Tuma Ventures Limited Privacy Policy

1. Introduction

1.1. Purpose of This Policy:

This Privacy Policy outlines how Tuma Ventures Limited (“Tuma,” “we,” “us,” or “our”), a company duly incorporated in the United Republic of Tanzania under Registration No. 165945697, collects, uses, discloses, and safeguards personal data in connection with the provision of its digital financial services. This includes services accessed through our official website (www.tuma.tz) and mobile applications (collectively, the “Service”).

1.2. Our Commitment to Your Privacy:

Tuma Ventures Limited is deeply committed to protecting your privacy and personal data. We operate in full compliance with the Personal Data Protection Act, 2022 (PDPA 2022), the National Payment Systems Act, 2015 (NPS Act), the Cybercrimes Act, 2015, and all other applicable laws of Tanzania relating to data protection, electronic communications, and financial services. We recognize that the security and confidentiality of your data are fundamental to the trust you place in us as a licensed Payment Service Provider.

1.3. Your Consent:

By accessing, using, or registering for our Service, you confirm that you have read, understood, and agree to the terms of this Privacy Policy. You explicitly consent to the collection, processing, use, and disclosure of your personal data as described herein. If you do not agree with any part of this Policy, you must discontinue your use of our Service immediately. Terms used in this Policy have the same meaning as in our Terms and Conditions unless otherwise defined.

2. Collection of Personal Data

2.1. Information You Provide Directly:

We collect personal data that you provide directly to us when you:

1. Create an account or register for our Service.
2. Complete our Know Your Customer (KYC) verification process.
3. Initiate transactions or use our payment services.
4. Contact our customer support.
5. Participate in surveys or promotions.
6. Provide feedback.

2.2. Information We Collect Automatically from Your Use of Our Service:

When you access or use our digital platforms, we automatically collect certain technical and usage data, including but not limited to:

1. Device and Technical Data: Information such as your device type, unique device identifiers, operating system, browser type and version, mobile network information, and IP address.
2. Usage Data: Details of how you use our Service, including access times, features used, pages viewed, clicks, and transaction patterns.
3. Geolocation Data: Precise or approximate location information from your mobile device or IP address, where permitted by your device settings and applicable law, primarily for fraud prevention and compliance purposes.

2.3. Information We Collect from Third Parties:

We may receive personal data about you from third parties as necessary and permitted by law, for purposes such as:

1. Identity Verification: From public registries, identity verification services, or credit reference bureaus for KYC and fraud prevention purposes, in line with AML/CFT regulations.
2. Compliance Databases: From national or international compliance databases (e.g., sanctions lists) for regulatory screening.
3. Partners: From partners involved in providing our Service (e.g., banks, other PSPs, merchants) to facilitate transactions and resolve issues.

2.4. Categories of Personal Data Collected:

The personal data we collect may include, but is not limited to:

1. Personal Identification Information: Your full name, gender, contact details (residential address, phone number, email address), date of birth, place of birth, nationality, and identity documents (e.g., National ID number, Passport number, Driver’s License number), photograph, and biometric data (if applicable and consented to).
2. Financial Information: Bank account details (if linked), mobile money numbers, transaction history, payment instrument details, and e-wallet balances.
3. Transaction and Payment Information: Details about the payments you make or receive, including amounts, dates, times, payment methods, transaction references, and recipient/sender details.
4. Customer Support Interactions: Records of your communications with our customer support team (e.g., call recordings, chat transcripts, email correspondence).

3. Lawful Basis and Use of Personal Data

3.1. Lawful Basis for Processing (PDPA 2022, Section 28):

We process your personal data based on the following lawful grounds:

1. Consent: Where you have given explicit consent for specific processing activities (e.g., for marketing communications). You have the right to withdraw your consent at any time.
2. Performance of a Contract: Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract (e.g., to process your transactions, manage your account, or deliver our Services).
3. Compliance with a Legal Obligation: Where processing is necessary for compliance with a legal or regulatory obligation to which Tuma Ventures Limited is subject (e.g., KYC/AML/CFT compliance, fraud prevention, regulatory reporting to the BoT).
4. Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided your fundamental rights and interests do not override those interests.
5. Public Interest/Official Authority: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Tuma Ventures Limited.

3.2. Purposes of Using Your Personal Data:

Your personal data is used for the following specific purposes:

1. To Provide and Manage Our Services: To verify your identity, set up and manage your account, facilitate domestic payments, process financial transactions, fulfill our contractual obligations, and deliver our digital financial services.
2. Regulatory Compliance: To comply with relevant Tanzanian laws and regulatory requirements, including Bank of Tanzania (BoT) directives, the National Payment Systems Act, 2015, the Anti-Money Laundering Act, Cap. 423, and the Anti-Terrorism Act, 2002. This includes conducting KYC verification, sanctions screening, transaction monitoring, and regulatory reporting.
3. Customer Support and Communication: To respond to your inquiries, provide essential service updates, resolve technical issues, and manage your relationship with us.
4. Service Improvement and Optimization: To analyze usage patterns, collect feedback, troubleshoot errors, and improve user experience, service performance, and platform functionality.
5. Risk Management and Security: To monitor systems for fraud prevention, detect suspicious activities, enhance platform security, and protect against unauthorized access, misuse, or cyber threats. This includes adherence to the Cybercrimes Act, 2015.
6. Internal Business Operations: For internal management, accounting, auditing, and record-keeping purposes as required by law and internal policies.
7. Marketing and Promotional Communications: To provide you with important service-related communications and, where you have provided your explicit consent, promotional updates about new features, products, or offers. You can opt out of marketing communications at any time.

