NyotaLoans Privacy Policy
Data Controller: This Privacy Policy (hereinafter referred to as "this Policy") is formulated and implemented by FUTUREINNO DIGITAL TECH LIMITED (hereinafter referred to as "the Company" or "we"). Operating under the brand "Nyota Loan", we run a digital credit facility application (hereinafter referred to as "the App" or "NyotaLoans") dedicated to providing personal credit loan services to users within the Republic of Kenya. We respect the privacy of users (hereinafter referred to as "you") and will take strict measures to protect the security of your personal data in accordance with this Policy. This Policy details the types of personal data we collect, the manner in which such information is shared with third parties, and how you can manage your information preferences.
Last Updated Date: 10 March 2026
Scope of Application: This Policy applies to all acts of collecting, using, storing, sharing, transmitting and protecting your personal data when you download, register for, or use the App and related services. Your use of any service of the App shall be deemed as your full reading, understanding, and acceptance of all terms of this Policy.
1. Consent and Authorization Statement
By downloading, installing, and using the App, you confirm and agree to the following:
- You consent to us collecting, processing, storing, and legally sharing your personal data for legitimate business purposes (including but not limited to identity verification, credit assessment, loan approval and disbursement, repayment management, anti-fraud risk control, etc.). All acts shall strictly comply with the Kenya Data Protection Act 2019, the Financial Institutions Act, and other relevant Kenyan laws and regulations. You understand and confirm that you have the right to withdraw your consent at any time, but such withdrawal shall not affect the legality of information processing activities conducted based on your prior consent.
- You warrant that all personal data provided to us is true, accurate, and complete, and undertake to promptly update such data through the designated channels within the App or official customer service when any changes occur. You shall be liable for any losses arising from your intentional provision of false or misleading information.
- You authorize us to verify the authenticity of the information you provide through third parties such as government agencies and licensed credit reference bureaus (e.g., TransUnion Kenya, Metropol Credit Reference Bureau), and to obtain supplementary information related to your credit status within the scope permitted by law for the purpose of credit assessment.
- You acknowledge and agree that, to the extent necessary to provide services, we will share necessary information with third-party service providers after entering into strict data protection agreements with them. You have the right to request us to cease sharing certain information about you with specific third parties through the channels designated in the "Contact Us" section of this Policy.
- You understand that the legal bases for us to process your personal data include your consent, performance of a contract, fulfillment of legal obligations, or protection of legitimate rights and interests. Withdrawal of consent may result in the inability to continue using certain service functions.
2. Definition of Core Terms
- Personal Data: Any information relating directly or indirectly to an identifiable natural person, as defined in Section 2 of the Data Protection Act 2019.
- Sensitive Personal Data: Information revealing sensitive aspects of an individual such as financial status and family relations, for which we will implement strict protection measures.
- Credit Reference Bureau: An institution authorized by Kenyan regulatory authorities to engage in credit information services.
- Cooperative Service Providers: Third parties that provide us with technical support, payment processing, and other services, who must comply with confidentiality obligations equivalent to those set out in this Policy.
- Compliant Device Identifiers: Device identification information that complies with data protection standards, such as Android ID, GAID, and IDFA.
3. Personal Data We Collect
We strictly adhere to the "Principle of Data Minimization" and only collect data necessary to achieve the purposes of the services, which is mainly divided into the following three categories:
3.1 Personal Data Voluntarily Provided by You
During the registration and loan application process, you are required to provide the following necessary information to complete the service process:
- Mobile Phone Number: Serves as your core account for registering and logging into the App, and is used to receive important transaction notifications, security verifications, and service communications.
- Full Name: Used for identity verification and confirmation of the contracting party under the loan agreement to ensure the authenticity of account ownership.
- National ID Number: In accordance with the "Know Your Customer (KYC)" regulatory requirements, used to verify the legality of your identity and civil capacity, and prevent identity theft.
