Privacy Policy
How Kuata collects, processes, stores, shares, and protects your personal data
Version 1.0 · Effective Date: 1 May 2026
1. About This Policy & Legal Framework
This Privacy Policy ("Policy") explains how Kuata Tecnologias Lda. ("Kuata", "we", "us", "our") processes personal data when you use the Kuata digital identity wallet application ("App") or visit our website (kuata.ao). It applies to all users who are citizens or residents of Angola and, by extension, any user whose data may be subject to the European Union General Data Protection Regulation (GDPR) by virtue of their nationality, residence, or the location of data processing.
Kuata operates under a dual compliance framework, ensuring that all data processing meets both Angolan law and internationally recognised best-practice standards:
Legal Instrument | Jurisdiction / Standard | Relevance to Kuata |
|---|---|---|
Lei n.o 22/11 de 17 de Junho — Lei de Protecao de Dados Pessoais | Republic of Angola (primary) | Primary legal basis for all personal data processing in Angola |
GDPR — Regulation (EU) 2016/679 | European Union / international best-practice | Applied as international standard; governs any EU-resident user data |
Law 5/20 of 27 January 2020 — AML/CFT | Republic of Angola | KYC data collection and retention; 10-year archive obligations |
Law 40/20 of 16 December 2020 — National Payment System | Republic of Angola | Payment initiation data processing requirements |
ISO/IEC 27001:2022 — Information Security Management | International standard | Security controls governing data protection; target certification |
ISO/IEC 27701:2019 — Privacy Information Management | International standard | Privacy management system extension to ISO 27001 |
BNA Notice 02/24 and Instruction 05/24 | Republic of Angola | Customer due diligence and AML supervisory obligations |
2. Data Controller Identity & Contact
The data controller responsible for your personal data is:
Kuata Tecnologias Lda. | Registered in Angola | Luanda [FULL ADDRESS — TO BE COMPLETED] | Company Registration No.: [TO BE COMPLETED] | privacy@kuata.ao | Compliance Officer: [NAME — TO BE COMPLETED]
For questions about this Policy or to exercise your rights, contact our Compliance Officer at privacy@kuata.ao. We respond within 30 calendar days, in compliance with Law 22/11 Article 12 and GDPR Article 12(3).
Legal basis: Law 22/11 Art. 5 (controller definition); GDPR Art. 4(7), Art. 13(1)(a)
3. Data We Collect & Why — Comprehensive Inventory
We apply the principle of data minimisation: we collect only the data that is strictly necessary for the specific, declared purpose. The full inventory of personal data we collect is set out below.
3.1 Identity & Onboarding Data
Legal basis: Law 22/11 Art. 7 (purpose limitation); GDPR Art. 5(1)(b); Law 5/20 Art. 8 (CDD obligations)
Data Element | Source | Purpose | Legal Basis |
|---|---|---|---|
Full legal name | DNIRN API / user entry | Identity verification; wallet personalisation | Law 22/11 Art. 7(b); GDPR Art. 6(1)(b) |
Date of birth | DNIRN API | Age eligibility verification; AML CDD | Law 5/20 Art. 8; GDPR Art. 6(1)(c) |
Gender | DNIRN API | Document display accuracy | Law 22/11 Art. 7(b); GDPR Art. 6(1)(b) |
BI number & expiry | User / DNIRN API | Government document verification; AML KYC | Law 5/20 Art. 8; GDPR Art. 6(1)(c) |
Residential address | DNIRN API / user entry | AML CDD; account records | Law 5/20 Art. 8; GDPR Art. 6(1)(c) |
Phone number (OTP-verified) | User entry + OTP | Account access; authentication; notifications | Law 22/11 Art. 7(b); GDPR Art. 6(1)(b) |
Email address (optional) | User entry | Notifications; support communications | GDPR Art. 6(1)(a) — consent |
Biometric hash (NOT the image) | Device secure enclave — on-device only | Biometric authentication; document signing | Law 22/11 Art. 22 (biometrics); GDPR Art. 9(2)(a) |
Device attestation data | Android SafetyNet / iOS DeviceCheck | Fraud prevention; AML device monitoring | Law 5/20 Art. 8; GDPR Art. 6(1)(c) |
3.2 Documents Stored in the Wallet
Legal basis: Law 22/11 Art. 7(b); GDPR Art. 6(1)(b) (contract performance); Law 40/20
Document Type | Government Source API | Data Elements Stored | Retention |
|---|---|---|---|
Driver's Licence | Ministerio dos Transportes | Licence number, class, issue/expiry dates, restrictions | Duration of account + 10 yrs |
Vehicle Registration | Ministerio dos Transportes | Plate, chassis, make, model, owner name, registration expiry | Duration of account + 10 yrs |
Insurance Card | Insurer API / user upload | Policy number, insurer, coverage type, validity dates | Duration of account + 10 yrs |
Passport | SME (Migracao e Estrangeiros) | Passport number, nationality, issue/expiry, visa data | Duration of account + 10 yrs |
Birth Certificate | DNIRN | Registration no., names, date/place of birth, registrar | Duration of account + 10 yrs |
Marriage Certificate | DNIRN | Registration no., parties, date/place, regime | Duration of account + 10 yrs |
Loyalty Cards | User entry / partner API | Card number, programme name, member name | Until removed by user |
3.3 Transaction & Payment Initiation Data
Legal basis: Law 22/11 Art. 7(b); Law 40/20 Art. 18; GDPR Art. 6(1)(b) and (c); BNA Notice 02/24
Kuata is a payment pass-through initiator only. We do not store card numbers, bank account numbers, or financial balances. We record only the initiation metadata required for compliance and dispute resolution:
Biller name and category (e.g., EDEL, EPAL, Movicel)
Payment reference number (as entered by the user)
Initiated amount and currency (AOA)
Timestamp (date and time of initiation, in UTC and WAT)
EMIS confirmation code (settlement reference returned by EMIS)
Device session ID (cryptographic session token — not a persistent device ID)
Payment status (Confirmed / Pending / Failed)
User account identifier (internal pseudonymous ID — not BI number)
Kuata never sees, stores, or transmits your bank account number, card number, or account balance. Settlement flows directly from your bank to the biller via EMIS/Multicaixa infrastructure.
3.4 Law Enforcement Verification Records (Stop History)
Legal basis: Law 22/11 Art. 7(c) (legitimate interest / legal obligation); GDPR Art. 6(1)(c); Law 5/20
When a police officer verifies your documents, Kuata creates a tamper-evident stop record in your wallet. This record is yours — it is not shared with law enforcement agencies without your explicit consent or a valid legal order. Stop records contain:
Date, time, and duration of the stop
GPS coordinates (optional — you may disable location recording in Settings)
Address or road identifier (human-readable location, where available)
Officer unit identifier (hashed badge number — not stored in plain text)
Police station / unit name (as declared by the verifier device)
Documents verified during the stop
Reason for stop (as entered by officer on the verifier device)
Outcome of stop (e.g., Released without action, Warning issued, Fine reference)
Cryptographic signature of the entire event (tamper-evident; signed by Kuata PKI)
User-added notes (free text, added after the stop — not visible to any third party)
Dispute flag (if raised by the user — routes to oversight channel)
3.5 App Usage & Technical Data
Legal basis: Law 22/11 Art. 7(b) and (f); GDPR Art. 6(1)(f) — legitimate interest (service improvement and security)
Data Type | Purpose | Anonymised? | Retention |
|---|---|---|---|
Feature interaction events | Product improvement | Yes — no user ID attached | 2 years |
Crash / error logs | Stability and debugging | Yes | 2 years |
App version and OS version | Compatibility management | Yes | 2 years |
Security event logs (failed auth attempts, unusual patterns) | Fraud prevention; AML monitoring | No — linked to account for investigation | 10 years (AML obligation) |
Push notification delivery status | Notification reliability | Yes | 90 days |
3.6 Data We Do NOT Collect — Explicit Exclusions
Legal basis: Law 22/11 Art. 19 (sensitive data restrictions); GDPR Art. 9
Kuata explicitly does not collect, process, or store the following data categories:
Biometric images (photos, fingerprint scans) — only device-generated cryptographic hashes, stored exclusively in the device secure enclave
Card numbers, bank account numbers, IBAN, or routing numbers
Account balances or financial position data
Audio or video recordings of any kind
Communications content (SMS, messages, emails between users)
Health, medical, or genetic data (unless a health insurance card is voluntarily added — limited to policy metadata only)
Political opinions, religious beliefs, or trade union membership
