled.
  • Sensitive Personal Data: Personal data related to a data subject which includes information about racial or ethnic origin, political beliefs, religious or philosophical convictions, or trade union membership, as well as the processing of genetic and biometric data used to uniquely identify an individual, health-related data, or information concerning an individual’s sexual orientation or sexual life.
  • Supervisory Authority: the National Cyber Security Authority (NCSA) or any other designated institution or body responsible for overseeing, monitoring, and ensuring compliance with Data Protection Legislation, to safeguard the fundamental rights and freedoms of individuals.
  • Third Party: any individual or legal entity, public authority, agency, or organization other than the data subject, controller, or processor, including those authorized to process personal data under the direct instruction of the controller or processor.   

3. Purpose of this Policy

The purpose of this policy is to outline MVend’s commitment to protecting and safeguarding Personal Data, establish the principles for proper and secure data management, ensure that all processing activities comply with Data Protection Legislation, uphold the privacy rights of Data Subjects, and ensure that MVend meets its regulatory responsibilities.

4. Scope and Applicability

This Policy applies to the processing of all Personal Data of individuals, including but not limited to:

  • Customers and users of MVend’s products and services.
  • Vendors and suppliers.
  • Prospective employees.
  • MVend employees (details about MVend’s privacy practices concerning employee data can be found in the Employee Privacy Notice).

All Personal Data must be appropriately managed and processed, regardless of how it is collected, recorded, or utilized, whether in paper form, electronic records, or other formats (such as data stored on computers, emails, or other media).

5. Key Privacy Principles

MVend adheres to the following fundamental privacy principles as part of its Data Privacy Program:

5.1. Lawfulness, Fairness, and Transparency

MVend collects, processes, and uses Personal Data legally and fairly. We ensure that data subjects are informed about how their data is handled and the reasons behind the collection, use, and storage of their data.

5.2. Purpose Limitation

Personal Data is collected for clear, specific, and legitimate purposes, and it is not processed further in ways that are inconsistent with or exceed the original reasons for which the data was collected.

5.3. Data Minimization

We ensure that Personal Data is sufficient, relevant, and restricted to what is necessary for the purposes for which it is being processed. We assess the scope of the processing to ensure it is only as extensive as required to achieve the intended purpose.

5.4. Accuracy

We ensure that all Personal Data collected is accurate and regularly updated. Every reasonable measure is taken to correct, update, or amend any inaccurate personal data without unnecessary delay.

5.5. Storage Limitation

Personal Data is retained in a manner that allows the identification of data subjects only for as long as is necessary to fulfil the purposes for which the data is processed.

5.6. Integrity and Confidentiality

We ensure that data subjects’ Personal Data is processed with appropriate security measures in place, protecting it from unauthorized or unlawful processing, as well as accidental loss, destruction, or damage, through the use of suitable technical and organizational safeguards.

5.7. Accountability

MVend, as a data controller, is responsible for ensuring and demonstrating compliance with the aforementioned principles. We implement procedures to guarantee that all employees, contractors, consultants, and any other parties with access to personal data managed by or on behalf of MVend, are fully aware of, and abide by, their duties and responsibilities under the Data Protection Legislation.   

6. Purposes for Processing

MVend collects and processes Personal Data under various circumstances, including but not limited to:

  1. Establishing and managing customer accounts. 
  2. Delivering payment processing services and other related offerings. 
  3. Overseeing payment transactions, including authorization, clearing, chargebacks, and related dispute resolutions.
  4. Preventing fraud, unauthorized transactions, claims, and mitigating liabilities. 
  5. Communicating with data subjects regarding MVend’s products, services, offers, programs, and promotions, as well as those of financial institutions, merchants, and partners. 
  6. Complying with applicable laws and regulations, including obligations related to Know Your Customer (KYC), risk assessments, Anti-Money Laundering (AML), anti-corruption, sanctions screening, or as required by judicial processes, law enforcement, or governmental agencies with jurisdiction over MVend or its affiliates. 
  7. Evaluating and improving business operations, including developing new products and services. 
  8. Providing newsletters, advertisements, and service updates. 
  9. Using data analytics to enhance our website, products, services, and user experiences, while optimizing service delivery. 
  10. Managing interactions with MVend’s employees, such as customer support staff or officers, whether through phone, letters, in-person meetings, emails, or messages, to maintain the business relationship with the organization the Data Subject represents.
  11. Managing security and access to MVend’s premises and IT systems (e.g., website, data management platforms, communications systems), including preventing and detecting security threats, fraud, and unauthorized or malicious activities. 
  12. Responding to requests for contact from MVend, including adding individuals to mailing lists or replying to requests for Personal Data. 
  13. For any other purposes where specific notice is given at the time of data collection.
  14. Assessing individuals’ employment interests and contacting potential candidates about employment opportunities at MVend. 
  15. As needed, establishing, exercising, or defending legal rights. 

