Privacy Policy
Last updated: 21 April 2026 · Version v1.0-DRAFT
This policy is in draft pending legal review. It describes how MyChama will handle your data at launch. Questions? Contact [email protected].
1. Who we are
MyChama Ltd (registration in progress) is a Kenyan private limited company that operates the MyChama platform at mychama.app and origin.mychama.app. We help Kenyan chamas (savings / investment groups) keep contributions, loans, welfare, and meeting records in one place.
For the purposes of the Kenya Data Protection Act, 2019 ("DPA"), MyChama Ltd is the data controller for the personal data you provide as a platform user. Where your chama uploads information about its members, MyChama Ltd acts as a data processor on behalf of your chama (which is the controller for that member data).
Data Protection Officer (DPO): contactable at [email protected].
General contact: [email protected].
ODPC registration: application pending. Certificate number will be published here once issued.
2. What data we collect
Account and profile
When you create an account we collect:
- Your name, email, and phone number (required).
- Password (stored hashed with PBKDF2 — we never see your plaintext password).
- Optional: national ID number, date of birth, address, occupation, monthly income, profile photo, next-of-kin and emergency contact details. You choose what to provide. We flag the sensitive fields (ID, DOB, income) when you enter them.
Chama financial records
Your chama's records — monthly contributions, loans, welfare claims, investments, bills, meeting minutes, and the M-Pesa or bank transactions that underlie them — live in your organisation's account. We store these so your chama can run, report, and reconcile them. Only members of that chama with the right role can see them.
Meeting documents you upload
Minutes (PDF or Word), the chama constitution, and any attachments you choose to upload. We extract text from minute documents to help with record-keeping; we do not share that text with anyone outside your chama.
M-Pesa payment data
When you pay via M-Pesa (STK Push or paybill), Safaricom sends us the transaction reference, amount, paying phone number, and timestamp via the Daraja API. We use this to reconcile the payment against your contribution or bill.
Technical / analytics
Server logs (IP address, browser user-agent, request timestamps) for security and debugging. A first-party cookie named mychama_consent that records whether you've agreed to the cookies we use (see §4). We do not use Google Analytics, Meta Pixel, or third-party trackers on this marketing site.
3. Why we process it (lawful basis)
Under DPA §30 we rely on the following lawful bases:
- Contract performance — to deliver the service you signed up for (account creation, running the chama, producing statements, processing payments).
- Your consent — at signup, for marketing emails (opt-in, can be revoked), and for any optional data you provide.
- Legal obligation — financial records we must keep (7 years) and responses we must give to lawful orders.
- Legitimate interest — security monitoring, fraud prevention, and product improvement, balanced against your privacy.
4. Cookies
Our site uses one cookie category you need to know about:
- mychama_consent — first-party, records your cookie preferences (12 months).
- sessionid / csrftoken — first-party, used to keep you signed in and to protect against cross-site request forgery. These are necessary for the app to work at all.
We do not use third-party advertising cookies. If that changes, we'll ask for your consent first.
5. Who we share data with (sub-processors)
We use the following service providers to run MyChama. Each handles only the data it needs for its function:
| Provider | Purpose | Where the data goes |
|---|---|---|
| Hetzner Online GmbH | Application server + database hosting | Germany (EU) |
| Cloudflare, Inc. | DNS, CDN, marketing site hosting (Pages), DDoS protection | Global edge (incl. Kenya) |
| Safaricom PLC (Daraja API) | M-Pesa STK Push and paybill reconciliation | Kenya |
| Africa's Talking Ltd | SMS notifications | Kenya |
| Meta Platforms, Inc. | WhatsApp notifications via WhatsApp Business API | United States |
| Google LLC (OAuth + SMTP fallback) | Sign-in with Google; outbound email delivery | United States |
| Functional Software, Inc. (Sentry) | Error tracking (if enabled — no chama financial data sent) | United States |
We do not sell your data. We do not share it with advertisers, data brokers, or other chamas. We'll update this list if we add, remove, or change providers and note material changes at the top of this page.
6. Cross-border data transfers
Some of our providers process data outside Kenya:
- Germany (Hetzner): the EU has been assessed by the ODPC as providing an adequate level of data protection.
- United States (Google, Meta, Sentry, some Cloudflare edges): we rely on the provider's contractual safeguards (standard contractual clauses equivalents) and, where applicable, your explicit consent.
You can ask us for a copy of the safeguards in place for any transfer at [email protected].
7. How long we keep it
- Active account data: kept for as long as you use MyChama.
- Financial records: 7 years after creation (to match Kenyan accounting and tax recordkeeping norms), even if you close your account.
- Server logs: 90 days.
- Error-tracking data: 30 days.
- Marketing preferences / unsubscribes: indefinitely (so we remember that you opted out).
When a retention period ends, we delete or irreversibly anonymise the data.
8. Your rights
The Kenya DPA gives you the following rights. You can exercise any of them by emailing [email protected]. We'll respond within 30 days.
- Access — get a copy of the personal data we hold about you.
- Correction — ask us to fix information that's wrong or incomplete.
- Deletion — ask us to delete your data, subject to our legal obligation to keep financial records (see §7).
- Portability — get your data in a structured, machine-readable format, or have us send it to another provider.
- Objection — object to processing based on legitimate interest or to direct marketing.
- Restriction — ask us to pause processing while a dispute is resolved.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
If you think we've mishandled your data, you can complain to the Office of the Data Protection Commissioner at [email protected]. We ask that you raise the issue with us first so we can try to put it right.
9. How we protect your data
- TLS encryption in transit for every request.
- Hashed passwords (PBKDF2).
- Role-based access controls — chama data is scoped to your chama; MyChama staff access is minimal and audit-logged.
- Routine database backups held on Hetzner infrastructure.
- Security patching and dependency monitoring.
We are actively rolling out encryption at rest for sensitive personal data fields. Timeline and scope will be updated in this policy as the work progresses.
10. Data breach notification
If a breach affects your personal data, we will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of it, as required by DPA §43. We will also notify you directly, as soon as reasonably practicable, if the breach is likely to result in a high risk to your rights — unless the data was protected such that the risk is materially reduced (e.g. encrypted), in which case we will notify you if or when that changes.
11. Children
MyChama is not intended for users under the age of 18. We do not knowingly collect data from children. If you believe a minor has provided us personal data, contact [email protected] and we will delete it.
12. Changes to this policy
When we make material changes, we'll update the "Last updated" date at the top of this page, bump the version, and notify you by email. Minor wording or formatting fixes are made without notice.
13. Contact
Data Protection Officer: [email protected]
General: [email protected]
Postal address: to be added once MyChama Ltd incorporation completes.