Cookie & Tracking Policy
How Kuata uses device identifiers, session tokens, local storage, and tracking technologies
Version 1.0 · Effective Date: 1 May 2026
1. Scope & Purpose
This Cookie & Tracking Policy ("Policy") explains how Kuata Tecnologias Lda. ("Kuata", "we", "us") uses cookies, device identifiers, session tokens, local storage, software development kit (SDK) tracking, and similar technologies (collectively "Tracking Technologies") in:
The Kuata mobile application ("App") — Android and iOS
The Kuata website and web portal (kuata.ao and any subdomains)
Any API integrations or web-based verification flows accessible through the App
This Policy is an integral part of our Privacy Policy and must be read together with it. It is designed to be fully compliant with:
Legal Instrument / Standard | Jurisdiction | Specific Provision |
|---|---|---|
Lei n.o 22/11 — Data Protection (Angola) | Republic of Angola | Art. 5 (data minimisation), Art. 7(a) (consent), Art. 17 (security) |
GDPR — Regulation (EU) 2016/679 | EU / best-practice standard | Art. 5(1), Art. 6(1), Art. 13, Recital 30 (device IDs) |
ePrivacy Directive 2002/58/EC (Cookie Law) | EU / international best practice | Art. 5(3) — prior consent for non-essential cookies |
ISO/IEC 27001:2022 — Information Security | International standard | Controls A.8 (asset management), A.9 (access control) |
ISO/IEC 27701:2019 — Privacy Information Management | International standard | PIMS controls for consent management and tracking minimisation |
BNA Notice 02/24 — AML/CFT | Republic of Angola | Device attestation requirements for payment security |
2. Our Fundamental Principles
Kuata's tracking architecture is governed by four non-negotiable principles:
1. Minimal collection — We collect only what is technically required for security, authentication, or legal compliance. No speculative collection.2. No advertising — We do not use advertising cookies, tracking pixels, retargeting tags, or any technology that profiles you for commercial advertising. This applies to both the App and the website.3. No third-party data sales — We do not sell, license, or share tracking data with any data broker, advertising network, or social media platform.4. Transparency — Every Tracking Technology we use is documented here. If it is not in this document, we do not use it.
3. What Are Tracking Technologies?
Tracking Technologies is a collective term for several types of data collection mechanisms used in mobile apps and websites:
Technology Type | Description | Where Used by Kuata |
|---|---|---|
Cookies | Small text files stored in a browser, identified by domain and name | Website (kuata.ao) only — NOT used in the mobile App |
Session tokens | Cryptographic tokens that identify an authenticated session — stored in secure memory, not persistent files | App and website |
Device identifiers | Hardware-attested IDs unique to a specific device, used to bind your account to your hardware | App only |
Local storage / cache | App-local encrypted storage used to cache document data for offline use | App only |
SDKs (Software Development Kits) | Third-party code libraries embedded in the App that may collect technical telemetry | App — specific SDKs documented in Section 7 |
Pixel tags / web beacons | Invisible 1x1 pixel images embedded in emails or web pages that signal when viewed | NOT USED by Kuata |
Fingerprinting | Inferring a unique device identity from combinations of browser or device attributes | NOT USED by Kuata |
4. Tracking Technologies in the Mobile App
The App does not use browser cookies. Instead, it uses the following mobile-specific technologies:
4.1 Authentication Session Tokens — ESSENTIAL / STRICTLY NECESSARY
Legal basis: Law 22/11 Art. 7(b) (contract performance); GDPR Art. 6(1)(b); BNA Notice 02/24
Field | Detail |
|---|---|
Purpose | Maintains your authenticated wallet session after biometric or PIN login. Binds the session to your specific device and verified identity to prevent session hijacking. |
Data stored | Cryptographic session token (pseudonymous — not linked to your name or BI number in the token itself). Expiry timestamp. Device binding hash. |
Storage location | In-memory session storage. NOT written to persistent disk storage. Cleared immediately on logout or timeout. |
Duration | Active session duration only. Automatically expires after 15 minutes of inactivity. Immediately invalidated on logout or Remote Wallet Lock activation. |
Can you opt out? | No. Session tokens are required for the App to function securely. Disabling them would make authenticated access impossible. |
