Mkango Capital is committed to protecting your personal data in compliance with Zambian data protection laws and international best practices. This notice explains our data protection practices and your rights as a data subject.
1. Data Controller Information
Data Controller: Mkango Capital Limited
Registration Number: [Company Registration Number]
Registered Office: Lusaka, Zambia
Data Protection Officer: dpo@mkangocapital.com
Contact: +260 XXX XXX XXX
2. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contractual Necessity: Processing is necessary to perform our loan services contract with you
- Legal Obligation: Processing is required to comply with banking regulations, anti-money laundering laws, and other legal requirements
- Legitimate Interests: Processing is necessary for our legitimate business interests, including fraud prevention and risk management
- Consent: For marketing communications and optional services (where you have provided explicit consent)
3. Categories of Personal Data
3.1 Identity Data
- Full name and aliases
- Date of birth and age
- National Registration Card details
- Photograph and biometric data
- