Privacy Policy

1. Introduction

iTrust Finance Limited ("iTrust," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, process, store, and protect your personal data when you use our Mobile App, Customer Portal, and related services (collectively, the "Platform").

This Privacy Policy is designed to comply with the Personal Data Protection Act No. 11 of 2022, the Cybercrimes Act, 2015, the Electronic and Postal Communications Act (EPOCA), 2010, relevant regulations from the Bank of Tanzania (BoT) and Capital Markets and Securities Authority (CMSA), and other applicable Tanzanian laws and regulations.

iTrust Finance Limited is registered as a Data Processor with the Personal Data Protection Commission (PDPC) of Tanzania, in accordance with the Personal Data Protection Act No. 11 of 2022.

2. About iTrust Finance Limited

iTrust Finance Limited is a company incorporated under the laws of the United Republic of Tanzania. We are licensed and regulated by the Capital Markets and Securities Authority (CMSA) and authorized to provide investment advisory, fund management, and securities trading services in Tanzania. We are also licensed and regulated by the Bank of Tanzania (BoT) as a Tier 2 Financial Services Provider.

Regulatory Information

  • PDPC Registration Number: 0-000-002-094.

Registered Office:

Contact Information:

3. Information We Collect

3.1 Personal Data

Registration Information

  • Full name as per official identification.
  • Email address.
  • Mobile phone number.
  • National Identification Number (NIDA).
  • Biometric details (fingerprint, photo).
  • Passport details.
  • Date of birth.
  • Residential address.
  • Nationality and residence status.

Financial Information

  • Bank account details.
  • Investment portfolio information.
  • Transaction history.
  • Investment preferences and objectives.
  • Risk tolerance assessment data.
  • Income and financial status information.

Technical Information

  • Device information (type, model, operating system).
  • IP address and location data.
  • Browser type and version.
  • Usage patterns and Platform interaction data.
  • Mobile device identifiers.

In certain circumstances, and where permitted by law, we may also collect your personal information from third-party sources. These may include, but are not limited to, credit bureaus for creditworthiness assessment, public registers for identity verification (e.g., NIDA database), and regulatory bodies for compliance purposes. We will inform you of the source of such data upon your request, in accordance with the PDPA 2022.

3.2 Sensitive Personal Data

In accordance with the Personal Data Protection Act 2022, we may collect sensitive personal data including:

  • Financial information and transaction records.
  • Identification documents and biometric data (where applicable) collected for identity verification and secure login as specified in Section 3.1.
  • Investment and trading patterns.

Such sensitive data is processed only with your explicit consent and for specific purposes outlined in this Policy.

4. How We Use Your Information

4.1 Primary Purposes

Service Provision

  • Account registration and identity verification.
  • Processing investment transactions and trades.
  • Providing investment advisory services.
  • Portfolio management and reporting.
  • Customer support and communication.

Regulatory Compliance

  • Know Your Customer (KYC) verification.
  • Anti-Money Laundering (AML) compliance.
  • Regulatory reporting to CMSA, Bank of Tanzania, and other authorities.
  • Tax reporting and compliance.

Business Operations

  • Risk management and fraud prevention.
  • Platform improvement and development.
  • Marketing and promotional activities (with consent). You can withdraw your consent for marketing communications at any time through your account settings or by contacting us using the details in Section 14.
  • Research and analytics for service enhancement.

4.2 Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Your consent for specific processing activities.
  • Contractual necessity for service provision.
  • Legal obligations under financial services (e.g., Know Your Customer (KYC), Anti-Money Laundering (AML), tax reporting, and regulatory reporting to CMSA and Bank of Tanzania).
  • Legitimate interests in business operations and security including but not limited to improving and developing our Platform and services, preventing fraud, managing business risks, and ensuring the security of our systems and data.

5. Data Sharing and Disclosure

5.1 Authorized Disclosures

When we share your personal information with third-party service providers (data processors), we ensure they are bound by contractual agreements that obligate them to maintain data protection standards at least equivalent to those set out in this Privacy Policy and the Personal Data Protection Act 2022. We do not sell your personal data to marketing partners. We may share your personal information with:

Regulatory Authorities

  • Capital Markets and Securities Authority (CMSA).
  • Bank of Tanzania (BoT).
  • Tanzania Revenue Authority (TRA).
  • Financial Intelligence Unit (FIU).
  • Other regulatory bodies as required by law.

Service Providers

  • Capital Markets and Securities Authority (CMSA) Dar es Salaam Stock Exchange (DSE).
  • Central Securities Depository (CSD).
  • Licensed dealing members and brokers.
  • Payment processors and financial institutions.
  • Technology service providers and system administrators.