Third-party access | None. Session tokens are Kuata-generated and Kuata-verified only. |
4.2 Device Attestation Identifier — ESSENTIAL / SECURITY
Legal basis: Law 5/20 Art. 8 (AML CDD); BNA Notice 02/24; GDPR Art. 6(1)(c)
Field | Detail |
|---|---|
Purpose | Hardware-backed unique device binding used for: (1) fraud prevention — detecting one account being accessed from multiple devices, or multiple accounts from one device; (2) AML monitoring — flagging anomalous device patterns; (3) document signing — confirming the JWS signature originated from a hardware-attested device. |
Data stored | Hardware attestation certificate from Android SafetyNet Attestation API / iOS DeviceCheck. Derived device binding hash (one-way hash — the original attestation certificate is not stored after processing). |
Storage location | Kuata's secure backend. Also referenced locally in the device keystore. |
Duration | Retained for the lifetime of the account and for 10 years post-account-closure under AML obligations. |
Can you opt out? | No. Device attestation is a mandatory security and AML compliance requirement. Without it, we cannot operate as a BNA-authorised payment service provider. |
Third-party access | The attestation check is performed against Google (Android) or Apple (iOS) attestation servers. These servers confirm hardware genuineness only; they do not receive your personal data. |
4.3 Biometric Key Binding — ESSENTIAL / SECURITY
Legal basis: Law 22/11 Art. 22 (biometric data); GDPR Art. 9(2)(a) (explicit consent)
Field | Detail |
|---|---|
Purpose | Binds your wallet to your biometric credential (fingerprint or facial recognition) via your device's hardware secure enclave. Used for: (1) authenticating wallet access; (2) authorising payment initiations; (3) signing document presentations. |
Data stored | A cryptographic key pair generated by and stored in the device's hardware secure enclave (Android StrongBox Keymaster / iOS Secure Enclave). The biometric image or scan is NOT stored by Kuata or on the device by the App. The key is unlocked by your biometric but the biometric material itself is handled exclusively by the device OS. |
Storage location | Device hardware secure enclave ONLY. Kuata's servers hold only the public key (used for signature verification). The private key never leaves your device hardware. |
Duration | Until you remove biometric authentication, reset your device, or delete your account. |
Can you opt out? | You may disable biometric authentication and use PIN-only access. Contact Settings > Security > Biometric Authentication. Disabling biometrics does not affect wallet functionality. |
Legal basis | Explicit consent obtained via a separate consent flow at onboarding. Biometric data is a special category under Law 22/11 Art. 22 and GDPR Art. 9. |
4.4 Offline Document Cache — ESSENTIAL / PRODUCT FUNCTION
Legal basis: Law 22/11 Art. 7(b) (contract performance); GDPR Art. 6(1)(b)
Field | Detail |
|---|---|
Purpose | Stores an encrypted local copy of your digital documents on your device to enable offline QR code generation and NFC presentation without internet connectivity. Critical for police checkpoints and low-coverage areas. |
Data stored | Encrypted serialised document payloads (BI, licence, registration, etc.) including all document fields, cryptographic JWS signatures, and validity timestamps. AES-256 encrypted with a key stored in the device keystore. |
Storage location | App-private local storage on your device. Not accessible to other apps on your device. Not backed up to cloud storage services. |
Duration | Present as long as the App is installed. Signatures refresh on each internet connection. Cleared when: (a) you delete the App, (b) you activate Remote Wallet Lock, (c) you delete your account. |
Can you opt out? | Offline mode can be disabled in Settings > App Features > Offline Mode. Disabling it means you can only present documents when connected to the internet. |
4.5 Anonymous Analytics — OPTIONAL / CONSENT REQUIRED
Legal basis: Law 22/11 Art. 7(a) (consent); GDPR Art. 6(1)(a) — legitimate interest with opt-out
Field | Detail |
|---|---|
Purpose | Understanding how features are used to improve the App. Examples: which documents are added most frequently, where users drop off in the onboarding flow, which payments fail most often. |
Data stored | Anonymised event names (e.g., "document_added", "payment_initiated"). No user ID, no BI number, no name, no device ID is attached to these events. Events are aggregated in batches before transmission. |
Storage location | Kuata's analytics backend. Events are aggregated before storage — individual events cannot be traced to a specific user. |
Duration | Aggregated data retained for 2 years. |
Can you opt out? | YES. Go to Settings > Privacy > Analytics and toggle off at any time. The default at first install is ON. You are presented with a clear choice during onboarding. |
Third-party access | None. Analytics are processed in-house. No third-party analytics SDK (Google Analytics, Firebase Analytics, Mixpanel, etc.) is embedded in the App. |
4.6 Crash & Error Reporting — FUNCTIONAL / CANNOT OPT OUT
Legal basis: Law 22/11 Art. 7(b) (contract performance); GDPR Art. 6(1)(b)
Field | Detail |
|---|---|
Purpose | Detecting and fixing App crashes and errors to maintain service stability. Without crash reporting, we cannot identify and repair bugs that affect users. |
Data stored | Stack trace (code execution path at time of crash). App version and OS version. Device type (generic model category — not unique device ID). Error type and timestamp. No personal data, no document data, no transaction data is included. |
Storage location | Kuata's internal logging infrastructure. |
Duration | 2 years. |
Can you opt out? | No. Crash reporting is necessary for us to fulfil our obligation to provide a functional, secure service. If you disable analytics, crash reporting remains active independently. |
Third-party access | None. No third-party crash reporting SDK is used. |
4.7 Push Notification Token — FUNCTIONAL / OPT-OUT AVAILABLE
Legal basis: Law 22/11 Art. 7(b); GDPR Art. 6(1)(b)
Field | Detail |
|---|---|
Purpose | Sending you push notifications for document expiry reminders, payment confirmations, security alerts (new device login, failed authentication), and government registry updates. |
Data stored | Push notification token generated by Google Firebase Cloud Messaging (FCM) for Android or Apple Push Notification Service (APNs) for iOS. This token identifies your device to the notification service but does not include your name or personal data. |
Storage location | Kuata's notification service backend. Tokens are also registered with Google (Android) or Apple (iOS) notification infrastructure. |
Duration | Until you revoke notification permissions on your device or until the token expires and is renewed. |
Can you opt out? | You can disable all notifications in Settings > Account Management > Notification Preferences. Security alerts (unauthorised access attempts) cannot be disabled. |
Third-party access | Google (FCM) or Apple (APNs) notification infrastructure processes the token to deliver notifications. These providers act as data processors under their respective platform terms. |
5. Tracking Technologies on the Kuata Website (kuata.ao)
The website uses a separate set of tracking technologies from the App. Browser cookies are used on the website; they are not used in the App.
5.1 Strictly Necessary Website Cookies — CANNOT OPT OUT
Legal basis: GDPR Recital 47; ePrivacy Directive Art. 5(3) (exemption for technically necessary cookies); Law 22/11 Art. 7(b)
These cookies are essential for the website to function. They cannot be disabled without breaking core website functionality. No consent is required under applicable law.
Cookie Name | Category | Purpose | Duration | Third Party? |
|---|---|---|---|---|
kuata_session | Authentication | Identifies your authenticated web session for support portal and account management pages | Session (closes with browser) | No |
kuata_csrf | Security | Cross-site request forgery (CSRF) protection token — prevents malicious form submissions | Session | No |
kuata_lang | Preference | Remembers your language preference (Portuguese / English) so you do not need to reselect on each visit | 1 year | No |
kuata_cookie_consent | Consent management | Records your consent or rejection of optional cookies so we do not ask again on every visit | 1 year | No |
__cf_bm | Security / Bot detection | Cloudflare bot management cookie — distinguishes legitimate users from automated traffic to protect the website from DDoS and scraping attacks | 30 minutes | Yes — Cloudflare (processor) |
5.2 Performance / Analytics Cookies — OPTIONAL / CONSENT REQUIRED
Legal basis: GDPR Art. 6(1)(a) (consent); ePrivacy Directive Art. 5(3); Law 22/11 Art. 7(a)
These cookies collect anonymised information about how visitors use the website — which pages are viewed, how long is spent on each page, where visitors come from. This helps us improve the website. We set these only if you accept at the cookie consent banner.
