Last updated: 30 March 2026
Privacy Policy
CREDA Limited respects your privacy. This policy describes what personal data we collect, why we use it, how long we keep it, who we share it with, and your rights under the Kenya Data Protection Act, 2019 ("DPA"). We have kept the language straightforward; defined terms in the DPA apply where relevant.
Data controller
CREDA Limited
A subsidiary of Sidnet Limited
Nairobi, Kenya
Registration No: [Registration number]
CREDA Limited operates the CREDA platform. Depending on how your group is set up, we may process personal data as a data controller (for example account and platform operations) and/or as a processor on instructions from your group or organisation. Your group may also be a controller for member and transaction data it enters.
Data Protection Officer
Sidney Essendi, CEO
For general legal notices, you may also contact legal@creda.africa.
What personal data we collect
Account and profile
Name, phone number, email (if used), authentication identifiers, optional national ID or KYC-related information you or your group chooses to collect, language preferences, and similar profile fields.
Group and financial activity
Group membership, roles, contributions, loans, penalties, meetings, approvals, messages or notes attached to records, and audit or log entries tied to those activities.
Technical and usage
IP address, device and browser type, approximate location derived from network data, timestamps, cookies and similar technologies (see Cookies below), and diagnostic logs needed to secure and improve the service.
Communications
SMS or messaging content required to deliver OTPs or service alerts, email correspondence with support, and in-app notification metadata.
Why we use your data (purposes)
- Provide the service: authenticate you, show ledgers and dashboards, enforce roles and approvals, and sync data across devices.
- Payments and integrations: initiate or reconcile payments where you use linked providers (for example mobile money), and comply with their rules.
- Security and integrity: detect fraud, abuse, and technical failures; maintain audit trails; backup and restore data.
- Legal and compliance: meet lawful requests, defend legal claims, and comply with accounting or regulatory obligations that apply to us or your group.
- Product improvement: understand usage in aggregate to fix bugs and improve features (we do not sell your personal data).
We rely on lawful bases recognised under the DPA, such as performance of a contract, legitimate interests that are not overridden by your rights, compliance with legal obligations, and consent where we ask for it (for example optional marketing, if offered).
How long we keep data (retention)
We keep personal data only as long as needed for the purposes above, including statutory, tax, and audit retention periods that may apply to group financial records.
- Active account and group records are kept while your relationship with CREDA Limited continues and for a reasonable period afterwards to resolve disputes or renewals.
- Backups may retain copies for a limited technical window before rotation.
- Logs and security data are kept for a period appropriate to investigate incidents, typically months unless law requires longer.
When retention ends, we delete or anonymise data where feasible.
Who we share data with
We share personal data only where necessary, with:
- Service providers who host the platform, store databases, send SMS or email, process payments, or provide security monitoring (for example cloud infrastructure and mobile money partners), under contracts that require protection of your data.
- Your group and its authorised users, according to roles you assign inside the CREDA platform.
- Authorities when required by law, court order, or to protect rights, safety, and the integrity of the service.
- Professional advisers (lawyers, auditors) under confidentiality obligations.
Where processors are outside Kenya, we take steps consistent with the DPA (for example appropriate safeguards and agreements).
Your rights (DPA)
Subject to applicable law, you may have the right to:
- Be informed about processing (this policy is part of that).
- Access the personal data we hold about you.
- Request correction of inaccurate or incomplete data.
- Request deletion or restriction in certain circumstances.
- Object to processing based on legitimate interests, where the law allows.
- Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya.
How to exercise your rights: email privacy@creda.africa (or legal@creda.africa) with your name, phone or email on the account, and a short description of your request. We will respond within a reasonable time and may ask for information to confirm your identity. Some requests may need to be coordinated with your group if they control certain data.
Cookies and similar technologies
We use cookies and similar storage to keep you signed in, remember preferences (such as language), protect against abuse, and measure basic product performance. Essential cookies are required for the site to function. Where we use non-essential analytics or similar tools, we will rely on consent or other lawful bases as required and provide controls where available in the product or browser settings.
You can block or delete cookies through your browser; some features may not work without essential cookies.
Children
The CREDA platform is not directed at children. If you believe we have collected data from a child without appropriate authority, contact us and we will take appropriate steps.
Security
We use technical and organisational measures appropriate to the risk, including encryption in transit, access controls, and logging. No online service is perfectly secure; please use strong practices on your devices.
Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will change when we do. For material changes, we will provide notice as appropriate (for example in-app or by email).
Contact
Privacy questions and rights requests: legal@creda.africa