Data Protection & Privacy Policy
This Policy also describes customers' privacy rights regarding Leapa's collection, use, storage, sharing and protection of personal information. It applies to the Leapa website and all related sites, applications, services and tools regardless of how the user accesses or uses them.
This policy seeks to communicate in a fair and transparent manner Leapa’s policy on:
- Customer protection (including mechanism of creating customer awareness on the risks and responsibilities involved in electronic payment transactions),
- Customer liability in cases of unauthorized electronic payment transactions
- Customer compensation due to unauthorized electronic payment transactions (within defined timelines)
Applicability
This policy is applicable to merchants and individual / non-individual customers who hold a verified account with Leapa and use any of Leapa’s payment gateway features such as payment collection, funds deposit or the Dashboard.
This policy is not applicable to entities that are part of the ecosystem such as Interchange organisations, Franchises, Intermediaries, Agencies, Service partners, Vendors, Merchants etc.
Definitions & Explanations (for the purpose of this policy)
- Real loss is defined as financial outlay from customer’s account.
- Payment transactions are defined as transactions that involve transfer of funds from one account/wallet to another electronically and do not require card information.
- Unauthorised transaction is defined as debit to customer’s account without customer’s consent
- Consent includes authorization of a transaction debit either through standing instructions, as per accepted banking practice and regulation, based on account opening process and related matters or based on additional authentication required by the bank such as use of security passwords, input of dynamic password (OTP) or static VBV/ MCSC, challenge questions or use of Card details (CVV/ Expiry date) or any other electronic authentication option provided by the Bank.
- Date & time of reporting is defined as date & time on which customer has submitted a unique complaint. Date of receiving communication from Leapa, is excluded for purpose of computing number of working days for all action specified in this policy. The working schedule of the home branch would be considered for calculating working days for customer reporting. Time of reporting will be as per Central Africa Time.
- Notification means an act of the customer reporting unauthorized electronic payment transaction to Leapa
- Number of days will be computed based on working days
- Mode of reporting will be the channel through which customer complaint is received first time by Leapa, independent of multiple reporting of the same unauthorized transaction.
- Loss in foreign currency if any shall be converted to Burundian currency for the purpose of this policy as per Leapa’s policies on conversion at card rate net of commission.
Points covered under the policy
Customer shall be compensated in line with this policy in case of loss occurring due to unauthorized transaction as follows:
Zero Liability of customer
Customer shall be entitled to full compensation of real loss in the event of contributory fraud/ negligence/ deficiency on the part of Leapa (irrespective of whether or not the transaction is reported by the customer)
Customer has Zero Liability in all cases of third party breach where the deficiency lies neither with Leapa nor with the customer but lies elsewhere in the system and the customer notifies the bank within three working days of receiving the communication from Leapa regarding the unauthorised transaction.
Limited Liability of customer
Liability in case of financial losses due to unauthorized electronic transactions where responsibility for such transaction lies neither with Leapa nor with the customer, but lies elsewhere in the system AND there is a delay on the part of customer in notifying/reporting to Leapa beyond 3 working days and less than or equal to 7 working days (after receiving the intimation from Leapa), the liability of the customer per transaction shall be limited to transaction value.
Complete Liability of customer
Customer shall bear the entire loss in cases where the loss is due to negligence by the customer, e.g. where the customer has shared Account details or due to improper protection on customer devices like mobile / laptop/ desktop leading to malware / Trojan or Phishing / Vishing attack. This could also be due to SIM deactivation by the fraudster.
Under such situations, the customer will bear the entire loss until the customer reports unauthorised transaction to Leapa.
In cases where the responsibility for unauthorized electronic payment transaction lies neither with Leapa nor with the customer, but lies elsewhere in the system and when there is a delay on the part of the customer in reporting to the Bank beyond 7 working days, the customer would be completely liable for all such transactions.
Other Points
Customer would not be entitled to compensation of loss if any, in case customer does not agree to cooperate with Leapa by providing necessary documents.
