Kasi Pesa Privacy Policy

Last Updated: May 29, 2025

Kasi Pesa (“we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, share, and protect your information when you access Tanzanian loan services through our mobile application (“app”). By using our app, you agree to comply with the terms of this policy.

1. Information We Collect and Permissions

1.1 Purpose and Content of Information Collection

We collect the following types of information:

  • Personal Information
    Purpose: To conduct KYC (Know Your Customer) and identity verification through your personal information.
    Content Collected: Your name, gender, citizen identity card, citizen identity card number, place of birth, date of birth, residential address, duration of residence, religious beliefs, marital status, nationality, education level, WhatsApp number, email, and mobile money account.
  • Device and Technical Information
    Purpose: GAID (Google Advertising ID) is used to evaluate the effectiveness of our online marketing ads; other device IDs are primarily used for security verification during account login or fund transactions; other device information is used for device authenticity analysis to prevent misuse and malicious attacks on the app.
    Content Collected: Your UUID (Universally Unique Identifier), GAID, phone name and model, operating system version, device language, battery status, and network address.
  • Behavioral Data
    Purpose: To gain a deeper understanding of user needs by analyzing your access behavior on the platform, while also conducting anomaly analysis to improve user experience.
    Content Collected: For example, page load times, dwell times, click counts, borrowing history, repayment history, and account updates.
  • Employment Information
    Purpose: To analyze and evaluate your financial status and provide an appropriate loan limit.
    Content Collected: Job type, company phone, company address, company name, monthly income, and industry of employment.
  • Contact Information
    Purpose: To enable us to contact you in case of emergencies.
    Content Collected: Emergency contact person's name, mobile number, and relationship to the emergency contact.

1.2 Purpose and Content of Permission Collection

  • Network Status
    Purpose: To ensure the app operates smoothly under good network conditions and adjusts strategies during poor network conditions to reduce application crashes caused by network issues, providing a stable user experience.
    Access Content: Access to your network status, such as network IP.
  • Notification Permissions
    Purpose: We need to obtain your notification permissions in order to send you reminders regarding loan status and repayment status updates in a timely manner.
  • Coarse Location Information
    Purpose: Mainly to provide location-based personalized loan services, as different regions may receive different credit limits. Additionally, based on the analysis of your active areas, we avoid the risk of account theft to ensure the safety of your funds.
    Access Content: Coarse location permission ACCESS_COARSE_LOCATION.
  • Camera Permission
    Purpose: Camera permission is required for face biometric identification (face photo capture) during the KYC verification process to ensure loan security.
  • Application List
    Purpose: To analyze your device for potential security risks by detecting the presence of malware, spyware, or other potentially harmful applications that could compromise your financial security or personal data.
    Access Content: List of installed applications on your device to perform security risk assessment.

1.3 Third-Party and External Data

We may also collect data from external sources, including but not limited to:
• Your submissions: Information you provide directly (e.g., account updates, loan applications).
• Account analysis: Behavioral insights derived from how you use our services.
• Public registrations: Publicly available data from government databases or registries.
• Authorities: Information shared by government agencies, regulatory bodies, or law enforcement.
• Telecommunications providers: Data from mobile network operators, with your consent (e.g., carrier details).
• Third parties: Data obtained from partners, service providers, or publicly accessible platforms.

2. Data Collection Methods

If you decide to open a Kasi Pesa account and provide personal information to use our services (for example, filling out personal information or authorizing access to personal information and permissions), we will collect, process, and share various types of information. Rest assured, we will retain and use this information only for the necessary period to fulfill the stated purposes or comply with legal requirements.

3. Deleting or Modifying Your Personal Information

3.1 Modifying Personal Information

You may request to update or correct your personal information by emailing [email protected]. We will process this request within three working days and may require verification documents to ensure account security.

3.2 Deleting Personal Information

You can request the deletion of your personal data through the following methods:

  1. Voluntary deletion request:
    You can send an email to [email protected] requesting to delete all or part of your data, providing identification and the reason for deletion. We will clear all data from our systems within seven calendar days after verification.
  2. Manual deletion feature:
    You can deactivate your account in the Kasi Pesa app under "My - Settings - Logout Account" to delete your personal information. Deleted data cannot be restored, but certain data (such as loan records) may be retained as required by law.
  3. Exceptions:
    Records required by law (e.g., loan contracts, repayment history) and data shared with third-party service providers cannot be deleted according to this policy.

4. Data Disclosure

Kasi Pesa places great importance on your privacy and will only share personal information in accordance with this privacy policy. We may disclose your data to the following categories of recipients, solely for the purposes permitted and/or as legally required in Section 1 (Purpose of Data Collection):

  1. Internal affiliates and service providers (contractors, professional consultants, debt collection agencies, and third-party vendors processing data under strict confidentiality agreements)
  2. Credit and financial institutions
    • Credit bureaus: National and local credit reporting agencies (e.g., credit bureaus, insurance companies, or rating agencies) for risk assessment, loan underwriting, or fraud prevention.
    • Cooperative financial institutions: Financial service providers directly offering products/services to you (e.g., payment gateways, loan disbursement platforms).
  3. Legal and regulatory entities
    • Authorities: Government regulatory bodies (e.g., the Tanzania Securities Exchange Commission, Bank of Tanzania), law enforcement agencies, or the courts for compliance with legal obligations, investigations, or court orders.
    • Guarantors/Security providers: Entities providing guarantees or collateral for your loans.
  4. Other legitimate recipients
    • Law enforcement agents: Persons/entities assisting in enforcing or upholding the contractual or legal rights of Kasi Pesa.
    • Authorized third parties: Any parties explicitly authorized by you in writing or through account settings (e.g., sharing data with trusted applications via integrated SDKs).

