1. Overview
FDIC Wallet is a credential management application that allows residents to enroll for, receive, and safely store digital certificates issued by the Financial Digital Identity Certificate Authority (“FDIC Authority”, “we”, “us”). This Privacy Policy explains what personal data we collect, why we collect it, how it is protected, and the rights you have under the Kenya Data Protection Act, 2019 and the GDPR principles applied by FDIC Authority.
2. Information We Collect
2.1 Identity & contact data
- Full legal name, national ID or passport number, and date of birth
- Citizenship information and demographic attributes provided during enrollment
- Email address and mobile number for verification and notifications
2.2 Biometric & document data
- High-resolution photo of the user’s face captured via the mobile camera solely for one-to-one identity verification
- National ID number, full name, date of birth, and email address used for IPRS (Integrated Population Registration System) identity verification
2.3 Cryptographic artifacts
- Locally generated RSA key pairs (private keys remain on device; public keys are transmitted securely)
- Issued X.509 certificates and PKCS#12 backup files, encrypted with user-selected passwords
2.4 Device & usage data
- Model, OS version, and anonymized device identifier to enforce security policies
- Logs limited to error diagnostics (no behavioral analytics or advertising identifiers)
3. Purpose & Lawful Bases
We process personal data only where one of the following lawful bases applies:
- Performance of a contract: To create enrollment requests, verify identity through IPRS, issue certificates, and maintain audit logs.
- Legal obligation: Compliance with Kenya’s digital signature regulations, evidence retention, and know-your-customer requirements.
- Consent: Camera and storage access, email verification, and optional biometric capture rely on explicit user consent.
- Legitimate interests: Securing the platform, preventing fraud, and maintaining service integrity.
4. How We Use Data
- Verify identity through IPRS (Integrated Population Registration System) before a certificate is issued
- Generate and store certificate metadata for revocation, CRL, and OCSP services
- Send transactional communications such as email verification, enrollment status updates, and certificate expiry reminders
- Investigate abuse, comply with court orders, and produce audit logs requested by regulators
5. Sharing & Transfers
FDIC Authority does not sell personal data. Access is restricted to vetted personnel and essential processors:
- IPRS (Integrated Population Registration System): We share identity information (national ID number, name, date of birth, email) with IPRS for identity verification purposes as required by law
- Government agencies: When required for lawful identity validation
- Infrastructure vendors: Railway, AWS, and secure email providers acting under data processing agreements
- Certificate ecosystem partners: OCSP/CRL responders for relying-party validation
Whenever data leaves Kenya, we rely on encrypted channels, server-side encryption at rest, and contractual safeguards consistent with GDPR Articles 44–49.
6. Retention & Deletion
- Enrollment submissions are retained until issuance is completed or the request is withdrawn.
- Certificate lifecycle records are retained for the validity period plus seven (7) years, in line with Certification Practice Statements.
- Device-resident data remains under user control and is deleted when the app is uninstalled or secure storage is cleared.
- Backups and logs have defined schedules (90 days for operational logs, 24 hours for transient facial images unless mandated by law).
7. Security Measures
- End-to-end TLS 1.3, HSTS, and certificate pinning in the mobile app
- Hardware-backed keystore for private keys, biometric-gated access, and encrypted PKCS#12 exports
- Role-based access controls, multi-factor authentication for administrative personnel, and immutable audit trails
- Secure integration with IPRS for identity verification with encrypted API communications
- Regular penetration tests and compliance reviews against the Kenya Data Protection Act and ISO/IEC 27001 controls
8. Your Rights
Users may exercise these rights by emailing privacy@fdic-ca.company:
- Right to access copies of enrollment records and certificates
- Right to rectification of inaccurate or outdated information
- Right to erasure (subject to statutory retention requirements)
- Right to restrict or object to certain processing activities
- Right to portability for data you provided electronically
9. Children & Sensitive Data
FDIC Wallet is not available to individuals under 18 years of age. We do not knowingly process children’s data. Sensitive biometric data is handled with heightened safeguards, limited access, and purpose restriction.
10. Changes to This Policy
We will post every update to this page, refresh the “Last Updated” date, and notify users in-app or via email when changes are material. Continued use after updates constitutes acceptance.
Contact & Complaints
Data Protection Officer – Financial Digital Identity Certificate Authority
Email: privacy@fdic-ca.company
Support: support@fdic-ca.company
Postal: FDIC Authority, P.O. Box 12345-00100 Nairobi, Kenya
If your request is unresolved, you may escalate to the Office of the Data Protection Commissioner (ODPC), Kenya.