Criminal conviction data (beyond what appears on government-issued documents)
Children's data — the App is for users 18 and over
Data harvested from social media or third-party data brokers
4. Legal Bases for Processing
Kuata relies on the following legal bases for processing personal data, as defined under Law 22/11 and GDPR:
Legal Basis | Law 22/11 Provision | GDPR Art. 6 Ground | Processing Activities Covered |
|---|---|---|---|
Performance of contract | Art. 7(b) | Art. 6(1)(b) | Identity verification, document storage, payment initiation, wallet operation |
Legal obligation | Art. 7(c) | Art. 6(1)(c) | AML/KYC compliance (Law 5/20), BNA payment obligations (Law 40/20), 10-year record retention |
Legitimate interest | Art. 7(f) | Art. 6(1)(f) | Anonymised analytics, fraud detection, product security improvements |
Consent (explicit) | Art. 7(a) | Art. 6(1)(a) | Optional email address; optional analytics toggle; optional GPS in stop history |
Vital interest (emergency) | Art. 7(d) | Art. 6(1)(d) | Emergency disclosure to law enforcement where life is at risk |
For processing of biometric hash data (a special category under both Law 22/11 Art. 22 and GDPR Art. 9), the legal basis is explicit informed consent, obtained at onboarding via a separate, granular consent flow. You may withdraw biometric consent at any time; your wallet will revert to PIN-only authentication.
Legal basis: Law 22/11 Art. 22; GDPR Art. 9(2)(a)
5. How We Use Your Data — Purpose Limitation
Legal basis: Law 22/11 Art. 5(b) (purpose limitation); GDPR Art. 5(1)(b)
5.1 Primary Purposes — Why We Collected the Data
Providing, operating, and maintaining the digital identity wallet and all its functions
Verifying your identity against government registries (DNIRN, Ministerio dos Transportes, SME)
Generating cryptographically signed, government-equivalent digital documents
Enabling secure offline and online document verification (QR code, NFC)
Initiating bill payments on your behalf via EMIS/Multicaixa — strictly as a pass-through
Maintaining your tamper-evident stop history and verification audit trail
Sending you document expiry notifications and security alerts
Fulfilling AML/CFT obligations under Law 5/20 and BNA regulations
5.2 Secondary Purposes — Compatible Use
We only use your data for secondary purposes where those purposes are compatible with the primary purpose and where at least one legal basis applies. Current compatible secondary uses:
Anonymised aggregate analytics to understand feature usage (no individual identification)
Security research and fraud pattern analysis (pseudonymised data only)
Legal defence or regulatory response (where required by law)
5.3 Prohibited Uses — We Will Never
Sell, rent, or transfer your personal data to any third party for commercial gain
Use your data for advertising targeting, behavioural profiling, or ad auctions
Share your stop history with any government authority without a valid legal order
Process your data for automated decision-making that produces legal effects without human review
Combine your data with external data brokers or social media profiles
Process your data for any purpose not declared in this Policy without prior notice and, where required, consent
6. Data Sharing & Third-Party Disclosure
Legal basis: Law 22/11 Art. 14 (data transfer); GDPR Art. 13(1)(e), Art. 28
6.1 Government Registry Integrations (Verification Only)
When you add or update a document, Kuata transmits the minimum required identifier to the relevant government registry API. We receive only the data fields necessary to populate your wallet. We do not send data to these registries beyond what is required for verification:
DNIRN (Direccao Nacional de Identificacao, Registo e Notariado) — BI, birth/marriage certificates
Ministerio dos Transportes / DNDT — driver's licence, vehicle registration
SME (Servico de Migracao e Estrangeiros) — passport, travel documents
6.2 EMIS / Multicaixa — Payment Initiation
For payment initiations, Kuata transmits the following data to EMIS: payment instruction (biller code, reference, amount), session token, and timestamp. Kuata does not transmit your name, BI, address, or bank credentials to EMIS. EMIS processes this data as an independent data controller under BNA regulation. Refer to EMIS's own data processing terms for their obligations.
