Legal
Privacy Policy
Last updated: May 7, 2026
1. Who We Are
Cool is a product of IKANISA Ltd, a company registered in Rwanda. We provide a community finance mobile application for group savings (ibimina), wallet records, BioPay, and mobile-money evidence workflows for Rwandan cooperatives and informal savings groups.
Privacy contact: [email protected] · WhatsApp
2. Data We Collect
| Category | Data Points | Purpose |
|---|---|---|
| Identity | Phone number, WhatsApp number, full name, account identifiers, KYC/KYB status where required | Account creation, OTP verification, risk controls, compliance review |
| BioPay | Face embeddings, liveness metadata, enrollment consent, payout route metadata, match/revocation audit events | BioPay enrollment, payee matching, abuse prevention, audit evidence |
| Financial | Wallet, group, contribution, Mobile Money SMS evidence, ledger, reconciliation, receipt, and compliance-case records | Evidence-backed ledger, savings tracking, dispute handling, compliance reporting |
| Device and security | Device model, OS version, app version, App Check attestation, IP/network signals, SIM-change and velocity risk signals where available | Account security, fraud prevention, abuse detection, technical support |
| Usage and operations | Feature interactions, support events, notification delivery, admin/audit events, error and performance telemetry | Product improvement, reliability, auditability, incident response |
3. How We Use Your Data
- Savings Management: Recording and verifying group contributions via SMS-parsed evidence.
- Payment Processing: Initiating USSD sessions and verifying Mobile Money transactions.
- Compliance: Performing KYC/KYB, sanctions/PEP/adverse-media screening where required, generating reports, and responding to lawful requests.
- Account Security: WhatsApp OTP verification and session management.
- Product Improvement: Anonymized, aggregated analytics to improve features.
4. BioPay and Biometric Data
BioPay is optional. When you enroll, the app generates a face embedding from camera frames and sends the enrollment or match request to Cool's protected backend with device attestation. Cool does not intentionally store raw camera frames, and BioPay records are protected by Row Level Security, App Check, audit logs, revocation controls, and retention rules.
5. Mobile Money SMS Data
With your explicit permission on Android, Cool reads approved Mobile Money confirmation SMS messages to help verify and reconcile savings or wallet activity. This data is:
- Limited to approved Mobile Money sender IDs and uploaded through Firebase App Check-protected endpoints
- Stored as payment evidence, including hashes and parsed fields, in our secure database
- Used for ledger verification, reconciliation, dispute handling, fraud review, and support
- Redacted or deleted according to the applicable retention policy where legal obligations allow
- Never shared with third parties for marketing purposes
6. Data Sharing
We share your data only with:
| Recipient | Data Shared | Purpose |
|---|---|---|
| Licensed banks, PSPs, MNOs, and regulated partners | Identity, payment, settlement, dispute, and compliance records as needed | Approved financial services, reconciliation, safeguarding, and legal obligations |
| Regulators, auditors, and authorities | Reports, audit evidence, suspicious activity information, or records required by law | Regulatory compliance and lawful requests |
| Infrastructure and security vendors | Application data, authentication, device attestation, telemetry, and support records under contract | Hosting, authentication, security, monitoring, support, and incident response |
We do not sell, rent, or trade your personal data to any third party. We do not use any third-party payment gateway APIs. Offshore storage or vendor processing that involves personal data must be reviewed and approved before production use.
7. Data Security
- Row Level Security (RLS): Customer-facing database access is scoped to your user identity, with separate audited service and admin controls for operational workflows.
- App Check: Abuse-prone SMS ingest and OTP endpoints are protected by Firebase App Check in production.
- Encryption: Data is encrypted in transit using TLS and protected at rest through approved hosting and database controls.
- Evidence-Backed Ledger: Cryptographic hashing ensures transaction integrity.
- No Payment APIs: Cool does not integrate with any payment gateway. Payments are initiated via USSD by you.
8. Data Retention
- Active accounts: Data is retained while needed to operate your account, groups, wallet records, compliance obligations, support, and security controls.
- SMS evidence and parser payloads: Raw or detailed SMS evidence is minimized, redacted, or deleted according to approved retention windows, while hashes, references, and audit records may be retained for reconciliation and dispute evidence.
- Closed accounts: Personal data is deleted, anonymized, or restricted after account deletion where legal, regulatory, fraud-prevention, accounting, audit, and dispute obligations allow. Financial and compliance records may be retained for up to 7 years or longer if legally required.
- Legal holds: Records may be preserved when required for disputes, investigations, court orders, regulator requests, or incident response.
9. Your Rights
You have the right to:
- Access your personal data at any time via the app
- Correct inaccurate information in your profile
- Delete your account and request deletion or restriction of eligible personal data (see Account Deletion)
- Export your savings history and contribution records
- Object or restrict certain processing where applicable
- Withdraw consent for SMS reading at any time via device settings
10. Children's Privacy
Cool is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via in-app notification or SMS. Continued use of the app after notification constitutes acceptance.
12. Contact Us
For privacy-related questions, data access requests, or complaints:
- Email: [email protected]
- WhatsApp: +250 795 588 248
- Address: IKANISA Ltd, Kigali, Rwanda
- Privacy or DPO requests: use the email above with the subject line "Privacy Request".