M-pesa – Privacy Supplement

VCL Financial Services (“VCLFS”) is committed to continually augmenting the privacy of your personal information. To demonstrate its commitment, VCLFS has created this privacy supplement to communicate its intent to provide effective processes for the appropriate handling of such personal information and to comply with applicable legislation that governs the authentication, protection and disclosure of personal information.

This privacy supplement explains how VCLFS processes your personal information for the M-pesa services offered on the M-pesa application or the USSD (*111#, *200# and *201#) (collectively the “M-pesa Platforms”) to offer you the ability to pay for goods and services without carrying cash. Importantly, it is designed to provide additional contextual information to that already provided by VCLFS’s privacy notice.

This privacy supplement explains the information that is collected via the M-pesa Platforms and how it will be used.

By registering for the M-pesa Platforms you are bound by this privacy supplement, and you are further required to acknowledge the personal information processing activities contemplated herein.

Data Controller

VCLFS is the data controller (as defined in the Data Protection Act 5 of 2012) in respect of the personal information processed via your use of the M-pesa Platform.

How to contact us

Your opinion matters to us – if you have any questions about this privacy supplement, please contact our customer care on 114 or you can write to our privacy team at:

Privacy Office

Postal Address:

P.O. Box 7387,

Maseru 100



Personal information we collect about you

Information we collect about you

  • VCLFS will collect personal information when you register on the M-pesa Platforms. The personal information collected will include customer details such as date of birth (DOB), physical address, names, cell phone number (MSISDN), ID number, PIN and, in some cases, proof of source of income. This will enable VCLFS to recognise you during subsequent visits.
  • When performing a deposit and/or transaction on the M-pesa Platforms, VCLFS may process your approximate location information by determining how far you and/or a recipient are from the base stations forming our network (we do not track your geo-location). VCLFS processes this information to ensure that it complies with the Money Laundering and Proceeds of Crime Act 2008. VCLFS may also process the aforementioned information to limit and/or prevent instances of fraud, theft and/or unsuccessful transactions while providing the M-pesa service.
  • You can load your M-pesa account with your bank card. Bank card details such as cardholder’s name, card number, expiry date and CVV will be collected should you elect the option of making payment with your bank card.
  • VCLFS will collect additional personal information when you register for an account on the M-pesa Platforms. The personal information collected may include identification number, business registration number, nature of business, occupation address and source of funds.
  • M-pesa Platforms will also collect personal information from third-party information sources to fulfil its obligations to comply with the Money Laundering and Proceeds of Crime Act 2008 as amended should you register for an account.
  • For minor registration, through the guardian’s consent we collect the minor’s age, date of birth, gender, MSISDN and their full names.
  • We collect personal information when you first download the M-pesa app or use the USSD to set up your profile.
  • We also collect anonymous analytics information on how customers use the M-pesa app in order to improve the M-pesa app and troubleshoot. We use a variety of analytics methods including what is commonly referred to as “Big data analytics”. Big data analytics are mathematically driven analysis techniques on large and varied data sets (that is why it is “big” data) to uncover hidden patterns and previously unrevealed trends. At VCLFS we take governance of big data analytics seriously. Our data scientists are required to adhere to a Code of Ethics. We have a strict use case process that requires that privacy and data protection law checks are carried out before any use case commences. We also have strict rules ensuring that personal information is protected at the appropriate stage in the process.
  • We use our analytics to, for example:
    • Conduct market research and to carry out research and statistical analysis, including to monitor how customers use our networks, products and services; and
    • Frame our marketing campaigns and determine how we might personalise those.

How we use your personal information

VCLFS processes and discloses your personal information for specific and limited purposes. These include:

  • Processing bank card details to facilitate payments of goods and services purchased on the M-pesa Platforms.
  • Processing your and a deposit recipient’s approximate location relative to a base station on our network in order to comply with VCLFS’ obligations under the applicable Anti Money Laundering, terrorist financing and/or criminal laws.
  • Processing of account details to facilitate purchases of goods and services on the M-pesa Platforms, deposits and withdrawals into and out of the Wallet and domestic remittances from the Wallet.
  • Processing of personal information to assess and handle any customer queries, to develop and improve our products, services, communication methods and the functionality of M-pesa Platforms.
  • As our customer, you will be contacted by us to keep you informed about new and existing products and services, competitions, prize draws and other promotions, and we may use your personal information to run those competitions, prize draws, events and promotions, only to the extent that you have not, at any stage, objected to receiving such marketing communications.
  • We may send you marketing of all products or services provided within the M-pesa Platforms via SMS unless you have opted out.
  • Disclosure of your MSISDN as personal information to Merchants to facilitate the purchase of goods and services on the M-pesa Platforms when you consent to the disclosure and/or such disclosure is reasonably required to fulfil the transaction.

Where applicable, VCLFS will share information about you with:

VCLFS may also transfer and disclose your personal information to third parties who may process information on our behalf:

  • To comply with a legal obligation.
  • When we believe in good faith that applicable law requires it.
  • At the request of governmental authorities conducting an investigation.
  • To verify or enforce our “Terms of Use” or other applicable policies.
  • To detect and protect against fraud, or any technical or security vulnerabilities.
  • To respond to an emergency; or otherwise; and
  • To protect the rights, property, safety, or security of third parties and VCLFS.

What about the security of your personal information?

  • VCLFS takes the security of your personal information very seriously. VCLFS makes every effort to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure.
  • Our measures include implementing technology, policies and processes aimed at protecting the confidentiality, integrity and availability of your personal information. We will update and refine these measures on an ongoing basis.
  • You agree not to give or make available your means to access your M-pesa account to any unauthorised individuals. You are responsible for all transactions you authorise using the Wallet. If you permit other persons to use your M-pesa account, you are responsible for any transactions they authorise. VCLFS will not be liable for any claims where payments were made by unauthorised persons using your cellphone or credentials online. 
  • Access to your personal information is only permitted among our employees and agents on a need-to-know basis and subject to strict contractual confidentiality obligations when processed by third parties.

How long do we keep your personal information?

We may not retain your personal information any longer than is necessary for achieving the purpose for which your personal information was collected or subsequently processed. For example, where you make a purchase with us on the M-pesa app or using the USSD, we will keep the data related to your purchase so that we can perform the specific contract you have entered into. After that, we will keep the personal information for a period which enables us to handle or respond to any complaints, queries or concerns relating to the purchase, unless:

  • The retention of your personal information is required or authorised by law.
  • We reasonably require your personal information for a lawful purpose related to our functions or activities.
  • The retention of your personal information is required by a contract that we enter into with you.
  • You or a competent person consent to the retention of personal information relating to a child.

VCLFS will retain your payment records for a period of 10 years as required by law. After the 10-year period, your transaction data will be deleted from the live system.

VCLFS may also retain your personal information for the following reasons:

  • Your personal information may also be retained so that we can continue to improve your experience with us and to ensure that you receive any loyalty rewards which are due to you.
  • We retain the personal information we collect directly for targeting purposes for as little time as possible, after which we employ measures to permanently delete it.
  • We will actively review the personal information we hold and delete it securely, or in some cases anonymise it when there is no longer a legal, business or consumer need for it to be retained.

Keeping your personal information secure

We have specialised security teams who constantly review, improve, and ensure the implementation of appropriate, reasonable technical and organisational measures to protect your personal information from unauthorised access, accidental loss, disclosure, or destruction. We are required in terms of the Data Protection Act of Lesotho to notify you and the Information Regulator if any of your personal information has been compromised.

Communications over the internet (such as emails) aren’t secure unless they’ve been encrypted. Your communications may go through a number of countries before being delivered, as this is the nature of the internet.

We cannot accept responsibility for any unauthorised access or loss of personal information that is beyond our control.

We’ll never ask for your secure personal or account information by an unsolicited means of communication. You’re responsible for keeping your personal and account information secure and not sharing it with others.

Our website may provide links to third-party websites. We cannot be responsible for the security and content of such third-party websites. You are therefore required to make sure you read that company’s privacy and cookies policies before using or putting your personal information on their site.

The same applies to any third-party websites or content you connect to using our products and services.

You may choose to disclose your information in certain ways such as social plug-ins (including those offered by Google, Facebook, Twitter and Pinterest) or using third-party services that allow you to post reviews or other information publicly, and a third party could use that information.

Social plug-ins and social applications are operated by the social network themselves and are subject to their own terms of use and privacy and cookies policies. You should make sure you’re familiar with these.

Your rights

At VCLFS, we are committed to processing personal information honestly, ethically, with integrity, and always consistent with applicable laws and our values. Below we set out details on how you can exercise your rights. Please note, under certain circumstances these rights may be limited if we still have lawful grounds to process your personal information. If you have a question or cannot find the answer, please contact our call centre at 114.

Rights related to automated decision-making

VCLFS may process your personal information using automated means. An automated decision is a decision that is made solely by automatic means, where no humans are involved in the decision-making process related to your personal information. Automated processing in the M-pesa app is conducted to comply with FICA and to conduct fraud and risk control checks.

Right to correct personal information

If you become aware that any of the information we keep about you is incorrect or outdated, you can log into the M-pesa app or use the USSD *200# to edit your personal details.

VCLFS will allow you access to update your stored personal information in the M-pesa app and by usage of the USSD. You may add, delete and/or edit stored card data. You may also be able to change your PIN. You may amend personal information such as address, occupation and source of funds if you have elected to register for a Wallet. 

Right to access personal information

You have the right to request a record or description of personal information that we hold about you. This includes the right to request VCLFS to confirm, free of charge, whether it holds any personal information about you; as well as information about the categories of third parties who have, or have had, access to your personal information. To make this request please contact our Customer Services team at 114.

Right to object to use of personal information

You have the right, in certain circumstances, to object to VCLFS processing your personal information. In order for VCLFS to provide you with products and services, VCLFS is required to process your personal information, which is necessary for the conclusion or performance of a contract and to give effect to you signing up for an M-pesa account. As such, the provision of your personal information is mandatory and you may not object to same in order to continue using the M-pesa Platforms.

Under certain circumstances, you have the right to object to certain types of processing, including processing for direct marketing (i.e., receiving emails or SMS from us notifying you or being contacted with varying potential opportunities). If you no longer want to receive marketing messages from us, you can choose to opt out at any time within the M-pesa app.

How to lodge a complaint

If you want to contact us about any of your rights or should you believe that VCLFS has used your personal information contrary to applicable law, you undertake to first attempt to resolve any concerns with our Customer Services team at 114. If you are not satisfied with such process, you can write to our privacy team at:

Legal and Compliance

Privacy Office

Vodacom Park

585 Mabile Road

P.O.Box 7387



Right to restrict use of your personal information

If you feel that the personal information we hold on you is inaccurate, please update your personal information in the M-pesa app or using the USSD *200#. If you believe we shouldn’t be processing your personal information, please contact our Customer Services team at 114. In certain circumstances, for example where you contest the accuracy of your information, or where VCLFS no longer requires your information for achieving its purpose but must maintain it for purposes of proof, you have the right to ask us to restrict processing.

Right to deletion

VCLFS strives to only process and retain your personal information for as long as we need to. In certain circumstances, for example, where you indicate that your personal information is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully, you have the right to request that we erase your personal information that we hold. If you feel that we are retaining your personal information longer than we need, it is worth first checking that your contract with us has been terminated, which you can do with Customer Services. If your contract with us has been terminated, we may still have lawful grounds to process your personal information.

How does VCLFS keep this privacy supplement up to date?

  • VCLFS will update this privacy supplement when necessary to reflect customer feedback and changes in our products and services. If the changes are significant, we will provide a more prominent notice (including, for certain services, SMS notification of privacy supplement changes).
  • VCLFS will not reduce your rights under this privacy supplement.