Compensation would be limited to real loss after deduction of reversals or recoveries received by the customer.
Third Party Breach
- Leapa shall ensure that the Customer protection policy is available on the Leapa’s website for the reference by customers. Leapa shall also ensure that existing customers are individually informed about Leapa’s policy.
- Leapa will regularly conduct awareness on carrying out safe electronic payment transactions to its customers and staff. Information of safe payment practices will be made available through campaigns on any or all of the following - website, emails, mobile app. Such information will include rights and obligation of the customers as well as non-disclosure of sensitive information e.g. password, PIN, OTP, date of birth, etc.
- Leapa shall communicate to its customers to register for alerts. Leapa will send alerts to all valid registered email id or mobile number for all opted-in electronic payment transactions.
- Leapa will enable various modes for reporting of unauthorized transaction by customers. These may include SMS, email, website, toll free number or IVR. Leapa will also enable specific space on its homepage where customers can report unauthorized electronic payment transaction.
- Leapa shall respond to customer’s notification of unauthorized electronic payment transaction with acknowledgement specifying complaint number, date and time of transaction alert sent and date and time of receipt of customer’s notification. On receipt of customer’s notification, Leapa will take immediate steps to prevent further unauthorized electronic payment transactions in the account.
- Leapa shall ensure that all such complaints are resolved and liability of customer if any, established within a maximum of 90 days from the date of receipt of complaint.
- During investigation, in case it is detected that the customer has falsely claimed or disputed a valid transactions, Leapa reserves its right to take due preventive action of the same including closing the account or blocking available funds.
Roles & Responsibilities of Leapa
- Leapa shall ensure that the Customer protection policy is available on the Leapa’s website for the reference by customers. Leapa shall also ensure that existing customers are individually informed about Leapa’s policy.
- Leapa shall communicate to its customers to register for alerts. Leapa will send alerts to all valid registered email id or mobile number for all opted-in electronic payment transactions.
- Leapa will enable various modes for reporting of unauthorized transaction by customers. These may include SMS, email, website, toll free number or IVR. Leapa will also enable specific space on its homepage where customers can report unauthorized electronic payment transaction.
Rights & Obligations of the Customer
Customer is entitled to:
- Alerts on valid registered email id or mobile number for all electronic payment transactions.
- Register complaint through multiple modes – as specified in point relating to Leapa’s roles & responsibilities
- Intimation at valid registered email/ mobile number with complaint number and date & time of complaint
- Receive compensation in line with this policy document where applicable.
Customer is bound by following obligations with respect to payment activities:
- Customer shall mandatorily register valid email id and mobile number with the Bank.
- Customer shall regularly update his /her registered contact details as soon as such details are changed. Leapa will only reach out to customer at the last known email/ mobile number. Any failure of customer to update Leapa with changes shall be considered as customer negligence. Any unauthorized transaction arising out of this delay shall be treated as customer liability.
- Customer should provide all necessary documentation.
- Customer should cooperate with Leapa’s investigating authorities and provide all assistance.
- Customer must not share sensitive information (such as PIN, password, OTP, transaction PIN, challenge questions) with any entity, including Leapa staff.
- Customer must protect his/her device as per best practices, including updation of latest antivirus software on the device (Device includes smartphone, feature phone, laptop, desktop and Tab)
- Customer shall go through various instructions and awareness communication sent by Leapa on secured payment transactions.
- Customer must verify transaction details from time to time in his/her Leapa Account and raise query with Leapa as soon as possible in case of any mismatch.
Notifying Leapa of the unauthorized transaction
- Customer shall report unauthorized transaction to Leapa at the earliest, with basic details such as Customer ID and/ or Card number (last 4 digits), date & time of transaction and amount of transaction
- Customer shall notify/ report through the options listed in the section on Roles & responsibilities of Leapa.
- Customer shall share relevant documents as needed for investigation or insurance claim.
- Fully co-operate and comply with Leapa’s reasonable requirements towards investigation and provide details of transaction, customer presence, etc.