- Gender and Date of Birth: Gender information is used to optimize service adaptation, and the date of birth is used to confirm that you are at least 18 years old (the legal loan age in Kenya). Both serve as auxiliary reference factors for credit assessment.
- Marital Status and Educational Background: Serve as auxiliary information for credit risk assessment to help us gain a more comprehensive understanding of your personal background. We undertake not to engage in discriminatory treatment based on such information.
- City of Residence: Used to confirm the scope of service coverage and serve as an auxiliary assessment factor in conjunction with the regional credit environment.
- Occupation and Monthly Income: The core basis for credit assessment, used to judge your repayment capacity and determine the credit limit and loan terms accordingly.
- Emergency Contact Information: Including full name, relationship, and phone number. You explicitly authorize that we may use this information solely for the purpose of establishing contact when you are in serious default and we are unable to reach you through the registered contact methods provided by you. We will act strictly in accordance with the Kenya Data Protection Act 2019 and fair debt collection guidelines to ensure that the content of communication is minimized and non-harassing.
3.2 App Permission Information Authorized by You
We only request the following device permissions after obtaining your explicit consent. You can manage or disable these permissions at any time through your device settings, but disabling certain permissions may affect the normal use of related services.
- Camera Permission: Only invoked in the following two specific scenarios, and the permission will be released immediately after the operation is completed. No background photography or storage of irrelevant images will be conducted:
  - a. Loan Application Stage: Used for facial recognition identity verification to comply with KYC regulatory requirements, further confirm the authenticity of your identity, and prevent fraud risks such as identity theft and false applications;
  - b. Repayment Stage: Used to capture and upload repayment vouchers (such as M-Pesa transfer screenshots, bank receipts, etc.) to verify the fact of repayment and ensure that the repayment records are accurate and traceable;
- Device Information Permission: We will not collect hardware identifiers such as IMEI or device serial numbers. Only device model, operating system version, compliant device identifiers (Android ID, GAID, or IDFA), and mobile network information will be collected. This information is used to identify device identity to prevent fraud and optimize App compatibility and performance. Among them, advertising identifiers (GAID/IDFA) can be reset by you in the device settings or their function for advertising tracking can be disabled.
- SMS Permission: To conduct independent credit assessment and anti-fraud analysis, after you authorize, we will only read received SMS messages related to financial transactions (such as bank notifications, M-Pesa transaction records, etc.) for automated analysis of your income and repayment capacity. We commit that we will not read, store, or upload your private conversations, social messages, or any other non-financial SMS. All information read is encrypted and securely transmitted to our secure server (https://www.nyotaloans.com/).
- Application List Information: To safeguard your account and transaction security and prevent fraud risks, after your authorization, we will collect non-sensitive metadata of the applications installed on your device, including the application name, package name, installation time, and last update time. This information is used solely to analyze application patterns related to device security and financial behavior to identify potential risks. We do not collect any of your in-app activity data, browsing history, or personally identifiable information.
3.3 Information Obtained from Third Parties
To supplement and improve your credit assessment model and verify the authenticity of information, we may obtain relevant information about you from the following third parties in accordance with Kenyan laws and regulations:
- Platform Affiliates and Partners: Obtain necessary supplementary information related to your service usage for service connection and experience optimization;
- Licensed Credit Reference Bureaus: Obtain your credit report, historical performance records, and other information for credit risk assessment;
- Other Legitimate Sources: Obtain information from other third-party institutions when permitted by law or authorized by you for anti-fraud and risk control purposes.
In addition, to realize specific functions, we may integrate third-party Software Development Kits (SDKs), which may collect and use your information. For details about the SDKs, including the types of information they collect and the purposes of processing, please refer to the detailed description in Section 5.5 "Third-Party Software Development Kits (SDKs)" of this Policy.
