Last updated: 7th January 2026

1. Introduction

Bizilabs (“we”, “us”, or “our”) is the Data Controller for the personal data collected through the Thamani mobile application. We are committed to protecting your privacy in accordance with the Constitution of Kenya and the Data Protection Act (2019). By using Thamani, you agree to the practices described in this Privacy Policy.

2. Information We Collect

We collect only the data necessary to provide you with financial insights.
  • Account Data: Email address and authentication credentials (via Supabase).
  • Transaction Data (Sensitive): With your explicit consent, we process M-PESA SMS messages (Amount, Date, Merchant/Sender, and Reference). We use automated “keyword filtering” to ensure personal texts are ignored.
  • Device Data: Phone numbers and SIM slot information to uniquely group your transactions.
  • Usage Data: Anonymized metrics on app performance and feature engagement (via PostHog).

3. Lawful Basis for Processing

Under Section 30 of the Data Protection Act, we process your data based on:
  • Consent: Your clear affirmative action to grant SMS and Device permissions.
  • Contractual Necessity: To provide the tracking and summaries you signed up for.
  • Legitimate Interests: To maintain app security and troubleshoot performance issues.

4. Data Sharing and International Transfers

We do not sell your personal data. To operate the Service, we share data with:
  • Infrastructure Providers: Supabase (Database/Auth) and Google Cloud.
  • Analytics & Billing: PostHog and RevenueCat.

Note on Cross-Border Transfers: Some of these providers host data outside of Kenya. By using the Service, you consent to this transfer. We ensure these providers maintain data protection standards equivalent to those required under Kenyan law.

5. Data Security

We implement “Data Protection by Design and Default”, including:
  • Encryption: All data is encrypted in transit (TLS) and at rest (AES-256).
  • Access Control: Strict internal policies to ensure only authorized system processes handle transaction data.
  • Anonymization: We strip identifiers from data used for internal analytics.

6. Data Retention

We retain your personal data only for as long as your account is active.
  • Account Deletion: If you delete your account, your data is scrubbed from our active databases within 30 days, except where retention is required by law.

7. Your Rights as a Data Subject

In accordance with Section 26 of the Data Protection Act, you have the right to:
  • Be Informed: To know how your data is being used (this Policy).
  • Access: Request a copy of the data we hold about you.
  • Correction: Request that we fix inaccurate or incomplete data.
  • Deletion (Right to be Forgotten): Request the permanent erasure of your data.
  • Object/Restricted Processing: Opt out of certain data uses.
  • Data Portability: Request your data in a structured, machine-readable format.
  • Withdraw Consent: Revoke permissions at any time via device settings.

8. Children’s Privacy

Thamani is restricted to users aged 18 and above. We do not knowingly collect data from minors. If we discover such data has been collected, it will be deleted immediately.

9. Complaints

If you believe your data has been mishandled, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya via their website (www.odpc.go.ke).

10. Contact Us

For any privacy-related inquiries or to exercise your rights, please contact us at justbizilabs@gmail.com