Force Majeure
Leapa shall not be liable to compensate customers for delayed credit if some unforeseen event (including but not limited to civil commotion, sabotage, lockout, strike or other labour disturbances, accident, fires, natural disasters or other “Acts of God”, war, damage to the bank’s facilities or of its correspondent bank(s), absence of the usual means of communication or all types of transportation, etc.) beyond the control of Leapa prevents it from performing its obligations within the specified service delivery parameters.
Age restriction
Leapa’s website and services are not directed to children under 18. Leapa does not knowingly collect information from children under 18. If a parent or guardian becomes aware that their child or ward has provided Leapa with any information without their consent, please contact Leapa through the details on this Policy.
The information Leapa collect
Personal information
To gain full access to Leapa’s website and services, the customer must register for a Leapa account. When you register for an account, Leapa collects Personal Information which the customer voluntarily provides to us.
Personal Information refers to the personal information the customer submits when he/she signs up, or any information that can be used to identify or contact him/her (e.g. email address, password, name, telephone number and business name). It may also include anonymous information that is linked to the customer specifically (e.g. IP address).
Leapa uses the customer Personal Information to:
- Provide the customer with the required services.
- Respond to customer’s questions or requests
- Improve Leapa’s operations
- Address inappropriate use of Leapa website and services
- Prevent, detect and manage risk against fraud and illegal activities
- Target advertisements, newsletter and service updates
- Verify the information that the customer provides with third parties
- Update Leapa services database, improve content and website layout
- Resolve disputes that may arise
Leapa may retrieve additional Personal Information about customers from third parties and other identification/verification services such as financial institutions, payment processors and verification services. With the customer’s consent, Leapa may also collect additional Personal Information in other ways including emails, surveys, and other forms of communication. Once the customer begins using our services through his/her Account, Leapa will keep records of the customer’s transactions and collect information on other activities related to our services. Leapa will not share or disclose the customer’s Personal Information with a third party without the customer’s consent.
Information Leapa collects from website visitors
Leapa does not collect Personal Information when a user visits the website. However, to monitor and improve the Leapa website and services, Leapa may collect non-personally-identifiable information. Leapa will not share or disclose this information with third parties except as a necessary part of providing the website and services. Leapa may use the information to target advertisements to the user.
Information Leapa collects from checkout users
When a merchant’s client checkouts with Leapa on a merchant’s website, Leapa collects and stores merchant’s client card information, email address, mobile phone number, billing and shipping address. To ensure card information is kept safe and secure on our servers, Leapa implements access control measures (physical and virtual), security protocols, policies and standards including the use of tokenization, encryption and firewall technologies in compliance with the PCI DSS Requirements and Leapa implements periodical security updates to ensure that our security infrastructures are in compliance with reasonable industry standards.
Leapa may share the merchant’s client contact information with merchants as part of purchase details for record purposes. Leapa will not share this information with other third parties except as a necessary part of providing the website and services. Leapa does not share card information with merchants. The merchant’s client should also review the merchant’s privacy policy to understand the privacy policies of the merchant he/she transacts with.
Cookies
Leapa uses cookies to identify users and make the user experience easier; customise services, content and advertising; help ensure that the customer’s account security is not compromised, mitigate risk and prevent fraud; and promote trust and safety on the website. Cookies allow Leapa’s servers to remember customers’ account log-in information when visiting Leapa’s website, IP addresses, date and time of visits, monitor web traffic and prevent fraudulent activities. If the user’s browser or browser add-on permits, the user has the choice to disable cookies on Leapa’s website; however, this may limit the ability to use Leapa’s website and services.
How Leapa protects user’s information
Leapa is committed to managing users’ Personal Information in line with global industry best practices. We protect Personal Information using physical, technical, and administrative security measures to reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. Leapa also uses industry-standard Transport Layer Security (TLS) encryption technology to safeguard users’ Personal Information. Other security safeguards include but are not limited to tokenization, data encryption, firewalls, and physical access controls to Leapa’s building and files, and granting access to Personal Information only to employees who require it to fulfil their job responsibilities.
