Tuma Loan Privacy Policy

1. Introduction

a) About Us

Tuma Loan is a mobile lending application operated by ROYTEX TECH LIMITED [Registration No: PVT-8Z1KAZDD]. We are committed to providing fast and convenient personal loan services to residents of Kenya.
ROYTEX TECH LIMITED is a legally registered company in Kenya.
ROYTEX TECH LIMITED is authorized by mictech to develop, publish, and operate Tuma Loan. mictech (License No: xxx-xxx-xxx) is a mobile credit service provider licensed and regulated by the Central Bank of Kenya (CBK), legally authorized to offer lending services in Kenya.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our mobile application (the "App"), our official website (www.roytextech.com), or related services (collectively, the "Services").
We strictly adhere to the Kenya Data Protection Act (2019), the Digital Credit Providers Regulations, and the Google Play Financial Services Policy, ensuring transparent, lawful, and user-first privacy practices.

b) Purpose of This Policy

This Privacy Policy aims to clearly and transparently explain how we handle your personal data. We emphasize that we only collect necessary identity data and manually entered emergency contact information. We do not collect any device data or request device permissions. Our commitment is to data minimization, transparency, and user control as required by the Google Play Store policies.

c) Scope

This policy applies to all data collected through the Tuma Loan App (available on Google Play Store), the website (www.roytextech.com), and related services. It does not cover information collected offline.

d) User Consent

By using our Services, you agree to the terms of this Privacy Policy. If you do not agree, you may still access non-core functions (e.g., browsing informational pages), but you will not be able to access identity-authenticated core services (e.g., applying for a loan). We ensure informed consent through clear notices and opt-in mechanisms, in compliance with Google Play's user consent requirements.

2. Data Collection & Permissions

a) Personal Information Collected

To provide loan services, verify identity, and comply with Kenya's KYC and AML regulations, we collect the following manually entered personal data:

• Identity Information: Name, National ID number, date of birth, or other valid ID details to verify your identity and assess loan eligibility.
• Emergency Contacts: Two manually entered emergency contacts, including name, phone number, and relationship, for emergency communication and risk evaluation.

All data is transmitted via HTTPS and stored securely on our servers (https://data.tumaloans.com). We provide clear information within the app explaining the purpose of each data field.

c) No Device Permissions Requested

The Tuma Loan App does not request or access any device data or permissions.
This permission-free design ensures the App does not access sensitive device features, aligning with Google Play's requirements for permission transparency and data minimization.

d) Data Collection Methods

• Identity Data: Entered by users via secure in-app forms and transmitted to our servers for KYC verification.
• Emergency Contacts: Entered via dedicated fields. We do not access your contact list. Only two manually entered contacts are collected.
• Encrypted Transmission: All data is encrypted using TLS 1.3 and transmitted via HTTPS.
• User Control: You may choose not to provide certain data; however, this may prevent you from completing a loan application.

3. Data Usage

a) Purpose of Using Personal Data

• Identity Verification: To meet KYC and AML regulatory requirements.
• Credit Assessment: To determine your loan eligibility.
• Risk Management: Emergency contacts are used for fraud prevention and risk evaluation.
• Loan Management: To process, disburse, and manage your loan.
• Customer Support: To respond to inquiries, complaints, or disputes.
• Legal Compliance: To meet obligations under the Kenya Data Protection Act and CBK regulations.

4. Data Sharing & Disclosure

a) Data Sharing with Third Parties

• Credit Bureaus: Identity data may be shared with Kenyan CRBs for credit scoring, in accordance with the Data Protection Act.
• Legal Authorities: When legally required.
• Debt Collectors: In the case of loan default, your identity information may be shared with licensed collection agencies.

All data sharing requires either your explicit consent (via in-app notice) or a legal obligation, and is strictly limited to necessary information.

b) Secure Data Transmission

All shared data is transmitted via HTTPS with TLS 1.3 encryption to ensure security.

5. Data Security

a) Technical Safeguards

• Encryption: TLS 1.3 for data transmission; AES-256 for data storage on our secure servers (https://data.tumaloans.com).
• Access Control: Only authorized personnel can access data, bound by strict confidentiality agreements. Operation logs are retained for 180 days.
• Server Security: Firewalls, intrusion detection systems, and regular security audits protect our servers.
• App Security: Secure coding practices and regular updates address potential vulnerabilities.

b) No Cookies or Trackers

Our App and website (www.roytextech.com) do not use cookies, trackers, or similar technologies, in compliance with Google Play's privacy standards.

6. Data Retention & Deletion

a) Data Retention

• Identity Information: Retained while the account is active, and for 7 years after account closure as required by CBK regulations.
• Emergency Contacts: Retained during the loan lifecycle and deleted within 90 days after repayment, unless otherwise required by law.

b) Data Deletion

• You can request data deletion via the App or by emailing support@tumaloans.com.
• Verification of identity (e.g., national ID) is required for deletion requests.
• Outstanding loans or unpaid fees must be settled first.
• Once deleted, the same phone number cannot be used for re-registration to prevent fraud.
• Deletion is completed within 15 business days, and the data is permanently removed from our servers, unless legally required to retain.

7. User Rights & Control

a) Core Data Rights

• Access your personal data.
• Correct inaccurate or incomplete data.
• Delete unnecessary personal data (subject to retention rules).
• Restrict data processing to specific purposes.
• Data Portability: Receive your data in a structured format.
• Withdraw Consent: You may withdraw consent to processing (may impact service access).

b) How to Exercise Your Rights

Send a request via email to support@tumaloans.com, including identity verification details.
We will respond within 15 business days, in compliance with Google Play's timely response requirements.

c) Permission Control

Since we do not request device permissions, no device-level settings need to be adjusted.
You can manage your personal data via the App interface.

8. Children's Privacy

a) Age Restriction

Tuma Loan services are strictly for users aged 18 and above.
Minors are not allowed to register or apply for loans.
Our KYC process verifies age using national IDs to ensure compliance with Kenyan law and Google Play policies.

9. Data Protection Officer (DPO)

a) Role & Responsibilities

• Ensuring compliance with the Kenya Data Protection Act and related laws.
• Handling user inquiries, complaints, and rights requests.
• Liaising with the Office of the Data Protection Commissioner.
• Reviewing our data protection practices regularly.

You may contact our DPO at dpo@tumaloans.com, and we will respond within 15 business days.

10. Contact Us

• Company: ROYTEX TECH LIMITED
• Email: support@tumaloans.com
• Data Protection Officer: dpo@tumaloans.com
• Address: P.O. Box 12345-00100, P.O BOX 7035, 00300 - RONALD NGALA ST.
• Working Hours: Monday to Friday, 9:00 AM to 6:00 PM

11. Policy Updates

a) Notification of Updates

We may update this policy due to legal, regulatory, or service changes.
Updates will be announced via the App, our website (www.roytextech.com), or email, and will take effect upon publication.

b) Continued Use

Continued use of our Services after a policy update means you accept the revised policy. If you disagree, you may stop using core services or access only non-data-interactive features.