1. Introduction
mychama.digital ("we", "our", or "the Platform") is committed to protecting your personal data in compliance with Kenya's Data Protection Act, 2019. This Privacy Policy explains what data we collect, how we use it, and your rights as a data subject.
2. Data We Collect
When you register and use the Platform, we collect the following categories of data:
- Identity data: Full name, National ID number.
- Contact data: Phone number (used as your login identifier).
- Organization data: Group name, address, and phone number.
- Financial records: Contribution amounts, loan records, and savings balances that your group administrator enters into the Platform.
- Usage data: Log files, IP addresses, browser type, and activity timestamps for security and audit purposes.
3. How We Use Your Data
We process your personal data for the following purposes:
- To create and manage your account and organization on the Platform.
- To verify your identity via OTP sent to your phone number.
- To enable group financial record-keeping features (contributions, loans, meetings).
- To send important service notifications (e.g., OTP verification codes).
- To maintain security audit logs and prevent unauthorized access.
- To comply with legal obligations under Kenyan law.
4. Legal Basis for Processing
We process your personal data on the following legal bases, as provided under the Data Protection Act, 2019:
- Consent: You have explicitly agreed to these terms during registration.
- Contract performance: Processing is necessary to provide the service you registered for.
- Legitimate interests: Security monitoring and fraud prevention.
- Legal obligation: Where required by Kenyan law.
5. Data Sharing
We do not sell your personal data. We may share data only in the following circumstances:
- Service providers: Trusted third-party providers (e.g., hosting, SMS gateways) who process data on our behalf under data processing agreements.
- Legal requirements: Where required by a court order or applicable Kenyan law.
- Group administrators: Member data entered within a group is visible to that group's administrators.
6. Data Retention
We retain your personal data for as long as your account remains active. If you request deletion of your account, we will delete or anonymize your data within 30 days, except where retention is required by law (e.g., financial audit records).
7. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- PIN and password hashing using industry-standard algorithms (bcrypt).
- Time-limited OTP codes for phone verification.
- Role-based access controls to limit data access within the Platform.
- Encrypted HTTPS connections for all data in transit.
8. Your Rights
Under Kenya's Data Protection Act, 2019, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data (subject to legal retention requirements).
- Portability: Receive your data in a structured, machine-readable format.
- Withdraw consent: Withdraw your consent to processing at any time (this may affect your ability to use the Platform).
- Object: Object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@mgr.digital.
9. Cookies
The Platform uses session cookies strictly necessary for authentication and security. We do not use third-party tracking or advertising cookies.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes through the Platform. The latest version will always be available at mgr.digital/privacy.
11. Contact & Complaints
For privacy-related queries, contact our Data Protection Officer at privacy@mgr.digital.
You may also lodge a complaint with the Office of the Data Protection Commissioner of Kenya at www.odpc.go.ke.