
Table of Contents

1. Introduction 2. Information We Collect 2.1 Information You Provide 2.2 Information Collected Automatically 2.3 Information from Third Parties 3. How We Use Your Information 4. Legal Basis for Processing 5. Data Sharing 5.1 Service Providers 5.2 Payment Data Security 5.3 Legal and Regulatory Requirements 5.4 Business Transfers 5.5 Sub-processor Changes 6. Data Retention 7. Automated Decision-Making 8. Data Security 9. Data Breach Notification 10. Your Rights 11. International Data Transfers 12. Cookies and Tracking Technologies 13. Age Requirement 14. Changes to This Policy 15. Language 16. Data Protection Officer 17. Complaints 18. Contact Us
Last Updated: 2026-02-26 Effective Date: 2026-02-26

Privacy Policy — tipWave



1. Introduction

tipWave ("we", "our", "us") operates the tipWave mobile application, web application, and payment page (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. This Policy should be read together with our Terms of Service.

Data Controller: Kiteschool Kitebelles LTD (BRN: C23194572)
Registration: The Controller is registered with the Data Protection Office of the Republic of Mauritius in accordance with Section 30 of the Data Protection Act 2017
Address: Royal Road, La Gaulette 1903-02, Mauritius
Email: hello@tipwave.tech
Data Protection Officer (DPO): dpo@tipwave.tech (appointed in accordance with Section 22(2)(e) of the Data Protection Act 2017)

We are committed to protecting your privacy and complying with the Data Protection Act 2017 of Mauritius (Act No. 20 of 2017).


2. Information We Collect

2.1 Information You Provide

For Partner Venues (legal entities):

  • Legal entity name, BRN (Business Registration Number)
  • Incorporation documents and beneficial ownership information (persons holding 25% or more)
  • Business bank account details (account number, bank name — for payment of services)
  • Contact details of the authorized representative (name, email, phone)
  • Business address

Provision of this data is required for onboarding to the platform.

For Recipients (employees of Partner Venues):

  • Email address
  • Phone number
  • Name
  • Profile photo
  • Identity document (for verification upon registration)
  • QR code data (short codes, display name, associated Venue)
  • Savings goals and progress
  • Achievement badges and gamification data

Provision of this data is required to use the Service as a Recipient (except for goals and achievements, which are optional). Without it, we cannot verify your identity or record tips.

For Guests (tip givers):

  • Payment card information (processed directly by Peach Payments — tipWave never stores or has access to full card numbers, CVV, or PIN)
  • Optional: name, message, and rating with tip

Provision of payment data is required to complete a tip. Optional data (name, message, rating) is voluntary.

2.2 Information Collected Automatically

  • Device information (type, operating system, app version)
  • Transaction history (tip amounts, dates, statuses)

Our infrastructure providers (Google Cloud Platform, Cloudflare) automatically process technical data such as IP addresses, access timestamps, and error logs as part of their service operation. tipWave does not independently collect or store this data, but it may be accessible to us through our infrastructure providers' administration tools.

2.3 Information from Third Parties

  • Authentication data from Firebase Authentication (email, phone number, sign-in method)
  • Payment confirmation and transaction status from Peach Payments
  • Bot verification data from Cloudflare Turnstile (on the payment page)
  • KYC verification results of tipWave as a merchant from Peach Payments (upon merchant status updates)

3. How We Use Your Information

We use your information to:

  • Provide and maintain the Service
  • Process tip payments and pay Partner Venue invoices
  • Verify Partner Venues (registration, BRN, beneficial owners)
  • Verify Recipients upon registration
  • Record tips collected for each Recipient
  • Send transaction notifications to Recipients and reports to Venues
  • Analyze aggregated usage patterns to improve the Service (with your consent)
  • Comply with legal obligations (AML/CFT, tax, data protection)
  • Respond to requests from our payment partners relating to fraud, money laundering, and abuse detection