6.3 Cloud Infrastructure Provider
Kuata's servers are hosted on a cloud infrastructure provider with data centres located in Angola or in jurisdictions with adequate data protection standards recognised under Law 22/11. The cloud provider acts as a data processor under a written Data Processing Agreement (DPA) that meets the requirements of Law 22/11 Art. 14 and GDPR Art. 28. The cloud provider may not process your data for its own purposes.
6.4 Third-Party Service Processors
Kuata engages the following categories of data processors, each bound by a written DPA:
Processor Category | Purpose | Data Shared | Contractual Safeguard |
|---|---|---|---|
Cloud hosting provider | Infrastructure | Encrypted data at rest | DPA + Angolan data residency |
Identity verification SDK | On-device biometric processing | None — on-device only | SDK licence + data isolation terms |
Crash reporting tool (anonymised) | App stability | Anonymised error logs | DPA + data anonymisation terms |
AML/sanctions screening provider | PEP/sanctions checks | Name and date of birth only | DPA + confidentiality |
Email / notification service | System notifications only | Email address (if provided) | DPA + no marketing use |
6.5 Legal Disclosure to Authorities
Kuata may disclose personal data to the Banco Nacional de Angola (BNA), the Unidade de Informacao Financeira (UIF), the courts, or law enforcement agencies only when:
Required by a valid, specific, and written legal order under Angolan law
Requested by the BNA in the exercise of its supervisory powers under Law 40/20
Requested by the UIF under Law 5/20 for AML/CFT purposes
Required to prevent an imminent risk to life (vital interests ground)
We will notify you of any such disclosure where we are legally permitted to do so. We will challenge any overly broad or legally defective requests.
Legal basis: Law 22/11 Art. 7(c); GDPR Art. 6(1)(c); Law 5/20 Art. 30
6.6 International Data Transfers
Kuata's primary data residency is Angola. In the event any data is processed outside Angola, we ensure adequate protection through:
Standard contractual clauses (SCCs) aligned with GDPR adequacy standards
Binding corporate rules where applicable
Adequacy decisions recognised by the Agencia de Protecao de Dados (APD) of Angola
We do not transfer personal data to countries or organisations that do not provide an adequate level of data protection equivalent to Angolan law.
Legal basis: Law 22/11 Art. 14; GDPR Art. 44–49
7. Data Retention & Deletion Schedule
Legal basis: Law 22/11 Art. 12 (storage limitation); GDPR Art. 5(1)(e); Law 5/20 Art. 30; BNA supervisory guidance
We keep your personal data only for as long as necessary for the declared purpose, and no longer. The following schedule governs all retention decisions:
Data Category | Retention Period | Legal Basis for Retention | Deletion Method |
|---|---|---|---|
KYC / identity records (BI, biographic data) | 10 years from account closure | Law 5/20 Art. 30 (AML mandatory) | Cryptographic erasure of encryption keys |
Payment initiation records | 10 years from transaction | Law 5/20 / Law 40/20 / BNA | Cryptographic erasure |
AML/CFT alerts and resolutions | 10 years from event | Law 5/20 Art. 30 | Cryptographic erasure |
STR filings and supporting evidence | 10 years from filing | Law 5/20 Art. 30 | Cryptographic erasure — restricted |
Stop history records | 10 years from event | Law 22/11 (audit trail) | Cryptographic erasure |
Verification event logs (non-police) | 5 years | Legitimate interest | Secure deletion |
Security event logs (auth, fraud) | 10 years | Law 5/20 / security | Cryptographic erasure |
Anonymised analytics | 2 years | Legitimate interest | Standard deletion |
Crash/error logs (anonymised) | 2 years | Legitimate interest | Standard deletion |
Email address (optional) | Until withdrawn or account deletion | Consent | Immediate on request |
Session tokens | 15 minutes idle / logout | Contract performance | Automatic expiry |
Note: The 10-year AML/CFT retention obligation (Law 5/20 Art. 30) is mandatory. Even if you delete your account, these specific records must be retained by Kuata in encrypted, operationally inaccessible archives. They are not used for any active purpose after account closure.
