Privacy Policy

1. Introduction

Endelea Finance Limited ("Endelea", "we", "us", "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, share, and safeguard information about you when you use our mobile application, web platform, and related services (collectively, the "Services").

This policy is written in compliance with the Kenya Data Protection Act 2019 (DPA) and the Kenya Data Protection (General) Regulations 2021. By using our Services, you consent to the collection and use of your information as described in this policy.

2. Data Controller

The data controller for your personal data is:

• Company: Endelea Finance Limited
• Registration: Kenya, Certificate of Incorporation [Number on file]
• Address: Westlands Business District, Nairobi, Kenya
• Data Protection Officer Email: dpo@endeleafinance.com
• Registration with ODPC: Registered with the Office of the Data Protection Commissioner (ODPC), Kenya

3. Data We Collect

3.1 Account Data

When you register, we collect your full name, email address, phone number (in E.164 format, e.g. +254…), and a securely hashed password.

3.2 Financial Transaction Data

With your explicit permission, we collect M-Pesa transaction data via SMS message content on Android devices. This includes: transaction amounts (stored as integer cents in KES), merchant or payee names, transaction types (send, receive, buy goods, pay bill, withdraw), and transaction timestamps. We do not have access to your M-Pesa PIN or Safaricom account credentials.

3.3 Manually Entered Data

Data you manually enter including budget categories, goal targets, contribution amounts, and notes attached to transactions.

3.4 Usage and Device Data

We collect app usage patterns, feature usage frequencies, device type and operating system version, and app version — for the purpose of improving the platform and debugging issues.

3.5 Advisor Relationship Data

If you connect with a financial advisor through the platform, the advisor's name, credentials, and your consent to share your data with them are recorded and stored.

4. How We Use Your Data

We use your data for the following purposes, each grounded in a lawful basis under the DPA 2019:

• Service Delivery (Contract): To provide transaction tracking, budgeting, goal management, and AI insights.
• AI Categorisation (Consent): To automatically categorise your transactions using our AI models.
• Subscription Management (Contract): To process M-Pesa subscription payments and maintain your account.
• Platform Improvement (Legitimate Interest): Aggregated, anonymised usage data helps us improve features.
• Security (Legitimate Interest): To detect fraud, unusual activity, and protect your account.
• Legal Compliance (Legal Obligation): To comply with applicable Kenyan laws and regulatory requirements.

5. M-Pesa & SMS Data

Endelea accesses M-Pesa SMS messages on your Android device only to extract transaction details. This permission is granted explicitly by you during setup. We do not read, store, or process any other SMS messages on your device. The raw SMS message text is processed locally on your device and the extracted structured data is sent to our servers — the raw SMS text is never transmitted or stored.

Endelea is not a payment service provider. We do not initiate, hold, or transfer funds on your behalf. M-Pesa integration is solely for subscription payment collection and transaction data capture.

6. AI & Machine Learning

Our AI features are powered by backend language models. We employ a privacy-first, federated learning architecture which means:

• Your personal financial data is never used to train publicly accessible AI models.
• Before any data is sent to our AI processing pipeline, it is stripped of personally identifiable information (names, phone numbers, account numbers).
• Model improvements use aggregated, anonymised patterns — not individual transaction histories.
• You may opt out of contributing to model improvement at any time in your account settings.

7. Data Sharing

We do not sell your personal data. We may share data in the following limited circumstances:

• With financial advisors you explicitly connect to: Only data you have consented to share, and only while the advisor relationship is active.
• With service providers: Hosting (Kenyan-domiciled servers), payment processing (Safaricom Daraja API), and analytics partners under data processing agreements that restrict use to service delivery only.
• Legal requirements: If required by a court order, regulator, or law enforcement authority under Kenyan law.
• Business transfer: In the event of a merger or acquisition, your data would be transferred under equivalent privacy protections with advance notice to you.

8. Data Retention

We retain your data for as long as your account is active. If you cancel your subscription, your data is retained for 90 days to allow account reactivation, after which it is permanently deleted. If you request account deletion, your data is deleted within 30 days. Transaction records may be retained for up to 7 years in anonymised form for regulatory compliance purposes.

9. Security Measures

We protect your data using industry-standard security measures including:

• AES-256 encryption for data at rest
• TLS 1.3 encryption for all data in transit
• Biometric authentication options on the mobile app
• Role-based access controls limiting which staff can access which data
• Regular security audits and penetration testing
• All servers hosted within Kenya to maintain data residency compliance

10. Your Rights Under the DPA 2019

Under the Kenya Data Protection Act 2019, you have the following rights:

• Right of Access: Request a copy of all personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data ("right to be forgotten").
• Right to Data Portability: Receive your data in a machine-readable format (CSV/JSON).
• Right to Restriction: Request restriction of processing in certain circumstances.
• Right to Object: Object to processing based on legitimate interests or direct marketing.
• Right to Withdraw Consent: Withdraw consent at any time where processing is consent-based.

To exercise any of these rights, submit a request through the app (Settings → Privacy → Data Requests) or email dpo@endeleafinance.com. We will respond within 30 days.

11. Cookies

Our mobile app does not use cookies. Our marketing website uses essential cookies for session management, and optional analytics cookies (which you may decline). A full Cookie Policy is available separately.

12. Children's Privacy

Our Services are intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered, please contact us immediately at dpo@endeleafinance.com and we will delete the account.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and in-app notification at least 14 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

14. Contact Us / Data Protection Officer

For any privacy-related queries, data requests, or complaints:

• Email: dpo@endeleafinance.com
• Address: Data Protection Officer, Endelea Finance Limited, Westlands, Nairobi, Kenya

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at www.odpc.go.ke.