Privacy Policy

1. What We Collect

• Identity: full name, national ID or passport number, date of birth, gender, nationality, selfie photograph (biometric data)
• Contact: phone number (M-Pesa registered), email, business address & GPS coordinates
• Financial: M-Pesa transaction history (minimum 6 months), loan & repayment records, credit scores
• Business: business type, location, inventory data, partner-provided buyer history
• Device: device ID, IP address, app usage data
• Agent data: identification, engagement & commission records, performance metrics, GPS location during working hours

2. Why We Collect It

• Loan origination, credit scoring, and account management (contractual necessity)
• KYC/KYB verification and CRB reporting (legal obligation — CBK regulations, POCAMLA, CRB Regulations 2020)
• Fraud prevention and product improvement (legitimate interest)
• Marketing communications (your consent — you can opt out at any time)

3. Who We Share Data With

We do not sell your personal data. We share it only as needed with:

• Choice Microfinance Bank — banking & disbursement
• Metropol CRB — credit reporting (positive & negative)
• Safaricom (M-Pesa) — payment processing
• IntaSend — payment gateway
• Partner companies (e.g. Gilanis, Greenwheels) — partner credit products
• Amazon Web Services — encrypted cloud infrastructure

All third parties are bound by data processing agreements.

4. Automated Credit Scoring

We use automated credit scoring to assess loan applications. You have the right to request human review of any automated decision. The algorithm does not use sensitive personal data (race, ethnicity, religion, health) as scoring factors.

5. Data Security

AES-256 encryption at rest, TLS 1.2+ in transit, role-based access control, and regular security assessments. No method is 100% secure, but we follow industry best practices.

6. Retention

KYC documents, loan records, and M-Pesa data are retained for 7 years after the end of the relationship (per CBK and POCAMLA requirements). Credit scoring data is kept for the duration of the relationship plus 5 years. Marketing consent records are kept for the duration plus 2 years. Complaint records are retained for 7 years after resolution. Application logs are kept for 2 years. Data is securely deleted or anonymised after the retention period.

7. International Transfers

Data is hosted on AWS and may be accessed by our parent entity, Cowdi Ltd (United Kingdom), for oversight. Transfers comply with Section 48 of the Data Protection Act and rely on adequacy or standard contractual clauses.

8. Your Rights

Under the Kenya Data Protection Act you can:

• Be informed about how your data is collected and used
• Access, correct, or delete your personal data
• Restrict or object to processing
• Request data portability
• Opt out of automated decision-making

Submit requests to dpo@cowdi.co or in writing to ALN House, Eldama Ravine Close, Westlands, Nairobi. We respond within 30 days.

To delete your account: cowdi.co/delete-account

9. Data Breach Notification

If we become aware of a data breach that is likely to affect your rights, we will notify the Office of the Data Protection Commissioner within 72 hours and inform affected individuals without undue delay.

10. Children

Our services are not intended for anyone under 18. We do not knowingly collect data from minors.

11. Changes

We may update this policy and will post changes here with a new "Last updated" date. Material changes will be notified via the App or email.

12. Contact

Cowdi Tech Limited
Data Protection Officer: dpo@cowdi.co
Complaints: complaints@cowdi.co
Phone / WhatsApp: +254 110 562 290
ALN House, Eldama Ravine Close, Westlands, Nairobi

If unresolved, you may escalate to the Office of the Data Protection Commissioner (ODPC) or the Central Bank of Kenya.

13. Governing Law

This policy is governed by the laws of Kenya, in particular the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021. Any disputes are subject to the jurisdiction of the Kenyan courts.