Privacy Policy

Your privacy is important to us. This Privacy Policy ("Policy") applies to services provided by Collis LTD ("we", "us", or "Collis") through the Collis mobile application, website, and all related digital services that link to or reference this Policy (collectively, the "Platform" or "Services"). This Policy explains what information we collect from users of our Services (a "User", "you", or "your"), including information that may be used to personally identify you ("Personal Information"), and how we use it.

Collis does not sell your personal data to third parties. We encourage you to read this Policy in full. This Policy applies to any visitor to or user of our Services. Any capitalised terms used herein but not defined shall have the meaning set forth in our Terms of Service, available at collis.so/terms-of-service.

We reserve the right to change this Policy at any time. We will notify you of any material changes by posting a revised Policy to this page and/or by sending notice to the primary email address associated with your account at least fourteen (14) days before the changes take effect. You are responsible for ensuring we have a current and deliverable email address for you and for periodically reviewing this Policy for updates. Changes are effective when posted. Your continued use of our Services after we publish or send notice of changes to this Policy means that your Personal Information will be subject to the updated Policy

This Policy applies to your Personal Information when you visit our website, download and use the Collis application, or otherwise use the Services as a visitor, tourist, or temporarynon-resident in Rwanda. Collis LTD acts as the Data Controller for all Personal Information collected through the Platform, as authorised by Data Controller Certificate Registration Number 001/2279/0326 issued by the Data Protection and Privacy Office (DPPO) of Rwanda under Law No. 058/2021.

This Policy does not apply to the privacy practices of third-party services that operate in connection with our Platform. Specifically, it does not govern the data practices of XentriPay, which processes card top-up transactions and disburses funds to MTN Mobile Money accounts on our behalf, MTN Rwanda, or PayPal. Each of these services operates under its own terms and privacy policies, which we encourage you to review independently. Collis is not responsible for the privacy or data security practices of these third parties, which may differ from those set out in this Policy.

This Policy also does not apply to any third-party applications or services connected to the Platform through integration. Such third-party services are not part of our Services and are subject to their own policies and terms. The Platform or website may contain links to other websites. We have no control over those websites and they are subject to their own terms of use and privacy policies.

Information You Provide to Us

Account and Identity Information. To create an account and access the Collis Platform, you must complete our mandatory Know Your Customer (KYC) process before initiating any transaction. During registration and KYC, we collect your passport or government-issued national ID number and a copy of the document, country of residence and email address.

Biometric Data. As part of the KYC process, we collect a facial image and conduct a real-time biometric liveness check through our integrated KYC provider, Didit. This process confirms that the individual completing verification is a live person and matches the submitted identity document. Biometric data is treated as a sensitive data category and is processed with heightened protections in accordance with the Rwanda Data Protection Law.
Financial and Transaction Information. We collect information related to your use of the Platform's payment features, including wallet top-up amounts, recipient MTN Mobile Money (MoMo) numbers you enter, transfer amounts, withdrawal requests, and transaction timestamps. Collis never stores raw card data. All card processing is carried out within XentriPay's PCI-DSS compliant environment, and we do not receive or retain full card numbers or CVV codes.

Communications. We collect records of your interactions with the Collis customer support team, including emails, in-app messages, and any other correspondence you initiate with us.

Information We Receive from Third Parties

KYC and AML Verification. We receive identity verification results and AML screening outcomes from Didit, our integrated KYC and AML verification provider. This includes confirmation of document authenticity, biometric liveness check results, and screening outcomes against international sanctions lists, Politically Exposed Persons (PEP) databases, and adverse media sources.

Payment Processing. We receive transaction outcome data from XentriPay following card top up processing and MTN MoMo disbursements, including transaction reference numbers, success or failure status, and timestamps.

We do not purchase or receive Personal Information from data brokers, social media platforms, or commercial marketing data providers.