4. Legal Basis for Processing

Under the Data Protection Act 2017 (Section 28), we process your personal data based on:

| Basis | Application | DPA 2017 Reference |
|---|---|---|
| Contract | Management of Recipient accounts and Venue agreements, payment processing, Venue invoice payments, Service provision | Section 28(1)(b) |
| Legal Obligation | Venue verification (KYB), Recipient identification, tax reporting, data retention | Section 28(1)(c) |
| Legitimate Interest | Platform security, fraud prevention, protection against unauthorized access | Section 28(1)(f) |
| Consent | Marketing communications, analytics, other processing not covered by the above bases | Section 24, Section 28(1)(a) |

Consent under Section 24 of DPA 2017 means a freely given, specific, informed, and unambiguous indication of the data subject's wishes, expressed by a statement or by a clear affirmative action.

By creating an account, you:

  • Accept the Terms of Service and this Policy — this forms the contractual basis for processing data necessary for Service operation (account management, payments, invoice processing)
  • Give consent for processing for consent-dependent purposes (marketing communications, analytics) — you may withdraw this consent at any time

Processing based on legal obligation (KYC, AML, tax reporting) and legitimate interest (platform security) does not depend on your consent and is carried out by operation of law.

You may withdraw your consent at any time by contacting us at hello@tipwave.tech. Withdrawal of consent is as easy as giving it. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal. Only consent-dependent features (such as marketing communications) will be affected — core Service functionality relies on contractual and legal obligation bases.


5. Data Sharing

We may share your information with:

5.1 Service Providers

| Provider | Purpose | Location |
|---|---|---|
| Peach Payments (Peach Payment Services Proprietary Limited) | Card payment processing, card tokenization, fraud screening, settlement with tipWave as merchant (PCI-DSS Level 1 certified). Contact: privacy@peachpayments.com | South Africa (UK/EU for operational needs) |
| Firebase Authentication (Google) | User authentication | Google Cloud |
| Firebase Cloud Storage (Google) | Storage of user-uploaded content (profile photos) | Google Cloud, asia-south1 (Mumbai) |
| Google Cloud Platform | Data hosting, Firestore database, Cloud SQL | asia-south1 (Mumbai) |
| Cloudflare | Content delivery, DDoS protection, bot protection (Turnstile) | Global CDN |
| Peach Payments' sub-processors | Peach Payments engages its own sub-processors for identity verification (KYC), sanctions and PEP screening as part of its regulatory obligations. Details available from Peach Payments upon request | Various jurisdictions |
| MCB Ltd (Mauritius Commercial Bank) | Acquiring bank for card transactions, settlement of funds to tipWave's merchant account | Mauritius |

We enter into Data Processing Agreements (DPA) with all service providers, ensuring equivalent data protection standards in accordance with Section 36 of DPA 2017.

Peach Payments' roles in data processing:

| Role | Scope | Basis |
|---|---|---|
| Data Processor (on behalf of tipWave) | Card payment processing, card tokenization, settlement with tipWave as merchant | Data Processing Agreement (DPA) |
| Independent Data Controller | KYC/AML verification of tipWave as merchant, fraud monitoring of payment transactions, SAR filing with FIU, card scheme compliance (Visa/Mastercard) | Peach Payments' regulatory obligations as a licensed PSP |

As an independent controller, Peach Payments independently determines the purposes and means of processing for its regulatory obligations. tipWave does not control and is not responsible for processing carried out by Peach Payments under their own regulatory obligations. For details, see the Peach Payments Privacy Policy.

Peach Payments may share your data with its affiliated entities and sub-processors as necessary to provide payment processing services and fulfill regulatory obligations. A current list of Peach Payments affiliates is available from Peach Payments upon request.