How Leapa shares the personal information
To enable Leapa’s services to users, Leapa may share users’ information with trusted third parties. Such third parties include financial institutions, payment processors, verification services, as well as any third parties that the user has directly authorized to receive his/her Personal Information. Personal Information may be stored in locations outside the direct control of Leapa, for instance, on servers or databases co-located with hosting providers.
Leapa may disclose Personal Information for compliance with applicable law or a legal obligation to which Leapa is bound.
Note that merchants the user buys from or contracts with have their own privacy policies. The use of the user’s information by such third parties will be subject to their applicable privacy policy, which should be carefully reviewed by the user. Leapa is not responsible for their actions, including their information protection practices.
The data Leapa retains
Leapa will retain customer information for as long as the customer account is active or as needed to provide services, comply with legal and statutory obligations or verify information with a financial institution.
Leapa is statutorily obligated to retain the data customers provide us with in order to process transactions, ensure settlements, make refunds, identify fraud, and comply with applicable laws and regulatory guidelines, banking providers and card processors.
Therefore, even after closing a Leapa Account, Leapa will retain certain data to comply with these obligations.
Acceptable Use Policy
The following is the list of activities or businesses which are prohibited from using Leapa. This list is not exhaustive and only is a representation of the assessed restricted businesses.
By using Leapa, you agree to comply with the terms and conditions of this Acceptable Use Policy.
1. Prohibited Activities in a nutshell
You may not use Leapa, if you are or in connection with any service, transaction, product or activity that:
- Violates any law or government regulation, or facilitates or promotes such activities by third parties;
- Is listed on the prohibition list of the Burundian Customs Authority;
- Is fraudulent, deceptive, unfair or predatory;
- Violates any rule or regulation of Visa, MasterCard, or any other electronic funds transfer network;
- Causes or threatens reputational damage to Leapa or any Card Network;
- Results in or creates a significant risk of chargebacks, penalties, damages or other harm or liability.
- Is listed on the prohibited business categories on section 2;
2. Prohibited Business Categories
You may not use Leapa in connection with any product, service, transaction or activity that:
- Relates to the sale and/or purchase of:
  - Narcotics, steroids, certain controlled substances or other products that present a risk to a consumer's safety;
  - Burglary tools and stolen property;
  - Counterfeit goods; such as software, music, movies, designer brands...
  - Illegal drugs and drug paraphernalia;
  - Fireworks, destructive devices and explosives;
  - Identity documents, government documents, personal financial records or personal information;
  - Lottery tickets, sweepstakes entries or slot machines without the required license;
  - Offensive material or hate speech or items that promote hate, violence, racial intolerance, or the financial exploitation of a crime;
  - Unauthorized chemicals;
  - Recalled items;
  - Unlicensed financial services, stocks or other securities;
  - Unlicensed healing/pharmaceutical services
  - Items that infringe or violate any copyright, trademark, right of publicity or privacy or any other proprietary right under the laws of any jurisdiction;
  - Sales of currency without Burundian central bank license, cryptocurrency operators;
  - Obscene material or pornography;
  - Certain sexually oriented materials or services;
  - Certain firearms, firearm parts or accessories, ammunition, weapons or knives;
  - Any product or service that is illegal or marketed or sold in such a way as to create liability to Leapa;
  - Production of military and paramilitary wears and accoutrement, including those of the Police and the Customs, Immigration and Prison Services
- Relates to transactions that:
  - Are associated with purchases of annuities or lottery contracts, lay-away systems, off-shore banking or transactions to finance or refinance debts funded by a credit card;
  - Show the personal information of third parties in violation of applicable law;
  - Support pyramid or ponzi schemes, matrix programs, other "get rich quick" schemes, certain multi-level marketing programs or other services that promise high rewards;
  - Involve gambling, gaming and/or any other activity with an entry fee and a prize, including, but not limited to casino games, sports betting, horse or greyhound racing, lottery tickets, other ventures that facilitate gambling, games of skill (whether or not it is legally defined as a lottery) and sweepstakes unless the operator has obtained prior approval from Leapa and the operator and customers are located exclusively in jurisdictions where such activities are permitted by law.
