Privacy Policy

Effective Date: September 25, 2025


Thank you for using the Flash Mkopo loan application (hereinafter referred to as "this app", "we", or "our"). We highly value your privacy and data security, and fully comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This privacy policy details our principles and measures regarding the collection, use, storage, and protection of personal information, as well as your rights related to it.


1. Data Controller Information

Data Controller: NISA AMELIA
Data Protection Officer Contact: support@flashmkopo.com


2. Information We Collect and Legal Basis

To provide secure and convenient loan services, we may collect the following types of information:

Contact Information and Emergency Contact Details

- Collection and Use: To quickly reach you during emergencies (such as your account being at risk of security breach and we are unable to contact you), the app will add your contact information to your contact list, used to select and verify emergency contacts (names and phone numbers). You can also manually input contact details.

- Data Processing: We promise that emergency contact information will only be used for security purposes, and we will not sell or share it for marketing or third-party purposes.

Device and Application Information

- Collection and Use: We will collect information about your device (such as device model, operating system version, network status) and the list of apps on your device (especially those related to financial or security matters). This information will be used for:

- Analyzing device performance, reducing software errors, and ensuring service stability.

- Assessing device security, preventing misuse and fraud.

- Data Processing: This information will be processed through encryption to mitigate risks and improve user experience, and will not be used for unintended purposes.

Personal and Identification Information

- Collection and Use: During loan applications, you will provide personal information (such as name, NIN, date of birth, monthly income, address) to complete identity verification (KYC) and credit assessment. This information is crucial for determining your borrowing capacity and loan amount.

- Data Processing: The personal information you fill in will be processed through encryption, solely for providing loan services, and in compliance with relevant laws and regulations.

Message Information

- Collection and Use: To evaluate loan services and detect fraud, the app will access your message records (especially those related to financial services and transactions). This will help us understand your financial situation and identify unusual activities.

- Data Processing: Access to message data will be securely stored and used solely for risk assessment purposes.

Location Information

- Collection and Use: We will collect coarse location data to provide location-based services and as a means to detect fraud.

- Data Processing: Location data will be anonymized, used only to enhance services and maintain security.

Support Services and Permissions

To ensure critical functions operate properly, we also require:

- Camera Permission: For capturing ID images during KYC to verify identity.

- Network Status Permission: To monitor network status, improve app performance, and reduce unforeseen issues.

- Notification Permission: To send you important alerts regarding loan statuses and repayments.

3. Permissions Requested and Usage

We adhere to the principle of minimal necessary permissions and request the following:

  • Notification permissions: To send loan activity and repayment information
  • Camera permissions: For identity verification during KYC
  • Location permissions (approximate): For location-based personalized services and security verification
  • Network status permissions: To optimize application performance and stability
  • SMS permissions: Limited to reading SMS related to financial services for fraud detection and account security

Important note: You can revoke any permission at any time via device settings, but this may affect certain functionalities.


4. Integration with Third-party SDKs and Data Processing

Information about third-party SDKs integrated and their data processing:

a) FaceID SDK

  • Purpose: Facial recognition for identity verification
  • Data processing: Encrypted transmission and storage of biometric data
  • Privacy Policy: https://faceid.com/privacy
  • Data protection measures: Data Processing Agreement (DPA) signed

b) Firebase SDK

  • Purpose: Analytics and technical monitoring
  • Data processing: Device information and logs
  • Privacy Policy: https://firebase.google.com/support/privacy
  • Data protection measures: Google LLC endorsed under the EU-US Privacy Framework

c) Facebook SDK

  • Purpose: Ad attribution and user behavior analysis
  • Data processing: Anonymized and aggregated data
  • Privacy Policy: https://www.facebook.com/policy.php
  • Data protection measures: Meta Platforms approved under the EU-US Privacy Framework

All third-party service providers comply with GDPR requirements and have signed necessary data processing agreements.


5. Data Transfer

Your data may be processed outside Tanzania. In such cases, we ensure adequate protections through:

  • EU Commission adequacy decision
  • Standard Contractual Clauses (SCC)
  • Certified data privacy frameworks
  • Binding Corporate Rules (BCR)

You can contact us for detailed information on data transfer protections.


6. Data Storage and Security Measures

We implement the following security measures:

  • All data transmitted over SSL/TLS encryption
  • Stored on secure servers (api.flashmkopo.com) with firewalls and intrusion detection systems
  • Strict access control, limited to authorized personnel
  • Regular security audits and vulnerability assessments
  • Data encryption and anonymization techniques
  • Employee training on data protection

7. Disclosure and Sharing of Information

We only share your information in the following cases:

  • With your explicit consent
  • With processing partners under Data Processing Agreements for service provision
  • To comply with legal obligations or respond to lawful government requests
  • To protect our or others' legitimate rights and interests

8. Rights of Data Subjects

Under GDPR, you have the following rights:

  • Access: Obtain a copy of your personal data we hold
  • Correction: Correct inaccurate or incomplete data
  • Deletion: Request deletion of your data under certain conditions ("Right to be Forgotten")
  • Restriction of Processing: Request restriction under specific circumstances
  • Data Portability: Receive your data in a structured, commonly used format and transmit it to another controller
  • Opposition: Oppose data processing based on legitimate interests, including for direct marketing
  • Revoke Consent: Withdraw consent at any time; prior processing remains valid

You can exercise these rights by contacting support@flashmkopo.com. We will respond within 30 days.


9. Data Retention Period

We retain your data only for as long as necessary to fulfill the purposes:

  • Active user data: Retained until 36 months after the last activity
  • Loan application data: Retained until 60 months after loan settlement (per financial regulations)
  • Marketing data: Retained until you withdraw consent plus 6 months

After the retention period, data will be securely deleted or anonymized.


10. Minors' Privacy Protection

This service is not intended for users under 18. If we unintentionally collect data about minors, please notify us immediately so we can delete it promptly.


11. Changes in Data Usage

If we intend to use your data for purposes beyond the original scope, we will notify you in advance and obtain necessary consent.


12. Data Breach Notification

If a data breach occurs that could pose risks to your rights and freedoms, we will notify the supervisory authority within 72 hours of discovery and inform you promptly if there is a high risk.


13. Your Data Rights

We commit to protecting your data rights. If you have any questions or complaints about data processing, please contact us via the contact information below.


14. Contact Us

For data protection inquiries, contact us at:
Customer support email: support@flashmkopo.com


15. Right to File Complaint with Supervisory Authority

You have the right to file a complaint with your local, occupational, or suspected infringement data protection supervisory authority. Our main supervisory authority is:
Tanzania Communication Regulatory Authority (TCRA)
Contact details:
- Address: P.O. Box 474, Dar es Salaam, Tanzania
- Phone: +255 22 211 2560 / 211 2561
- Fax: +255 22 211 2564
- Email: info@tcra.go.tz
- Website: https://www.tcra.go.tz


16. Legal Compliance

Flash Mkopo strictly complies with Tanzanian data protection laws, EU GDPR, and Google privacy policies to ensure personal information is used legally and securely.


17. Policy Updates

We will notify significant changes via in-app notifications or email. Please review this policy regularly to stay updated.


Thank you for trusting and using Flash Mkopo!