Geliana Pay

Privacy Policy

Last updated: May 2026

This policy describes how Geliana Pay collects, uses, and protects your personal data in compliance with the Kenya Data Protection Act, 2019.

Contents

  1. Introduction
  2. Data Controller
  3. Personal Data We Collect
  4. Purpose and Legal Basis for Processing
  5. Data Sharing and Third Parties
  6. Data Protection Principles
  7. Your Data Protection Rights
  8. Cookies and Tracking
  9. Data Retention
  10. Data Security
  11. International Data Transfers
  12. Complaints to the Data Commissioner
  13. Changes to This Policy
  14. Contact

1. Introduction

Geliana Pay ("we", "us", "our", "the Platform") is committed to protecting your personal data in accordance with the Kenya Data Protection Act, No. 24 of 2019 ("Data Protection Act"), the Data Protection (General) Regulations, 2021, and other applicable data protection laws.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our Platform. It also explains your rights under the Data Protection Act and how to exercise them.

By using Geliana Pay, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you should discontinue use of the Platform.

2. Data Controller

Geliana Pay is the data controller for the purposes of the Data Protection Act. We determine the purposes and means of processing your personal data.

Our Data Protection Officer (DPO) can be contacted at:

Email: dpo@geliana.com

3. Personal Data We Collect

We collect the following categories of personal data:

3.1 Account and Profile Data

  • Full name, email address, and profile image (from Clerk authentication)
  • Chosen username/handle
  • Country of residence
  • Account creation and update timestamps

3.2 Identity Verification (KYC) Data

  • Selfie or profile photo
  • National ID or passport image
  • KRA PIN (encrypted at rest)
  • National ID number or passport number (encrypted at rest)
  • Payout details: M-Pesa phone number or bank account information

KYC data is encrypted using AES-256-GCM before storage. Decryption keys are managed separately and only accessible to authorised administrative personnel.

3.3 Transaction Data

  • Tip amounts, messages, and sender details
  • Invoice details (client names, email addresses, amounts, descriptions)
  • Payment references and status information
  • Payout records and settlement details

3.4 Technical Data

  • IP address and browser information
  • Device type and operating system
  • Usage patterns and interaction data
  • Cookies and similar tracking technologies (see Section 8)

3.5 Appearance Customisation Data

  • Accent colour, background style, and hero pattern selections
  • Card style and button style preferences
  • Cover image URL and invoice logo URL
  • Custom titles for tip pages and invoices

3.6 Email Notification Data

  • Email addresses of recipients (Creators, Payers, Clients, and administrators)
  • Full HTML body of every sent email
  • Delivery status (sent or failed) and error messages
  • All email records are stored permanently in the email audit log

3.7 Public Tip Page Data

  • Information visible on public tip pages: handle, display name, bio, avatar
  • Payer names and messages submitted with tips (visible to the Creator)

4. Purpose and Legal Basis for Processing

We process your personal data for the following purposes, under these legal bases:

Purpose | Legal Basis (Data Protection Act)
Account creation and management | Contract (Section 25) — necessary to provide our services
Identity verification (KYC) | Legal obligation (Section 25) — anti-money laundering compliance
Payment processing and settlement | Contract — necessary to execute transactions
Fraud prevention and risk management | Legitimate interest (Section 26) — protecting our Platform and users
Tax and regulatory compliance | Legal obligation — KRA and CBK requirements
Customer support and communication | Contract and legitimate interest
Platform improvement and analytics | Legitimate interest — improving our services

5. Data Sharing and Third Parties

We share your personal data with the following categories of recipients:

5.1 Payment Processor — Paystack

Paystack Payments Limited processes all transactions on the Platform. They receive payer name, email, phone number, and transaction amount data. Paystack is a Central Bank of Kenya licensed Payment Service Provider and processes data in accordance with its own privacy policy and applicable regulations.

5.2 Authentication — Clerk

Clerk.com provides user authentication services. Clerk manages your login credentials and session data. Their service is GDPR-compliant and data is processed in accordance with their privacy framework.

5.3 Cloud Infrastructure — Convex

Convex provides our backend database and serverless infrastructure. All data stored on Convex is encrypted at rest. Convex's infrastructure is hosted on Google Cloud Platform, with data processing locations that may include the United States and Europe.

5.4 Email Delivery — Resend

Resend provides email delivery services for notification emails. When we send an email, the recipient's email address and email content are transmitted to Resend for delivery. Resend processes data in accordance with its privacy policy and is GDPR-compliant.

5.5 File Storage — UploadThing

UploadThing handles file uploads for KYC documents and profile images. Uploaded files are stored temporarily and deleted after processing where applicable.

