Privacy Policy
Instanly Mobile Application
Last updated: June 30, 2025
Version: 3.0 | Effective date: July 1, 2025
Privacy Commitment
Instanly SARL ("we", "our", "us") is firmly committed to protecting your privacy and personal data. This Privacy Policy transparently details how we collect, use, store, and protect your information when using our mobile application for instant money transfers and interoperability between African mobile wallets.
1. Entity Identification and Legal Status
1.1 Company Identity
- Corporate name: Instanly SARL (Limited Liability Company)
- RCCM: CI-ABJ-03-2022-B12-00621
- Head office: Riviera 3, Boulevard Latrille, Abidjan, Côte d'Ivoire
- Share capital: 1,000,000 FCFA
- Phone: +225 07 0153 7372
- Corporate email: contact[@]instanly.com
- Website: https://instanly.com
1.2 Operating Jurisdictions
- Primary jurisdiction: Republic of Côte d'Ivoire, Mauritius
- Secondary jurisdictions: United States of America (cloud services)
- Target markets: 35+ African countries
- Regulatory compliance: BCEAO, UMOA, FDA (USA), GDPR (EU)
1.3 Nature of our Services
IMPORTANT CLARIFICATION: Instanly is a technology service provider and NOT a financial institution. We never hold user funds and do not provide wallets, accounts, or deposit services. We act exclusively as an API interoperability layer that connects users to licensed financial partners who execute the actual transfers. Funds are debited from the sender and instantly credited to the recipient via licensed providers.
2. Personal Data Collected
To provide and improve our services in compliance with KYC/AML regulations and security requirements, we collect the following categories of personal data:
2.1 Identification and KYC Data
- Full name: First name(s) and last name(s)
- Date of birth: For age verification and compliance
- Identity document: Number and photo of national ID, passport, or driver's license
- Nationality: Country of citizenship
- Residential address: Complete postal address
- Profession: Declared professional activity
- Estimated income: Income level for risk assessment
2.2 Contact and Communication Data
- Phone number: Primary and secondary numbers
- Email address: Primary and recovery addresses
- Communication preferences: Channel choices (SMS, email, push, WhatsApp)
- Preferred language: French, English, or local languages
- Time zone: To optimize notifications
2.3 Transactional and Financial Data
- Transfer history: Amounts, recipients, dates, statuses
- Beneficiary information: Names, phone numbers, relationships
- Payment methods: Mobile wallets used and preferred
- Commissions and fees: Rate calculations and applications
- Reference codes: Unique transaction identifiers
- Transfer reasons: Declared purposes (family, business, etc.)
- Transaction geolocation: Origin and destination countries
2.4 Technical and Usage Data
- Device information: Model, OS, version, RAM, storage
- Unique identifiers: Device ID, Advertising ID, UUID
- IP address: IPv4/IPv6 for geolocation and security
- Session data: Duration, pages visited, actions performed
- Activity logs: Connection logs, errors, crashes
- Performance data: Response times, network latency
- User preferences: Settings, customizations, favorites
2.5 Biometric and Security Data
- Fingerprints: Cryptographic hash (never the actual fingerprint)
- Facial recognition: Mathematical templates only
- Voice recognition: Voice patterns for authentication
- PIN codes and passwords: Stored with BCrypt encryption
- Authentication tokens: JWT and session tokens
- Security certificates: Public/private keys
2.6 Analytics and Behavioral Data
- Firebase Analytics: Anonymized usage events
- Usage patterns: Frequency, schedules, preferences
- User journey: Application navigation
- A/B Testing data: Interface and feature tests
- User feedback: Ratings, comments, suggestions
- Customer support: Conversation and ticket history
3. Data Processing Purposes
3.1 Primary Purposes (Contract Performance)
- Executing money transfers: Secure and instant transaction processing
- Identity verification (KYC): Compliance with financial regulations
- Fraud prevention: Detection and prevention of suspicious activities
