Privacy Policy

Last updated: April 15, 2026

1. Introduction

RemoteFlow Limited ("RemoteFlow", "we", "us") is committed to protecting the privacy and personal data of our users. This Privacy Policy explains how we collect, use, store, and share your information when you use the RemoteFlow platform.

2. Data Protection Framework

This Privacy Policy is governed by and compliant with the Kenya Data Protection Act, 2019 and all regulations issued thereunder by the Office of the Data Protection Commissioner (ODPC). As a data controller, RemoteFlow Limited is registered with the ODPC and processes your personal data in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality as set out in the Act.

You have the right to lodge a complaint with the Office of the Data Protection Commissioner if you believe your data rights have been violated. Contact the ODPC at www.odpc.go.ke.

3. Data We Collect

We collect the following categories of personal data:

  • Identity data: Full name, date of birth, nationality, and government-issued identity documents submitted during KYC verification
  • Contact data: Email address and phone number
  • Financial data: M-Pesa transaction records, wallet balances, payment history, and currency conversion records
  • Technical data: IP address, browser type, device information, and session metadata used for fraud prevention
  • Verification data: KYC results and risk assessment scores from our identity verification partners

4. Purpose of Processing

We process your personal data for the following lawful purposes:

  • To create and manage your RemoteFlow account
  • To verify your identity in compliance with KYC and Anti-Money Laundering (AML) regulations
  • To process deposits, withdrawals, transfers, and foreign exchange transactions
  • To detect, prevent, and investigate fraud, money laundering, and other financial crimes
  • To comply with legal and regulatory obligations under Kenyan law, including Central Bank of Kenya (CBK) directives
  • To communicate with you regarding your account, service updates, and security alerts

5. Data Sharing

We do not sell your personal data. We share information only with the following categories of recipients, strictly on a need-to-know basis and under appropriate data protection agreements:

  • Safaricom PLC: To process M-Pesa STK Push deposits and B2C withdrawals via the Daraja API
  • KYC verification partners: To authenticate your identity documents during onboarding
  • Payment processors: To facilitate cross-border payment receipt and currency conversion
  • Law enforcement and regulators: When required by law, court order, or regulatory directive

6. Data Retention

We retain your personal data for as long as your account is active and for a minimum of seven (7) years after account closure, in compliance with the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) and CBK regulations on record-keeping for financial institutions. Transaction records are maintained in an immutable, double-entry ledger for audit and compliance purposes.

7. Security Measures

We implement industry-standard technical and organisational measures to protect your personal data, including:

  • Bcrypt password hashing with 12 rounds and worker-thread offloading
  • TOTP-based Two-Factor Authentication (2FA) for all accounts
  • JWT-based session management with secure token rotation
  • Real-time transaction risk scoring and fraud detection
  • TLS encryption for all data in transit
  • Managed, encrypted database infrastructure with automated backups

8. Your Rights Under the Data Protection Act

Under the Kenya Data Protection Act, 2019, you have the following rights:

  • Right of access: You may request a copy of the personal data we hold about you
  • Right to rectification: You may request correction of any inaccurate or incomplete personal data
  • Right to erasure: You may request deletion of your personal data, subject to our legal retention obligations
  • Right to restrict processing: You may request that we limit how we use your data in certain circumstances
  • Right to data portability: You may request your data in a structured, commonly used, and machine-readable format
  • Right to object: You may object to processing based on legitimate interests or for direct marketing purposes

To exercise any of these rights, contact us at hello@remoteflow.cc. We will respond within 30 days.

9. Cookies & Tracking

RemoteFlow uses essential session cookies to maintain your authentication state and protect against cross-site request forgery. We do not use third-party advertising cookies or tracking pixels.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered address at least 30 days before they take effect. Your continued use of RemoteFlow after the effective date constitutes acceptance.

11. Contact & Data Protection Officer

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact:

RemoteFlow Limited
Nairobi, Kenya
Email: hello@remoteflow.cc

← Back to Home