Launch app
LEGAL · PRIVACY POLICY

Privacy Policy.

What we collect, why, and what control you have — under UK GDPR and Kenya's Data Protection Act, 2019. Effective 12 June 2026; replaces the version dated 19 March 2024.

1Who is responsible for your data

The controller is Sargo Ltd, registered in England and Wales, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. Privacy questions and requests: privacy@sargo.io (general support: support@sargo.io). Because Sargo Ltd is a UK company serving people in Kenya, both UK GDPR / Data Protection Act 2018 and the Kenya Data Protection Act, 2019 apply to how we treat your personal data, and this policy is written to honour both. It covers our websites and the marketplace at app.sargo.io. Our services are not directed at children and we do not knowingly process children's data.

2What we collect

Identity & verification data — name, date of birth, identity document, a selfie photograph, liveness signals and the face-match result. The selfie and liveness data are biometric data: we are honest that identity verification involves processing them, with the safeguards in section 3. Contact data — email address and, if you apply as a merchant, the answers on your application. Wallet & transaction data — your wallet address, orders, escrow events, amounts, rates, timestamps, dispute records and in-platform messages. Payment-rail details — the M-Pesa or bank details you provide to receive payment in a trade. Technical data — IP address, device and browser information, and logs generated when you use the marketplace. This marketing website sets no cookies and runs no analytics. The app at app.sargo.io uses only what is necessary for sign-in, security and order processing, and tells you there if that changes.

3Why we use it, and the lawful bases

To provide the marketplace — accounts, orders, escrow coordination, support — we process your data to perform our contract with you. To meet legal obligations we verify identity, screen sanctions, monitor transactions and keep records under anti-money-laundering and counter-terrorism-financing law. Biometric verification (selfie, liveness, face match) is carried out with your explicit consent, collected at the moment of verification, through licensed identity-verification providers acting on our instructions; if you do not consent, we cannot open a trading account, because the law requires us to know who we serve. For platform security, fraud prevention, service improvement and rating systems we rely on our legitimate interests, balanced against your rights. We send marketing only with your consent, and you can withdraw it at any time.

4Who sees your data

Your counterparty. P2P means the person on the other side of your trade must see enough to pay you: the payment name and account or phone number you provide for the order. They hold that information independently of Sargo; trade only at sizes and with details you are comfortable sharing. Our providers — identity-verification, infrastructure, security and professional advisers — process data only on our instructions and under contract. Authorities — we disclose where the law requires or permits it, including to financial-crime and tax authorities in Kenya and the UK. Business changes — if Sargo is reorganised or sold, your data may transfer with the business under this policy's protections. Disputes: a zero-knowledge payment proof shows the contract that a transfer happened — Sargo receives the verification outcome, never your banking credentials or session. Support chat. Our site can include the Intercom messenger; when active, the messages you send and basic device data are processed by Intercom Inc. as our processor, under contractual safeguards for international transfers.

5What we never do

We do not sell your personal data. We do not run third-party advertising or targeting cookies on this website. We do not use your data for automated decisions producing legal effects without human review — verification outcomes can always be escalated to a person at privacy@sargo.io.

6Blockchains are public and permanent

Your wallet address and on-chain transactions (escrow locks, releases, amounts) are recorded on public blockchains such as Base and Celo. That record is worldwide, replicated and immutable: nobody, including Sargo, can edit or erase it. Erasure rights therefore apply to the data Sargo holds off-chain (your identity records, application, logs), not to public-ledger data. We never publish your identity to a blockchain; the link between your name and your wallet exists only in our off-chain records, protected as described here.

7International transfers

Sargo Ltd is in the UK; many users are in Kenya; some providers operate elsewhere. When personal data moves between these places we use recognised safeguards — appropriate contractual clauses and, where applicable, adequacy arrangements — so it keeps an equivalent level of protection, as required by both UK GDPR and Kenya's DPA (including its cross-border transfer rules). Details of the safeguards we use are available from privacy@sargo.io.

8Security and retention

We protect personal data with access controls, encryption in transit, segregated verification processing through licensed providers, and least-privilege access for staff; we have a breach-response procedure and will notify you and the relevant regulator where the law requires. We keep data only as long as needed: identity-verification and transaction records for 7 years after your relationship with us ends, as anti-money-laundering law requires; merchant applications for up to 24 months if not taken forward; technical logs for shorter operational periods. We then delete or irreversibly anonymise.

9Your rights

Under both regimes you can ask us for access to your data, correction, erasure (subject to the legal-retention and on-chain limits above), restriction, objection to legitimate-interest processing, portability of data you provided, and to withdraw consent at any time without affecting past processing. Write to privacy@sargo.io; we answer within one month and never charge for a reasonable request, though we may need to verify it is really you. You can complain to the Office of the Data Protection Commissioner (ODPC), Kenya or to the Information Commissioner's Office (ICO), United Kingdom — though we would welcome the chance to put things right first.

10Changes to this policy

We keep this policy under review and will post updates here with a new effective date; for material changes affecting marketplace users we will also notify you through the Platform. Earlier versions are available on request.