5.2 Payment Data Security

All card payments are processed by Peach Payments, which is PCI-DSS Level 1 certified — the highest level of payment security certification. Your card information is securely transmitted directly to Peach Payments' PCI-DSS Level 1 compliant vault. Payment card data is:

  • Tokenized — card numbers are replaced with non-sensitive tokens by Peach Payments
  • Encrypted in transit using TLS/HTTPS
  • Never stored on tipWave servers — we do not have access to full card numbers, CVV, or PIN
  • Screened for fraud — Peach Payments performs automated fraud checks on every transaction

For card payments, 3D Secure authentication (Verified by Visa, Mastercard SecureCode) may be required for additional security. 3D Secure is implemented and maintained by Peach Payments.

Charges will appear on your bank or card statement as "TIPWAVE" or a similar descriptor (which may include "PEACH" as the payment processor).

Peach Payments acts as a data processor for payment data on our behalf, and as a data controller in relation to its own regulatory obligations (card scheme rules, KYC of tipWave as merchant, anti-fraud requirements). Peach Payments does not directly process personal data of Recipients or Partner Venues — such data is processed by tipWave. For details on how Peach Payments handles payment data, refer to the Peach Payments Privacy Policy.

5.3 Legal and Regulatory Requirements

We may disclose your information if required by law, including to:

  • Financial Intelligence Unit (FIU) Mauritius — for anti-money laundering compliance
  • Mauritius Revenue Authority — for tax compliance
  • Data Protection Commissioner — in response to lawful requests
  • Law enforcement — in response to valid legal process

We will evaluate each request and only provide data in response to legally valid and binding requests.

5.4 Business Transfers

In the event of a merger, acquisition, or sale, data necessary for the continuation of the Service may be transferred as part of the transaction. In such cases: (a) we will notify you before your data is transferred to a new controller, (b) the acquiring entity will be required to maintain equivalent data protection standards, and (c) you will have the right to request deletion of your data before the transfer is completed.

We do not sell your personal information.

5.5 Sub-processor Changes

If we engage new sub-processors or replace existing ones, we will update this Privacy Policy and notify you of material changes in accordance with Section 14. A current list of sub-processors is available upon request at hello@tipwave.tech.


6. Data Retention

We retain your personal data for the following periods:

| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Partner Venue data (registration, BRN, beneficial owners, bank details) | Duration of agreement + 7 years | FIAMLA 2002, Section 17 |
| Venue bank details (business account) | Duration of use + 7 years | FIAMLA 2002, Section 17 |
| Non-financial Recipient profile data (name, photo) | Duration of account + 30 days | Contractual necessity |
| Recipient identity documents | 7 years from end of relationship | FIAMLA 2002, Section 17 |
| Transaction records | 7 years from transaction date | FIAMLA 2002, Section 17 |
| Tip records (amounts, Recipients, Venues) | 7 years from last operation date | FIAMLA 2002, Section 17 |
| Payment data (tokens only) | 7 years from transaction date | FIAMLA 2002, Section 17; Peach Payments requirement (min 12 months) |
| Device and log data | 90 days | Operational need |
| Marketing preferences | Until consent is withdrawn | Consent-based |

After the retention period, data is securely deleted or anonymized using industry-standard methods (cryptographic erasure for encrypted databases, secure overwrite for unencrypted storage). Deletion is performed automatically where technically feasible; manual deletion is verified through documented processes. We verify quarterly that stored data does not exceed retention periods.


7. Automated Decision-Making

We do not use fully automated decision-making or profiling that produces legal effects concerning you. Automated systems are used only for:

  • Fraud detection — Peach Payments performs automated fraud screening on every payment transaction. tipWave may refer cases to our payment partners if unusual activity is brought to our attention
  • Bot protection — Cloudflare Turnstile verification on the payment page
  • Sanctions screening — Peach Payments screens tipWave as a merchant against sanctions and PEP lists as part of its regulatory obligations
  • Gamification — automated calculation of achievement badges and progress metrics based on your transaction history and Service usage (e.g., number of tips received, savings goals), if you opt in to these features. These are informational only and do not produce legal effects or affect your access to Service features

You have the right to request human intervention in any automated process that affects you and to be informed of the logic involved in such processing.


