Privacy Policy
Last Updated: July 14, 2026
SwiftBook ("we," "our," or "us") is committed to protecting the privacy of Kenyan merchants, business owners, and their cashiers. This Privacy Policy explains how we collect, use, process, and secure transaction metadata and business details when you use our web application, terminal services, and M-PESA reconciliation dashboard.
By accessing or using SwiftBook, you agree to the collection and use of information in accordance with this policy and in compliance with the Kenya Data Protection Act, 2019.
1. Information We Collect
To provide real-time transaction tracking and terminal management, we collect the following categories of information:
- Merchant & Business Information: Business Name, M-PESA Shortcode (Paybill/Till Number), custom Safaricom Daraja API credentials (if configured), billing details, and physical facility names.
- User & Cashier Accounts: Owner email address, full name, cashier terminal names, POS IDs, and hashed PIN numbers. We do not store plain-text cashier PINs.
- M-PESA Transaction Metadata: We process payment confirmation data received via the Safaricom Daraja API webhook callbacks. This includes transaction amounts, date/time of payment, customer phone numbers (masked/unmasked depending on Daraja API standards), transaction statuses, and Bill Reference numbers.
- Local Device Data: To facilitate offline mode, we temporarily cache transaction records on your device using browser storage (IndexedDB/localStorage) until connection is restored.
2. How We Use Your Information
We use the collected data strictly to run and secure our services:
- To route M-PESA STK Push requests and generate local transaction receipts.
- To enable Business Owners to reconcile transactions across multiple cashier terminals.
- To verify cashier terminal logins and enforce PIN-based rate limiting to prevent unauthorized terminal access.
- To process system notifications, approval alerts, and billing updates via our third-party email provider (Resend).
3. Data Processing and Safaricom Daraja Integrity
SwiftBook acts as a data processor for the transaction details generated by your customers.
- Callback Security: All webhook callbacks from Safaricom (
POST /api/payments/callback) are strictly validated for integrity to prevent spoofing. - Credential Encryption: If you choose to use your own custom Daraja credentials, they are securely stored and encrypted in our PostgreSQL database.
4. Data Sharing and Third Parties
We do not sell or rent your business or customer transaction data. We only share information with third-party service providers necessary to run SwiftBook:
- Safaricom (Daraja API): To initiate payments.
- Hosting & Database Providers (Render, Neon PostgreSQL, Cloudflare): For application infrastructure and database hosting.
- Resend: For sending essential account emails and verification links.
5. Data Security
We implement industry-standard security measures, including:
- Enforcing HTTPS and secure SSL endpoints globally.
- Initializing global security headers via Helmet middleware.
- Encrypting user and cashier sessions using JSON Web Tokens (JWT).
- Enforcing strong password rules and 15-minute terminal lockouts after multiple failed PIN attempts.
6. Your Rights
Under the Kenya Data Protection Act, you have the right to access, rectify, or request the deletion of your business and personal account data. Business owners can manage team access, view history, or update their credentials directly through the owner dashboard.
For data deletion requests or inquiries regarding our privacy practices, please contact our support team.