Privacy
Notice.

Lira-API Limited (Lira, we, us or our) respects your privacy and is committed to protecting your personal data in accordance with the Constitution of Kenya, the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021 and any other applicable International Laws relating to Data Privacy.

This Privacy Notice explains how we collect, use, record, organize, store, share, transfer, secure, retain and otherwise process personal data relating to individuals who interact with our platform, website, products, APIs, applications, support channels, business services and related offerings.

This Privacy Notice applies to:

• Users of Lira's products, applications, APIs and digital platforms.
• Customers, potential customers and end users whose data is submitted to or checked through Lira systems.
• Directors, shareholders, beneficial owners, representatives and employees of our customers, partners, vendors, and service providers.
• Visitors to our website, portals, and support channels.
• Any other natural person whose personal data we receive directly or indirectly in connection with our business operations.

Depending on the context, Lira may act as a data controller (where we determine the purpose and means of processing personal data) or a data processor (where we process personal data on behalf of a customer or partner acting as controller).

Where Lira processes personal data on behalf of another party, the relationship shall be governed by a written data processing agreement in accordance with applicable law.

Depending on the nature of the service, we may collect or receive the following categories of personal data:

We may collect personal data:

• Directly from you when you sign up, onboard, submit a request, use our platform, contact us, or interact with our website or applications.
• From our business customers and partners who provide data to us in connection with our services.
• From public or lawful sources such as corporate registries and official records.
• Automatically through your use of our website, applications, platform, or APIs, including through cookies and similar technologies.
• From third-party service providers, fraud monitoring tools, compliance sources, payment ecosystem participants, or identity verification tools, where lawful.

We process personal data for one or more of the following purposes:

• To provide, operate, maintain and improve our platform, products and services.
• To verify account, payer, payee or transaction information.
• To facilitate onboarding, registration and user authentication.
• To support fraud prevention, security monitoring, and misuse detection.
• To perform analytics, troubleshooting, testing and service optimization.
• To communicate with you regarding your use of our services.
• To manage business relationships with clients, partners, vendors, and service providers.
• To issue invoices, manage payments and maintain business records.
• To comply with legal, regulatory, risk management and audit obligations.
• To respond to complaints, legal claims, disputes, law enforcement requests, and regulatory inquiries.
• To send service, operational or, where permitted, marketing communications.

We process personal data on one or more of the following lawful bases:

Where we rely on consent:

• We will present the relevant information in a clear and understandable manner.
• Consent may be obtained in writing, electronically or by another valid affirmative action.
• Silence, inactivity or failure to object will not amount to consent.
• You may withdraw your consent at any time.
• Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Lira does not knowingly process personal data relating to a child unless such processing is lawful, necessary, and subject to appropriate consent and safeguards. Where personal data relating to a child is processed:

• The identity and authority of the parent, guardian or duly authorized person may be verified.
• The best interests of the child will be taken into account.
• Profiling of a child for direct marketing is prohibited.
• The parent or guardian will, where applicable, be informed of the inherent risks and safeguards in place.

Where Lira uses personal data for direct marketing, we will:

• Notify you where direct marketing is one of the purposes for which personal data is collected.
• Only use personal data for direct marketing where permitted by law and, where required, with your consent.
• Include a clear and simple opt-out mechanism in every direct marketing communication.
• Ensure opting out is easy, accessible and low-cost or free.
• Stop using your personal data for direct marketing once you opt out.

Lira may use automated tools, rules engines, scoring models, matching logic, verification systems, fraud detection controls and similar technologies to support its services, security, and risk management processes.

Where such processing materially affects you, we will implement appropriate safeguards in line with the Act and Regulations, including transparency, review processes and human oversight where required.

We may share your personal data, strictly on a need-to-know and lawful basis, with:

• Our employees, officers and authorized personnel.
• Group companies and affiliates, where applicable.
• Customers, merchants, partners and counterparties connected to the service you are using.
• Technology, hosting, cloud, security, communications, analytics and infrastructure providers.
• Professional advisers, auditors, and consultants.
• Payment ecosystem participants and verification partners.
• Law enforcement agencies, courts, regulators, supervisory bodies or public authorities where required by law.
• Any other recipient where disclosure is lawful, necessary and proportionate.

Where Lira transfers personal data outside Kenya, we will do so only in compliance with the Act and Regulations. Before transferring, we will seek to ensure that:

• The recipient is bound by legally enforceable obligations providing a comparable standard of protection.
• The rights of the data subject are safeguarded.
• Reasonable steps are taken to ensure data is not used for unintended purposes.
• Where required, consent is obtained.
• The data subject is informed of the safeguards, implications and risks of the transfer.

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required for legal, regulatory, contractual, tax, accounting, dispute resolution, fraud prevention, security or reporting purposes.

When personal data is no longer required, we will delete, anonymize or securely destroy it in accordance with our retention and disposal procedures.

We implement appropriate technical and organizational measures to protect personal data. These measures may include:

If a personal data breach occurs, we will assess the risk and take appropriate containment, investigation and remediation steps. Where required by law:

Subject to the Act and applicable limitations, you have the right to:

To exercise your rights, please contact us using the details below and provide sufficient information to enable us to identify you and process your request. We may ask for additional information where reasonably necessary to verify your identity, authority or the scope of your request.

If you have any concern regarding how we process your personal data, you may contact us first so that we can attempt to resolve the issue.

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner, which is established under the Act and has powers to oversee implementation, investigate complaints and enforce compliance.

We may update this Privacy Notice from time to time to reflect changes in law, regulation, technology, business operations or our processing practices. The most current version will be made available through our website, platform or other appropriate channel.