- Customer support: Technical assistance and problem resolution
- Providing receipts: Transaction documentation
3.2 Secondary Purposes (Legitimate Interest)
- Service improvement: User experience optimization
- Platform security: Protection against cyberattacks
- Analytics and statistics: Usage trend analysis
- New feature development: Product innovation
- Regulatory compliance: Legal obligation fulfillment
3.3 Purposes with Explicit Consent
- Personalized marketing: Offers tailored to preferences (OPT-IN only)
- Referral program: Recommendation and bonus management
- Push notifications: Personalized transaction alerts
- Precise geolocation: Location-based services
- Social media sharing: Success and achievement publishing
What we NEVER do
- Use your data for advertising profiling purposes
- Sell your data to third parties
- Share your data without your explicit consent
- Use your biometric data for commercial purposes
- Access your data without legitimate reason
4. Data Security and Protection
4.1 Technical Security Measures
| Domain | Applied Measures | Standards/Certifications |
| --- | --- | --- |
| Encryption in Transit | TLS 1.3, Perfect Forward Secrecy | FIPS 140-2 Level 3 |
| Encryption at Rest | AES-256-GCM, rotating keys | FIPS 140-2 Level 4 |
| Authentication | MFA, biometrics, JWT tokens | OATH TOTP/HOTP |
| Infrastructure | Secure AWS/Azure, WAF | SOC 2 Type II, ISO 27001 |
| Monitoring | 24/7 SIEM, anomaly detection | NIST Cybersecurity Framework |
4.2 Organizational Measures
- Principle of least privilege: Minimal necessary access
- Environment separation: Isolated production/test/development
- Security training: Staff sensitized to best practices
- Regular audits: Quarterly assessments by external parties
- Incident management: Defined response procedures
- Secure backup: Encrypted and geo-replicated backups
4.3 Sensitive Data Protection
Biometric Data
- Storage in mathematical templates only
- Impossible to reconstruct original data
- AES-256 encryption with HSM keys
- Access restricted to authorized administrators
Financial Data
- Tokenization of sensitive information
- PCI-DSS level 1 compliance
- Complete and immutable audit trails
- End-to-end encryption
5. Data Storage and International Transfers
5.1 Data Location
| Data Type | Primary Location | Secondary Location | Purpose |
| --- | --- | --- | --- |
| KYC/Identity Data | Côte d'Ivoire (MTN Data Center) | Germany (Private Cloud) | Local compliance + Backup |
| Transactional Data | Multi-region Africa | Europe (AWS Frankfurt) | Performance + Redundancy |
| Logs and Analytics | United States (Google) | Europe (Google) | Processing and analysis |
| Biometric Data | Côte d'Ivoire only | N/A | Maximum protection |
5.2 International Transfer Safeguards
- Standard Contractual Clauses (SCC): Compliant with EU adequacy decisions
- Binding Corporate Rules (BCR): Binding internal rules
- Privacy Shield certification: Equivalent protection level
- Impact assessment (DPIA): Risk analysis by jurisdiction
- Redress mechanisms: Complaint channels in each country
5.3 Cloud Partners and Subprocessors
| Partner | Service | Location | Certifications |
| --- | --- | --- | --- |
| Cloudflare / Amazon Web Services | Cloud infrastructure | Multi-regions | SOC 1/2/3, ISO 27001, PCI-DSS |
| Google Firebase | Analytics, authentication | Europe, United States | ISO 27001, SOC 2 |
| MTN CLOUD CI | Côte d'Ivoire Data Center | Abidjan, CI | ISO 27001, Tier III |
| WORKCLOUD | AFRICA Backup | Abidjan, Ivory Coast | ISO 27001, HDS |
6. Data Sharing with Third Parties
6.1 Licensed Financial Partners (Contractual Necessity)
Payment Service Providers (PSP)
- MTN Mobile Money: MTN transfer execution
- Orange Money: Orange payment processing
- Moov Money: Moov transaction management
- Wave: API integration for Wave transfers
- M-Pesa (Safaricom): Kenya/Tanzania transactions
- Airtel Money: Multi-country Airtel coverage
- Plus 15+ others
Data shared: Name, phone number, amount, transaction reference
Legal basis: Transfer contract performance
Aggregators and Technical Partners
- PAIEMENTPRO: Multi-operator aggregation platform