7. Personal Data that We Collect

MVend may collect, use, or process the following types of Personal Data:

7.1. Identity Data

Information such as a data subject’s full name, government-issued identity number, and date of birth. This data is required to verify identity and provide our services. We also collect copies of a data subject’s passport, driving license, or any other government-issued identity card, along with photographs or images in photo or video form (if applicable), and any other registration information provided to prove eligibility for using our services. This complies with regulatory requirements for Know Your Customer (KYC), Know-Your-Business (KYB), and Anti-Money Laundering (AML) laws and regulations.

7.2. Contact Data

Includes the country of residence, contact address, email address, phone number, device details, and billing information. This data is necessary for communication with customers regarding the provision of our services and to verify login requests.

7.3. Log/Technical Data

When MVend’s services are accessed, our servers automatically record data sent by the browser. This includes information such as links clicked on, length of time spent on specific pages, unique device identifiers, page interaction information (e.g., scrolls and clicks), login details, IP addresses, location, and other device-related data.

7.4. Financial Data

Information such as bank account number, International Bank Account Number (IBAN), sort code, beneficiary details, transaction date, total transaction amount, and other data provided by financial institutions or merchants when acting on their behalf.

7.5. Transactional Data

This refers to payment-related information when customers use our products or services to make payments.

7.6. Marketing and Communications Data

Includes records of data subjects’ preferences to subscribe to or withdraw from marketing materials from MVend or third parties, as well as communications with MVend through phone calls, call recordings, online chats, or other communication channels.

7.7. Communication Records

Records of any discussions or communications between users and MVend when we contact a user, or when a user contacts us. Additionally, we may collect, store, use, and transfer non-personal or anonymized data, such as statistical or demographic data.

Note: MVend’s services are not directed towards children. We do not intentionally collect or process data from minors. If any employee identifies that personal data from a minor has been mistakenly or unknowingly collected, this should be immediately reported to the Data Protection Officer (DPO).

8. RIGHTS OF DATA SUBJECTS

Data subjects are entitled to certain rights, and it is every employee’s obligation to ensure the exercise of these rights is facilitated and requests are promptly addressed. No employee shall refuse to act on a data subject’s request regarding their rights unless they cannot or are not in a position to verify the data subject’s identity. An employee may request additional information necessary to confirm or verify the data subject’s identity. All inquiries and requests submitted by data subjects must be addressed within thirty (30) days of receiving the request. No employee shall charge or receive a fee from a data subject for exercising their rights.

Below are the rights of a data subject:

8.1. Right to Information

A data subject may request information on how their data is being processed, how it is stored, and for what purpose.

8.2. Right of Access

A data subject has the right to request copies of their data and/or supplementary information regarding its processing.

8.3. Right to Rectification:

If personal data is incorrect, inaccurate, or incomplete, a data subject can request that it be corrected, rectified, or updated.

8.4. Right to Object:

A data subject may, at any time, request in writing or electronically that the processing of his or her personal data be stopped where it causes or is likely to cause loss, sadness or anxiety to the data subject, particularly for advertising, marketing, research, or statistical purposes.

However, this right does not apply if MVend demonstrates compelling legitimate grounds for the personal data processing, which override the interests, rights and freedoms of the data subject, or for the establishment of a legal claim.

8.5. Right to Erasure:

A data subject may request that their data be deleted or erased if it is no longer necessary for its original purpose. However, this right is limited and does not apply when MVend is required by law or regulatory compliance to retain the data.

