Privacy Policy

Effective date: 1 May 2026 · Last updated: 1 May 2026

BantuziLoans is operated by Bantuzi Enterprises Limited, a company registered in Zambia (PACRA Reg: 120251025472, TPIN: 2003752208). This policy explains what personal information we collect, how we use it, and your rights under the Zambia Data Protection Act (PDPB 2021).

1. Data We Collect

We collect information only as required to operate the BantuziLoans platform and to fulfil our contractual obligations with you. The categories of data we collect include:

  • Account data: name, email address, phone number, and job title of users registered on behalf of a tenant organisation.
  • Borrower data (entered by lenders): full name, National Registration Card (NRC) number, employment details, net salary, employer name, and copies of identity and payslip documents uploaded by the lender. This data belongs to the lender (data controller) and is processed by us as a data processor.
  • Usage data: IP address, browser type, pages visited, and actions performed within the platform, collected for security auditing and product improvement.
  • Payment data: subscription billing details processed through our payment partners. We do not store full card numbers on our servers.

2. How We Use Your Data

We use the data we collect for the following purposes:

  • To provision and operate your BantuziLoans tenant account.
  • To authenticate users and enforce role-based access controls.
  • To generate amortisation schedules, deduction files, and reports on your instruction.
  • To send service notifications (e.g., MOU expiry alerts, approval decisions).
  • To process subscription payments and issue invoices.
  • To investigate security incidents and maintain audit logs.
  • To improve platform features based on aggregated, anonymised usage analytics.

We do not sell personal data to third parties. We do not use borrower data for any purpose beyond providing the contracted service to the lender who uploaded it.

3. Sharing & Disclosure

We share data only in the following limited circumstances:

  • Sub-processors: infrastructure providers (cloud hosting in the region), email delivery services, and payment gateways. All sub-processors are bound by data processing agreements.
  • Legal obligations: where required by Zambian law, a court order, or a lawful request from a competent authority.
  • Business transfer: if Bantuzi Enterprises Limited is acquired or merged, data will transfer to the successor entity under equivalent protections. We will notify affected tenants in advance.

We never transfer personal data outside Zambia without your explicit written consent.

4. Retention

We retain personal data for as long as your subscription is active and for a period of seven (7) years after termination to comply with Zambian financial record-keeping obligations. Audit logs are retained for the same period and are immutable.

If you request deletion of an account, we will anonymise personal identifiers within 30 days, except where retention is required by law or for the resolution of disputes.

5. Your Rights

Under the Zambia Data Protection Act (PDPB 2021), you have the following rights with respect to your personal data:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate data.
  • Right to erasure: request deletion, subject to legal retention obligations.
  • Right to restrict processing: request that we limit how we use your data.
  • Right to data portability: request your data in a machine-readable format.
  • Right to object: object to processing based on legitimate interests.

To exercise any of these rights, contact us at info@bantuzi.com. We will respond within 30 days.

6. Security

We implement technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • JWT-based authentication with short-lived tokens and refresh rotation.
  • Role-based access controls enforced at the API layer.
  • Immutable audit logs for all data access and changes.
  • Regular security reviews of the application and infrastructure.
  • Data hosted on infrastructure located in the region — not transferred internationally.

No method of transmission or storage is 100% secure. In the event of a data breach that poses risk to individuals, we will notify affected parties and the Data Protection Authority of Zambia within 72 hours of discovery.

7. Cookies

BantuziLoans uses strictly necessary cookies for session management (JWT tokens stored as HTTP-only cookies) and a single analytics session cookie to improve the platform. We do not use third-party advertising cookies.

You can disable non-essential cookies in your browser settings. Disabling session cookies will prevent login.

8. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify active tenant administrators by email at least 14 days before the changes take effect. The "last updated" date at the top of this page will always reflect the current version. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

9. Contact

For privacy-related queries, data subject requests, or to report a concern, contact our Data Protection Officer:

Bantuzi Enterprises Limited

Lusaka, Zambia

Email: info@bantuzi.com

WhatsApp: +260 97 168 4296

PACRA Reg: 120251025472 · TPIN: 2003752208