5. Data Retention

We will retain your data only for as long as necessary to fulfill the purposes listed in this policy or as legally required. The retention period for specific categories of data is as follows:

5.1 Personal, behavioral data, and third-party external data

Personal information, behavioral data, and third-party external data will be retained for three years after you complete your last transaction through Kasi Pesa or will be deleted immediately upon account termination.

5.2 Device and technical data

For anti-fraud and risk analysis purposes, device data and location information will be retained for at least 90 days. This data will be deleted immediately upon account termination.

5.3 Legal and regulatory exceptions

Data required by Tanzanian law (e.g., Anti-Money Laundering Act, Securities Exchange Commission reporting) will be retained for the minimum duration specified by regulatory authorities (typically 5-7 years).

6. Your Rights

As a user of Kasi Pesa, you have the following rights under Tanzanian law. To exercise any of these rights, please contact us at [email protected]. You have the right to:

  1. Right to be informed. Know what personal data we collect about you, how we use, share, or store your data, and the purposes and legal basis for processing your data.
  2. Right of access. You have the right to access your personal data and a copy of your user data.
  3. Right to rectify. You may request correction of inaccurate or incomplete data.
  4. Right to deletion. You may request the deletion of your personal data, unless it is retained under law. For example, you may request the deletion of your account data.
  5. Right to restrict processing. You may object to the processing of your data for specific purposes, such as direct email marketing.
  6. Right to complain. You have the right to object to the processing of personal information at any time and raise objections about the processing of your personal data under Tanzanian law. For any inquiries, requests, concerns, complaints, or exercising your rights regarding personal information, you may contact Kasi Pesa at [email protected], which will ensure your complaints are acknowledged promptly.

7. Protection of Personal Information

Kasi Pesa employs various methods to protect your personal information in compliance with Tanzanian law and international best practices (e.g., ISO 27001).

7.1 Data Encryption

• In transit: All data exchanged between devices and our servers is encrypted using TLS 1.3 (Transport Layer Security).
• At rest: Sensitive data (like passwords, financial details) is stored using AES-256 encryption.

7.2 Access Control

• Role-based permissions: Access for employees and contractors is strictly granted based on their job roles (e.g., customer support vs. system administrator).

7.3 Network Security

• Firewalls and intrusion detection: Deployed to monitor and prevent unauthorized access attempts.
• Regular penetration testing: Conducted periodically to identify and patch vulnerabilities.

7.4 Employee Training

• Annual security training: Covering phishing prevention, data handling protocols, and incident reporting.
• Role-specific workshops for IT staff covering secure coding practices and third-party vendor risk management.

7.5 Third-Party Vendor Management

• Contractual obligations: Service providers (e.g., cloud hosting, payment gateways) must comply with our data processing addendum.
• Audit rights: Kasi Pesa reserves the right to audit third parties to ensure compliance with security standards.

7.6 Incident Response

• User communication: If your data is compromised, a transparent communication service will be provided via email at [email protected].

7.7 Continuous Improvement

We conduct risk assessments every six months to address emerging threats, regularly revising policies to reflect technological advancements and regulatory changes. However, while we strive to maintain data security, we cannot guarantee 100% safety.

7.8 Collection and Processing of Sensitive Data

All collected sensitive data will be transmitted to our secure servers to ensure data safety and confidentiality during transit.

8. Third-party SDKs and Services

To enhance service delivery, we have integrated reliable third-party SDKs and services. Below are detailed descriptions of their purposes, data handling, and compliance measures:

8.1 Faceid SDK

Purpose: To verify user identity through facial recognition during account creation or transactions, facilitating KYC (Know Your Customer) and anti-fraud measures, while accessing the device camera with user consent and ensuring that facial biometric data is encrypted during transmission and storage.
Address: https://faceid.com/pages/sdk_download

8.2 Firebase SDK

Purpose: To provide real-time alerts, utilize Google Analytics to optimize services, monitor technical issues, and process device information and usage logs to enhance application performance and user experience.
Address: https://pub.dev/packages/firebase

8.3 Facebook SDK

Purpose: To achieve more effective ad attribution and optimization, precise user behavior tracking, seamless user experience, and deeper data integration with Facebook's advertising platform.
Address: https://pub.dev/packages/facebook_app_events

9. Children's Privacy

Our application is not suitable for users under the age of 18.

10. Changes to This Policy

We reserve the right to periodically update this privacy policy to reflect regulatory changes, operational improvements, or enhanced user protections. All updates will be published on the customer service platform and through in-app notifications, encouraging users to review regularly to understand how Kasi Pesa manages data.

11. User Agreement

Continued use of Kasi Pesa's services after changes to this privacy policy take effect constitutes your acceptance of the updated policy.
For any questions or requests regarding this privacy policy or our data practices, please contact us at [email protected].