8.6. Right to Object to the Processing of Personal Data:

If a data subject objects to the further processing of their personal data, employees/processors must cease processing unless legitimate grounds overriding the rights, interests, and freedoms of the data subject can be proven, or if the processing is necessary for the establishment, exercise, or defense of legal claims.

8.7. Right to Data Portability:

Upon request, MVend shall provide the data subject with their data in a structured, commonly used, and machine-readable format. Where technically feasible, MVend may transmit the data directly to another controller upon the data subject’s request.

8.8. Right Not to be Subject to a Decision Based on Automated Processing:

No data subject shall be subjected to a decision made solely based on automated processing, including profiling.

8.9. Right to Designate an Heir to Personal Data:

If a deceased data subject leaves a will, the designated heir has the right concerning the processing of the deceased’s data.

8.10. Right to Representation:

If a data subject is impaired or unable to exercise their rights, they have the right to be represented by a parent, a care centre, or a court-appointed guardian.

9. LAWFUL BASIS FOR PROCESSING

The purposes of MVend’s processing are based on one of the following:

9.1. Contractual Obligation

We process personal data to establish and execute a contract or contractual obligations.

9.2. Legal Obligation

Data is processed when we have a legal obligation to comply with relevant applicable laws, regulations, and orders. This includes measures to prevent fraud by verifying your identity and addressing risks associated with terrorism financing, proliferation financing, and money laundering. To ensure compliance with all relevant financial legislations, such as Anti-Money Laundering and Counter-Terrorist Financing laws, we must collect, store, and process personal data.

9.3. Consent

Where we rely on consent, the data subject must provide explicit consent for such processing. The data subject has the right to withdraw consent at any time.

9.4. Legitimate Interest

MVend may process personal data based on legitimate interests pursued by our business, provided that such processing does not override the fundamental rights and freedoms of the data subject.

10. SECURITY, INTEGRITY, AND CONFIDENTIALITY

10.1. Security

MVend shall ensure that personal data is stored securely and kept up to date. Personal data must be protected by appropriate technical and organizational measures against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage. All servers and computers containing data should be secured with approved security software and firewalls.

10.2. Confidentiality and Storage

Personal data is considered confidential. Unauthorized processing of personal data is strictly prohibited. Access to personal data shall be granted to employees on a need-to-know basis. Data should not be shared informally, and any access request must be justified before approval.

For physical records, paper documents must be stored in secure drawers or filing cabinets. Employees must ensure that printed materials are not left unattended in areas accessible to unauthorized individuals. When no longer required, printed data should be shredded and disposed of securely.

For electronic records, data must be protected against unauthorized access, accidental deletion, and malicious hacking attempts. Data should only be stored on designated drives and servers and uploaded to approved cloud services.

Data backups should be performed frequently and tested regularly according to the company’s standard backup procedures.

10.3. Accuracy

All employees handling data are responsible for taking reasonable steps to ensure its accuracy and currency:

  1. Data should be held in as few locations as necessary; employees should avoid creating unnecessary additional data sets.
  2. Employees should take opportunities to confirm and update data, such as verifying customer details during interactions.
  3. MVend will facilitate data subjects in updating their information.
  4. Data inaccuracies should be corrected promptly; for example, if a customer’s mobile number is no longer reachable, it should be removed from the database.
  5. Data should be regularly reviewed, and outdated information should be deleted if no longer needed or if there is no legal basis for retention.

11. DISCLOSURE AND TRANSFER OF PERSONAL DATA

MVend may disclose or share personal data as reasonably required for the purposes outlined in this policy. Personal data may be disclosed or shared in the following ways:

11.1. Subsidiaries and Affiliated Entities

MVend may provide data to its subsidiaries or affiliated entities for the purpose of processing personal data on its behalf. We require that these parties agree to process such information based on our instructions, implement appropriate confidentiality and security measures, and comply with applicable data protection legislation.

11.2. Third-Party Service Providers

Data may be shared with third-party providers, service providers, financial partners, or suppliers to effectively provide our services to customers. These services include identity verification, fraud prevention, customer service and support, analytics, payment facilitation through our banking and financial service partners (including card networks), communication service providers, and information technology services.

11.3. Legal Compliance

We may share personal data to comply with subpoenas, court orders, summonses, requests from police or other law enforcement agencies, regulatory inquiries, or as required by law.

