Privacy Policy

Zama Pay is a product and service platform developed and operated by OohBit Innovations Limited, a company incorporated in the United Republic of Tanzania. This Privacy Policy ("Policy") explains in extensive detail how OohBit Innovations Limited ("we," "our," or "us") collects, uses, stores, shares, and protects your personal, business, financial, and technical data when you access and use the Zama platform, mobile applications, APIs, websites, WhatsApp-integrated tools, and all related services (collectively, the "Platform").

We are deeply committed to upholding your privacy rights and ensuring the confidentiality, integrity, and lawful handling of your information. Our practices strictly adhere to the Data Protection Act, 2022 of the United Republic of Tanzania, The Electronic and Postal Communications Act, The Anti-Money Laundering Act, and applicable international data protection standards, including those set by the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention).

By using the Platform, you agree to the collection, use, and processing of your data as outlined in this Policy. If you do not agree with any part of this Policy, you must discontinue use of the Platform.

We collect and process the following categories of personal and business information:

a. Personal Identification Information:

• Full name and preferred name
• Date of birth and national identification number
• Gender and nationality
• Contact information (email, phone number)
• Profile photo (optional)

b. Business and Operational Information:

• Business name and registration number
• Business address and GPS location (for service mapping)
• Type of business (e.g., retail, services)
• Tax Identification Number (TIN), VAT number (if registered)

c. Financial and Transactional Information:

• Mobile wallet numbers and/or linked bank account details (e.g., M-Pesa, Tigo Pesa, Airtel Money, or Tanzanian bank accounts)
• Linked bank accounts (where applicable)
• Transaction timestamps, amounts, parties involved
• Transaction reference numbers and metadata

d. Technical and Device Information:

• IP address, MAC address, device ID
• Browser type, OS version, screen resolution
• Log files, error reports, usage timestamps

e. Communication Data:

• WhatsApp interaction metadata (order confirmations, receipts)
• User support inquiries and chat logs
• Customer responses from surveys and feedback forms

We use your information for the following legitimate and lawful purposes:

• To create and manage your Zama account
• To verify your identity and comply with Know Your Customer (KYC) requirements
• To process payments, refunds, withdrawals, and digital store transactions through mobile wallets and/or bank accounts
• To provide customer support and respond to inquiries
• To personalize user experience and deliver tailored recommendations
• To monitor usage, detect suspicious activity, and prevent fraud
• To generate business analytics and performance reports
• To comply with obligations under Tanzanian and international financial regulations
• To send system notifications, receipts, service alerts, and marketing updates (where consented)

Our data processing activities are based on:

• Consent – where you have explicitly agreed to data use for a specific purpose (e.g., marketing communications)
• Performance of a Contract – where data processing is necessary to deliver our services to you
• Legal Obligation – when required by regulators, tax authorities, or law enforcement agencies
• Legitimate Interest – for operational efficiency, fraud prevention, and user experience enhancement

You may withdraw consent at any time by contacting support@zamapay.me. Withdrawal does not affect prior lawful processing.

We treat your data with the highest standard of confidentiality. However, data may be shared in the following limited circumstances:

a. With Trusted Service Providers:

• Payment processors and financial institutions (e.g., Vodacom, Airtel, Tigo, Halotel, and Tanzanian banks)
• Hosting and cloud storage services (e.g., AWS, Google Cloud)
• WhatsApp Business API vendors
• Email and SMS communications providers
• Risk and fraud prevention platforms

All third parties are contractually bound to data protection obligations, including security, confidentiality, and restricted use clauses.

b. With Regulatory Authorities:

We may disclose data when required by:

• The Bank of Tanzania (BoT)
• The Tanzania Revenue Authority (TRA)
• The Financial Intelligence Unit (FIU)
• Courts of law and law enforcement agencies

This includes reporting suspicious transactions, audits, and compliance with AML and CFT requirements.

c. During Business Restructuring:

In the event of a merger, acquisition, restructuring, or sale of assets, your data may be transferred to successor entities under confidentiality agreements.

Zama employs technical and organizational measures to protect your data:

• End-to-end encryption for sensitive data during transit and storage
• Role-based access control for employees and contractors
• Firewalls, secure hosting, and anti-malware protection
• Regular vulnerability testing, audits, and penetration tests
• Continuous monitoring for suspicious activity

Despite best efforts, no system is entirely immune from breaches. In the event of a data breach, we will notify affected users and relevant regulators within the legally required timelines.

We retain your data only for as long as is necessary to:

• Fulfil our contractual and legal obligations
• Provide access to service records and historical data
• Comply with Tanzanian tax and financial laws (e.g., 5 years for AML records)
• Resolve disputes and enforce agreements

You may request deletion of your data. However, certain records may be retained where required by law or to protect our legal interests.

Under the Data Protection Act, 2022, you are entitled to the following rights:

• Right to Access – View or request copies of your personal data
• Right to Rectification – Correct inaccurate or outdated data
• Right to Deletion – Request erasure of your data under qualifying conditions
• Right to Object – Challenge processing based on our legitimate interest
• Right to Restrict Processing – Temporarily limit data use under specific grounds
• Right to Data Portability – Receive data in a readable format or transfer it to another provider
• Right to Complain – File a complaint with the TCRA Data Protection Commissioner

Requests may be submitted to privacy@zamapay.me. We will respond within 30 days.

Zama uses cookies, pixels, and analytics tools to:

• Store your language and platform preferences
• Enable secure login and session tracking
• Collect analytics on platform usage and conversion rates
• Deliver targeted promotions and retargeting ads

You can manage cookie settings in your browser or mobile device. Disabling cookies may impair certain functionalities.

Some of our systems and service providers may process your data outside Tanzania. In such cases:

• Data is encrypted and transmitted over secure channels
• We verify that destination countries have adequate protection measures
• Contracts contain data protection clauses and jurisdictional safeguards

We comply with cross-border data transfer rules issued by the Tanzanian government.

Zama's services are designed for individuals aged 18 years and above. We do not knowingly collect information from minors. If a child's data is inadvertently collected, we will delete it upon identification or notification.

We may use automated tools to:

• Detect and block fraudulent behavior
• Suggest features or content based on user behavior
• Determine eligibility for certain features (e.g., BNPL or credit limits)

Decisions with significant legal or financial impact will be subject to human review.

This Policy may be updated to reflect changes in law, technology, or business operations. When revised:

• A new effective date will be published
• Significant changes will be communicated via email or platform alert

Your continued use of the Platform signifies agreement to the revised Policy.

If you have questions, concerns, or wish to exercise your rights:

This Policy is a living document, and your trust is our highest priority. We welcome feedback and will continuously work to uphold your digital rights and data sovereignty in Tanzania and beyond.