8. Data Security

We implement appropriate technical and organizational measures to protect your data, as required by the Data Protection Act 2017 (Section 31):

  • Encryption in transit — TLS 1.2+ / HTTPS
  • Encryption at rest — database-level encryption (Cloud SQL, Firestore)
  • Access controls — role-based permissions, principle of least privilege
  • Pseudonymization — where technically feasible, personal data is pseudonymized to minimize risks
  • Tokenization — payment card data is tokenized by Peach Payments (PCI-DSS Level 1); tipWave does not store or process full card numbers
  • Resilience — backups, monitoring, ability to restore data promptly after incidents
  • Periodic security assessments — regular testing and evaluation of effectiveness of technical and organizational measures
  • Data Protection Impact Assessments (DPIA) — conducted prior to high-risk processing activities (including financial data processing and identity verification) in accordance with Section 29 of DPA 2017

Security responsibility breakdown:

| Area | Responsible Party |
|---|---|
| Payment data security (cards, tokens, PCI-DSS) | Peach Payments |
| Fraud monitoring of payment transactions | Peach Payments |
| Settlement with tipWave as merchant | Peach Payments (merchant account segregated from Peach's operational funds) |
| Partner Venue data verification and storage | tipWave (Google Cloud Platform) |
| Recipient data verification and storage | tipWave (Google Cloud Platform) |
| Tip and payment accounting | tipWave (Cloud SQL) |
| Account security and authentication | tipWave (Firebase Authentication) |
| Profile data and transaction history security | tipWave (Google Cloud Platform) |
| User content security (photos) | tipWave (Firebase Cloud Storage) |
| Payment page bot protection | tipWave (Cloudflare Turnstile) |

No method of transmission or storage is 100% secure. In the event of a data breach, we will promptly assess the risk and take remedial measures in accordance with Section 9 of this Policy.


9. Data Breach Notification

tipWave maintains a breach register in accordance with DPA 2017. The decision to notify the Data Protection Commissioner and data subjects is made by the DPO within 24 hours of breach discovery.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Data Protection Commissioner of Mauritius within 72 hours of becoming aware of the breach, as required by the Data Protection Act 2017 (Section 25)
  • Notify affected data subjects no later than 7 calendar days after notifying the Commissioner, when the breach is likely to result in a high risk to their rights and freedoms (Section 26)
  • Provide information about: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach

Notification is not required if the data was encrypted or otherwise protected in a manner that renders it unusable by unauthorized persons.

Our payment processor, Peach Payments, is contractually obligated to notify tipWave if they become aware of an unauthorized acquisition, disclosure, or loss of data affecting tipWave's merchant account or Guests' payment data. Peach Payments does not directly process personal data of Recipients or Partner Venues — in the event of a breach of such data, tipWave bears the notification responsibility as described above.


10. Your Rights

Under the Data Protection Act 2017 of Mauritius (Sections 37-40), you have the right to:

  • Access — Request a copy of your personal data (Section 37)
  • Rectification — Correct inaccurate or incomplete data (Section 38)
  • Erasure — Request deletion of your data, subject to legal retention obligations (Section 39)
  • Restriction — Limit processing of your data in particular circumstances (Section 40)
  • Portability — Receive your data in a structured, machine-readable format
  • Objection — Object to certain processing activities, particularly direct marketing
  • Withdrawal of Consent — Withdraw previously given consent at any time, without affecting the lawfulness of prior processing (Section 24)
  • Object to Automated Decisions — Not be subject to decisions based solely on automated processing that produce legal effects
  • Complaint — Lodge a complaint with the Data Protection Commissioner (see Section 17)

How to exercise your rights: Contact us at dpo@tipwave.tech. We will respond within 30 calendar days. If necessary, the deadline may be extended by 30 additional days for complex requests — we will notify you of the extension and its reasons within the initial 30-day period. Data is provided in JSON or CSV format at your choice. Requests are processed free of charge.