Cookie Name | Category | Purpose | Duration | Third Party? |
|---|---|---|---|---|
_kuata_analytics | Performance | Kuata first-party analytics — anonymous page view counts and session durations. No user identification. | 2 years | No |
Note: Kuata does NOT use Google Analytics, Meta Pixel, LinkedIn Insight Tag, Hotjar, or any other third-party analytics or behavioural tracking tools on its website. If these appear in your browser's cookie scanner, they are injected by a browser extension or your internet service provider, not by Kuata.
5.3 Marketing & Advertising Cookies — NOT USED
Legal basis: Law 22/11 Art. 5 (data minimisation); GDPR Art. 5(1)(b) (purpose limitation)
Kuata does not use advertising cookies, retargeting pixels, social media tracking tags, or any technology designed to profile you for marketing purposes. This applies to both the website and the App, and is a permanent policy commitment — not a current status that may change.
Specifically, Kuata does not and will not use:
Meta (Facebook) Pixel or Meta Conversions API
Google Ads / Google Tag Manager tracking tags
LinkedIn Insight Tag
TikTok Pixel
Twitter/X conversion tracking
Any programmatic advertising exchange integration
Any third-party data management platform (DMP) or customer data platform (CDP) that profiles users across sites
5.4 Cookie Consent Management
On your first visit to kuata.ao, a cookie consent banner is displayed. You may:
Accept all cookies — enables strictly necessary + performance cookies
Reject optional cookies — enables strictly necessary cookies only
Manage preferences — granular control over each optional category
Your consent choice is recorded in the kuata_cookie_consent cookie and is valid for 12 months. You may change your preference at any time via the Privacy Settings link in the website footer. Withdrawing consent for optional cookies does not affect the legality of processing that occurred before withdrawal.
Legal basis: GDPR Art. 7(3) (withdrawal of consent); ePrivacy Directive Art. 5(3)
6. Third-Party Processing — Detailed Disclosures
The following third parties process technical data in connection with Kuata's App and website. Each operates under a Data Processing Agreement (DPA) with Kuata.
Third Party | Role | Data Shared | Purpose | Basis |
|---|---|---|---|---|
Cloudflare | CDN / DDoS protection / Bot management | IP address (temporary), request metadata | Website security; DDoS prevention; CDN delivery | Legitimate interest; DPA |
Google (Android only) | SafetyNet / Play Integrity Attestation | Device attestation certificate request | Confirming device hardware genuineness for AML compliance | Legal obligation (AML); DPA |
Apple (iOS only) | DeviceCheck API | Attestation token | Confirming device hardware genuineness for AML compliance | Legal obligation (AML); DPA |
Google (FCM — Android only) | Push notification delivery | Push token + notification payload | Delivery of security alerts and service notifications | Contract; DPA |
Apple (APNs — iOS only) | Push notification delivery | Push token + notification payload | Delivery of security alerts and service notifications | Contract; DPA |
AML/sanctions screening provider | Processor | Name and date of birth only | PEP and sanctions list screening at onboarding | Legal obligation; DPA |
We do not embed any third-party social media SDKs, advertising SDKs, or data broker SDKs in the App.
7. International Transfers of Tracking Data
Legal basis: Law 22/11 Art. 14; GDPR Art. 44–49
Some third-party processors (Cloudflare, Google, Apple) may process technical data (device attestation signals, notification tokens) outside Angola. We ensure these transfers are protected by:
Standard Contractual Clauses (SCCs) aligned with GDPR adequacy requirements
Adequacy decisions or equivalent protections under Law 22/11
Data Processing Agreements that restrict the processor to processing only for the declared purpose
The data transferred to these third parties is limited to technical signals (attestation certificates, push tokens) and does not include your name, BI number, payment history, or document data.
