1. Introduction
Fyatu Financial Technologies Limited (“Fyatu,” “we,” “us,” “our”) is committed to protecting personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in connection with our card issuing platform, APIs, dashboard, and related services (collectively, the “Platform”).
This policy applies to:
- Client contacts — authorised representatives, directors, beneficial owners, and other individuals associated with a business entity that holds or applies for a Fyatu account
- Visitors — individuals who visit https://fyatu.com or our documentation
It does not govern how our Clients process their own cardholders’ personal data. For that, see Section 4.
By using the Platform, you confirm that you have read and understood this policy.
2. Our Role: Controller and Processor
Fyatu acts in two distinct capacities depending on whose data is involved:
Data Controller — for Client contact data. When we collect and process personal data about the individuals who represent a Client (directors, signatories, UBOs, account contacts), Fyatu is the data controller. We determine the purposes and means of that processing and are responsible for complying with applicable data protection law.
Data Processor — for cardholder data. When a Client uses the Platform to issue cards and manage cardholders, the Client is the data controller for their cardholders’ personal data. Fyatu processes that data only on the Client’s behalf, under the Client’s instructions, and as described in the data processing terms agreed between the parties. Cardholders seeking to exercise their data rights should contact the Client directly.
3. Data We Collect About You
Business Registration and KYC
When a business entity applies for or holds a Fyatu account, we collect:
- Company legal name, registration number, country of incorporation, and registered address
- Certificate of incorporation, certificate of good standing, and business licence
- Details of directors, authorised signatories, and ultimate beneficial owners (UBOs), including full name, date of birth, nationality, and government-issued ID
- Bank statements or financial references where required for enhanced due diligence
Account and Platform Use
Through your use of the Platform, we collect:
- API credential activity, dashboard login events, and session metadata
- Programme configuration settings, card product definitions, and spend control rules
- Transaction data, settlement records, and reconciliation reports associated with your programme
- Programme Balance funding transactions (stablecoin wallet addresses, deposit/withdrawal records)
- Support and communication history
Technical Data
We automatically collect the following when you access the Platform or our website:
- IP address and approximate geolocation
- Device type, operating system, and browser version
- Usage patterns, page views, and feature interactions
- Cookies and similar tracking technologies (see our Cookie Policy)
4. Cardholder Data
When your programme issues cards, your cardholders’ personal data (names, identity documents, transaction records, device tokens) is processed on the Platform on your behalf. As the data controller for your cardholders, you are responsible for:
- Having a lawful basis for collecting and sharing your cardholders’ data with Fyatu
- Providing your cardholders with appropriate privacy notices
- Handling cardholder data rights requests (access, deletion, correction, portability)
- Ensuring your use of the Platform complies with applicable data protection law in your operating markets
Fyatu processes cardholder data only to provide the agreed card issuing and programme management services, to comply with card network rules and applicable law, and for fraud prevention and AML monitoring.
We do not use your cardholders’ personal data for our own marketing purposes.
5. How We Use Your Information
We use Client contact and account data for the following purposes:
- Account verification and KYC — Verify the identity of individuals associated with the Client entity, conduct AML/CFT due diligence, and meet regulatory obligations
- Platform provision — Operate and maintain your card programme, process API requests, and provide technical support
- Billing and invoicing — Issue invoices, process payments, and manage your Programme Balance
- Security and fraud prevention — Detect suspicious activity, prevent unauthorised access, and protect the integrity of the Platform
- Legal and regulatory compliance — Meet obligations under Tanzanian law, card network rules (Visa/Mastercard), and BIN Sponsor requirements; respond to lawful authority requests
- Platform improvement — Analyse aggregated, anonymised usage data to improve features and performance
- Communications — Send platform notifications, security alerts, invoices, policy updates, and product announcements relevant to your account
6. Who We Share Data With
We share personal data only as necessary to provide the Platform or comply with legal obligations:
- KYC and identity verification providers — Third-party services that process identity documents and conduct AML screening for business and individual verification
- BIN Sponsors and card networks — Licensed financial institutions and Visa/Mastercard, who require certain data to issue cards and process transactions under their rules
- Banking and payment infrastructure partners — Providers that process Programme Balance funding, settlements, and disbursements
- Cloud and infrastructure providers — Hosting, storage, and security services operating under contractual data protection obligations
- Regulatory and law enforcement authorities — When required by Tanzanian law, card network rules, court order, or to prevent or report financial crime
We do not sell personal data. We do not share data with advertisers or unrelated third parties.
7. Data Security
We implement the following to protect personal data:
- Encryption — Data in transit is encrypted using TLS 1.2+; sensitive data at rest is encrypted
- Access controls — Role-based access to data with multi-factor authentication required for all staff accessing production systems
- API security — API keys are hashed at rest; all API calls require authentication and are logged
- PCI DSS compliance — Card data is handled in accordance with PCI DSS Level 1 standards through our BIN Sponsor partners; raw PANs are never stored on Fyatu infrastructure
- Monitoring — Continuous security monitoring, intrusion detection, and anomaly alerting
- Audits — Regular security assessments, penetration testing, and a vulnerability disclosure programme
No system is 100% secure. While we apply industry-standard controls, we cannot guarantee absolute security.
8. Data Retention
We retain personal data for as long as an account is active and for a maximum of 900 days following account closure. This applies to both Client contact data and cardholder data processed on your behalf.
After the 900-day retention period, data is permanently deleted or irreversibly anonymised. You may request confirmation of your data deletion timeline by contacting [email protected].
9. Your Rights
As a Client contact whose personal data Fyatu processes as a data controller, you have the following rights (subject to applicable law and AML retention obligations):
- Access — Request a copy of the personal data we hold about you
- Correction — Request correction of inaccurate or incomplete data
- Erasure — Request deletion of your data, subject to legal retention requirements
- Portability — Request your data in a structured, machine-readable format
- Objection — Object to processing for specific purposes
- Restriction — Request limitation of processing in certain circumstances
To exercise any of these rights, contact [email protected]. We will respond within 30 days. Note that AML regulations may limit our ability to delete certain records before the 900-day retention period expires.
Cardholders: If you are a cardholder on a programme operated by one of our Clients, please contact that Client directly to exercise your data rights. Fyatu processes cardholder data on the Client’s behalf and cannot respond to cardholder rights requests independently.
10. International Transfers
Your data may be transferred to and processed in countries other than your own, including Tanzania and the countries where our KYC providers, BIN Sponsors, and infrastructure partners operate. Where data is transferred internationally, we ensure appropriate contractual safeguards are in place with all recipients.
11. Cookies and Tracking
We use cookies and similar technologies on our website and dashboard to maintain sessions, remember preferences, and analyse usage. For full details, see our Cookie Policy.
You can manage cookie preferences through your browser settings. Blocking essential cookies may affect platform functionality.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the account contact address at least 30 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance.
13. Contact
For privacy-related inquiries or to exercise your data rights, reach us via your dedicated shared Slack channel or by email:
- Data protection inquiries: [email protected]
- Legal matters: [email protected]
- General support: [email protected]