8. Your Rights as a Data Subject
Legal basis: Law 22/11 Chapter III; GDPR Art. 15–22; GDPR Art. 77
You have comprehensive rights over your personal data under both Angolan law and, where applicable, the GDPR. All requests should be submitted to privacy@kuata.ao. We will respond within 30 calendar days. Complex or high-volume requests may be extended by a further 60 days, with written notice.
Your Right | What It Means | How to Exercise | Limitations |
|---|---|---|---|
Right of Access (Art. 15 GDPR / Law 22/11 Art. 11) | Receive a full copy of all personal data we hold about you | Email privacy@kuata.ao — "Data Access Request" | Identity verification required |
Right to Rectification (Art. 16 GDPR / Law 22/11 Art. 13) | Correct inaccurate or incomplete personal data | Email or in-App Settings | Data sourced from government registries must be corrected at source |
Right to Erasure / Right to be Forgotten (Art. 17 GDPR / Law 22/11 Art. 14) | Delete your personal data | Account Management > Delete Account | 10-year AML retention obligation overrides erasure for compliance records |
Right to Restriction (Art. 18 GDPR) | Limit how we process your data while a dispute is resolved | Email privacy@kuata.ao — "Restriction Request" | Cannot restrict legally mandated processing |
Right to Data Portability (Art. 20 GDPR / Law 22/11 Art. 16) | Receive your data in a structured, machine-readable format (JSON or PDF) | Settings > Account > Export My Data | Applies to data you provided; not derived compliance records |
Right to Object (Art. 21 GDPR / Law 22/11 Art. 15) | Object to processing based on legitimate interest | Email privacy@kuata.ao — "Objection Request" | Cannot object to legally mandatory processing |
Right to Withdraw Consent (Art. 7(3) GDPR) | Withdraw consent for optional processing (email, analytics, GPS) | Settings > Privacy at any time | Withdrawal does not affect prior processing |
Right Not to be Subject to Automated Decisions (Art. 22 GDPR) | Human review of any decision that significantly affects you | Contact privacy@kuata.ao | AML risk scoring involves human Compliance Officer review |
Right to Lodge a Complaint (Art. 77 GDPR / Law 22/11 Art. 27) | Complain to the supervisory authority | Agencia de Protecao de Dados (APD), Angola — www.apd.ao | EU: relevant national DPA | No restriction |
9. Security Measures — Technical & Organisational
Legal basis: Law 22/11 Art. 17 (data security); GDPR Art. 32; ISO/IEC 27001:2022; ISO/IEC 27701:2019
Kuata implements security controls aligned with ISO/IEC 27001:2022 (target certification) and ISO/IEC 27701:2019 (Privacy Information Management). Our security architecture includes:
9.1 Encryption
Data at rest: AES-256 encryption for all stored personal data and compliance records
Data in transit: TLS 1.3 for all API communications between App, servers, and government APIs
Biometric keys: generated and stored exclusively in the device hardware secure enclave (Android StrongBox / iOS Secure Enclave) — Kuata's servers never hold or process biometric material
Document signing: JSON Web Signatures (JWS) with RS256 (RSA-PKCS#1 v1.5 / SHA-256) using hardware-attested device keys
Archive encryption: AES-256 with hardware security module (HSM)-managed keys; mandatory key rotation every 12 months
9.2 Access Control
Zero-knowledge architecture for biometric data — Kuata cannot access biometric material even under legal compulsion
Role-based access control (RBAC) for all staff — need-to-know basis
No engineering team access to production personal data
Multi-factor authentication for all administrative system access
Privileged access management (PAM) for Compliance Officer and infrastructure administrators
9.3 Infrastructure & Operational Security
Angolan data residency — all personal data stored in Angola or jurisdictions with adequate protection
