This Privacy Policy sets out how LasPay protects the personal, financial, and sensitive data of customers, employees, agents, merchants, business partners, and other stakeholders across its mobile application, website, internal systems, and operations. By registering for, accessing, or using LasPay services, users acknowledge that they have read, understood, and accepted this Privacy Policy, and continued use of LasPay constitutes ongoing acceptance of its terms; failure to read or understand the policy does not exempt users from compliance.
The policy ensures compliance with Da Afghanistan Bank (DAB) regulations and applicable data protection and privacy laws, while promoting a culture of confidentiality, data security, accountability, and responsible data handling within LasPay.
This Privacy Policy applies to all LasPay staff, agents, merchants, super agents, business partners, and third-party providers. It covers all personal, financial, and sensitive data collected or processed through LasPay’s app, website, systems, operations, and agent network.
Data sharing is permitted only with authorized third parties, DAB, or other authorities as required by law, regulation, or with mutual consent under a formal agreement.
LasPay is committed to safeguarding the confidentiality, integrity, and availability of all personal, financial, and sensitive data under its control, in line with Da Afghanistan Bank (DAB) regulations and applicable laws.
All data shall be collected, processed, stored, and shared strictly for lawful, legitimate, and regulatory purposes. Every employee, agent, and relevant third party is responsible for complying with this policy and all applicable data protection and privacy requirements.
1.1. Board of Supervisors
The Board of Supervisors holds ultimate responsibility for data protection and privacy governance at LasPay. The Board approves this policy, oversees compliance with regulatory requirements, and ensures that sufficient resources are allocated for its effective implementation.
1.2. Senior Management
Senior Management is responsible for implementing this policy across all departments and operations. It ensures the enforcement of data protection controls; addresses identified risks and takes timely corrective actions where necessary.
1.3. Data Protection Officer (DPO)
The Data Protection Officer oversees compliance with data protection and privacy obligations, advises management on privacy risks and incidents, and recommends mitigation measures. The DPO serves as the primary contact point for Da Afghanistan Bank (DAB), other regulators, and data subjects on privacy-related matters.
LasPay operates in full compliance with Da Afghanistan Bank (DAB) Electronic Money Institution (EMI) regulations, applicable AML/CFT laws, KYC requirements, and relevant data protection principles, including internationally recognized privacy standards where applicable.
Regulatory obligations are reviewed on an ongoing basis, and all relevant requirements are embedded into LasPay’s internal policies, procedures, systems, and operational controls to ensure continuous compliance.
LasPay collects personal, financial, business, and technical data needed for secure electronic money services, including KYC, contact details, wallet and transaction records, business data (where applicable), and device information. The minimum required information for registration is a valid phone number. With user consent, LasPay may access device features such as contacts, SMS, camera, and storage for service functionality, transaction facilitation, and security, and users can restrict or revoke access at any time.
Collected data may include IP address, device identifiers (IMEI, MAC), device model, browser type, ISP details, and GPS location. Data is used for onboarding, verification, transactions, salary and tax services, fraud detection, regulatory reporting to DAB, customer support, notifications, and service improvements. With explicit consent, LasPay may send promotional messages or updates via email or in-app notifications, combine information with other sources to enhance personalization, and share data with parent, sister, or subsidiary companies under confidentiality agreements and applicable regulations.
LasPay protects all data through strong security measures, including encryption of sensitive information, role-based access controls, secure systems and servers, and robust authentication mechanisms. Access to data is strictly limited to authorized personnel on a need-to-know basis, in line with internal controls and regulatory requirements.
LasPay shares personal, financial, and sensitive data strictly on a need-to-know basis and only where permitted by law, regulation, or contractual obligation. Permitted disclosures may be made to Da Afghanistan Bank (DAB) and other competent authorities, licensed banks and payment partners for transaction processing, and auditors or compliance service providers performing regulatory or statutory duties. Data may also be disclosed to law enforcement agencies upon receipt of a lawful and valid request.
LasPay does not sell, trade, or disclose personal data to marketing or advertising entities, unauthorized third parties, or any party lacking a legal basis, regulatory mandate, or explicit user consent. All data sharing is governed by confidentiality obligations and security controls to ensure continued protection of user and partner information.
LasPay performs due diligence on all third parties, including agents, merchants, service providers, and business partners, to ensure compliance with Da Afghanistan Bank (DAB) regulations and data protection standards. All third-party engagements are governed by binding confidentiality, data protection, and compliance obligations and are subject to continuous monitoring and corrective action.
Where users transact with merchants, agents, or other users through the LasPay platform, such parties are independently responsible for their own privacy and data protection practices. LasPay is not liable for third-party data handling outside its systems, except as required by law or DAB directives, while ensuring appropriate safeguards for data processed within LasPay’s control.
LasPay retains customer and transaction data for at least 5 years, as required by the EMI regulation, and securely deletes or anonymizes it after this period unless a longer retention is required by law or DAB for investigation, audit, or legal purposes.
LasPay users have the right to access their personal data, update or correct inaccurate or incomplete information, and request deletion of their data where legally permissible. Users may modify or update their information directly through LasPay’s application or authorized channels and are responsible for ensuring the accuracy of the information provided. Requests may be restricted where data retention is required under Da Afghanistan Bank (DAB) regulations or applicable laws. Users may also raise privacy concerns or submit complaints by contacting info@Laspay.af
LasPay treats any data breach as a serious incident and requires all staff, agents, and third-party providers to report suspected or confirmed breaches immediately to the Data Protection Officer (DPO). The DPO will promptly investigate, contain, and remediate the breach, document all findings and corrective actions, and notify Da Afghanistan Bank (DAB) and affected users as required by law and regulatory timelines.
LasPay provides mandatory data protection and privacy training for all employees, officers, and relevant staff, ensuring they understand their responsibilities in handling personal and financial data. Regular awareness sessions are also conducted to reinforce confidentiality obligations, safe data practices, and regulatory compliance requirements.
LasPay conducts regular internal audits to ensure ongoing compliance with this Privacy Policy and related data protection procedures. External audits are also carried out when required by Da Afghanistan Bank (DAB), other regulators, or the Board, to validate the effectiveness of LasPay’s data security controls. Any findings or gaps identified during audits are promptly addressed through corrective actions and continuous improvement measures.
LasPay requires all privacy and data protection issues, including incidents, risks, and compliance concerns, to be reported promptly to senior management and escalated to the Board when necessary. All regulatory reporting obligations, including reporting to Da Afghanistan Bank (DAB) or other authorized authorities, will be fulfilled accurately and within the required timelines, ensuring transparency and compliance.
LasPay continuously improves its privacy and data protection framework by encouraging feedback from customers, employees, agents, and business partners. The policy, controls, and procedures are regularly reviewed and updated to reflect regulatory changes, audit findings, emerging risks, and international best practices, ensuring ongoing enhancement of data security and privacy.
This Privacy Policy is reviewed at least annually and whenever required due to changes in Da Afghanistan Bank (DAB) regulations, applicable laws, or LasPay’s operations. Any material updates are approved by the Board of Directors and communicated in advance to stakeholders, including customers, through appropriate channels such as in-app notifications or official announcements. Continued use of LasPay’s services after such notifications constitutes acknowledgment and acceptance of the updated Privacy Policy.