Privacy Policy
Last updated: February 2026
1. Who This Policy Applies To
This policy applies to sellers who create TandPay accounts and to buyers who make payments through TandPay. Sellers have accounts with full profiles. Buyers do not create accounts — they are identified by phone number when making a payment.
2. Information We Collect from Sellers
When you register as a seller, we collect:
| Data | Required? | Purpose |
|---|---|---|
| Phone number (+250…) | Yes | Account login, OTP verification, SMS notifications |
| 5-digit PIN | Yes | Account authentication (stored as a bcrypt hash, never in plaintext) |
| Full name | Yes | Displayed on your public seller profile |
| National ID number | No | Identity verification (KYC) — required before payout processing |
| Business name | Yes | Displayed on your public seller profile and order pages |
| MoMo phone number | Yes | Receiving payouts via MTN Mobile Money (may differ from your login phone) |
| MoMo Pay code | No | Displayed for direct payments outside TandPay |
| Location | No | Displayed on your public seller profile |
| Bio / description | No | Displayed on your public seller profile |
| Profile photo | No | Displayed on your public seller profile and order pages |
3. Information We Collect from Buyers
Buyers do not create accounts. When a buyer makes a payment, we collect:
- Phone number — entered when initiating an MTN MoMo payment. Used to send payment confirmation, the delivery code via SMS, and to process refunds if needed.
- Transaction details — what was purchased, the amount paid, and the delivery confirmation status.
If a buyer opens a dispute, we additionally collect:
- Dispute reason and details — text explaining the problem (minimum 10 characters).
- Evidence photos — optional images uploaded to support the dispute (up to 10 per dispute).
- Dispute messages — communications between buyer, seller, and TandPay administrators.
If a buyer leaves a review, the review text, star rating, and the buyer's phone number are stored.
4. Information Collected Automatically
- Device fingerprint — a hash of your device characteristics, used to recognize trusted devices and prevent unauthorized logins. The raw fingerprint is hashed before storage. We do not store your actual browser or device identifiers.
- Cookies — TandPay sets two types of cookies:
- Authentication cookies — contain your encrypted session token, managed by our authentication service. These are essential for keeping you logged in.
- Language preference cookie — stores your chosen language (English or Kinyarwanda). Lasts 1 year.
5. Your Public Seller Profile
When you create a seller account, certain information is publicly visible to anyone who visits your seller profile link or views your orders:
- Full name
- Business name
- Profile photo (if provided)
- Location (if provided)
- Bio (if provided)
- MoMo Pay code (if provided)
- Trust score, total sales count, and review ratings
Your login phone number, national ID, and MoMo payout phone number are not displayed on your public profile page.
6. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Account login and security | Phone, PIN (hashed), device fingerprint, OTP codes (hashed) |
| Payment processing | Buyer phone, seller MoMo phone, transaction amounts |
| Delivery confirmation | Buyer phone (to send delivery code via SMS) |
| Dispute resolution | Buyer phone, dispute reason/evidence, messages |
| Public seller profile | Name, business name, location, bio, photo, reviews |
| Identity verification (KYC) | Full name, national ID |
| SMS notifications | Phone number, transaction details (amounts, order titles) |
| Fraud prevention | Device fingerprint, login patterns, rate limiting |
7. Third-Party Services
TandPay shares the minimum data necessary with the following services to operate. We never sell your data.
7.1 MTN Mobile Money (Payments)
When a buyer pays or a seller receives a payout, we send the following to MTN's MoMo API:
- The payer or payee's phone number
- The payment amount
- A TandPay transaction reference ID
MTN processes payments under their own privacy policy and Rwandan financial regulations.
7.2 Pindo (SMS)
We use Pindo to send SMS messages (OTP codes, delivery codes, transaction notifications). Each SMS includes:
- The recipient's phone number
- The message text (which may include OTP codes, delivery codes, or transaction amounts)
7.3 Cloudinary (Images)
Profile photos, product images, and dispute evidence photos are uploaded directly from your browser to Cloudinary. TandPay only stores the resulting image URL — we do not process or store the image files on our own servers.
7.4 Supabase (Infrastructure)
Our database and authentication service is hosted on Supabase. All account data, transaction records, and application data are stored in Supabase's cloud infrastructure.
7.5 Vercel (Hosting)
The TandPay website is hosted on Vercel. Vercel processes standard web request data (IP address, request headers) to serve the application. We do not use Vercel's analytics services.
8. How We Protect Your Data
TandPay uses the following security measures:
- Encryption in transit — all connections use HTTPS/TLS. No data is transmitted in plaintext.
- PIN hashing — your 5-digit PIN is hashed with bcrypt (blowfish) before storage. We cannot see or recover your PIN.
- OTP hashing — one-time verification codes are hashed with SHA-256 before storage. The plain code exists only in the SMS sent to your phone.
- Delivery code hashing — the 4-digit delivery code is hashed with SHA-256 for verification. Brute-force attempts are blocked after 5 failed entries (15-minute lockout).
- Row-level security — database access controls ensure sellers can only see their own transactions, devices, and account data. Administrative data is restricted to authorized staff.
- Rate limiting — OTP requests, login attempts, and other sensitive operations are rate-limited to prevent abuse.
- Device verification — logging in from a new device requires OTP verification via SMS.
- Session management — sessions expire after inactivity. Trusted device tokens expire after 90 days.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (profile, business info) | Until you request account deletion, or 12 months after last activity |
| Transaction records | Minimum 5 years (Rwandan financial record-keeping requirements) |
| Dispute records and evidence | Minimum 5 years alongside transaction records |
| OTP codes | Automatically expire after 5 minutes; purged regularly |
| Trusted device records | 90 days from last use; deleted with your account |
| SMS delivery logs | 30 days for operational monitoring, then purged |
| Audit logs | Minimum 5 years alongside transaction records |
10. Your Rights
As a TandPay user, you have the right to:
- Access your data — request a copy of all personal data we hold about you.
- Correct your data — update your name, business information, MoMo number, and other profile details at any time through the dashboard.
- Delete your account — request deletion of your account and personal data. Note: transaction records are retained for the legally required period even after account deletion. Contact privacy@tandpay.rw to request deletion.
- Withdraw consent — you may stop using TandPay at any time. Withdrawing consent does not affect the lawfulness of processing performed before withdrawal.
Buyers: since buyers do not have accounts, buyer phone numbers associated with completed transactions are retained as part of the transaction record. Buyers may contact us to request information about what data we hold linked to their phone number.
11. Children
TandPay is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. Seller registration requires an adult with a valid Rwandan phone number.
12. Governing Law
TandPay operates in Rwanda and complies with applicable Rwandan data protection laws, including the Law N° 058/2021 relating to the protection of personal data and privacy. We are committed to protecting user privacy in accordance with both Rwandan law and international best practices.
13. Changes to This Policy
We may update this privacy policy as TandPay evolves. If we make significant changes to how we handle your data, we will notify all registered sellers via SMS at least 7 days before the changes take effect. The updated policy will be posted on this page with a new "Last updated" date. Continued use of the Platform after changes constitutes acceptance.
14. Contact
For privacy-related questions, data access requests, or to exercise any of your rights, contact us at privacy@tandpay.rw.