Tamper-evident, append-only audit logs for all compliance-critical records
Intrusion detection and security monitoring (SIEM)
Annual penetration testing by independent third-party security firm
Formal vulnerability disclosure and patch management programme
ISO 27001 certification target: Q2 2027; SOC 2 Type II target: Q4 2027
9.4 Incident Response
In the event of a personal data breach, Kuata will:
Notify the APD within 72 hours of becoming aware, as required by GDPR Art. 33 and Law 22/11 Art. 25, where the breach is likely to result in a risk to individuals
Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34 / Law 22/11 Art. 26)
Maintain a breach register documenting all incidents, impacts, and remediation steps
Conduct a post-incident review and implement corrective controls
Legal basis: Law 22/11 Art. 25–26; GDPR Art. 33–34; ISO/IEC 27001:2022 Annex A.5.24–5.28
10. Children's Data
Legal basis: Law 22/11; GDPR Art. 8
The Kuata App is intended exclusively for users aged 18 and over. We do not knowingly collect personal data from individuals under 18. The onboarding process requires a valid Bilhete de Identidade, which under Angolan law is issued to adults. If we discover that a user is under 18, we will immediately suspend the account and delete all associated data within 30 days, retaining only the legally mandated compliance records.
If you believe a minor has registered, contact privacy@kuata.ao immediately.
11. Automated Decision-Making & Profiling
Legal basis: GDPR Art. 22; Law 22/11 Art. 15
Kuata uses automated systems for the following limited purposes:
AML transaction monitoring — automated pattern detection generates alerts for human review by the Compliance Officer. No account action is taken without human sign-off.
Biometric authentication — automated one-to-one comparison of your live biometric against your registered hash. This is a security function, not a profiling activity.
Document status sync — automated check of government registry APIs to update document validity. This reflects authoritative government data, not Kuata's assessment.
Kuata does not use profiling for commercial, credit, or eligibility decisions. Any automated flag that could result in account suspension is reviewed by the Compliance Officer before action is taken.
12. Changes to This Policy
We will notify you of material changes to this Privacy Policy:
Via in-app push notification at least 14 days before the effective date
Via email (where you have provided an email address) at least 14 days before the effective date
Via a prominent banner on kuata.ao
Continued use of the App after the effective date of a material change constitutes acceptance of the updated Policy. For changes that require fresh consent (e.g., new processing purposes, new special category data), we will present a new consent flow before proceeding.
All prior versions of this Policy are archived and available on request from privacy@kuata.ao.
13. Governing Law & Supervisory Authority
This Policy is governed by the laws of the Republic of Angola, primarily Lei n.o 22/11 de 17 de Junho. For users in the European Union or whose data processing falls under GDPR, the provisions of GDPR also apply, and the relevant EU national supervisory authority has jurisdiction.
The competent supervisory authority for Angola is:
Agencia de Protecao de Dados (APD) — Republic of Angola | Website: www.apd.ao | [ADDRESS — TO BE CONFIRMED WITH LEGAL COUNSEL]
Disputes relating to this Policy are subject to the jurisdiction of the courts of Luanda, Angola, without prejudice to the rights of EU-resident users to bring claims before their local supervisory authority or courts.
14. Contact & Exercising Your Rights
Data Controller: Kuata Tecnologias Lda. | Compliance Officer: [NAME — TO BE COMPLETED] | Email: privacy@kuata.ao | Address: [LUANDA REGISTERED ADDRESS — TO BE COMPLETED] | Response time: 30 calendar days