4. Purposes of Using Personal Data
The collected information is only used for the following purposes directly related to the services and will not be used beyond the necessary scope:
- Account Creation and Management: Complete registration using your mobile phone number, verify identity information to ensure account ownership, and realize basic functions such as login, password retrieval, and information inquiry;
- Identity Verification and Credit Assessment: Verify the authenticity of your identity through personal data, assess repayment capacity in conjunction with third-party credit information, and determine loan eligibility and credit limits;
- End-to-End Loan Service Support: Cover loan application review, contract generation, disbursement, repayment reminders, overdue collection (establishing contact through your authorized emergency contacts when necessary) and other links to ensure smooth and compliant services;
- Fraud Prevention and Risk Control: Establish a risk identification model based on device information and personal background data to prevent abnormal behaviors such as fake registrations and identity theft;
- Service Optimization and Personalized Recommendations: Recommend suitable loan products according to your needs and optimize App performance and user experience;
- Compliance and Legal Performance: Respond to the legitimate requirements of regulatory authorities, comply with KYC and Anti-Money Laundering (AML) regulations, and retain necessary information to respond to potential legal disputes;
- Customer Service Response: Use your contact information and account details to quickly handle inquiries, complaints, and feedback, and retain communication records for verification purposes.
5. Sharing, Transfer, and Public Disclosure of Personal Data
We strictly abide by data confidentiality obligations and will not sell or rent your personal data to any third party. Information will only be shared, transferred, or disclosed to a limited extent in the following statutory or agreed circumstances:
5.1 Sharing
- Cooperative Service Providers: Share necessary information with third parties providing technical support, payment processing, customer service, etc. (such as providing account information to payment service providers to complete disbursement). Such third parties are required to enter into data processing agreements with us, clarify confidentiality obligations, and may only use the information for the purpose of providing services. We will supervise their data processing behaviors;
- Affiliates and Cooperative Institutions: Share information within the scope of your explicit consent or the necessity to achieve service purposes. Affiliates and cooperative institutions have no right to use the information for purposes other than those agreed in this Policy;
- Credit Reference and Debt Collection Institutions: When you are in default and fail to repay after multiple contacts, provide necessary information (full name, outstanding amount, emergency contact information) to legitimate debt collection institutions to assist in debt recovery; submit your performance records (including overdue records) to licensed credit reference bureaus to fulfill the obligation of credit information reporting;
- To improve services, conduct anonymized macro trend analysis, or develop business insights that do not identify individual identities, we may analyze the overall de-identified data. Such analysis will not identify or be linked to any specific individual.
5.2 Transfer
We will not transfer your personal data to any company, organization, or natural person except in the following circumstances:
- In the event of corporate restructuring transactions such as mergers, acquisitions, or asset transfers, the information may be transferred as part of the transaction assets. We will notify you prior to the transfer, require the transferee to continue complying with this Policy, and the transferee must obtain your explicit consent again when changing the purpose of information use;
- With your explicit prior consent or authorization;
- The transfer is required in accordance with laws, regulations, or mandatory administrative or judicial requirements.
5.3 Public Disclosure
Your personal data will only be publicly disclosed in the following circumstances:
- Comply with the mandatory requirements of applicable laws and regulations;
- You have violated laws, regulations, or service agreements, and it is necessary to disclose relevant information (including violations, judicial documents, measures taken, etc.) to protect the rights, property, and safety of us, affiliates, other users, or the public;
- Personal data that you have voluntarily disclosed to the public, or information collected from legally publicly disclosed sources.
5.4 Circumstances Not Requiring Consent
In accordance with relevant laws, regulations, and national standards, sharing, transferring, or publicly disclosing your personal data without your consent is permitted in the following circumstances:
- Related to the performance of obligations stipulated by laws and regulations;
- Directly related to national security and national defense security;
- Directly related to public safety, public health, and major public interests;
- Directly related to criminal investigation, prosecution, trial, and execution of judgments;
- For the purpose of safeguarding your or other individuals' life, property, and other major legitimate rights and interests, where it is difficult to obtain your consent;
- In accordance with the provisions of laws and regulations and the requirements of competent authorities, industry organizations such as the Kenya Association of Microfinance Institutions (KAMFI), etc.
5.5 Details of Third-Party Software Development Kits (SDKs)
To ensure the realization of relevant functions of the App and the safe and stable operation of the App, we may integrate Software Development Kits (SDKs) provided by third parties. We will conduct strict security assessments on them and require them to adopt strict data protection measures in accordance with this Policy and relevant agreements.
Details of the main third-party SDKs we integrate are as follows:
- Adjust SDK: Provided by Adjust GmbH. To conduct app installation attribution, statistical analysis, measure advertising effectiveness, and prevent fraud, this SDK will collect your device identifiers (such as advertising ID), IP address, and app interaction events. For more information on data processing, please refer to its privacy policy: https://www.adjust.com/terms/privacy-policy/.
- Firebase Analytics SDK: Provided by Google Ireland Limited. To conduct statistical analysis of app performance, understand user behavior to improve product experience, and troubleshoot crashes, this SDK will collect your device identifiers, app usage data (such as feature clicks), device model, and operating system version information. For more information on data processing, please refer to Google's privacy policy: https://policies.google.com/privacy.
- Facebook SDK: Provided by Meta Platforms, Inc. To conduct statistical analysis and measure and optimize advertising effectiveness, this SDK will collect your device identifiers, app usage data, and advertising interaction data. For more information on data processing, please refer to Meta's privacy policy: https://www.facebook.com/privacy/policy/.
- AIHelp SDK: Provided by Heytap Cloud Corporation. To provide in-app customer support services, including user inquiries, feedback submission, and issue resolution, this SDK will collect your device information (such as device model, operating system version), app usage data, and customer support chat history. This information is used solely to assist in resolving your questions and improving support services.
Please note that the above third-party SDKs may change their data collection types or purposes due to version upgrades, function adjustments, etc. Please refer to their official latest policies for the most up-to-date information. Meanwhile, you can reset or restrict the use of advertising identifiers (such as Apple's IDFA and Google's GAID) for advertising tracking through your device's operating system settings.
6. Storage and Security Protection of Personal Data
6.1 Storage Method and Location
We are the data controller of your personal data. All information is transmitted through encryption technology to secure servers located within Kenya (Server Address: https://www.nyotaloans.com) for storage. If it is necessary to transfer data to overseas locations for storage or processing (such as using international cloud services), we will ensure compliance with the cross-border data transfer specifications of the Data Protection Act 2019 and safeguard information security through encrypted transmission, signing data processing agreements, and other means. Your information may be stored on the financial cloud, and we will take all reasonable and necessary measures to ensure the secure processing of data in compliance with this Policy.
6.2 Security Protection Measures
We adopt multi-layered security protection measures to fully protect the security of your information, which meet the security standards for financial applications:
- Data Encryption: The transmission process adopts HTTPS protocol encryption, and the storage uses AES-256 encryption algorithm. Sensitive information is additionally desensitized; at the same time, security technical measures such as de-identification are adopted to strengthen information protection;
- Access and Permission Control: Establish a data classification and management system, and fully encrypt sensitive information such as mobile phone numbers and national ID numbers; set strict access permissions and operation permissions, monitor access behaviors in real time and retain logs; compliant device identifiers are processed through hash normalization to avoid plaintext transmission and storage;
- Security Audit and Emergency Response: Regularly invite third-party security institutions to conduct security audits and promptly fix vulnerabilities; establish an emergency response mechanism. If an information leakage or other security incident occurs, we will promptly notify you and relevant regulatory authorities in accordance with legal requirements;
- Third-Party Compliance Management: Conduct security qualification audits on cooperative service providers, require them to comply with equivalent data protection standards, and regularly verify compliance.
Please note that 100% absolute security cannot be guaranteed for Internet transmission. Due to technical limitations and rapid development, as well as the existence of various malicious attack methods, even if we strive to strengthen security measures, we cannot always ensure 100% information security. If our physical, technical, or management protection facilities are compromised, leading to unauthorized access, public disclosure, tampering, or damage of information, thereby harming your legitimate rights and interests, we will strictly assume corresponding responsibilities in accordance with the law; if information security risks arise due to your own reasons (such as stolen devices, password leakage), you shall bear the responsibility yourself. After receiving your information, we will immediately activate the above security measures for protection.
7. Your Rights Relating to Personal Data
In accordance with the Kenya Data Protection Act 2019, you have the following rights with respect to your personal data, and we will facilitate the exercise of these rights: You have the right to know how we process your personal data. We explain the methods of collecting, using, storing, and providing your information through this Policy, and provide you with channels to inquire about, update, delete, and protect such personal data.
7.1 Specific Rights
- Right of Access: You may request a copy of all personal data we have collected about you, including details such as the purpose of processing, scope of sharing, and retention period; you have the right to access your personal business-related information, including historical application information, transaction information, or other information that cannot be displayed within the App;
- Right to Rectification: If the information is inaccurate or incomplete, you may request correction or supplementation (for example, changes to occupation and income can be made through the "Personal Center" or with the assistance of customer service); when you find that the personal data we process about you is incorrect, you have the right to request us to correct it;
- Right to Erasure: When the information is no longer necessary for service purposes, we engage in illegal processing, or you withdraw your consent, you may request the deletion of your personal data (which can be applied for independently through "Personal Center - Account Deletion" or with the assistance of customer service); you have the right to actively request the cancellation of your personal account;
- Right to Restriction of Processing: When you dispute the accuracy of the information or the processing behavior, you may request the suspension of information processing until the dispute is resolved;
- Right to Data Portability: You may request us to provide your personal data in a structured, commonly used, and machine-readable format to facilitate transfer to other service providers (provided free of charge);
- Right to Withdraw Consent: You may withdraw your consent to device permissions and information processing at any time (permission withdrawal is completed through device settings, and withdrawal of consent to information processing shall be done by contacting customer service);
- Right to Disable Advertising Tracking: For Android devices, you can reset GAID or disable ad personalization through "Settings - Google - Ads"; for iOS devices, you can disable the App's access to IDFA through "Settings - Privacy & Security - Tracking".
7.2 Methods of Exercising Rights
If you wish to exercise the above rights, please send an application through the official email provided in the "Contact Us" section of this Policy, specifying your full name, registered mobile phone number, and specific needs. We will verify and respond within 14 working days of receiving the application. To ensure information security, we may require you to provide identity verification documents. For requests that are obviously without legal basis or repeatedly submitted, we have the right to legally refuse to process them after explaining the reasons.
You can inquire about or correct information by leaving a message through "Personal Center - Settings - Feedback" within the App, and we will respond within 5 working days. You can also apply for account cancellation through this channel or customer service (account cancellation can be completed by accessing "Personal Center - Settings - Account Deletion").
8. Retention Period of Personal Data
We only retain your personal data for the period necessary to achieve the purposes stated in this Policy, adhering to the "Principle of Minimal Retention Period":
- Loan Service-Related Information: Retained for 3 years after full repayment of the loan principal and interest, and automatically anonymized after the expiration of this period;
- Credit and Performance-Related Information: In accordance with the Data Protection Act 2019 and financial regulatory requirements, retained until the expiry of the relevant legal limitation period (usually 6 years). This retention requirement has been filed with credit reference bureaus;
- Marketing-Related Information: Retained until the date you explicitly refuse to receive marketing information (you can disable marketing pushes through "Settings - Notification Settings");
- Compliant Device Identifiers: Retained only during your use of the App. After uninstalling the App, the locally stored identifiers are automatically deleted, and only hash-processed data that cannot be linked to personal identity is retained on the server.
When the information exceeds the retention period or is no longer necessary for services, we will process it through anonymization (unable to identify individual identities) or secure deletion. Records of deletion will be retained for at least 1 year for verification purposes.
