MKULIMAPAY

CREDIT LIMITED

Privacy Policy

Introduction

This Privacy Policy is issued by Mkulimapay Credit Limited (legally registered as “Mkulimapay Credit Limited”, also referred to in some contexts as “Mkulimapay Credit Ltd”). Both names represent the same legal entity, and the difference is only in abbreviation.

Welcome to Raha Pesa – Your Trusted Financial Companion

At Raha Pesa (“we,” “us,” or “our”), we recognize the profound significance of safeguarding your personal information and privacy. This Raha Pesa Privacy Policy (“Policy”) outlines how we collect, process, store, and protect your data while delivering our comprehensive financial solutions.

Key Considerations Before Proceeding

  • Thorough Review Required: Prior to accessing Raha Pesa’s services, we urge you to read this Policy in its entirety, particularly the highlighted clauses.
  • Informed Consent: Your continued use of our platform constitutes your acceptance of these terms. Minors must obtain guardian approval before proceeding.
  • Withdrawal of Consent: Should you disagree with any provision, you must refrain from utilizing our services immediately.

Scope of Application

1. Coverage of This Policy

This Policy governs all products and services delivered through the Raha Pesa platform, including integrated offerings from affiliates lacking independent privacy policies.

2. Exceptions with Alternative Policies

  • Affiliate Services with Dedicated Policies: their terms prevail unless referenced herein.
  • Unaddressed Provisions in Affiliate Policies: this Policy supplements any gaps.

Effective Date: 15 September 2025

PART I: DEFINITIONS

1. Raha Pesa / We / Our

Refers to MKULIMAPAY CREDIT LIMITED, the developer and operator of the Raha Pesa lending platform.

2. Raha Pesa Application

Encompasses the web portal, mobile application (App), H5 interfaces, and any associated digital platforms accessible via devices including (but not limited to):

  • Computers
  • Tablets
  • Smartphones

3. Affiliate / Affiliated Company

A legal entity that:

  • Is directly or indirectly controlled by MKULIMAPAY CREDIT LIMITED (parent/subsidiary relationship), or
  • Exercises joint control with us over another entity, or
  • Is under common control with us via a shared holding entity.

Scope of Coverage:

  • Parent companies
  • Subsidiaries
  • Sister companies under mutual ownership
  • Joint ventures
  • Associated enterprises

“Control” Definition:

The authority to direct an entity’s management, whether through:

  • Equity ownership
  • Voting rights
  • Contractual agreements
  • Other legally recognized influences

4. User / You

Any natural person—whether registered or unregistered—engaging with Raha Pesa’s products or services.

5. Personal Information

Data (electronic or otherwise recorded) that:

  • Individually identifies a natural person (e.g., name, ID number), or
  • Combined with other data reveals identity or behavioral patterns (e.g., location history).

6. Sensitive Personal Information

High-risk personal data whose exposure, misuse, or unlawful disclosure may lead to:

  • Threats to life, property, or safety
  • Reputational harm
  • Psychological or physical distress
  • Discriminatory consequences

Examples Covered Under This Policy:

  • Biographical details (e.g., date of birth)
  • Employment records
  • Family and contact networks
  • Education level
  • Address

7. Personal Information Deletion

The permanent removal of user data from active systems, rendering it irretrievable via standard operations.

8. Child

A person below the age of 14.

9. Minor

A natural person under 18 years of age (except emancipated minors aged 16+ meeting Kenya’s legal criteria for full civil capacity).

Part Two: Privacy Policy

This privacy policy aims to explain and help you understand the following:

  1. How we collect and use your personal information
  2. How we use cookies and similar technologies
  3. How we share, transfer, entrust processing, and disclose your personal information
  4. How we store your personal information
  5. How we protect the security of your personal information
  6. How we protect the personal information of minors
  7. Your personal Information rights
  8. Commitment to non-malicious software
  9. How This Privacy Policy Is Updated
  10. How to contact us

How We Collect and Use Your Personal Information

We may collect the following information about you:

  • Name
  • National ID
  • Gender
  • Birthday
  • Marriage Information
  • Education Information
  • Occupation Information
  • Address Information
  • Income Information
  • Social Information
  • Emergency Contact Information

When you use our products/services, you must authorize us, or may choose to authorize us, to collect and use your personal information in the following situations:

Collection and Use of Personal Information

1. Core Functionality Requirements

To enable the essential features of Raha Pesa’s products/services, you must authorize us to collect and process minimally required data.

  • Consequence of Refusal: Failure to provide this information will restrict access to core services.

2. Optional (Enhanced Functionality)

For premium or supplementary features, you may voluntarily grant additional permissions for data usage.

  • Consequence of Refusal: Declining such authorization only limits non-essential functionalities, with no impact on basic operations.

Key Principles Governing Data Practices

We adhere to a “Minimum & Purpose-Limited” framework:

  • Relevance & Necessity: Data collection is strictly tailored to your selected services.
  • Legal Compliance: Processing aligns with Kenya’s Data Protection Act (2019) and global standards (e.g., GDPR).

Future Adaptations

Should we introduce new or optimized features requiring expanded data use:

  1. Transparent Notification: Updates will be communicated via:

    • Revised Privacy Policy
    • In-app alerts or pop-ups
  2. Granular Consent: Each new purpose will be detailed, and implementation will proceed only upon your explicit approval.

Your Rights & Recourse

For inquiries or objections regarding data practices, contact our Data Protection Officer (details in Section 10).

Account Registration & Management

Account Registration

To access Raha Pesa’s services, you must create an account by providing:

  • Mobile phone number (used for identity verification and platform access).
  • Refusal to provide this will prevent account creation and service access.

Multi-Device Synchronization:

Your data from different devices may be linked under one account to ensure service consistency. Without this, functionality may be limited.

1.2 Account Login

  • First-time login requires an SMS one-time password (OTP) for security and legal compliance.

1.3 Profile Maintenance

  • We safeguard your data to enhance service quality and protect your privacy.

Security & Authentication

Identity Verification (KYC)

To use financial services (loans, repayments, etc.), you must provide:

  • Biographical data (name, gender, nationality, ID/passport details).
  • Contact details (mobile number, residence, emergency contacts).
  • Employment/income Information (occupation, salary).

Legal Requirement:

  • Kenyan financial regulations mandate KYC—non-compliance restricts access.

Fraud Prevention & System Security

We collect:

  • Device data (model, OS, IMEI, MAC/IP address).
  • Network activity (transaction logs, connection history).
  • Behavioral metrics (usage patterns, session durations).

Purpose:

  • Detect/prevent fraudulent activity.
  • Secure accounts from unauthorized access.

Creditworthiness Assessment

Loan Eligibility

For credit services, you voluntarily submit:

  • Expanded personal/financial data (education, marital status, email).

Impact of Non-Disclosure:

  • Without this, we cannot evaluate creditworthiness or approve loans.

Customer Support & Dispute Resolution

Identity Confirmation

For account-related assistance, we verify via:

  • Registered mobile number.
  • Government-issued ID.
  • Transaction history.

Modification Requests:

  • Updates to personal/contact details may require additional proof.

Interaction Records

  • Calls/chats with support are logged for 30 days (or longer if legally mandated).
  • Used to resolve issues and improve service.

Loan Processing & Repayments

Payment Handling

  • Bank account/MPESA details are required for disbursements/repayments.
  • Omission blocks transaction execution.

Order Management

Loan Applications

  • Each request generates an order record containing:
    • Loan parameters (amount, term).
    • Emergency contact details.
    • Transaction timestamps.

Use Cases:

  • Facilitate payments.
  • Detect irregular activities.

Financial Product Requirements:

  • Additional KYC may apply per loan type (disclosed during application).

Device Permissions (Optional)

Permission-Based Features

  • Certain enhancements (e.g., location-based offers) need OS-level access.
  • Revoking permissions disables associated features but preserves prior data.

Platform-Specific Variations:

  • Android and iOS handle permissions differently; review the platform-specific section below and your device's permission settings.


iOS Permissions

Location Data

Collection & Use

We may access approximate location data to enhance service delivery, limited to:

  • General region (city/district-level precision)
  • Network-derived coordinates (no GPS or precise tracking)

Purpose

  1. Service Customization – Tailor offerings (e.g., localized loan products) to your region.
  2. Risk Mitigation – Detect anomalies (e.g., sudden location changes that may indicate fraud).

Handling & Security

  • No persistent storage – Coordinates are processed transiently and are not stored, except where they are retained for a fraud investigation.
  • No third-party sharing – Location data is never sold or disclosed to third parties without your consent.

Photo Albums

Collection of Data:

Access to photo albums is requested only for submitting feedback or images for issue resolution.

  • No indiscriminate scanning: only the images you select for upload are accessed.

Purpose of Use:

Uploaded images are solely used for troubleshooting and are not utilized for marketing or unrelated processes.

Data Security:

Uploaded images are not retained beyond the troubleshooting purpose and are not shared with third parties.


Device Information

Collection of Data:

We gather:

  • Device identifiers (IMEI, MAC, serial number), where the operating system permits access to them; recent Android and iOS versions restrict or withhold these identifiers from apps.
  • Hardware/OS details (model, manufacturer, OS version)
  • Network data (IP, carrier, connection type)

Purpose of Use:

  • App optimization and functionality
  • Personalized features
  • Compliance, troubleshooting, and security

Data Security:

All data is transmitted over HTTPS to our API endpoint (https://api.mkulimapay.com) and stored on our servers. No unauthorized third-party sharing.

By using our services, you consent to this policy. Contact support with questions.


Enhancement of Raha Pesa Loan Platform Products/Services

(1) Research & Optimization:

We perform de-identified statistical analysis on aggregated data to:

  • Optimize platform content and layout.
  • Guide business decisions for service improvements.
  • Enhance overall product functionality and user experience.

(2) Data-Driven Insights:

Your transaction and usage data may be analyzed to understand:

  • Geographic trends and behavioral preferences.
  • Demographic patterns (potentially cross-referenced with anonymized third-party data). Findings inform the development of tailored financial solutions.

(3) User Feedback & Surveys:

  • You may be invited via provided contact details to participate in voluntary market research.
  • Survey responses assist in evaluating user interest, shaping future offerings.
  • Non-participation does not restrict access to core platform features.

Transparency & Control:

All analyses adhere to strict anonymization protocols. You retain full control over survey participation.

1.9 Guidelines for Collection and Use of Personal Information

(1) Purpose Limitation

  • Information will strictly align with disclosed usage in this Policy.
  • Any secondary processing for new purposes requires reaffirmed consent.

(2) Third-Party Data Integration

With your approval, we may supplement your profile through:

  • Affiliates, credit bureaus, or licensed partners (e.g., to verify identity, assess creditworthiness).
  • Data shared (e.g., loan terms, approval status) enables seamless service delivery.

(3) Consent Exemptions

Per regulatory statutes, authorization is not required when processing aligns with:

  • Legal obligations (e.g., fraud prevention, court orders).
  • Public interests (e.g., health crises, crime investigations).
  • Contractual necessities (e.g., processing loan applications).
  • Life-critical scenarios (e.g., medical emergencies).
  • Publicly available data (e.g., official registries, press releases).

Anonymized Data:

Irreversibly de-identified information is exempt from consent obligations.

Scope:

Applies exclusively to Raha Pesa’s direct service provisions.

How We Use Cookies and Similar Technologies

(1) Purpose of Cookies

To optimize service delivery and enhance functionality, we utilize encrypted Cookies on your device. These files:

  • Store an encrypted login token rather than your password in plaintext, so that you stay signed in.
  • Facilitate seamless access to authenticated services.
  • Operate automatically without requiring manual input.

Cookies are strictly limited to the purposes outlined in this Privacy Policy.

(2) Cookie Management

  • You may accept or decline Cookies via browser settings.
  • Disabling Cookies may restrict access to certain platform features.

How We Share, Transfer, Entrust Processing, and Disclose Your Personal Information

Data Sharing and Provision

Principles of Processing

We do not share your order details, account information, or device data with third parties except as described in this section and in the consent exemptions above.

For non-standard sharing scenarios (see Section 1 for exceptions), we will:

  • Obtain prior, explicit consent per legal standards.

  • Transparently disclose:

    • Third-party identities.
    • Processing purposes, methods, and data categories.

Consent mechanisms will be contextually displayed during service engagement.

Partner Categories

We collaborate with:

Financial & Payment Institutions

  • Loan/refund processing: Order details shared with banks/payment gateways.
  • Fraud prevention: Risk-based sharing of IP addresses or supplementary data.
  • Credit services: Identity, contact, and bank data shared with institutional partners under contractual safeguards. You will be separately notified and asked for consent before such sharing.

Data Transfers

Your data is never transferred to external entities except when:

  1. You explicitly authorize the transfer.

  2. Legally mandated (court orders, regulatory requirements).

  3. Corporate restructuring (mergers, acquisitions):

    • We will notify you of the transferee’s identity and contacts.
    • The successor entity must adhere to this Policy or re-seek consent.

Public Disclosure

Disclosure occurs only under:

  • Your direct request, with specific consent on disclosure methods.

  • Legal obligations (e.g., subpoenas, government investigations).

    • We rigorously validate the legality of such requests (e.g., warrant checks).

How We Store Your Personal Information

Storage Principles

We do not transfer your personal data outside our controlled systems unless:

  • You provide explicit consent for such a transfer.
  • Legal obligations (regulatory mandates, court orders, or government requests) necessitate disclosure.
  • Corporate restructuring (merger, acquisition, or bankruptcy) occurs, in which case the receiving entity must continue applying this Policy’s protections or re-seek your authorization.

Retention Periods

We store your data only as long as strictly necessary, adhering to:

  • Purpose-driven timelines (e.g., active account maintenance).
  • Legal minimums (e.g., 90 days for transactional records).
  • Regulatory requirements (e.g., financial compliance mandates).

Examples:

  • Mobile number retention: Maintained while your Raha Pesa account is active to ensure service continuity and security. Post-closure, data is deleted/anonymized.
  • Extended retention: Applied only when legally compelled (e.g., litigation holds or fraud investigations).

Deletion Triggers:

  • Expiry of retention period.
  • Your deletion request or account termination.

Exemptions: Extended storage may apply for:

  • Legal compliance (tax laws, anti-money laundering rules).
  • Public safety or protection of rights (users, employees, or corporate interests).


Service Termination

Should Raha Pesa cease operations:

  1. Immediate halt to data collection.
  2. Notice to users via individual messages or public announcements.
  3. Secure erasure/anonymization of all retained personal data.

How We Protect Your Personal Information Security

Protective Measures

We employ bank-grade security protocols to safeguard your personal data against unauthorized access, disclosure, alteration, or destruction through multi-layered defense mechanisms, including:

Encryption Standards

  • Data-at-rest: AES-256 encryption for stored information, coupled with intrusion prevention systems to thwart cyberattacks.
  • Data-in-transit: TLS 1.2+ protocols for all external transmissions.

Controlled Data Utilization

  • Dynamic masking for displayed information (e.g., a phone number shown with its middle digits replaced by asterisks).
  • Pseudonymization for internal analytics to dissociate identities from raw datasets.

Sensitive Data Handling

  • Field-level encryption for financial details
  • Context-aware desensitization tailored to data type and risk profile.
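The display masking and pseudonymization named above, shown in working code as an added example that is not Raha Pesa's own implementation. It makes one point a practitioner should check before calling hashed data "anonymized": a phone number has so little entropy that an unkeyed SHA-256 of it is recovered by simply enumerating candidate numbers, whereas an HMAC pseudonym under a secret key is not. The sample phone number, the prefix the attacker is assumed to know, and the key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample record for the example; not a real customer number.
SAMPLE_PHONE = "254712345678"


def mask_phone(phone: str, visible_prefix: int = 4, visible_suffix: int = 2) -> str:
    """Dynamic display masking: keep the country code/prefix and the last
    digits, replace everything in between with asterisks."""
    if len(phone) <= visible_prefix + visible_suffix:
        raise ValueError("number too short to mask safely")
    hidden = len(phone) - visible_prefix - visible_suffix
    return phone[:visible_prefix] + "*" * hidden + phone[-visible_suffix:]


def naive_pseudonym(phone: str) -> str:
    """Unkeyed SHA-256 of the number: one-way, but NOT a safe pseudonym for a
    low-entropy value such as a phone number (see reverse_by_enumeration)."""
    return hashlib.sha256(phone.encode()).hexdigest()


def keyed_pseudonym(phone: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the analytics pipeline.
    Without the key an attacker cannot recompute candidates, so enumeration fails."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()


def new_key() -> bytes:
    """Fresh 256-bit pseudonymization key (in production: from a KMS/HSM, rotated)."""
    return secrets.token_bytes(32)


def reverse_by_enumeration(target: str, prefix: str, digits: int,
                           pseudo_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's dictionary attack: recompute the pseudonym for every number
    under a known prefix and compare. A Kenyan mobile number has only nine
    digits after the country code, so a full sweep is cheap; the example sweeps
    a four-digit range to keep the run short."""
    for n in range(10 ** digits):
        candidate = prefix + str(n).zfill(digits)
        if pseudo_fn(candidate) == target:
            return candidate
    return None


def demo() -> Dict[str, object]:
    """Run the comparison on the constructed sample and return the findings."""
    key = new_key()
    unkeyed = naive_pseudonym(SAMPLE_PHONE)
    keyed = keyed_pseudonym(SAMPLE_PHONE, key)
    return {
        "masked": mask_phone(SAMPLE_PHONE),
        # The attacker knows the prefix and brute-forces the last four digits.
        "unkeyed_recovered": reverse_by_enumeration(unkeyed, "25471234", 4, naive_pseudonym),
        # Same attack against the keyed pseudonym, without the key: nothing matches.
        "keyed_recovered": reverse_by_enumeration(keyed, "25471234", 4, naive_pseudonym),
        # The pipeline that holds the key still gets a stable pseudonym per user.
        "keyed_is_stable": keyed == keyed_pseudonym(SAMPLE_PHONE, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The masked form is what a support agent's screen should show; the keyed pseudonym is what an analytics dataset should carry, with the key kept out of that dataset's trust boundary. Unkeyed hashing of identifiers belongs in neither place.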

Financial Sector Compliance

  • ISO 27001-aligned security frameworks.
  • Segregated network architectures with role-based access to payment systems.

Governance Protocols

We enforce strict operational disciplines to maintain data integrity:

Access Management

  • Biometric+RFID authentication for sensitive systems.
  • Confidentiality clauses binding all personnel via employment contracts.

Activity Monitoring

  • Immutable audit logs recording all data interactions (retained for 5 years).
  • AI-driven anomaly detection for real-time threat alerts.

Organizational Controls

  • Quarterly GDPR/DPA training with mandatory certification.
  • Third-party penetration testing biannually.

Data Prudence

  • Storage minimization: Purge schedules aligned to:
    • Service necessity (e.g., loan records: 7 years post-transaction).
    • Statutory limits (e.g., KYC data: per CBK guidelines).

Breach Response Protocol

In case of a security incident, we act under 72-hour GDPR/KDPA notification mandates:

Stakeholder Notification

  • 72-hour disclosure: Via SMS/email detailing:
    • Nature of breach (e.g., “unauthorized DB access on [date]”).
    • Exposed data categories (e.g., “names, emails”).
    • Mitigation steps (e.g., password resets enabled).

Regulatory Reporting

  • Office of the Data Protection Commissioner (ODPC) filings with forensic reports.

Service Discontinuation

  • 30-day advance notice for platform closures via in-app banners and registered mail.
  • Post-shutdown data erasure (BitRaser-certified deletion).

Legal Accountability

  • Remediation fund covering identity protection services where negligence is proven.

How We Protect the Personal Information of Minors

Age Restriction Policy

Raha Pesa strictly prohibits underage usage. Our services are exclusively available to individuals aged 18 years and above. Any attempt by a minor to register or use our platform will result in immediate account termination and data rejection.

Parental Intervention Protocol

If a guardian discovers unauthorized registration by a minor:

Contact Our Compliance Team:

  • Hotline: 254207905940 Monday to Friday: 8am - 5pm
  • Response Timeline: Verified cases trigger 72-hour data erasure, confirmed via email/SMS.

Reporting Mechanisms

For concerns regarding minors’ data:

📩 Channels: See Section 10 (“How to Contact Us”).

Your Personal Information Rights

In compliance with Kenya’s Data Protection Act (2019), you retain full authority over your personal data. Below outlines how to exercise these rights:


Access & Portability

Self-Service Access:

  • Navigate: Loans -> Loan History to review transaction histories.
  • Export: Request a CSV/PDF copy via Section 10 (processed in ≤15 days).

Rectification

🛠 Correction Protocol:

  • Errors? Call 254207905940. Verified amendments completed within 15 business days.

Erasure Requests

Valid Grounds for Deletion:

  • Legal violations
  • Non-consensual collection
  • Account closure
  • Service termination

Processing:

  • Backup data purged within 60 days (legal holds exempted).

Account Closure

Termination Paths:

  1. App: Profile → Close Account
  • Data anonymized except for:
    • CBK-mandated credit records (7 years)
    • Fraud investigation holds

Communication Preferences

Opt-Out Options:

  • Marketing: Unsubscribe via phone/email.
  • Critical Alerts: Loan defaults/security alerts remain mandatory.

Automated Decisions:

  • Dispute algorithmic loan denials via Section 10 (15-day response).

Data Transfer

Secure Transfers:


Request Handling

Verification & Exceptions:

  • ID Check: Passport/National ID required.

  • Request Denial? Applicable if:

    • National security concerns
    • Judicial investigations
    • Prevent fraud/harm

Transparency & Objections

Right to Know:

  • New data-sharing partners? 30-day advance notice via in-app alerts.

Right to Refuse:

Commitment to non-malicious software

Ethical Data Practices

We uphold the highest standards of integrity and transparency in data handling. Our application strictly adheres to the following principles:

Consent-Centric Collection

  • No personal data is gathered without your explicit authorization.
  • Granular permissions (e.g. contacts) are opt-in only, with clear explanations for required access.

Zero Unauthorized Sharing

  • Your data is never sold or leased, and is not disclosed to third parties without your approval except where the law requires it (see the sharing and disclosure section above).
  • Third-party processors (if any) are bound by DPA-compliant contracts (GDPR/Kenya DPA aligned).

Malware-Free Guarantee

  • No covert tracking, adware, or device-harmful code exists in our ecosystem.
  • Rigorous audits, including regular third-party penetration testing.

How This Privacy Policy Is Updated

We may periodically revise this Privacy Policy to reflect evolving regulations, technologies, or service enhancements. Rest assured:

Transparency in Changes

  • The “Last Updated” date atop this policy will reflect amendments.
  • Reduction of rights? Never without your explicit opt-in consent.

What Triggers Policy Revisions?

Major updates (30-day advance notice required) include:

  1. Service Model Shifts

    • New data purposes | Expanded collection categories | Altered processing methods. (Example: Introducing biometric authentication for loans.)
  2. Structural Changes

    • Mergers, acquisitions, or insolvency affecting data ownership.
  3. Third-Party Data Flows

    • New data recipients (e.g., credit bureaus, insurers).
  4. Expanded User Rights

    • New control mechanisms (e.g., right to restrict processing).
  5. Security Accountability

    • Updated DPO contacts | Revised breach notification protocols.
  6. Risk Assessments

    • High-risk findings mandate operational adjustments.

How to Contact Us

If you have any questions about this policy or any complaints or comments regarding the handling of your personal information, please contact us through our customer hotline or by sending an email to our customer service email. We will complete the verification and processing within fifteen working days.

Company: MKULIMAPAY CREDIT LIMITED

Customer Hotline: 254207905940

Customer Service Email: cs.rahapesa.ios@mkulimapay.co.ke

Please feel free to reach out to us with any concerns or inquiries. We are here to help and ensure that your personal information is handled securely and appropriately.