We use the information we collect for the following purposes:

• To create and manage your Collis account and verify your identity through mandatory
• KYC before enabling any transaction.
• To process wallet top-ups, mobile money transfers to MTN MoMo accounts, and withdrawals to PayPal;
• To deliver and improve the Platform and your overall user experience;
• To send you transaction confirmations, account alerts, security notifications, and important service updates;
• To conduct real-time AML screening and ongoing transaction monitoring in compliance with Rwandan AML regulations, BNR requirements, and FATF recommendations;
• To detect, prevent, and investigate fraud, account misuse, sanctions evasion, and other financial crime;
• To respond to your customer support requests and resolve Platform issues.
• To enforce our Terms of Service and protect Collis's legal rights;
• To maintain the security and integrity of the Platform;
• To create aggregate and de-identified data for platform improvement and analytics. We maintain such data in de-identified form and do not attempt to re-identify it;
• In connection with a merger, acquisition, or similar transaction, as described in Section 3;
• When required by law or to respond to legal process;
• At your direction, with your consent, or for any other purpose you expressly authorise

Collis does not sell, rent, or trade your Personal Information to any third party for commercial or marketing purposes. We disclose Personal Information only in the following circumstances, and always with appropriate contractual protections in place:

With Our Service Providers and Subprocessors. We share your Personal Information with third-party service providers who assist us in operating the Platform and delivering the Services. All subprocessors are bound by data processing agreements that impose protections no less rigorous than those in this Policy. Our current subprocessors include XentriPay, which processes card top-up transactions and disburses funds to MTN MoMo accounts on behalf of Collis under BNR License No. BNR/PI/2025/03; Didit, which conducts KYC identity verification, biometric liveness checks, and real-time AML screening; MTN Rwanda, which receives recipient MoMo numbers and transfer amounts to facilitate mobile money disbursements; PayPal, which processes wallet withdrawal requests; and our cloud infrastructure provider, which hosts and stores Platform data encrypted at rest and in transit.

With Regulatory and Law Enforcement Authorities. We may disclose your Personal Information to the Rwanda Financial Intelligence Centre (FIC) as required by mandatory AML reporting obligations, the National Bank of Rwanda (BNR) for regulatory reporting and compliance oversight, the Data Protection and Privacy Office (DPPO) in connection with data protection supervisory functions, and Rwandan law enforcement authorities or courts where required by a valid court order, warrant, or statutory obligation. Where legally permitted, we will notify you of any such disclosure before it occurs. We may be legally prohibited from doing so in certain circumstances, particularly in connection with criminal investigations or AML reporting.

In Connection with a Business Transfer. In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your Personal Information may be transferred to the relevant successor entity as part of that transaction. We will notify you of any such transfer and inform you of the successor entity's privacy commitments before the transfer takes effect.

With Your Consent or at Your Direction. We may share your Personal Information with third parties where you have expressly consented to such sharing or directed us to do so.

Aggregated and De-Identified Data. We may share aggregated, de-identified, or anonymised data derived from our users' information with third parties for analytics and business purposes. Such data cannot reasonably be used to identify you or any other individual.

The Collis Platform uses a limited set of cookies and similar tracking technologies. Cookies are small text files stored on your device that help our servers recognise your session, remember your preferences, and understand how the Platform is used. We use cookies only to the extent necessary to operate the Platform securely and to collect anonymised performance data.

Collis does not use advertising cookies, marketing trackers, or third-party profiling cookies of any kind. We do not use cookies to deliver targeted advertising or to track your activity across other websites or services.

The types of cookies we use are as follows. Essential cookies are required for secure login, maintaining your authenticated session, and enabling the core functionality of the Platform. These cookies cannot be disabled without preventing you from using the Platform. Analytics cookies collect anonymised, aggregated information about how the Platform is used, such as which screens are accessed most frequently and where technical errors occur. This data does not identify you personally and is used solely to improve Platform performance and reliability.

You may manage your cookie preferences through your browser or device settings. Please note that disabling essential cookies will prevent you from accessing or using the Platform. Disabling analytics cookies will not affect your ability to use the Platform.

We take reasonable and industry-standard steps to protect your Personal Information against unauthorised access, alteration, disclosure, misuse, or destruction. The security measures we implement include end-to-end encryption of all data transmitted to and from the Platform using TLS protocols, encryption of data stored at rest within our infrastructure, biometric and multi-factor authentication for Platform access, role-based access controls that limit internal staff access to Personal Information on a strict need-to-know basis, regular security assessments and penetration testing, real-time transaction monitoring and automated fraud detection systems, and a formal incident response procedure including data breach notification protocols.

Collis never stores raw card data. All card transaction processing occurs exclusively within XentriPay's PCI-DSS compliant environment, and we do not receive or retain full card numbers at any stage.

If you have an account with us, you are responsible for keeping your account credentials, PIN, and authentication information confidential. Your account is protected by the credentials you set during registration. We urge you to take steps to protect your Personal Information by not sharing your login details and by contacting us immediately at help@collis.so if you suspect any unauthorised access to your account. While we implement these measures, no security system is impenetrable. By using the Services, you acknowledge that you understand and agree to assume the residual risks inherent in any internet-based service.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, Collis will notify the DPPO without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly as soon as reasonably practicable, via the email address associated with your Collis account.