11.4. Necessary Disclosure

We may share personal data where disclosure is reasonably necessary to:

  1. Satisfy any applicable law, regulation, legal process, or enforceable governmental request.
  2. Detect or prevent fraud, including the investigation of potential violations of our Terms of Service.
  3. Address security or technical issues.
  4. Protect against imminent harm to the rights, property, or safety of MVend, its users, or the public, as required or permitted by law.

12. ROLES AND RESPONSIBILITIES

Every MVend employee is responsible for ensuring that personal data is handled properly and securely.

12.1. Board of Directors

The Board is responsible for ensuring that MVend meets its legal obligations by maintaining oversight of the company’s privacy and security operations and monitoring compliance with data protection legislation. The Board must be informed about the privacy and security risks or challenges the company faces and provide oversight on mitigating those risks by reviewing privacy reports and regulatory updates from the Data Protection Officer (DPO) and the privacy team.

Their responsibilities also include reviewing and approving the company’s privacy policies and procedures and providing support to the DPO in implementing data privacy plans and recommendations in line with data protection legislation and global best practices.

12.2. Data Protection Officer (DPO)

MVend has appointed a Data Protection Officer (DPO) who is responsible for overseeing the company’s data protection strategy and its implementation to ensure compliance with data protection legislation. The DPO shall, among many other obligations, serve as a contact point for MVend regarding data protection matters; ensure that MVend regularly conducts data protection impact assessments to identify and mitigate potential risks in data processing operations; cooperate with regulatory or supervisory authorities; and ensure all employees undergo mandatory annual and ongoing training to foster a culture of data privacy awareness within the organization.

12.3. Information Security Manager

  1. Ensuring all systems, services, and equipment used for storing data meet acceptable security standards.
  2. Performing regular checks and scans to ensure security hardware and software are functioning properly.
  3. Evaluating any third-party services the company is considering using to store or process data.

12.4. Responsibilities of the Employees

To safeguard the data collected and processed, our employees implement the following measures, among others:

  1. Ensuring that the computer screens are locked when left unattended.
  2. Avoid sharing personal data informally, especially via email, as it is not secure. Use MVend’s secure platforms for data sharing.
  3. Encrypt data before transferring it electronically.
  4. Keep all data secure by following precautions and guidelines outlined in company policies.

  • Strong passwords, at least 12 characters long, including letters, numbers, and special characters, must be used for all devices and accounts. Passwords should never be shared.
  • Personal data must not be disclosed to unauthorized individuals, whether inside or outside the company.
  • Employees should seek guidance from their line managers or the Data Protection Officer (DPO) if unsure about any aspect of data privacy and protection.

13. TRAININGS

MVend will ensure that employees, especially those handling personal data, receive adequate data privacy and protection training to develop the necessary knowledge, skills, and competence required to effectively manage the compliance framework under this Policy and Data Protection Legislation.

All MVend employees shall undergo mandatory and ongoing data privacy and information security awareness training. This training will be provided as part of the new employee orientation process and as part of the refresher programs for existing employees.

The training will cover personal data handling procedures and help employees understand their responsibilities to ensure compliance with the Data Protection Legislation.

14. NON-COMPLIANCE

All employees of MVend are required to abide by the provisions of this Policy. Any non-compliance with the requirements outlined in this Policy must be escalated to the Data Protection Officer at: dpo@mvendgroup.com.

Failure to comply with the provisions of this Policy is sanctionable. Sanctions for non-compliance may include suspension, termination of employment, or other actions legally available to MVend, and will be determined based on the severity of the breach.

15. COMPLAINTS HANDLING PROCEDURE

Data subjects may make requests for information about access to, correction of, deletion of, or objection to personal data processing. All requests can be made in writing, orally or electronically to the MVend address.

To lodge complaints and requests, the Data Subject shall send his/her concern to the DPO’s email: dpo@mvendgroup.com.

MVend undertakes to respond at the latest within one month of receipt of the request. Where there is reasonable cause for appropriate withholding of personal data upon a Data Subject request, we shall inform the Data Subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action. At the expiry of that period, the data subject may raise his/her complaint to the NCSA.

16. REVIEWS OF THIS POLICY

MVend reserves the right to review, re-evaluate, and amend this policy at any time.