  - Involve certain credit repair, debt settlement services, credit transactions or insurance activities
  - Involve offering or receiving payments for the purpose of bribery or corruption.
3. Measures and Actions by Leapa
If, in our sole discretion, we believe that you may have engaged in any violation of this Acceptable Use Policy, we may take such actions as we deem appropriate to mitigate risk to Leapa and any impacted third parties and to ensure compliance with this Acceptable Use Policy. This can be done with or without a notice to Such actions may include, without limitation:
- Blocking the settlement or completion of one or more payments;
- Suspending, restricting or terminating your access to and use of the Leapa’s Services;
- Terminating our business relationship with you, including termination without liability to Leapa of any payment service agreement between you and Leapa;
- Taking legal action against you;
- Contacting and disclosing information related to such violations to (i) persons who have sold/purchased goods or services from you, (ii) any banks or Card Networks involved with your business or transactions, (iii) law enforcement or regulatory agencies, and (iv) other third parties that may have been impacted by such violations;
- Assessing against you any fees, penalties, assessments or expenses (including reasonable attorneys’ fees) that we may incur as a result of such violations, which you agree to pay promptly upon notice.
4. Updates, Modifications & Amendments
We may need to update, modify or amend our Acceptable Use Policy at any time. We reserve the right to make changes to this Acceptable Use Policy.
We advise that you check this page regularly.
Platform Security
Security is one of the biggest considerations in everything we do. Leapa is PCI DSS Level 1 compliant. This is the most stringent level of standard available in the payments industry.
To accomplish this, we make use of best-in-class security tools and practices to maintain a high level of security at Leapa.
Encryption of sensitive data and communication
All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Leapa’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Leapa’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure and doesn’t share any credentials with Leapa’s primary services (API, website, etc.).
HTTPS and HSTS for secure connections
Leapa forces HTTPS for all services using TLS (SSL), including our public website and the merchants' portals.
Leapa’s official libraries connect to Leapa’s servers over TLS and verify TLS certificates on each connection.
Secure widgets
Leapa provides smart widgets to integrate to your website to make it easy to capture customer information and payment methods while meeting and reinforcing security standards. Never worry about handling sensitive payment data as we encrypt and channel them to our secure servers from your customers' browser directly.
Identity Check
Before granting the usage of any Leapa account we require our users to provide complete personal information and a scan of a government-issued ID. We’ll then attempt verification following these steps:
- Directly interface with our customer's bank to get an identity match.
- Directly interface with our customer's phone service provider to get an identity match.
- Use state-of-the-art machine learning techniques to detect the authenticity of the government-issued ID.
- Ask for more identifying information and reach out to government authority when needed.
Machine learning
Our built-in machine learning engine distinguishes fraudsters from customers more accurately than other systems to increase acceptance rates and revenue.
Our machine learning infrastructure lets us retrain thousands of customized models for each business every day. Our algorithms adapt quickly to shifting fraud patterns by learning from millions of global businesses processing billions in payments each year.
Two Factor Authentication (“2FA”)
2FA is an additional layer of security that can be added to the customer Account. We are working on adding 2FA to our merchants’ accounts. When 2FA is enabled, the merchant will be required to enter a One Time Password (OTP), a verification code that Leapa will send to the merchant for authentication purposes, each time the merchant logs in to Leapa.
3D Secure 2.0
To protect our merchants from fraud, we are rolling out 3D Secure 2.0. This method adds a layer of verification to help merchants and issuers distinguish good transactions from fraudulent ones.
3D Secure 2.0 is the industry's most advanced technique. It uses an intelligent, real-time, secure information-sharing pipeline that allows merchants to share transaction attributes with issuers, enabling them to authenticate customers with more accuracy and detect fraudulent transactions.