Last Mile Pay Privacy Policy

Last Updated: Nov 1, 2025

Overview

Last Mile Pay ("the App") is a mobile application used by authorized Off-Ramp Service Providers (OSPs) to receive payment orders, scan AidTags from beneficiaries, record attendance or payment delivery, and sync this information with the Last Mile Aid platform.

This Privacy Policy explains how Coala Pay collects, uses, stores and protects your information when you use the App. Customer privacy is important to us.

Information We Collect

Data you provide

We collect personal information that you voluntarily provide to us when you register with the App. This includes user identification (name and email) and authentication (encrypted password). It also includes AidTag numbers and encrypted pin codes.

Log Data

We collect app logs, which includes actions performed, timestamps, device unique identifiers, OS version, crash reports and diagnosis.

How We Use Your Information

We process personal data to:

  1. Enable OSPs to receive and view assigned payment orders
  2. Allow scanning of AidTags to confirm beneficiary payments or attendance
  3. Verify beneficiary identity using a PIN-based mechanism
  4. Store data offline when operating without network connectivity
  5. Sync payment and attendance records with the Last Mile Aid platform
  6. Prevent fraud and ensure accurate delivery of humanitarian assistance
  7. Comply with audit and donor reporting requirements
  8. Improve the reliability, security, and performance of the App

Legal Basis

We rely on the following legal bases:

  • Performance of a contract
    To deliver the services the App is designed for.
  • Legitimate interest
    To ensure secure and effective operation, prevent fraud, and maintain accurate records.
  • Legal obligation
    When data must be retained or shared for regulatory or donor reporting.

Security of Personal Information

The security of your personal information is important to us, we implement technical and organizational measures aligned with ISO 27001, including secure development practices, access controls, and continuous monitoring. Security measures include but are not limited to:

  • Data is encrypted at rest on the device and in transit during synchronization.
  • Offline data is stored temporarily and deleted after successful upload.
  • Servers and storage are hosted on secure cloud environments compliant with industry standards.
  • Access to personal data is restricted to authorized personnel only.

How We Share Your Information

We may share personal data with INGOs and humanitarian organizations managing the project, Off-Ramp Service Providers (but only with authorized staff), auditors or monitoring partners (when required), and cloud service providers that host the platform.

We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal processes, such as in response to a court order or a subpoena.

International Data Transfers

All personal data processed by Last Mile Pay is stored and hosted within the European Union using Google Cloud's EU-based data centers. This ensures compliance with GDPR requirements for data residency and provides an additional layer of protection for all users and beneficiaries.

We do not transfer personal data outside the EU. If a future transfer becomes necessary (for example, for a specific project or partner), we will only do so using GDPR-compliant safeguards and will inform affected users as required.

Links To Third Party Services

Our services may contain links to other sites that are not operated by Coala Pay. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

User Rights

If you are an OSP or beneficiary, you may exercise the following rights (subject to programme constraints):

  • Right of access
  • Right to rectification
  • Right to deletion ("right to be forgotten")
  • Right to restrict processing
  • Right to object
  • Right to data portability

Requests can be submitted to the contact details below.

For beneficiaries whose data is provided by humanitarian partners, some rights may need to be exercised directly with the organization managing the programme.

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, including for satisfying any legal, accounting, or reporting requirements. Our data retention schedule is periodically reviewed and aligned with principles of necessity, proportionality, and security, as mandated by relevant data protection laws and standards, including GDPR and ISO 27001 requirements.

The retention periods are defined based on the type of data:

  • OSP account data: retained while the organization participates in the programme.
  • Payment and attendance records: retained for audit and donor reporting purposes, typically 3–7 years, depending on the project.
  • Logs and diagnostics: 6–12 months.
  • Anonymized or aggregated data may be kept indefinitely.

Children's Privacy

Our service does not work with or include anyone under the age of 13 ("Children"). We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us. If we become aware that we have collected personal information from a child under age 13 without verification of parental consent, we take steps to remove that information from our servers.

Changes To This Privacy Policy

We may update our privacy policy from time to time. We will notify users of any changes by posting the updated policy on this page. You are advised to review this privacy policy periodically for any changes. Changes to this policy are effective when they are posted on this page.

Contact Us

If you have any questions about this Privacy Policy or to exercise your rights, please contact us: techteam@coalapay.org