- HUB2: UEMOA interoperability services
- BUI: Digital payment solutions
- Flutterwave: Africa payment infrastructure
Data shared: Minimal necessary transactional information
Safeguards: Data processing agreements, end-to-end encryption
6.2 KYC and Compliance Providers
- Jumio: Automated identity verification
- Onfido: Identity document validation
- Smile Identity: Africa KYC specialist
- Trulioo: Global identity verification
Data shared: Identity documents, photos, biographical data
Retention period: Maximum 90 days for verification
6.3 Authorities and Regulatory Bodies
Legal Communication Obligations
We may be required to share your data with:
- BCEAO: Central Bank of West African States
- CENTIF-CI: National Financial Information Processing Unit
- General Tax Directorate: Tax obligations
- Judicial authorities: Upon requisition or letters rogatory
- INTERPOL/Police: Fight against terrorism and money laundering
Notification: You will be informed unless expressly prohibited by law
6.4 Analytics Platforms (Pseudonymized Data)
- Google Analytics: Anonymized usage analysis
- Firebase Analytics: Engagement metrics
- Mixpanel: Pseudonymized user events
- Amplitude: User journey analysis
Data shared: Anonymous identifiers, usage events, technical data
Opt-out available: Via application settings
7. Your Rights and How to Exercise Them
7.1 Fundamental Rights (GDPR and National Laws)
Right of Access (Article 15 GDPR)
- Obtain a copy of all your personal data
- Know the processing purposes
- Identify recipients of your data
- Know the retention period
- Response time: Maximum 30 days
- Format: Secure PDF or JSON export
Right to Rectification (Article 16 GDPR)
- Correct inaccurate data
- Complete incomplete data
- Update your personal information
- Implementation: Immediate in the application
- Propagation: Automatic notification to partners
Right to Erasure / "Right to be Forgotten" (Article 17 GDPR)
- Deletion of your personal data
- Conditions: No legal retention obligation
- Exceptions: Transactional data (10-year retention)
- Process: Anonymization of non-deletable data
Right to Restriction of Processing (Article 18 GDPR)
- Temporarily freeze the use of your data
- Maintain data without processing it
- Application cases: Data contestation, processing objection
Right to Data Portability (Article 20 GDPR)
- Retrieve your data in a structured format
- Transfer your data to another service
- Available formats: JSON, CSV, XML
- Includes: Profile, history, preferences
Right to Object (Article 21 GDPR)
- Object to processing based on legitimate interest
- Refuse direct marketing
- Opt-out of behavioral analyses
- Effect: Immediate cessation of concerned processing
7.2 Biometric Data Specific Rights
- Explicit consent required: Mandatory manual activation
- Simple revocation: One-click deactivation
- Immediate deletion: Definitive erasure upon request
- No transfer: Local storage only
7.3 Minor-Specific Rights (Under 18 years)
Enhanced Protection for Minors
- Minimum age: 16 years with parental authorization
- Parental consent: Mandatory verification
- Minimal data: Collection limited to strictly necessary
- Enhanced erasure right: Priority deletion
- No profiling: Behavioral analyses prohibited
7.4 How to Exercise Your Rights
8. Legal Basis for Processing
8.1 Categorization by Legal Basis
| Legal Basis | Data Concerned | Purposes | Duration |
| --- | --- | --- | --- |
| Explicit Consent | Biometric data, precise geolocation | Authentication, geolocated services | Until revocation |
| Contract Performance | Identity, contact details, transactions | Money transfers, customer support | Contract duration + 5 years |
| Legal Obligation | KYC, transaction history | AML/CFT compliance, taxation | 10 years minimum |
| Legitimate Interest | Analytics, security logs | Service improvement, security | 3 years maximum |
8.2 Legitimate Interest Assessment
We have conducted impact assessments (DPIA) for each processing based on legitimate interest:
- Necessity test: Is processing necessary to achieve the objective?
- Proportionality test: Are the means proportionate to the purpose?
- Balance test: Do our interests outweigh your rights?
9. Data Retention Period
9.1 Detailed Retention Schedule
| Data Category | Active Retention | Intermediate Archiving | Final Fate |
| --- | --- | --- | --- |
| Identification data (KYC) | During relationship + 5 years | 5 additional years | Definitive deletion |
| Transaction history | 10 years (legal obligation) | 5 years (tax archiving) | Anonymization |
| Biometric data | During use | Not applicable | Deletion upon deactivation |
| Technical logs | 3 years | 2 years (security) | Definitive deletion |
| Marketing data | 3 years after last interaction | Not applicable | Definitive deletion |
| Customer support | 3 years after resolution | 2 years (improvement) | Anonymization |
9.2 Automatic Purge Process
- Monthly review: Identification of data to be deleted
- Secure deletion: Multiple overwrite + physical destruction
- Certification: Destruction certificate by providers
- Audit logs: Complete traceability of deletions
10. Cookies and Tracking Technologies
10.1 Types of Cookies Used
Strictly Necessary Cookies (Exempt from Consent)
- Session ID: Maintaining user session
- CSRF Token: Protection against cross-site attacks
- Security settings: Security configuration
- Duration: Session only
Performance Cookies (Consent Required)
- Google Analytics: _ga, _gat, _gid
- Firebase Performance: Performance metrics
- Hotjar: Session recordings (anonymized)
- Duration: 2 years maximum
Functionality Cookies (Consent Required)
- Language preferences: Language memorization
- Interface theme: Dark/light mode
- Favorites: Frequent beneficiaries
- Duration: 1 year maximum
10.2 Consent Management
- Consent banner: Granular choice by category
- Preference center: Modification at any time
- Simplified opt-out: One-click refusal
- DNT respect: Honor "Do Not Track" signal
10.3 Alternative Technologies
- Local Storage: Local storage of preferences
- Session Storage: Temporary session data
- IndexedDB: Local database for offline
- WebRTC: Real-time communication (customer support)
11. Incident Management and Data Breaches
11.1 Breach Notification Procedure
Incident Response Plan (24/7)
- Detection: Automatic SIEM systems + human monitoring
- Containment: Immediate isolation of affected systems
- Assessment: Risk level classification (1-4)
- Authority notification: CNIL within 72 hours if high risk
- User notification: Within 72 hours if risk to rights
- Remediation: Vulnerability correction
- Final report: Post-incident analysis and improvements
11.2 Types of Incidents Covered
- Unauthorized access: System intrusion
- Data leakage: Accidental information exposure
- Alteration: Unauthorized data modification
- Loss: Accidental data destruction
- Ransomware: Malicious system encryption
- Social engineering: Staff manipulation attempts
11.3 Incident Communication
12. Multi-Jurisdictional Compliance
12.1 General Data Protection Regulation (GDPR)
- Applicability: Users residing in the EU
- EU Representative: GDPR-Rep.eu, Germany
- Supervisory authority: CNIL (France) - lead authority
- Redress mechanism: Free complaint to CNIL
12.2 California Consumer Privacy Act (CCPA)
- Applicability: California residents
- Specific rights: "Do Not Sell", sale disclosures
12.3 Personal Data Protection Law (Côte d'Ivoire)
- Supervisory authority: Telecommunications Regulatory Authority (ARTCI)
- Declaration: File declared under number xxxx (Pending)
12.4 Other Applicable Regulations
- Nigeria (NDPR): Compliance for Nigerian users
- Kenya (DPA 2019): Data protection in Kenya
- Ghana (DPA 2012): Ghanaian regulation
- UEMOA: Regional banking directives
13. Policy Updates
13.1 Versioning and History
- Current version: 3.0 (June 30, 2025)
- Previous version: 2.1 (March 15, 2025)
- Next scheduled review: December 2025
- Archiving: All versions available upon request
13.2 Modification Process
- Impact analysis: Assessment of regulatory changes
- Internal consultation: Legal and technical review
- DPO validation: Compliance and consistency
- Prior notification: 30 days before effective date
- Publication: Website, application, email
13.3 Types of Modifications
Minor Modifications (Simple Notification)
- Typographical error corrections
- Editorial clarifications
- Contact information updates
Major Modifications (Consent Required)
- New processing purposes
- New data recipients
- Extension of retention periods
- New processing technologies
14. Glossary and Definitions
Technical Terms
- API: Application Programming Interface
- End-to-end encryption: Data protection from sender to receiver
- Hash: Unique and irreversible digital fingerprint
- Token: Temporary authentication token
- UUID: Universally Unique Identifier
Legal Terms
- Personal data: Any information relating to an identified or identifiable person
- Processing: Any operation on personal data
- Data controller: Entity that determines purposes and means
- Data processor: Entity that processes on behalf of the controller
- Pseudonymization: Replacement of direct identifiers
Financial Terms
- KYC: Know Your Customer
- AML: Anti-Money Laundering
- CFT: Combating the Financing of Terrorism
- PSP: Payment Service Provider
- Mobile Money: Mobile phone payment service
16. Disclaimer and Limitations
Nature of our Services
IMPORTANT REMINDER: Instanly is a technology service provider and NOT a financial institution. We never hold user funds and do not offer banking services. We act exclusively as an interoperability platform that connects users to licensed financial service providers.
Partner Brands and Logos
Intellectual property: All logos and icons representing mobile money operators (MTN, Orange, Moov, M-Pesa, Airtel, Wave, etc.) used in the Instanly application and website are the property of their respective holders. They are displayed solely to indicate interoperability and compatibility with their services and do not imply any ownership, partnership, or endorsement except where explicitly stated otherwise.
PSP Responsibility
Licensed payment service providers (PSPs) are responsible for holding, debiting, and crediting funds under regulatory supervision. Instanly cannot be held responsible for decisions, policies, or malfunctions of partner PSPs.