9. Protection of Minors' Personal Data
We attach great importance to the protection of minors' personal data. Kenyan law stipulates that natural persons under the age of 18 are minors and do not have independent loan application qualifications. Our products and/or services are not targeted at minors under the age of 18. We will never intentionally provide loan services to minors, nor will we actively collect personal data of minors or request relevant device permissions.
If you are a minor under the age of 18, please immediately stop using the products and services of Nyota Loans. If we discover that we have collected personal data of a minor due to operational errors or other reasons, we will take the initiative to delete the relevant information within 7 working days of discovery and terminate the provision of services.
If you are the legal guardian of a minor and have any questions about the processing of the minor's information under your guardianship, please contact us in a timely manner, and we will fully cooperate with the handling.
10. Changes to This Policy
To adapt to updates to laws and regulations, adjustments to business models, or optimization of App functions, we may revise this Policy. After the revision, we will notify you through pop-up windows, announcements, etc. within the App, and update the "Last Updated Date"; if the changes involve significant adjustments to your core rights or information processing rules, we will notify you separately via SMS, and you must re-confirm your consent to continue using the services.
To provide you with better services, as our business develops, this Policy will be updated from time to time. However, without your explicit consent, we will not reduce the rights you are entitled to under this Policy. We will announce changes to this Policy through reasonable means such as announcements on the website and App, and remind you of updates to relevant content before they take effect. Your continued use of our products and/or services shall mean your acceptance of the revised policy terms.
In the event of significant changes, we will notify you in a more prominent manner (including but not limited to App announcements, SMS, or special prompts on the browsing page, explaining the specific changes to the privacy policy). To ensure that you can receive notifications in a timely manner, we recommend that you notify us promptly when your contact information changes.
We recommend that you review this Policy regularly to keep abreast of the latest privacy protection measures. Your continued use of the App's services shall be deemed as your acceptance of the revised policy terms.
11. Contact Us
If you have any questions about this Policy, need to file a complaint or report, wish to exercise your rights related to personal data, or have any questions about our business, please contact us through the following methods:
- Official Customer Service Email: [email protected]
- In-App Feedback: Enter the NyotaLoans APP and click "Personal Center - Settings - Feedback" to leave a message
We will contact you within 5 working days of receiving your email or message, and resolve the issue or give a clear reply within 14 working days. If you are dissatisfied with the response result, you may further file a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya.
12. Disclaimer
- This Policy is formulated in accordance with the Kenya Data Protection Act 2019, the Financial Institutions Act, and the Kenya Information and Communications Act. If there is any conflict with legal provisions, the legal provisions shall prevail;
- We will take reasonable industry-standard measures to protect your information, but we shall be exempt from liability within the scope permitted by law for losses entirely caused by force majeure, your own reasons, or direct losses caused by the unilateral breach of contract by a third-party service provider despite our having fulfilled reasonable due diligence and entered into strict data protection agreements with them;
- The App may contain third-party links or services. We are not liable for the privacy policies or information processing behaviors of third parties, and we recommend that you carefully read the third parties' policies. Details of the processing of your personal data by the third-party SDKs (Software Development Kits) integrated by us are detailed in Section 5.5 "Details of Third-Party Software Development Kits (SDKs)" of this Privacy Policy;
- You agree that the legal results arising from our use and sharing of your information in accordance with this Policy are within the scope of your authorization. If a third party (such as a cooperative service provider or SDK provider) that we have bound with the aforementioned reasonable and necessary measures violates its legal obligations or agreement terms, resulting in data leakage, we will legally require it to assume liability and provide you with necessary assistance to safeguard your legitimate rights and interests. However, this does not exempt us from liability that we may bear as the data controller in accordance with applicable laws;
- Despite the fact that we adopt industry-standard practices to protect your personal data, due to technical limitations, we cannot ensure that all your private communications and other information will not be leaked through channels not listed in this Privacy Policy.