5.6 Legal and Regulatory Disclosures

We may disclose personal data where required by law, including to:

  • The Kenya Revenue Authority (KRA) for tax compliance
  • The Central Bank of Kenya (CBK) for regulatory oversight
  • The Financial Reporting Centre (FRC) for anti-money laundering
  • Law enforcement agencies under valid legal process

5.7 Creator-Payer Data

When a Payer sends a tip or pays an invoice, their name and email are shared with the Creator for transaction purposes. Similarly, when a Creator sends an invoice, their business name and details are shared with the Client.

6. Data Protection Principles

We adhere to the following data protection principles under Section 25 of the Data Protection Act:

  1. Lawfulness, fairness, and transparency — We process data lawfully, fairly, and transparently as described in this policy.
  2. Purpose limitation — Data is collected for specified, explicit, and legitimate purposes and not further processed in incompatible ways.
  3. Data minimisation — We only collect data that is adequate, relevant, and limited to what is necessary for our purposes.
  4. Accuracy — We take reasonable steps to ensure data is accurate and kept up to date.
  5. Storage limitation — Data is kept only for as long as necessary (see Section 9).
  6. Integrity and confidentiality — Data is processed securely, protected against unauthorised access, loss, or damage.
  7. Accountability — We are responsible for and can demonstrate compliance with these principles.

7. Your Data Protection Rights

Under the Data Protection Act, you have the following rights regarding your personal data:

Right to be informed

You have the right to be informed about the collection and use of your personal data — this Privacy Policy fulfils that right.

Right of access (Section 26)

You have the right to request a copy of the personal data we hold about you. To exercise this right, contact our DPO at dpo@geliana.com.

Right to rectification (Section 26)

You have the right to request correction of inaccurate or incomplete data. Profile information can be updated directly in your account settings.

Right to erasure (Section 26)

You have the right to request deletion of your personal data, subject to legal retention requirements. See our Data Deletion Policy in our Terms of Service for details. Certain data may be retained for legal or regulatory compliance.

Right to restrict processing (Section 26)

You have the right to request restriction of processing where you contest the accuracy of the data or object to processing.

Right to data portability (Section 26)

You have the right to receive your personal data in a structured, commonly used format and request transmission to another controller where technically feasible.

Right to object (Section 26)

You have the right to object to processing of your data for direct marketing or processing based on legitimate interests.

Right not to be subject to automated decision-making (Section 27)

You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you.

To exercise any of these rights, contact our Data Protection Officer at dpo@geliana.com. We will respond to your request within the timeframe required by the Data Protection Act (generally 30 days).

8. Cookies and Tracking

We use essential cookies required for authentication and Platform functionality. These cookies are necessary for the operation of our service and do not require consent under the Data Protection Act.

We do not use third-party tracking cookies for advertising or analytics purposes that require consent. Any future use of non-essential cookies will be subject to your prior consent.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy, subject to the following retention periods:

Data Category | Retention Period
Account and profile data | Until account deletion + 30-day buffer
KYC verification data | As required by anti-money laundering regulations (minimum 7 years after account closure)
Transaction records | Minimum 7 years for tax and audit compliance
Audit logs | Permanently — retained for legal and security purposes
Email notification logs | Permanently — retained for audit and compliance purposes
Communications (support inquiries) | 3 years after resolution

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of sensitive data at rest using AES-256-GCM
  • Encryption of data in transit using TLS 1.3
  • Access controls and authentication for administrative access
  • Regular security assessments and monitoring
  • Data minimisation — we only collect data necessary for our services
  • Secure infrastructure provided by Convex (Google Cloud Platform backend)

Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you of any data breach affecting your personal data as required by the Data Protection Act.

11. International Data Transfers

Your personal data may be transferred to and processed in countries outside Kenya where our service providers operate:

  • United States: Convex (database), Clerk (authentication), UploadThing (file storage)
  • Nigeria: Paystack (payment processing)

We ensure appropriate safeguards are in place for such transfers, including standard contractual clauses or equivalent data protection agreements with our service providers, as required by Section 31 of the Data Protection Act.

12. Complaints to the Data Commissioner

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):

Office of the Data Protection Commissioner

P.O. Box 19937-00100, Nairobi, Kenya

Email: complaints@odpc.go.ke

Website: www.odpc.go.ke

We encourage you to contact us first at dpo@geliana.com so we can address your concerns before you escalate to the ODPC.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Platform. We encourage you to review this policy periodically.

14. Contact

For questions about this Privacy Policy or our data protection practices:

Data Protection Officer

Email: dpo@geliana.com

General Inquiries

Email: support@geliana.com

Geliana Pay — Payment facilitation for African freelancers and creators.