11. International Data Transfers

Your data is primarily stored on Google Cloud Platform infrastructure in the asia-south1 (Mumbai, India) region. Your data may also be transferred to and processed in other countries where our service providers operate (South Africa for Peach Payments; the United Kingdom and European Union for Peach Payments' operational needs; various regions for Cloudflare CDN).

Under the Data Protection Act 2017 (Section 36), we protect cross-border transfers through:

  • Standard Contractual Clauses (SCC) with infrastructure providers
  • Contractual data protection commitments with third-party processors (Peach Payments, Google Cloud / Firebase, Cloudflare)
  • Contractual guarantees providing equivalent data protection standards

The transfer of your data outside Mauritius is carried out based on:

  • Standard Contractual Clauses (SCC, Module 2: controller-processor) with Google Cloud and Cloudflare
  • Data Processing Agreement with Peach Payments, including data protection guarantees equivalent to DPA 2017
  • Contractual necessity — the transfer is necessary for the performance of the contract between you and tipWave (Section 36(b))

By registering with the Service, you give informed consent for the transfer of your data to the jurisdictions listed above for the purposes described in this Policy.


12. Cookies and Tracking Technologies

Our Service uses the following cookies and similar technologies:

| Type | Purpose | Can Be Disabled? |
|---|---|---|
| Essential | Firebase Authentication session tokens, security | No — required for Service to function |
| Bot protection | Cloudflare Turnstile cookies on payment page | No — required for payment security |
| Analytics | Aggregated, anonymized usage data (requires your consent) | Yes |

We do not use advertising or third-party tracking cookies. Analytics data is aggregated and anonymized before processing; it cannot be used to identify individual users. You can opt out of analytics data collection through the application settings or your browser settings. Disabling essential cookies may affect the functionality of the Service.


13. Age Requirement

Our Service is not intended for persons under 18 years of age. We do not knowingly collect personal information from such persons. If we learn that we have collected personal data from a person under 18, we will take steps to delete that information promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at hello@tipwave.tech.


14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via:

  • Email notification
  • Posting the new policy on this page
  • Updating the "Last Updated" date

If you do not agree with the changes, you may close your account in accordance with the Terms of Service before the changes take effect.


15. Language

This Privacy Policy is provided in English and French. A Russian translation is available for informational purposes only and does not constitute an official version. In case of any discrepancy between versions, the English version shall prevail.


16. Data Protection Officer

In accordance with Section 22(2)(e) of the Data Protection Act 2017, we have appointed a Data Protection Officer (DPO):

DPO contact details:

  • Email: dpo@tipwave.tech
  • Postal address: DPO, Kiteschool Kitebelles LTD, Royal Road, La Gaulette 1903-02, Mauritius

The DPO performs the following functions in accordance with Section 23 of DPA 2017:

  • Advising on compliance with data protection legislation
  • Monitoring compliance of data processing with DPA 2017 requirements
  • Conducting and coordinating Data Protection Impact Assessments (DPIA)
  • Maintaining a register of processing operations
  • Liaising with the Data Protection Office of the Republic of Mauritius
  • Handling data subject requests

The DPO acts independently and does not receive instructions regarding the performance of their duties.

For payment data inquiries, you may also contact Peach Payments directly:

  • Email: privacy@peachpayments.com
  • Basis: Peach Payments acts as an independent data controller in relation to its regulatory obligations (KYC, AML, fraud monitoring)

17. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Data Protection Office of Mauritius:

  • Website: https://dataprotection.govmu.org
  • Email: dpo@govmu.org

18. Contact Us

If you have questions about this Privacy Policy:

  • Company: Kiteschool Kitebelles LTD
  • Address: Royal Road, La Gaulette 1903-02, Mauritius
  • Email: hello@tipwave.tech

© 2026 Tipwave Ltd. Registered in Mauritius.