4. Sharing of Personal Data

4.1. Circumstances for Sharing Your Data:

Your personal data may be shared under the following circumstances, always with appropriate safeguards and in compliance with this Policy and applicable laws:

1. With Service Providers: With trusted third-party service providers who support our operations. This includes providers for IT hosting, infrastructure, data analytics, communication services, customer support, and identity verification. These service providers are contractually obligated to protect your data and use it only for the purposes for which we engage them.
2. Regulatory and Legal Bodies: When required by law, court order, or to comply with lawful requests from government agencies, regulatory bodies such as the Bank of Tanzania (BoT), the Financial Intelligence Unit (FIU), the Tanzania Revenue Authority (TRA), or judicial authorities. This includes mandatory reporting under AML/CFT regulations.
3. Interoperability Partners: With other licensed payment service providers and financial institutions to facilitate seamless payment transactions, only as necessary to complete your transactions and as governed by Interoperability Agreements and relevant BoT directives.
4. With Your Consent: Where necessary, we will obtain your explicit consent before sharing your data for purposes outside the primary scope of service delivery, legal compliance, or our legitimate interests as described in this Policy.
5. Business Transfers: In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company. In such cases, your data would be subject to the acquiring entity's privacy policy.

5. Your Rights Under Tanzanian Law

5.1. Your Data Protection Rights (PDPA 2022, Part V):

In accordance with the Personal Data Protection Act, 2022, you have the following rights regarding your personal data held by us:

1. Right to Access: To request access to your personal data that we hold, and to receive information about its processing.
2. Right to Rectification: To request the correction or updating of inaccurate, incomplete, or outdated personal data.
3. Right to Object/Restriction of Processing: To object to or request the restriction of specific processing activities, especially where processing is based on legitimate interests or direct marketing.
4. Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
5. Right to Erasure/Deletion ("Right to be Forgotten"): To request the deletion of your personal data, subject to our legal and regulatory retention obligations.
6. Right to Data Portability: To request a copy of your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller, where technically feasible and permitted by law.
7. Right to lodge a Complaint: To lodge a complaint with the relevant data protection authority in Tanzania if you believe your rights have been violated.

5.2. How to Exercise Your Rights:

You may exercise any of your rights by contacting us through the dedicated contact details provided in Section 12 of this Policy. We will respond to your request within the timeframe stipulated by applicable law. Please note that we may require additional information to verify your identity before processing your request.

6. Retention of Personal Data

We retain your personal data for only as long as necessary to fulfill the purposes for which it was collected, and to comply with our operational, legal, and regulatory obligations under Tanzanian law. This includes:

• AML/CFT Regulations: Records related to customer identification and transactions for at least ten (10) years after the business relationship ends or the transaction date.
• National Payment Systems Act, 2015: Payment system records for at least five (5) years.
• Financial Consumer Protection Regulations: Complaint records for a specified period.
• Other statutory retention periods.

Once the retention period expires, your personal data will be securely deleted or anonymized in accordance with our Data Retention Policy.

7. Data Transfers Outside Tanzania

Tuma Ventures Limited primarily processes data within Tanzania. However, should personal data be transferred outside Tanzania, we ensure that adequate safeguards are in place as required under the Personal Data Protection Act, 2022 (PDPA 2022), Part VII, Section 43. This includes:

• Transferring data only to countries with adequate data protection laws as recognized by Tanzania.
• Implementing appropriate contractual clauses with the recipient.
• Obtaining your explicit consent where required for such transfers.
• Ensuring compliance with the BoT Cloud Computing Guidelines, 2023, particularly the requirement for mission-critical systems and data to remain within Tanzania.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, accidental loss, or destruction. These measures include:

• Encryption: For data in transit and at rest where appropriate.
• Access Controls: Strict controls to limit access to personal data to authorized personnel only.
• Network Security: Firewalls, intrusion detection/prevention systems, and secure network configurations.
• Regular Security Audits: Periodic vulnerability assessments and penetration testing.
• Employee Training: Regular training on data security and privacy best practices.
• Incident Response: A robust plan for detecting, responding to, and recovering from data incidents.

9. Cookies and Tracking Technologies

Our digital platforms use cookies and similar technologies to enhance functionality, improve user experience, and analyze platform usage. These tools may collect non-personal data such as browser settings, time spent on pages, and user preferences. We also use them for security purposes, such as fraud detection. You can manage cookie settings through your browser, although disabling certain cookies may affect some platform features and the functionality of our Service.

10. Children's Privacy

Our Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that personal data of a minor has been inadvertently collected, it will be promptly deleted from our records.

11. Third-Party Links

Our Services may contain links to external websites or applications that are not operated by Tuma Ventures Limited. We are not responsible for the privacy practices, content, or security of such third parties. Users are strongly encouraged to review the privacy policies of any external sites or services they visit.

12. Changes to This Privacy Policy

We may periodically update this Privacy Policy to reflect changes in our data practices, legal requirements, or regulatory guidance. Any changes will be posted on this page with a revised "Last Updated" date. Where significant changes are made, we will notify you through our platforms or by email. Your continued use of our Services after the effective date of the revised Policy constitutes your acceptance of the changes.

13. Contact Information

For questions, concerns, or to exercise your rights regarding this Privacy Policy or our data practices, please contact: