NyotaLoans Privacy Policy

Last Updated: April 09, 2026

Issuing Entity: This Privacy Policy (hereinafter referred to as the "Policy") is formulated and implemented by FUTUREINNO DIGITAL TECH LIMITED (hereinafter referred to as the "Company" or "We"). We operate the digital credit loan application (hereinafter referred to as the "App" or "NyotaLoans") under the brand "Nyota Loan", focusing on providing personal credit loan services to users within the Republic of Kenya. We respect the privacy of users (hereinafter referred to as "You") and will take strict measures to protect the security of your personal information in accordance with this Policy. This Policy details the types of personal information we collect, how we share information with third parties, and how you can manage your information preferences.

Application Scope: This Policy applies to all our acts of collecting, using, storing, sharing, transmitting and protecting your personal information when you download, register for or use the App and related services. Your use of any service of the App shall be deemed to mean that you have fully read, understood and agreed to all the terms of this Policy.

1. Consent and Authorization Statement

By downloading, installing and using the App, you confirm and agree to the following matters:

  • You agree that we collect, process, store and legally share your personal information for legitimate business purposes (including identity verification, credit assessment, loan approval and disbursement, repayment management, anti-fraud risk control, etc.), and all acts shall strictly comply with the Kenyan Data Protection Act 2019, Financial Institutions Act and other relevant laws and regulations. You understand and confirm that you have the right to withdraw your consent at any time, and the withdrawal of consent shall not affect the legality of information processing activities carried out based on your consent prior to such withdrawal.
  • You warrant that all personal information provided to us is true, accurate and complete, and undertake to update it in a timely manner through designated channels within the App or official customer service when the information changes. You shall be liable for any losses caused by your intentional provision of false or misleading information.
  • You authorize us to verify the authenticity of the information provided by you through third parties such as government agencies and licensed credit reference bureaus (e.g., TransUnion Kenya, Metropol Credit Reference Bureau), and obtain supplementary information related to your credit status within the scope permitted by law for credit assessment.
  • You expressly authorize us and our compliant third-party partners to inquire the following data. Such inquiries shall strictly comply with relevant Kenyan laws, regulations and industry standards, and shall only be used for identity verification, credit assessment and anti-fraud risk control, and shall not be used for other purposes not agreed in this Policy:
    1. Mobile Number Check: Inquire the authenticity and compliance of the mobile phone number you provided, to confirm the validity of your account binding and prevent fraud risks such as fake registration and mobile number impersonation;
    2. ID Number Check: Inquire the authenticity, validity and information consistency of the ID, name, gender, date of birth, place of birth and residential address corresponding to the ID number you provided, to verify your legal identity in compliance with the Know Your Customer (KYC) regulatory requirements and prevent fraud such as identity impersonation and fake applications;
    3. CRB Credit Report Inquiry: Authorize us to inquire your personal credit report from credit reference bureaus (CRB) authorized by the Central Bank of Kenya, including but not limited to your credit record, historical performance, default record and other relevant information, to comprehensively assess your credit status, repayment ability and loan risk, and provide core reference for loan approval and credit limit determination. The inquiry shall comply with the Banking (Credit Reference Bureaus) Regulations 2008 and relevant regulatory requirements.
  • You acknowledge and agree that, to the extent necessary for the provision of services, we will share necessary information with third-party service providers on the premise of signing strict data protection agreements with them. You have the right to request us to stop sharing part of your information with specific third parties through the channels specified in the "Contact Us" section of this Policy.
  • You understand that the legal basis for our processing of your personal information includes your consent, performance of a contract, performance of legal obligations or protection of legitimate interests. Withdrawal of consent may result in the inability to continue using some service functions. In particular, withdrawal of authorization related to data inquiry will make it impossible to complete identity verification and credit assessment, thereby disabling core services such as loan application of the App.

2. Definition of Core Terms

  • Personal Information: Any information directly or indirectly related to an identified or identifiable natural person, as defined under Section 2 of the Data Protection Act 2019.
  • Sensitive Personal Information: Information revealing personal sensitive aspects such as financial status and family relations, which we shall protect with strict safeguards.
  • Credit Reference Bureau: An institution authorized by Kenyan regulatory authorities to engage in credit information services, including credit reference bureaus (CRB) authorized by the Central Bank of Kenya.
  • Cooperative Service Provider: A third party that provides technical support, payment processing, data inquiry and other services for us, who shall abide by confidentiality obligations equivalent to those in this Policy.
  • Compliant Device Identifier: Device identification information that complies with data protection requirements, such as Android ID, GAID or IDFA.

3. Personal Information We Collect

We strictly follow the principle of "minimum necessity" and only collect information necessary to achieve service purposes, which are mainly divided into the following three categories:

3.1 Personal Information You Actively Provide

During registration and loan application, you are required to provide the following necessary information to complete the service process:

  • Mobile Phone Number: Serves as the core account for your registration and login to the App, and is used to receive important transaction notifications, security verification and service communication, as well as the core inquiry basis for mobile number check;
  • Full Name: Used for identity recognition and confirmation of the loan contract subject to ensure the authenticity of account ownership;
  • ID Number: Used to verify your legal identity and civil capacity in compliance with KYC regulatory requirements, prevent identity impersonation, and serve as the core inquiry basis for ID number check;
  • Gender and Date of Birth: Gender information is used to optimize service adaptation, and date of birth is used to confirm you are over 18 years old (the legal loan age in Kenya). Both are used as auxiliary references for credit assessment;
  • Marital Status and Education Level: Used as auxiliary information for credit risk assessment to help us understand your personal background more comprehensively. We undertake not to discriminate based on such information;
  • City of Residence: Used to confirm service coverage and serve as an auxiliary assessment factor combined with regional credit environment;
  • Occupation and Monthly Income: Core credit assessment basis for judging your repayment ability and determining credit limit and loan terms accordingly;
  • Emergency Contact Information: Including name, relationship and phone number. You expressly authorize us to use this information to establish contact only when you are seriously overdue and we cannot contact you through your registered method. We will strictly comply with the Kenyan Data Protection Act 2019 and fair debt collection guidelines to ensure communication content is minimized and non-harassing.

3.2 Application Permission Information Authorized by You

We will only request the following device permissions after obtaining your explicit consent. You can manage or disable these permissions at any time through device settings, but disabling some permissions may affect the normal use of relevant services.

  • Camera Permission: Only invoked in the following two specific scenarios, and the permission will be released immediately after operation. No background shooting or storage of irrelevant images will be conducted:
    • a. Loan Application Stage: Used for face recognition identity verification to comply with KYC regulatory requirements, further confirm your identity authenticity, and prevent fraud risks such as identity impersonation and fake applications;
    • b. Repayment Stage: Used to photograph and upload repayment vouchers (such as M-Pesa transfer screenshots, bank receipts, etc.) to verify repayment facts and ensure accurate and traceable repayment records;
  • Device Information Permission: We do not collect IMEI, device serial number or other hardware identifiers. We only collect device model, operating system version, compliant device identifiers (Android ID, GAID or IDFA) and mobile network information. This information is used to identify device identity to prevent fraud and optimize application compatibility and performance. Among them, advertising identifiers (GAID/IDFA) can be reset or their use for advertising tracking can be disabled in your device settings;
  • SMS Permission: For independent credit assessment and anti-fraud analysis, with your authorization, we will only read received SMS related to financial transactions (such as bank notifications, M-Pesa transaction records, etc.) for automated analysis of your income and repayment ability. We undertake not to read, store or upload your private conversations, social information or any other non-financial SMS. All relevant information read is securely transmitted to our secure server (https://www.nyotaloans.com/) after encryption;
  • Application List Information: To protect your account and transaction security and prevent fraud risks, with your authorization, we will collect non-sensitive metadata of installed applications on your device, including application name, package name, installation time and latest update time. This information is only used to analyze application patterns related to device security and financial behavior to identify potential risks. We do not collect any activity data, browsing history or personal identification information within your applications.

3.3 Information Obtained from Third Parties

To supplement and improve your credit assessment model and verify information authenticity, we may obtain your relevant information from the following third parties in compliance with Kenyan laws and regulations:

  • Affiliated Parties and Partners: Obtain necessary supplementary information related to your service use for service connection and experience optimization;
  • Licensed Credit Reference Bureaus (CRB): Obtain your credit report, historical performance records and other information for credit risk assessment. Such acquisition is based on the CRB credit report inquiry authorization you made in Chapter 1 of this Policy;
  • Data Inquiry Service Provider (Peleza Three-Element Verification Service): Obtain results of your mobile number check (verifying whether the registered user of the mobile phone number is consistent with your ID number) and ID number check (verifying information corresponding to your ID number: name, gender, date of birth, place of birth, residential address) for identity verification and anti-fraud risk control. Such acquisition is based on the relevant authorization you made in Chapter 1 of this Policy;
  • Other Legitimate Sources: Obtain information from other third-party institutions within the scope permitted by law or with your authorization for anti-fraud and risk control.

In addition, to realize specific functions, we may access third-party software development kits (SDKs), which may collect and use your information. For details of SDKs, including the types of information they collect and processing purposes, please refer to the detailed description in Section "5.5 Third-Party Software Development Kits (SDKs)" of this Policy.

4. Purposes of Using Personal Information

The information we collect is only used for the following purposes directly related to services and will not be used beyond the necessary scope:

  • Account Creation and Management: Use mobile phone number to complete registration, verify identity information to ensure account ownership, and implement basic functions such as login, password retrieval and information query;
  • Identity Verification and Credit Assessment: Verify identity authenticity through personal information, assess repayment ability combined with mobile number check, ID number check results, CRB credit report and other information, and determine loan eligibility and credit limit;
  • Full-Lifecycle Loan Support: Covering loan application review, contract generation, disbursement, repayment reminders, overdue debt collection (contacting through your authorized emergency contact when necessary) to ensure smooth and compliant services;
  • Fraud Prevention and Risk Control: Establish risk identification models combined with device information, personal background data, mobile number and ID number check results to prevent abnormal behaviors such as fake registration and identity impersonation;
  • Service Optimization and Personalized Recommendation: Recommend suitable loan products according to your needs and optimize application performance and user experience;
  • Compliance and Legal Performance: Respond to legitimate requirements of regulatory authorities, comply with KYC and Anti-Money Laundering (AML) regulations, and retain necessary information to deal with potential legal disputes;
  • Customer Service Response: Use your contact information and account information to quickly handle inquiries, complaints and feedback, and retain communication records for verification.

5. Sharing, Transfer and Public Disclosure of Personal Information

We strictly abide by data confidentiality obligations and will not sell or rent your personal information to any third party. We will only share, transfer or disclose information to a limited extent under the following statutory or agreed circumstances:

5.1 Sharing

  • Cooperative Service Providers: Share necessary information with third parties providing technical support, payment processing, customer service, data inquiry (including mobile number check, ID number check, CRB credit report inquiry) and other services (e.g., provide your identity information to CRB for credit report inquiry, provide your mobile phone number and ID number to data verification service providers for completion of checks). Such third parties are required to sign data processing agreements with us to clarify confidentiality obligations and may only use information for the purpose of providing services. We will supervise their data processing activities;
  • Affiliated Parties and Cooperative Institutions: Share information within the scope necessary to obtain your explicit consent or achieve service purposes. Affiliated parties and cooperative institutions have no right to use information for purposes not agreed in this Policy;
  • Credit and Collection Agencies: When you are overdue and fail to repay after multiple attempts to contact, provide necessary information (name, outstanding amount, emergency contact information) to legitimate collection agencies to assist in collection; report your performance records (including default records) to licensed credit reference bureaus to fulfill credit information reporting obligations;
  • To improve services, conduct anonymized macro trend analysis or develop non-personally identifiable business insights, we may analyze de-identified aggregate data. Such analysis will not identify or be linked to any specific individual.

5.2 Transfer

We will not transfer your personal information to any company, organization or natural person, except under the following circumstances:

  • In the event of corporate restructuring transactions such as merger, acquisition or asset transfer, information is transferred as part of transaction assets. We will notify you before transfer and require the transferee to continue to abide by this Policy. We will re-obtain your explicit consent if the purpose of information use changes;
  • We have obtained your explicit consent or authorization in advance;
  • Transfer is required by laws and regulations or mandatory administrative and judicial requirements.

5.3 Public Disclosure

We will publicly disclose your personal information only under the following circumstances:

  • Comply with mandatory requirements of applicable laws and regulations;
  • You have violated laws and regulations or service agreements, and it is necessary to disclose relevant information (including violations, judicial documents, measures taken, etc.) to protect the rights, property and safety of us, affiliated parties, other users or the public;
  • Personal information you voluntarily disclose to the public or collected from legally publicly disclosed information.

5.4 Circumstances Not Requiring Consent

According to relevant laws and regulations and national standards, sharing, transferring or publicly disclosing your personal information under the following circumstances does not require your consent:

  • Related to the performance of obligations stipulated by laws and regulations;
  • Directly related to national security and national defense security;
  • Directly related to public safety, public health and major public interests;
  • Directly related to criminal investigation, prosecution, trial and judgment execution;
  • For the purpose of protecting your or other individuals' life, property and other major legitimate rights and interests but it is difficult to obtain your consent;
  • In accordance with laws and regulations and requirements of competent authorities, industry organizations such as Kenya Internet Finance Association.

5.5 Details of Third-Party Software Development Kits (SDKs)

To ensure the realization of relevant functions and safe and stable operation of the App, we may access SDKs provided by third parties. We will conduct strict security assessment on them and require them to take strict data protection measures in accordance with this Policy and relevant agreements.

Details of the main third-party SDKs we access are as follows:

  • Adjust SDK: Provided by Adjust GmbH. For application installation attribution, statistical analysis, advertising effect measurement and fraud prevention, this SDK collects your device identifier (such as advertising ID), IP address and application interaction events. For more information on data processing, please refer to their privacy policy: https://www.adjust.com/terms/privacy-policy/.
  • Firebase Analytics SDK: Provided by Google Ireland Limited. For statistical analysis of application performance, understanding user behavior to improve product experience and troubleshooting crash issues, this SDK collects your device identifier, application usage data (such as function clicks), device model and operating system version information. For more information on data processing, please refer to Google's privacy policy: https://policies.google.com/privacy.
  • Facebook SDK: Provided by Meta Platforms, Inc. For statistical analysis, measurement and optimization of advertising delivery effects, this SDK collects your device identifier, application usage data and advertising interaction data. For more information on data processing, please refer to Meta's privacy policy: https://www.facebook.com/privacy/policy/.

Please note that the specific data collection types or purposes of the above third-party SDKs may change due to version upgrades, function adjustments, etc. Please refer to their latest official policies. At the same time, you can reset or restrict the use of advertising identifiers (such as Apple's IDFA, Google's GAID) for advertising tracking through your device operating system settings.

6. Storage and Security Protection of Personal Information

6.1 Storage Method and Location

We are the data controller of your personal information. All information is transmitted to secure servers located within Kenya (server address: https://www.nyotaloans.com) through encryption technology for storage. If it is necessary to transmit data outside Kenya for storage or processing (such as using international cloud services), we will ensure compliance with cross-border data transmission specifications of the Data Protection Act 2019, and protect information security through encrypted transmission, signing data processing agreements, etc. Your information may be stored on financial clouds, and we will take all reasonable and necessary measures to ensure secure data processing and compliance with this Policy.

6.2 Security Protection Measures

We adopt multi-level security safeguards to fully protect your information security in line with financial application security standards:

  • Data Encryption: HTTPS protocol encryption for transmission, AES-256 encryption algorithm for storage, and additional desensitization for sensitive information; security technical measures such as de-identification are also used to strengthen information protection;
  • Access and Permission Control: Establish a data hierarchical classification management system, encrypt sensitive information such as mobile phone numbers and ID numbers throughout the process; set strict access and operation permissions, monitor access behavior in real time and retain logs; compliant device identifiers are processed by hash normalization to avoid plaintext transmission and storage;
  • Security Audit and Emergency Response: Regularly invite third-party security institutions to conduct security audits and fix vulnerabilities in a timely manner; establish an emergency response mechanism. In the event of a security incident such as information leakage, we will notify you and relevant regulatory authorities in a timely manner as required by law;
  • Third-Party Compliance Management: Conduct security qualification audits on cooperative service providers (including data inquiry service providers, CRB, etc.), require them to abide by equivalent data protection standards, and regularly verify compliance.

Please note that Internet transmission cannot achieve 100% absolute security. Due to the limitations and rapid development of technology, as well as the existence of various malicious attack methods, even if we strive to strengthen security measures, we cannot always guarantee 100% information security. If information is accessed without authorization, publicly disclosed, tampered with or destroyed due to the destruction of our physical, technical or management protection facilities, thereby damaging your legitimate rights and interests, we shall bear corresponding responsibilities strictly in accordance with the law; if information security risks arise due to your own reasons (device theft, password leakage), you shall bear the responsibility. After receiving your information, we will immediately activate the above security measures for protection.

7. Your Rights to Personal Information

In accordance with the Kenyan Data Protection Act 2019, you have the following rights regarding your personal information, and we will facilitate the exercise of your rights: You have the right to know how we process your personal information. We explain to you the collection, use, storage, provision and other processing methods of information through this Policy, and provide you with ways to query, update, delete and protect such personal information.

7.1 Specific Rights Content

  • Right of Access: May request to obtain a copy of all personal information we collect about you, including details such as processing purposes, sharing scope and storage period; have the right to access your personal business-related information including historical application information, transaction information, data inquiry records (mobile number check, ID number check, CRB credit report inquiry records) or other information not displayed in the App;
  • Right of Correction: If information is inaccurate or incomplete, you may request correction or supplementation (e.g., occupation and income changes can be modified through "Personal Center" or assisted by customer service); if you find that the personal information we process about you is incorrect, you have the right to request us to correct it;
  • Right of Erasure: When information is no longer necessary for service purposes, we engage in illegal processing or you withdraw consent, you may request deletion of personal information (you can apply by yourself through "Personal Center - Account Deletion" or contact customer service for assistance); you have the right to voluntarily apply for cancellation of your personal account;
  • Right of Restriction of Processing: When you object to the accuracy of information or dispute processing behavior, you may request suspension of information processing until the dispute is resolved;
  • Right to Data Portability: May request us to provide your personal information in a structured, commonly used and machine-readable format for transfer to other service providers (provided free of charge);
  • Right to Withdraw Consent: May withdraw consent for device permissions and information processing at any time (permission withdrawal is done through device settings, and information processing consent withdrawal is done by contacting customer service); in particular, withdrawal of authorization related to data inquiry will make it impossible to continue using core services such as loan application of the App;
  • Right to Disable Advertising Tracking: Android devices can reset GAID or disable personalized advertising through "Settings - Google - Ads"; iOS devices can disable IDFA usage permission through "Settings - Privacy & Security - Tracking".

7.2 Methods of Exercising Rights

If you wish to exercise the above rights, please send an application to the official email address in the "Contact Us" section of this Policy, indicating your name, registered mobile phone number and specific request. We will verify and respond within 14 working days upon receipt of the application. To ensure information security, we may require you to provide identity verification materials. For requests that are obviously without legal basis or repeatedly submitted, we reserve the right to refuse processing in accordance with the law after stating reasons.

You can leave a message to query or correct information through "Personal Center - Settings - Feedback" in the App, and we will reply within 5 working days. You can also apply for account cancellation through this path or customer service channels (account cancellation can be completed by entering "Personal Center - Settings - Cancel Account").

8. Retention Period of Personal Information

We only retain your personal information for the minimum period necessary to achieve the purposes stated in this Policy, following the principle of "minimum retention period":

  • Loan Service-Related Information: Retained until 3 years after full settlement of loan principal and interest, and automatically anonymized upon expiration;
  • Credit and Performance-Related Information: Retained until the expiration of relevant legal litigation prescription (usually 6 years) in accordance with the Data Protection Act 2019 and financial regulatory requirements. Such retention requirements have been filed with credit reference bureaus;
  • Data Inquiry-Related Records (Mobile Number Check, ID Number Check, CRB Credit Report Inquiry Records): Retained until 3 years after full settlement of loan principal and interest, and automatically anonymized upon expiration. If required for compliance verification, the retention period may be extended until the expiration of relevant legal litigation prescription;
  • Marketing-Related Information: Retained until the date you explicitly refuse to receive marketing information (marketing push can be turned off through "Settings - Message Notifications");
  • Compliant Device Identifier: Retained only during your use of the App. After uninstalling the App, locally stored identifiers are automatically deleted, and only hash-processed data that cannot be linked to personal identity is retained on the server side.

When information exceeds the retention period or is no longer necessary for services, we will process it through anonymization (unable to identify personal identity) or secure deletion. Deletion records are retained for at least 1 year for future reference.

9. Protection of Minors' Personal Information

We attach great importance to the protection of minors' personal information. Kenyan law stipulates that natural persons under the age of 18 are minors and are not eligible for independent loan applications. Our products and/or services are not intended for minors under the age of 18. We will never intentionally provide loan services to minors, nor will we take the initiative to collect minors' personal information or request relevant device permissions, let alone conduct mobile number checks, ID number checks or CRB credit report inquiries on minors.

If you are a minor under the age of 18, please stop using NyotaLoans products and services immediately. If we find that minors' personal information has been collected due to misoperation or other reasons, we will take the initiative to delete relevant information and terminate service provision within 7 working days after discovery.

If the guardian of a minor finds relevant situations or has questions about the information processing of the minor under guardianship, please contact us in a timely manner, and we will fully cooperate with the handling.

10. Changes to This Policy

To adapt to updates of laws and regulations, adjustments to business models, service upgrades or application function optimization, we may revise this Privacy Policy from time to time. Please keep an eye on updates to this page and the latest update date at the top of the Policy. The revised Policy shall take effect immediately upon being posted on this page, and no separate notice will be given to you one by one. If it involves major adjustments to core rights or information processing rules, we will give prominent prompts through reasonable means such as in-application announcements and homepage prompts. Without your explicit consent, we will not reduce the rights you enjoy under this Policy. We recommend you review this Policy regularly to keep abreast of the latest privacy protection rules and information processing methods. Your continued use of our products and services after the Policy is updated shall be deemed that you have read, understood and agreed to accept the revised latest version of the terms.

11. Contact Us

If you have questions about this Policy, need to file a complaint or report, wish to exercise rights related to personal information (including querying, withdrawing data inquiry authorization, etc.) or have any questions about our business, please contact us through the following ways:

  • Official Customer Service Email: [email protected]
  • In-App Feedback: Enter NyotaLoans APP, click "Personal Center - Settings - Feedback" to leave a message

We will contact you within 5 working days upon receipt of your email or message, and resolve the issue or give a clear reply within 14 working days. If you are not satisfied with the response result, you may further file a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya.

12. Disclaimer

  • This Policy is formulated in accordance with the Kenyan Data Protection Act 2019, Financial Institutions Act, Kenya Information and Communications Act, Banking (Credit Reference Bureaus) Regulations 2008. In case of conflict with legal provisions, legal provisions shall prevail;
  • We will take reasonable industry-standard measures to protect your information, but we shall be exempted from liability to the extent permitted by law for losses caused entirely by force majeure, your own reasons, or losses directly caused by unilateral breach of third parties after we have fulfilled reasonable duty of care and signed strict data protection agreements with third-party service providers (including data inquiry service providers, CRB, Peleza, etc.);
  • The App may contain third-party links or services. We are not responsible for the privacy policies and information processing behaviors of third parties, and recommend you carefully read third-party policies. Details of third-party SDKs (Software Development Kits) processing your personal information accessed by us have been detailed in Section 5.5 Third-Party Software Development Kits (SDKs) of this Privacy Policy;
  • You agree that legitimate results arising from our use and sharing of your information in accordance with this Policy are within the scope of your authorization. If information leakage occurs due to third parties (such as cooperative service providers, SDK providers, data inquiry service providers, CRB, Peleza, etc.) violating their legal obligations or contractual agreements after we have taken reasonable and necessary measures as mentioned above to restrict them, we will legally require them to bear responsibility and provide you with necessary assistance to safeguard your legitimate rights and interests. However, this does not exempt us from liability that we may bear as a data controller under applicable laws;
  • Although the platform adopts industry-standard practices to protect your personal information, due to technical limitations, the platform cannot ensure that all your private communications and other information will not be leaked through channels not listed in this Privacy Policy.