PesaNet
PesaNetLegal

Legal Document

Privacy Policy

Effective Date: January 1, 2025Last Updated: March 1, 2026Version: 3.2
PesaNet, Inc. ("PesaNet," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, website, and related financial services (collectively, the "Services"). Please read this policy carefully. If you do not agree with its terms, please discontinue use of our Services.

1. Information We Collect

1.1 Information You Provide Directly

We collect personal information you voluntarily provide when you:

  • Register an account: full legal name, date of birth, email address, phone number, residential address, and country of residence.
  • Complete identity verification (KYC): government-issued identification documents (passport, national ID, driver's license), selfie photographs, and proof of address documents.
  • Link a bank account: bank account number, routing number, and account holder name (processed via Plaid, Inc. — a third-party open banking provider).
  • Add a payment card: card number, expiration date, and CVV (tokenised and processed via Stripe, Inc. — we do not store raw card data).
  • Use lending features: employment status, income information, and any supporting financial documents you voluntarily submit.
  • Contact support: communications, attachments, and any personal information contained therein.

1.2 Information We Collect Automatically

When you access or use our Services, we automatically collect:

  • Device information: device model, operating system version, unique device identifiers (device fingerprint), and mobile network information.
  • Usage data: app features accessed, transaction history, session duration, and interaction logs.
  • Location data: approximate location derived from IP address; precise GPS location only with your explicit permission.
  • Log data: IP address, browser type, pages visited, referring URL, timestamps, and error reports.
  • Cookies and similar technologies: session cookies, persistent cookies, and pixel tags as described in our Cookie Policy.

1.3 Information from Third Parties

  • Identity verification providers: results of document verification checks, facial recognition matching scores, and watchlist screening results.
  • Banking providers (Plaid): account balance information, transaction history, and account ownership verification.
  • Payment networks: transaction authorisation and settlement data from Visa, Mastercard, and mobile money operators.
  • Credit reference agencies: where legally permitted, credit bureau data for lending eligibility assessments.
  • Fraud prevention services: risk scores and flagged indicators from our fraud detection partners.

2. How We Use Your Information

We process your personal information for the following purposes and on the following legal bases:

2.1 Providing and Operating the Services

  • Creating and managing your account.
  • Processing payments, transfers, deposits, and withdrawals.
  • Issuing and managing virtual debit cards.
  • Facilitating peer-to-peer lending transactions.
  • Providing customer support and resolving disputes.

Legal basis: Performance of contract (Art. 6(1)(b) GDPR); legitimate interest.

2.2 Regulatory Compliance and Legal Obligations

  • Verifying your identity in accordance with Know Your Customer (KYC) and Anti-Money Laundering (AML) obligations under the Bank Secrecy Act, FinCEN regulations, and applicable state money transmitter laws.
  • Screening against OFAC Specially Designated Nationals (SDN) and other sanctions lists.
  • Filing Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) as required by law.
  • Retaining records as mandated by financial regulators.

Legal basis: Legal obligation (Art. 6(1)(c) GDPR).

2.3 Security and Fraud Prevention

  • Detecting, investigating, and preventing fraudulent transactions and unauthorised account access.
  • Verifying trusted device registrations.
  • Monitoring for suspicious patterns of behaviour.
  • Protecting the security and integrity of our platform.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); legal obligation.

2.4 Improving Our Services

  • Analysing usage patterns to improve app features and user experience.
  • Conducting internal research and analytics.
  • Testing and debugging.

Legal basis: Legitimate interests.

2.5 Communications and Marketing

  • Sending transactional notifications (receipts, alerts, security notifications) — these are required for the Services and cannot be opted out of.
  • Sending promotional communications with your consent — you may opt out at any time via the app settings or unsubscribe link.

Legal basis: Consent (Art. 6(1)(a) GDPR); legitimate interests for transactional communications.

3. How We Share Your Information

We do not sell your personal information. We share your information only as described below:

3.1 Service Providers

We share data with trusted third-party providers who assist in delivering our Services, including:

  • Plaid, Inc. — bank account linking and financial data aggregation
  • Stripe, Inc. — payment card processing and virtual card issuance
  • Identity verification providers — KYC document verification and biometric matching
  • Cloud hosting providers (AWS) — infrastructure and data storage
  • Analytics providers — aggregated, pseudonymised usage analytics
  • Customer support platforms — case management and communication tools

All service providers are contractually bound to process your data only as directed by us and in accordance with applicable data protection laws.

3.2 Legal and Regulatory Disclosures

We may disclose your information to:

  • Financial intelligence units (FinCEN) and law enforcement agencies, as required by the Bank Secrecy Act and other applicable laws.
  • Courts, regulators, and government agencies pursuant to valid legal process (subpoenas, court orders, regulatory inquiries).
  • State money services business regulators during examinations or investigations.

3.3 Business Transfers

In connection with a merger, acquisition, sale of assets, or other corporate transaction, your information may be transferred as part of that transaction, subject to the acquirer honouring this Privacy Policy or providing equivalent protections.

3.4 With Your Consent

We may share your information with third parties where you have given us explicit consent to do so.

4. Data Retention

We retain your personal information for as long as your account is active and for the following periods thereafter:

  • Account and KYC records: 5 years after account closure, as required by FinCEN record-keeping rules (31 C.F.R. § 1020.410).
  • Transaction records: 5 years from the date of each transaction.
  • AML/SAR records: 5 years from the date of filing.
  • Customer communications: 3 years from the date of communication.
  • Security logs: 2 years from collection.

After these periods, data is securely deleted or anonymised unless a longer retention period is required by applicable law or ongoing legal proceedings.

5. Your Rights and Choices

5.1 Rights Under GDPR (EEA/UK Residents)

If you are located in the European Economic Area or United Kingdom, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data, subject to our legal retention obligations.
  • Right to restriction: Request that we limit processing of your data in certain circumstances.
  • Right to data portability: Receive your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making: Not to be subject to solely automated decisions (including profiling) that significantly affect you.

5.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, business purposes, and third parties with whom we share it.
  • Right to delete: Request deletion of your personal information, subject to exceptions.
  • Right to correct: Request correction of inaccurate personal information.
  • Right to opt-out of sale/sharing: PesaNet does not sell or share personal information for cross-context behavioural advertising.
  • Right to limit use of sensitive personal information: Limit our use of sensitive personal information (such as financial data) to purposes necessary to provide the Services.
  • Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your CCPA rights, submit a request to privacy@pesanet.app or call our toll-free number: 1-800-PESANET. We will verify your identity before processing requests.

5.3 How to Exercise Your Rights

Submit privacy rights requests to: privacy@pesanet.app

We will respond within:

  • 30 days for GDPR requests (extendable to 90 days with notice)
  • 45 days for CCPA requests (extendable to 90 days with notice)

6. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
  • Access controls: Role-based access controls with multi-factor authentication for all staff accessing production systems.
  • Device fingerprinting: We use cryptographic device fingerprints to detect and prevent unauthorised access from unrecognised devices.
  • PIN protection: All sensitive operations require a user-set PIN, which is never stored in plaintext.
  • Penetration testing: We conduct regular third-party security assessments.
  • PCI DSS compliance: Our card data handling meets PCI Data Security Standard requirements.

Despite these measures, no system is perfectly secure. In the event of a data breach, we will notify affected users and relevant regulators as required by applicable law.

7. International Data Transfers

PesaNet operates primarily in the United States. If you access our Services from outside the US, your information may be transferred to, stored, and processed in the US. For transfers from the EEA or UK, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Your explicit consent for transfers where required

8. Children's Privacy

Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that a minor has provided personal information, we will promptly delete it and terminate the associated account. If you believe a minor has used our Services, contact us at privacy@pesanet.app.

9. Third-Party Links

Our Services may contain links to third-party websites and services. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you use.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy with a new "Last Updated" date
  • Sending an in-app notification or email for significant changes
  • Requesting fresh consent where required by law

Your continued use of the Services after any changes constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions, requests, or complaints:

If you are an EEA resident and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.