Privacy Policy
Empowa Pay, Empowa Trade, Empowa Calculator and the Empowa website.
Effective date: May 2026
Version: 2.0 (replaces version dated 2023-03-29)
Issued by: Empowa Technology Ltd, Republic of Seychelles
Introduction
Empowa Technology Ltd (a company registered in the Republic of Seychelles; referred to in this Policy as 'Empowa', 'we', 'us' or 'our') operates a set of products serving African capital markets and housing finance, including Empowa Pay (a rent-to-own platform), Empowa Trade (a blockchain trading platform), Empowa Calculator (a valuation tool) and the website www.empowa.io.
This Privacy Policy describes how Empowa collects, uses, stores, shares and protects personal data across these products and the website. It is written to satisfy the European Union General Data Protection Regulation (EU GDPR), the Kenya Data Protection Act 2019 and the equivalent data protection regimes in the African jurisdictions where our customers and users are located.
If you have any question about this Policy, the data we hold about you, or your data subject rights, contact us at privacy@empowa.io.
1. Who We Are
Empowa Technology Ltd is incorporated in the Republic of Seychelles. The operating team is geographically distributed; the Security Lead and the Chief Operating Officer act as the primary contact points for any privacy or data protection matter.
For the purposes of EU GDPR, Kenya DPA 2019 and equivalent frameworks, Empowa is the data controller for personal data collected directly through our products and the website. Where we operate a white-label deployment of our platform for an institutional customer, Empowa is the data processor acting on behalf of that customer, who is the controller for their end users; the customer's own privacy policy will apply in addition to this Policy and will be made available on the platform built for that customer.
2. The Products This Policy Covers
This Policy covers personal data processing in connection with the following products and services:
| Product | What it does |
|---|---|
| Empowa Pay | A rent-to-own housing platform connecting tenants, property providers, managers and investors. |
| Empowa Trade | A blockchain trading platform for tokenized assets, with order book, escrow and on-chain settlement. White-label deployments of Empowa Trade for institutional customers are governed by the customer's own privacy policy on the platform built for them; this Policy does not apply to those deployments. |
| Empowa Calculator | A valuation tool for developers and project owners. |
| www.empowa.io | The Empowa marketing website, including the Knowledge Centre and any forms or contact mechanisms available there. |
3. What Personal Data We Collect
The personal data we collect depends on which product you use. Across all products, the categories of data we may collect are:
| Category | What this includes | Lawful basis |
|---|---|---|
| Account and authentication | Email address, password (stored hashed, never in plaintext), phone number where provided, and any two-factor authentication settings. | Contract (Article 6(1)(b) GDPR; equivalent under Kenya DPA 2019) |
| Profile and role | Display name, role (where the product is multi-role: for example, in Empowa Pay your role might be tenant, manager, provider or investor; in Empowa Trade your role might be investor, project owner or operator). | Contract |
| Identity verification (KYC / KYB / KYT) | Where the product requires identity verification under applicable financial regulation, we collect identity documents, biometric verification results, address verification results and sanctions screening results. This processing is delegated to a specialist vendor selected per market; the specific vendor handling your data will be disclosed to you at the time of the verification. | Legal obligation (Article 6(1)(c) GDPR; AML / KYC regimes in the relevant jurisdiction) |
| Financial and payment | Transaction records, installment history, payment status. Full card data is collected and stored by our PCI-DSS compliant payment processors (Paystack, Stripe Connect); Empowa does not store full card numbers. | Contract |
| Wallet addresses (on-chain) | Cardano blockchain wallet addresses you connect to our products. When you connect a wallet and submit on-chain transactions, those addresses and transactions become part of the public Cardano blockchain. | Contract |
| Communications | Messages you send through in-app chat features (Empowa Trade), support tickets, governance poll votes, notifications generated for you. | Contract |
| Usage and behavioural | Login history, request logs, feature usage data (aggregated where possible). | Legitimate interest (Article 6(1)(f) GDPR; service improvement and security) |
| Marketing | Email opt-in records for marketing communications. | Consent (Article 6(1)(a) GDPR; opt-in only) |
4. How We Use Your Data
We use the personal data we collect for the following purposes:
- To provide and operate the products you use: account creation, authentication, transaction processing, communications between platform users, settlement of trades and payments.
- To comply with our legal obligations: identity verification (KYC) under applicable financial regulations, anti-money-laundering monitoring, tax and accounting record-keeping.
- To secure the platforms: access logging, audit trails, fraud and abuse detection, incident investigation.
- To improve our products: aggregated analytics on feature usage, technical performance, and user journeys.
- To communicate with you: transactional notifications, service announcements, responses to your support requests.
- To send you marketing communications only where you have explicitly opted in; you can withdraw consent at any time through the unsubscribe link in any marketing email or by emailing privacy@empowa.io.
5. Where Your Data Is Stored
Personal data is stored by default in European Union data centre regions, operated by our sub-processors (principally Supabase, AWS, Cloudflare, Netlify, Vercel and Google Workspace). Specific regions are typically EU-West (Ireland) or EU-Central (Frankfurt), selected by sub-processor for performance and resilience.
Where a particular customer engagement requires data residency in a different jurisdiction (for example, contractual requirements for data to remain within a specific African country), Empowa may configure that engagement's deployment with sub-processors in that jurisdiction. We will inform you if your data is stored outside the EU.
6. Cross-Border Data Transfers
Because your data may originate in one country and be stored in another (typically: African origin, EU storage), we treat this as an international transfer of personal data and apply appropriate safeguards:
- For storage in the European Union, we rely on the GDPR-equivalent protection that applies once data enters the EU.
- For transfer from your country of residence to the EU, we rely on the appropriate transfer mechanism under your local law. Under the Kenya Data Protection Act 2019 Section 48, EU storage is generally an adequate-protection transfer; equivalent provisions in other African regimes are relied upon as applicable.
- Where required by a specific customer engagement or your local law, we adopt Standard Contractual Clauses (SCCs) with the relevant sub-processors.
7. Sub-Processors
We use the following categories of sub-processor to deliver our products. A current detailed list is available on request to privacy@empowa.io and is updated as our sub-processor inventory evolves.
| Category | Examples |
|---|---|
| Database, authentication and storage | Supabase, MongoDB Atlas (legacy services) |
| Cloud hosting and infrastructure | Amazon Web Services (AWS), Cloudflare, Netlify, Vercel |
| Cardano blockchain providers | Maestro, Blockfrost, NMKR, Genius Yield |
| Payment processing | Paystack, Stripe Connect |
| Identity verification (KYC, KYB, KYT) | Selected per engagement; the specific vendor handling your data will be disclosed at the time of verification. |
| Email and notifications | Mailgun |
| Productivity and internal tooling | Google Workspace, 1Password, GitHub, Notion, Figma |
Each sub-processor operates under its published Data Processing Agreement, which Empowa has accepted. We maintain an internal record of which sub-processor processes which categories of data.
8. How Long We Keep Your Data
We retain personal data only as long as needed for the purpose for which it was collected, or as required by law. Our retention schedule by data category is:
| Category | Retention period | Why |
|---|---|---|
| Active user account data | Duration of your account plus 12 months | Allows account reactivation and resolution of post-departure matters. |
| Authentication credentials (password hashes) | Until account closure | No legitimate purpose to retain after closure. |
| KYC and identity verification records | Per applicable AML / KYC law, typically 5-7 years after end of business relationship | Legal obligation under the relevant jurisdiction's AML regime. |
| Financial and payment transaction records | 7 years from transaction date | Accounting and tax obligations across applicable jurisdictions. |
| Communications (in-app chats, support tickets) | 3 years from last activity | Reasonable retention for support history and dispute resolution. |
| Marketing communications data | Until you withdraw consent, plus a 30-day purge cycle | Consent-based; immediate withdrawal honoured. |
| Server and request logs | 90 days | Operational and security purposes. |
| Audit logs (security and access logs) | 12 months minimum | Required for security investigation. |
| On-chain wallet addresses and transaction references (off-chain mirror) | Aligned with the underlying user account retention | See Section 9 below for the on-chain immutability acknowledgement. |
9. On-Chain Data and the Right to Erasure
Cardano blockchain data is immutable. When you connect a Cardano wallet to Empowa Trade and submit on-chain transactions (token mint, distribution, order placement, trade execution, settlement), the wallet address you used and the details of the transaction are permanently recorded on the public Cardano blockchain. We cannot delete or modify on-chain data; nobody can, by the design of the blockchain.
If you request erasure of your personal data under Article 17 of the GDPR or the equivalent right under your local law, we will delete or anonymise the personal data we hold about you in our off-chain systems (within the limits described in Section 10 below). We cannot delete data that has been permanently recorded on the Cardano blockchain through a transaction you submitted. We will inform you at the time of any on-chain interaction that the data will become public and persistent.
10. Your Data Protection Rights
Under the EU GDPR, the Kenya Data Protection Act 2019 and equivalent African data protection regimes, you have the following rights:
- Right to access: you can ask for a copy of the personal data we hold about you.
- Right to rectification: you can ask us to correct inaccurate or incomplete personal data.
- Right to erasure: you can ask us to delete your personal data, subject to the on-chain immutability acknowledgement in Section 9 and any legal retention obligations (such as KYC / AML records that we are required to keep).
- Right to restriction of processing: you can ask us to stop processing your personal data while we resolve a question about it.
- Right to data portability: you can ask us to provide your personal data in a structured, machine-readable format so you can transfer it to another service.
- Right to object: you can object to processing based on our legitimate interest, or to direct marketing.
- Rights related to automated decision-making: where we make decisions about you based solely on automated processing that produces legal or significant effects, you have the right to human review of those decisions.
To exercise any of these rights, contact us at privacy@empowa.io. We will verify your identity (typically by re-confirmation through the email address registered on your account, with additional verification where the request involves sensitive data) and respond within 30 days of the verified request. For complex requests we may extend this by up to 60 days, with notification to you of the extension and the reason.
11. Cookies and Tracking
Our products use cookies and equivalent technologies for the following purposes:
- Strictly necessary cookies: required for authentication, session management and security. These cannot be disabled.
- Functional cookies: remember your preferences (language, display settings) so you do not have to set them on every visit. Optional.
- Analytics cookies: aggregated, non-identifying usage data for service improvement. Optional and disabled by default.
- Marketing cookies: only set if you have explicitly consented. Disabled by default.
Where required by your jurisdiction, the products will display a cookie consent banner allowing you to manage your preferences. You can also manage cookies through your browser settings; disabling strictly necessary cookies will prevent the product from functioning correctly.
12. How We Protect Your Data
We protect your personal data through a layered set of technical and organisational measures:
- Encryption in transit: all communication with our products and the website uses TLS 1.2 or higher.
- Encryption at rest: databases and storage at our sub-processors encrypt data at rest using industry-standard methods.
- Authentication and access control: two-factor authentication is enforced across every system holding personal data, both for the operational team and for users where the product supports it.
- Row-level security: our Supabase databases enforce row-level security policies so that users can only access their own data, even where queries are made through shared API endpoints.
- Audit logging: access to data is logged and the logs are retained for security investigation.
- External security review: our on-chain code has been audited by independent specialist firms (Anastasia Labs in 2025 and Cyberscope in 2026). Our platform has documented internal security testing covering authentication, authorization, input validation, rate limiting and cryptographic patterns.
- Documented operational procedures: written procedures for offboarding of team members include rotation of every credential the departing member knew, restructuring of multisig signers and revocation of all platform access within defined time bounds.
13. Data Breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, including the nature of the breach, the categories and approximate number of data subjects affected, the contact point for further information and the measures we have taken to address the breach.
14. Children's Data
Our products and services are intended for users who are at least 18 years old (or the age of majority in your jurisdiction, if higher). We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided personal data to us, please contact privacy@empowa.io and we will take steps to delete it.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in our products, in our sub-processor inventory, or in applicable law. When we make a material change, we will update the 'Effective date' at the top of this Policy and (where the change materially affects how we use your personal data) notify you directly through email or an in-product notification.
16. Contact and Complaints
If you have any question about this Policy or how we handle your personal data, contact us at privacy@empowa.io.
If you are not satisfied with our response to a question or complaint, you have the right to lodge a complaint with the supervisory authority in your jurisdiction. For data subjects in the European Union, the relevant supervisory authority will be the one in your country of residence. For data subjects in Kenya, the supervisory authority is the Office of the Data Protection Commissioner (ODPC). Equivalent authorities apply in other African jurisdictions.