CREDA Limited ("CREDA", "we", "us") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights regarding your personal information.
1. Data We Collect
When you use CREDA, we collect: Identity data: Full name, phone number, national ID (optional) Financial data: Contribution records, loan history, CREDA Score, transaction records Group data: Group membership, role, meeting attendance, voting records Device data: Device type, operating system, IP address, app usage patterns Location data: Approximate location (city level) for merchant matching Green activity data: Environmental activities you log voluntarily We collect only what is necessary to provide the CREDA service.
2. How We Use Your Data
We use your data to: - Operate and improve the CREDA platform - Calculate your CREDA Score - Process M-Pesa transactions and contributions - Send SMS notifications and OTP codes - Generate group financial statements and reports - Match you with relevant merchants and investment opportunities - Comply with Kenyan law and regulatory requirements - Generate anonymized financial inclusion reports for DFI partners (with group consent) We do not use your data for advertising or sell it to third parties.
3. SMS and Communications
CREDA sends SMS messages via Taifa Mobile for: - OTP verification codes - Transaction confirmations - Loan and contribution reminders - Meeting notifications - Security alerts You may reduce non-essential SMS by adjusting notification preferences in your profile settings. OTP and security messages cannot be disabled.
4. Data Sharing
We share your data only in these circumstances: Within your group: Other group members see your name, role, contribution status, and CREDA Score as relevant to group governance. With merchants: When you use CREDA Lipa, the merchant receives your name and transaction details only. With M-Pesa/Safaricom: Transaction data necessary to process payments. With DFI partners: Anonymized, aggregated data only, with no personally identifiable information, and only with the express consent of group administrators. With regulators: If required by Kenyan law, court order, or regulatory authority. We never sell your personal data.
5. Data Storage and Security
Your data is stored on Supabase infrastructure with servers in the EU (Frankfurt region). We implement: - End-to-end encryption for sensitive data - Row-level security on all database tables - Multi-factor authentication for admin access - Regular security audits - Audit logs for all financial transactions We retain your data for as long as your account is active, plus 7 years for financial records as required by Kenyan law.
6. Your Rights
Under the Kenya Data Protection Act 2019, you have the right to: - Access your personal data - Correct inaccurate data - Request deletion of your data (subject to legal retention requirements) - Object to processing of your data - Data portability (export your transaction history) - Withdraw consent where processing is consent-based To exercise these rights, contact: privacy@creda.africa
7. CREDA Score and Credit Data
Your CREDA Score is calculated from your platform activity and is stored in your profile. You may view your score breakdown at any time in the app. We do not share individual CREDA Scores with external parties without your explicit consent. Group administrators can see member scores within their group context only.
8. Children's Privacy
CREDA is intended for users aged 18 and above. We do not knowingly collect data from persons under 18. If you believe a minor has registered on CREDA, contact us at privacy@creda.africa and we will delete the account promptly.
9. Cookies and Analytics
CREDA is a Progressive Web App (PWA) and does not use third-party advertising cookies. We use minimal analytics to understand app performance and usage patterns. No personally identifiable information is included in analytics data.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via SMS and in-app notification. Continued use of CREDA after changes constitutes acceptance of the updated policy.
11. Contact and Data Controller
CREDA Limited is the data controller for personal data processed through the CREDA platform. Data Protection Officer: CREDA Limited c/o Sidnet Limited Nairobi, Kenya Email: privacy@creda.africa Phone: +254 722 210 711 Supervisory Authority: Office of the Data Protection Commissioner Kenya (www.odpc.go.ke)