Privacy policy.

When you sign up and use the platform, we store:

• Identity: phone number, name, gender (optional), email (optional), preferred language.
• KYC documents: photos of your government-issued ID, uploaded by you. Encrypted at rest, visible only to platform admins doing verification.
• Chama activity: which chamas you belong to, your role, your contribution history, trust score, loan history.
• Payment metadata: M-Pesa transaction IDs, amounts, timestamps. We don't store PINs or card numbers; payment authentication happens on your phone through Safaricom.
• Technical logs: IP address, device type, rough location (country / city) for security and debugging. Retained 90 days.

• Your M-Pesa PIN. Ever. Safaricom authenticates you; we just get the result.
• Your contacts, SMS inbox, camera roll, microphone. No app-level permissions requested beyond what you actively upload.
• Tracking cookies for advertising. No ad networks are embedded.

Your data powers the service. Nothing more:

• Verifying your identity (OTP login, KYC review).
• Running your chama's contributions, rotations, loans, and wallet.
• Sending SMS receipts, reminders, and magic pay links.
• Calculating your trust score from your own on-time payment history.
• Complying with Kenyan law (AML, CBK, DPA where applicable).

Inside your chama, role-based access controls who sees what:

• You see all your own activity across every chama.
• Members see group-level activity (who paid, trust scores, cycles).
• Chairperson, treasurer, secretary see the same plus management actions.
• Changa Changa platform adminssee KYC documents during review and can access support-level logs when debugging an issue you've reported.

We share data with third parties only when strictly necessary: Safaricom for payments, our SMS provider for delivery, Cloudflare R2 for encrypted document storage. None of them receive more than they need to do their job.

• Encryption in transit: TLS 1.2+ for every connection.
• Encryption at rest: AES-256-GCM on KYC docs, Daraja credentials, OTP secrets, and refresh token hashes.
• Short-lived access tokens: JWTs expire in 15 minutes and are rotated via bcrypt-hashed refresh tokens.
• Dual-control withdrawals: two separate admins must approve before group funds leave the wallet.
• IP whitelisting: Daraja webhook endpoints only accept traffic from Safaricom in production.

• Active data: as long as you have an account or your chama is open.
• Financial records: 7 years after closure, to meet Kenyan tax and AML obligations.
• Technical logs: 90 days.
• OTP codes: 5-minute TTL, deleted on successful login.

Under the Kenya Data Protection Act, you can:

• Ask us what we hold about you.
• Correct any inaccurate data.
• Delete your account and, where legally allowed, your data.
• Export your chama ledger and personal history as a PDF.
• Object to how we process your data and lodge a complaint with the ODPC.

Exercise any of these via the contact page or email privacy@changachanga.ke.

We use a small number of strictly-functional cookies (session, CSRF, locale preference). No third-party trackers, no advertising cookies. Your browser can block all of them, though the app won't work if you block the session cookie.

Changa Changa is for adults. We don't knowingly collect data from anyone under 18. If we learn we've accidentally done so, we'll delete it.

If this policy changes materially, we'll tell you via the app and SMS before the change takes effect.