Third Parties

  • Legal advisors and auditors.
  • Credit bureaus and risk assessment agencies.
  • Marketing partners (with your consent).

5.2 Legal Basis for Processing

We may disclose your information without consent in the following circumstances:

  • Legal requirements and court orders.
  • Prevention of money laundering and terrorist financing.
  • Fraud prevention and investigation.
  • Protection of our rights and interests.
  • Public interest and national security, strictly in accordance with applicable laws and lawful orders.

6. Data Security

6.1 Security Measures

We implement appropriate technical and organizational security measures to protect your personal data, including:

  • Encryption of data in transit and at rest.
  • Secure authentication and access controls.
  • Regular security assessments and updates.
  • Staff training on data protection.
  • Incident response procedures.

We also conduct regular Data Protection Impact Assessments (DPIAs) for new processing activities or significant changes to existing ones, especially those involving sensitive personal data, to identify and mitigate privacy risks. Our security practices align with industry best practices for financial institutions.

6.2 Data Breach Response

In the event of a breach, we will:

  • Notify the Personal Data Protection Commission within 72 hours.
  • Inform affected individuals without undue delay.
  • Take immediate steps to contain and remediate the breach.
  • Cooperate with regulatory authorities in investigation.

7. Data Retention

7.1 Retention Periods

To comply with regulatory obligations for financial records, for audit purposes, and to resolve disputes, we retain your personal data for the following periods:

  • Account information: Duration of account relationship plus 7 years.
  • Transaction records: 7 years from transaction date.
  • KYC documents: 5 years from account closure.
  • Marketing communications: Until consent is withdrawn.

7.2 Disposal

Personal data is securely destroyed or deleted when retention periods expire, unless required by law to be retained longer.

8. International Data Transfers

8.1 Transfer Restrictions

In accordance with the Personal Data Protection Act 2022, we do not transfer personal data outside Tanzania without appropriate safeguards and authorization from the Personal Data Protection Commission.

8.2 Authorized Transfers

Where transfers are necessary for service provision, we ensure:

  • All regulatory requirements from respective regulators are met.
  • Adequate data protection standards in the destination country.
  • Contractual protections for data subjects.
  • Compliance with PDPA transfer requirements.

9. Your Rights

9.1 Data Subject Rights

Under the Personal Data Protection Act 2022, you have the following rights:

Access Rights

  • Request access to your personal data.
  • Obtain copies of your data.
  • Request information about data processing.

Correction Rights

  • Request correction of inaccurate data.
  • Update incomplete information.
  • Request data rectification.

Deletion Rights

  • Request the erasure of personal data.
  • Object to processing in certain circumstances.
  • Request data portability.

Control Rights

  • Withdraw consent for processing.
  • Object to automated decision-making.
  • Request restriction of processing.

9.2 Exercising Your Rights

To exercise your rights, contact us at:

We will respond to your request within 30 days as required by law. Should your request be complex or numerous, we may extend this period by a further 60 days, and we will inform you of any such extension and the reasons for it within the initial 30-day period.

You also have the right to lodge a complaint with the Personal Data Protection Commission if you believe your data protection rights have been violated.

10. Cookies and Tracking

Our Platform uses cookies and similar technologies to:

  • Maintain user sessions and preferences.
  • Improve Platform functionality.
  • Analyse usage patterns.
  • Enhance security.

You can manage cookie preferences through your browser settings. Note that disabling cookies may affect Platform functionality.

11. Children’s Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If we discover we have collected such information, we will delete it immediately.

12. Updates to This Policy

12.1 Policy Changes

We may update this Privacy Policy from time to time to reflect:

  • Changes in applicable laws.
  • Updates to our services.
  • Improvements to our privacy practices.

12.2 Notification of Changes

We will notify you of material changes (e.g., changes to how we process sensitive data, significant new uses of data, or changes in data sharing practices) through:

  • Email notifications.
  • Platform notifications.
  • Website announcements.

Continued use of our Platform after changes constitutes acceptance of the updated Policy.

13. Complaints and Disputes

13.1 Operational Complaints

If you have concerns about our data processing practices, contact our Data Protection Officer at:

The Data Protection Officer (DPO) is responsible for overseeing compliance with this Privacy Policy and the Personal Data Protection Act 2022, and for handling data protection inquiries and requests.

13.2 Regulatory Complaints

Personal Data Protection Commission

Capital Markets and Securities Authority