About this Privacy Policy
This Privacy Policy explains how PayWatan collects, uses, shares, and protects your personal data when you use our website, mobile applications, and related services (together, the “Service”).
We take privacy seriously. We collect only the data we need to run the Service, we are transparent about how we use it, and we give you meaningful control over it. If anything here is unclear, contact us at hello@paywatan.com.
Who is responsible for your data
PayWatan is the data controller of personal data processed through the Service. PayWatan operates from establishments in France and Denmark. The French entity is the primary contracting party and is responsible for processing decisions across both jurisdictions.
You can reach us about anything in this Policy at hello@paywatan.com, including requests to exercise your rights under data-protection law.
What we mean by certain terms
- Personal data — any information that relates to an identified or identifiable person.
- Processing — anything we do with personal data, including collecting, storing, using, sharing, and deleting.
- You — the visitor or user whose personal data this Policy describes. References to “your data” and “your personal data” mean the same thing.
- Recipient — the holder of the mobile number you specify when ordering a top-up.
Personal data we collect
We collect the following categories of personal data:
- Identity data — your name, date of birth, and, where required by law, identity-verification documents.
- Contact data — email address, phone number, and any postal address you provide.
- Account data — username, password (stored as a one-way hash), preferences, and language settings.
- Transaction data — the top-ups you place, the Recipient mobile number, Operator, package, amount, currency, timestamps, and delivery status. We do not store full payment card numbers; those stay with our payment partners.
- Payment data — limited card metadata (type, last four digits, expiry), tokenised references, and billing country, returned by our payment processors.
- Technical data — IP address, device type, operating system, browser, language, time zone, app version, and approximate location derived from your IP.
- Usage data — how you navigate the Service, features you interact with, errors and crashes.
- Communications data — the content of messages you send us (e.g. support requests, feedback).
- Marketing data — your preferences for marketing communications and the categories of content you engage with.
How we collect your data
We collect personal data in three ways:
- Directly from you — when you sign up, create an account, join the waitlist, place an order, or contact support.
- Automatically — when you use the Service, our systems log technical and usage data via cookies and similar technologies (see Section 14).
- From third parties — including payment processors (confirming a charge), identity-verification providers (where required), Operators (delivery confirmation), and fraud-prevention services.
Why we use your personal data
Under the EU General Data Protection Regulation (GDPR), every use of personal data must have a legal basis. We use yours for the following purposes:
- To provide the Service — creating your account, processing top-ups, delivering them to Recipients, and giving you transaction history. Legal basis: performance of the contract between you and us.
- To process payments — passing necessary details to our payment partners and reconciling transactions. Legal basis: contract performance and our legal obligations.
- To verify identity and prevent fraud — checking who you are and detecting suspicious activity. Legal basis: our legal obligations and our legitimate interests in protecting you, us, and the Service.
- To comply with the law — including AML, counter-terrorism financing, sanctions, tax, and accounting obligations. Legal basis: legal obligation.
- To support you — responding to your messages and resolving issues. Legal basis: contract performance and legitimate interests.
- To improve the Service — analysing usage, fixing bugs, and developing new features. Legal basis: legitimate interests, with privacy-protective settings by default.
- To market to you — sending updates, offers, and product news where you have agreed to receive them. Legal basis: consent, which you can withdraw at any time.
Marketing communications
We only send marketing emails or push notifications if you have opted in. You can withdraw consent at any time by clicking the unsubscribe link in any email, changing your notification settings in the app, or contacting us. Withdrawing consent does not affect transactional messages we must send to operate the Service (e.g. order confirmations).
International transfers
Delivering top-ups to mobile numbers in Afghanistan requires us to share limited data (typically the Recipient number, Operator, package, and a transaction reference) with the relevant Afghan Operator. Some of our service providers also process data outside the European Economic Area.
Where we transfer personal data outside the EEA, we rely on recognised safeguards under the GDPR, including the European Commission’s Standard Contractual Clauses and, where available, adequacy decisions. You can request a copy of the safeguards we use by contacting us.
How long we keep your data
We keep personal data only as long as we need it for the purposes described in this Policy, and longer if we are legally required to. Typical retention periods are:
- Transaction and accounting records — up to 10 years after the transaction, to meet tax and AML obligations.
- Identity-verification records — up to 5 years after the end of our business relationship, in line with AML requirements.
- Account data — for as long as your account is active, plus a reasonable period after closure to handle disputes, claims, and post-closure queries.
- Marketing preferences — until you change them, plus a record of when you changed them.
- Support communications — up to 3 years after the issue is resolved.
- Technical logs — typically 30 to 90 days, longer for security investigations.
When we no longer need personal data, we delete it or irreversibly anonymise it.
Keeping your data secure
We use technical and organisational measures designed to protect personal data from loss, misuse, and unauthorised access. These include:
- encryption of data in transit using modern TLS and at rest for sensitive fields;
- access controls that limit who at PayWatan can see what data, with audit logging;
- secure software-development practices and regular security reviews;
- tokenisation of payment information so card numbers are not stored on our systems; and
- an incident-response process designed to detect, contain, and notify breaches in line with the GDPR.
No system is perfectly secure. We will tell you about any personal-data breach that is likely to result in a high risk to your rights, in the manner required by law.
Your rights
Under the GDPR, you have the following rights in relation to your personal data:
- Access — to know what data we hold about you and receive a copy.
- Rectification — to correct data that is inaccurate or incomplete.
- Erasure — to ask us to delete your data, subject to legal retention obligations.
- Restriction — to limit how we use your data in specific circumstances.
- Portability — to receive certain data in a machine-readable format and have it sent to another controller.
- Objection — to object to processing based on our legitimate interests, including profiling, and to direct marketing.
- Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting prior processing.
- Complain — to a supervisory authority (see Section 18).
How to exercise your rights
To exercise any of these rights, email hello@paywatan.com from the address linked to your account. We may need to verify your identity before acting on a request, especially for access and erasure.
We will respond within one month. If the request is complex or we have received several requests from you, we may extend that deadline by up to two further months and will let you know why. Exercising your rights is free of charge unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act.
Children
PayWatan is not directed at children, and we do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, contact us and we will delete it.
Automated decision-making
We use automated systems to detect and prevent fraud, including scoring transactions for risk and verifying identity. These systems may block a transaction or temporarily restrict your account without human review.
If a decision significantly affects you, you have the right to ask for human review, express your point of view, and contest the decision by contacting us.
Changes to this Policy
We may update this Policy from time to time. When we do, we will revise the “Last updated” date at the top of the page and, for material changes, notify you through the Service or by email before the changes take effect.
We encourage you to review this Policy periodically so you stay informed about how we protect your personal data.
Contact us and complaints
The fastest way to reach us about privacy is by email at hello@paywatan.com.
You also have the right to lodge a complaint with a data-protection supervisory authority. Because PayWatan operates from France and Denmark, the most relevant authorities are:
- France: Commission Nationale de l’Informatique et des Libertés (CNIL) — www.cnil.fr
- Denmark: Datatilsynet — www.datatilsynet.dk
You can also complain to the supervisory authority in the EU country where you live or work, or where you believe the issue occurred.
Questions?
We'll do our best to help.
If anything in these Terms is unclear, write to us — we read every message.