8. How Long We Keep Tracking Data
Tracking Technology | Retention | Legal Basis | Deletion Method |
|---|---|---|---|
Session tokens | 15 minutes idle / logout | Contract performance | Automatic expiry |
Device attestation hash | 10 years (AML) | Law 5/20 Art. 30 | Cryptographic erasure |
Biometric key (public key only on server) | Account lifetime + account closure | Contract / consent | Secure deletion on account closure |
Offline document cache (on device) | App install lifetime | Contract performance | App uninstall / Remote Lock / account deletion |
Anonymous analytics events | 2 years | Legitimate interest / consent | Standard deletion |
Crash/error logs | 2 years | Contract performance | Standard deletion |
Push notification token | Until revoked / token expiry | Contract performance | Token invalidation |
Website session cookies | Session only | Contract performance | Browser session close |
Cookie consent record | 1 year | Legal obligation (consent documentation) | Expiry |
Cloudflare __cf_bm | 30 minutes | Legitimate interest | Automatic expiry |
9. Your Controls & Rights
Legal basis: Law 22/11 Chapter III; GDPR Art. 7(3), Art. 17, Art. 21
9.1 In-App Controls
Control | What It Does | Location in App |
|---|---|---|
Analytics toggle | Enables or disables anonymised usage analytics collection | Settings > Privacy > Analytics |
Offline mode toggle | Enables or disables the offline document cache | Settings > App Features > Offline Mode |
Biometric authentication toggle | Switch between biometric and PIN-only authentication | Settings > Security > Biometric Authentication |
GPS in stop history toggle | Enables or disables GPS location recording in stop records | Settings > Privacy > Location |
Notification preferences | Control which notification types are delivered (security alerts cannot be disabled) | Settings > Notifications |
Clear offline cache | Immediately deletes the local encrypted document cache | Settings > App Features > Clear Cache |
Export my data | Download a full copy of your personal data in JSON or PDF format | Settings > Account > Export My Data |
Remote Wallet Lock | Immediately invalidates all session tokens and suspends all App functions from any browser | kuata.ao/lock |
9.2 Website Cookie Controls
On kuata.ao, you may manage cookie preferences via:
The cookie consent banner on first visit
The Privacy Settings link in the website footer (accessible at any time)
Your browser's built-in cookie management settings (clearing, blocking, or inspecting cookies)
Please note: blocking all cookies in your browser settings may prevent some strictly necessary cookies from functioning, which may affect website features such as the support portal login.
9.3 Your Data Subject Rights
In relation to tracking data, you have the same rights described in the Privacy Policy: access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. To exercise these rights regarding tracking data specifically, contact privacy@kuata.ao.
10. Children & Age Restriction
Kuata's App and website are designed for users aged 18 and over. We do not knowingly deploy tracking technologies directed at children. The BI verification requirement at onboarding prevents under-18 registration. If we become aware that tracking data has been collected from a user under 18, we will delete it immediately.
11. Changes to This Policy
We will notify you of material changes to this Cookie & Tracking Policy via:
In-app push notification at least 14 days before the effective date
A prominent notice on the kuata.ao cookie consent banner
Email notification (where an email address is registered) at least 14 days before the effective date
If a change requires fresh consent (e.g., adding a new optional tracking category), we will present a new consent flow before any new tracking begins. All prior versions of this Policy are archived and available on request from privacy@kuata.ao.
12. Contact
Data Controller: Kuata Tecnologias Lda. | Compliance Officer / Privacy Contact: [NAME — TO BE COMPLETED] | Email: privacy@kuata.ao | Address: [LUANDA REGISTERED ADDRESS — TO BE COMPLETED]
To request a full list of all cookies and trackers currently active on kuata.ao, or to exercise any data subject right in relation to tracking data, contact privacy@kuata.ao. We respond within 30 calendar days.