We retain your Personal Information while your account is active or as long as is necessary to provide the Services to you, comply with our legal obligations, resolve disputes, and enforce our agreements. This includes data you have provided to us directly and data generated from your use of the Services.

Specific retention periods that apply to your data are as follows. KYC and identity documents, including passport or ID copies and AML screening records, are retained for a minimum of five (5) years from the date of your last transaction, in accordance with Rwandan AML regulations and BNR requirements. Transaction records, including wallet top-ups, mobile money transfers, and withdrawal records, are retained for a minimum of ten (10) years in compliance with applicable Rwandan financial recordkeeping obligations. Biometric data collected during KYC verification is deleted promptly once the verification process is complete and the data is no longer required for that purpose. Account and contact information is retained for the duration of your active account and for three (3) years following account closure. Log and technical data is retained for twelve (12) months for security monitoring and fraud prevention purposes. Records of support communications are retained for three (3) years from the date of the last interaction.

Please note that we may retain information that is otherwise deleted in de-identified and aggregated form, in archived or backup copies as required pursuant to records retention obligations, or as otherwise required by law. Backup data held in immutable systems for disaster recovery purposes is not accessible for operational use and is overwritten in accordance with our backup rotation schedule. We will retain an archived copy of your records as required by law or for legitimate business purposes

Under Law No. 058/2021 of 13/10/2021 Relating to the Protection of Personal Data and Privacy in Rwanda, you have the following rights with respect to your Personal Information. To exercise any of these rights, please contact our Data Protection Officer at dpo@collis.so. We will respond to all valid requests within thirty (30) days of receipt and may need to verify your identity before processing your request.

You have the right to access the Personal Information we hold about you and to receive information about how and why it is processed. You have the right to request correction of any inaccurate or incomplete Personal Information we hold. You have the right to request deletion of your Personal Information, subject to our legal retention obligations under Rwandan AML and financial recordkeeping law, which may require us to retain certain records regardless of your request. You have the right to request that we limit the processing of your data in certain circumstances. You have the right to receive Personal Information you have provided to us in a structured, commonly used, machine-readable format. You have the right to object to processing of your Personal Information where we rely on legitimate interests as our lawful basis; we will cease such processing unless we can demonstrate compelling grounds that override your rights. Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal. You have the right to lodge a complaint with the Data Protection and Privacy Office (DPPO) of Rwanda at any time if you believe we have violated your data protection rights.

All users may also request to review, update, or correct the Personal Information held in their Collis account by contacting us at help@collis.so or by accessing the account settings within the Platform. For your protection, we may only update the Personal Information associated with the specific email address used to send us your request, and we may need to verify your identity before doing so.

If you wish to close your account, you may do so by contacting us at help@collis.so or through the account closure function within the Platform. Before closing your account, you must withdraw any remaining wallet balance to your PayPal account. Following account closure, any personally identifiable information associated with your account will be deleted as soon as reasonably practicable, subject to our legal retention obligations as described in Section 6 above.

We do not send marketing or promotional communications. All communications from Collis to you are service-related, including transaction confirmations, account security alerts, and

Your browser settings may allow you to automatically transmit a Do Not Track signal to websites and online services you visit. We do not alter our data practices in response to Do Not Track signals from a visitor's browser. This is because Collis does not engage in cross-site tracking, targeted advertising, or the kind of behavioural profiling that Do Not Track signals are designed to address. The analytics data we collect is anonymised and used solely to improve Platform performance, not to track individuals across other websites or services.

Collis is headquartered in and operates from the Republic of Rwanda. The Services are controlled and operated by us from Rwanda. If you are accessing the Services from outside Rwanda, your Personal Information will be processed in Rwanda and potentially in other jurisdictions where our subprocessors are located, including cloud infrastructure providers. By using the Services, you consent to the processing of your information in Rwanda and to other countries where we or our subprocessors operate, which may have data protection rules different from those of your country of residence. In certain circumstances, courts, law enforcement agencies, regulatory bodies, or security authorities in those countries may be entitled to access your Personal Information in accordance with their local laws. We take appropriate safeguards for all international transfers as described in this Policy, including ensuring that our subprocessors are bound by data processing agreements containing protections no less rigorous than those required under Rwandan law.

If you have any questions, complaints, or concerns about this Policy or the Platform, please contact us using the details below: