Legal

Privacy Policy.

Kashup is committed to protecting your personal data. This policy explains what we collect, why we collect it, how we use and protect it, and your rights as a data subject.

Effective date: 1 May 2025Last updated: 4 May 2026Jurisdiction: Federal Democratic Republic of Ethiopia
We never sell your data

Your information is used only to deliver and improve our services.

Encrypted end-to-end

AES-256 at rest, TLS 1.3 in transit, role-based access controls.

Your rights respected

Access, correct, delete, or port your data. We respond within 30 days.

Minimal collection

We collect only what is necessary for the service or required by regulators.

Breach notification

We commit to notifying you within 72 hours of any confirmed data breach.

Contact our DPO

privacy@kashup.et — your dedicated Data Protection Officer.

01

What personal data we collect

In the course of its daily operations, Kashup may collect personal information from individuals when you apply for services, interact with our team, or use our mobile and web applications.

Identification & contact
  • ·Full legal name, date of birth, nationality
  • ·National ID, passport number, or Fayda/Wardya biometric reference
  • ·Phone number, email address, physical mailing address
Financial information
  • ·Bank account details and payment information
  • ·Income, source of funds, and net worth declarations
  • ·Transaction history and order activity on the Kashup platform
  • ·CSD account number and portfolio positions
Digital & technical data
  • ·IP address, browser type, and device identifiers
  • ·Pages visited, session duration, and in-app actions
  • ·Login timestamps and access logs
  • ·Cookies and similar tracking technologies (with your consent)
Suitability & compliance data
  • ·Risk profile questionnaire responses
  • ·Investment experience and product suitability assessments
  • ·AML/CFT screening results (managed via Wardya AI)
  • ·PEP and sanctions check outcomes
02

How we use your personal data

We use your data only for the purposes listed below. We do not sell, rent, or trade your personal data to third parties.

Service delivery
  • ·Opening and managing your Kashup investment account
  • ·Processing orders and routing them to licensed brokers and the ESX
  • ·Facilitating CSD registration and dematerialisation
  • ·Enabling mobile-money and partner-bank payment flows
Regulatory compliance
  • ·Know Your Customer (KYC) and identity verification under ECMA directives
  • ·Anti-Money Laundering (AML) and Counter-Terrorism Financing (CFT) monitoring
  • ·Investor suitability and product appropriateness checks
  • ·Reporting to ECMA, ESX, or other competent authorities as required by law
Platform improvement & communications
  • ·Diagnosing technical issues and improving platform performance
  • ·Sending transactional notifications (order status, account alerts)
  • ·Sending product updates, market insights, and investment education (opt-out available)
  • ·Conducting anonymised analytics to understand user behaviour
03

How we share your personal data

Kashup only shares your data where necessary to deliver services, comply with law, or operate secure infrastructure.

Authorised third parties
  • ·Licensed brokers and the Ethiopian Securities Exchange (ESX) — to execute orders
  • ·Central Securities Depository (CSD Ethiopia) — for account registration and settlement
  • ·Partner banks — for custody, payment, and account linking
  • ·Wardya AI — for KYC, AML, suitability, and fraud analysis
  • ·Cloud and infrastructure providers — under strict data processing agreements
Legal disclosure
  • ·ECMA, NBE, or other regulators when required by applicable law
  • ·Courts or law enforcement agencies under lawful order
  • ·Fraud prevention agencies and credit reference bureaus
04

How we protect your personal data

Kashup applies technical and organisational measures proportionate to the sensitivity of your data.

Technical controls
  • ·AES-256 encryption at rest; TLS 1.3 in transit
  • ·Role-based access control with least-privilege enforcement
  • ·Multi-factor authentication for all staff and API access
  • ·Immutable audit logs for every access to sensitive records
  • ·Regular penetration testing and vulnerability assessments
Organisational controls
  • ·Designated Data Protection Officer (DPO)
  • ·Staff training on data handling and privacy obligations
  • ·Vendor due-diligence before any data-sharing arrangement
  • ·Incident response plan with 72-hour breach notification commitment
05

How long we keep your data

We retain personal data only as long as necessary for the purpose it was collected or as required by law.

Retention periods
  • ·Account and KYC records — 10 years after account closure (ECMA/NBE requirement)
  • ·Transaction records — 7 years (financial reporting obligations)
  • ·Consent and audit logs — 5 years
  • ·Marketing preferences — until you withdraw consent or request deletion
  • ·Technical logs — 90 days rolling (security monitoring)
06

Your rights

As a data subject you have the following rights. Submit requests to privacy@kashup.et — we respond within 30 days.

Rights available to you
  • ·Right of access — obtain a copy of your personal data
  • ·Right to rectification — correct inaccurate or incomplete data
  • ·Right to erasure — request deletion (subject to legal retention obligations)
  • ·Right to restriction — limit how we process your data pending a dispute
  • ·Right to data portability — receive your data in a structured, machine-readable format
  • ·Right to withdraw consent — at any time, without affecting prior lawful processing
  • ·Right to object — to processing based on legitimate interests or for direct marketing
  • ·Right to lodge a complaint — with ECMA or the relevant data-protection authority
07

Cookies & tracking

Kashup uses cookies and similar technologies to operate the platform, remember preferences, and gather analytics.

Cookie types
  • ·Essential cookies — required for login, security, and core functionality (cannot be disabled)
  • ·Analytics cookies — anonymised usage data to improve the platform (opt-out available)
  • ·Preference cookies — remember your language, theme, and display settings
  • ·Marketing cookies — only placed with your explicit consent
08

Children's privacy

Kashup does not knowingly collect data from individuals under 18. If you believe a minor has submitted personal data to us, contact privacy@kashup.et and we will delete it promptly.

09

Fraud & impersonation warning

Fraudsters may pose as Kashup representatives via phone, email, or social media. Kashup will never ask for your password, PIN, or full payment card details. Always verify through official channels at kashup.et before sharing sensitive information.

10

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-app alert at least 14 days before they take effect. The effective date at the top of this page reflects the latest version.

Questions about your privacy?

Contact our Data Protection Officer at privacy@kashup.et or write to: Kashup Financial Technologies, Addis Ababa, Ethiopia.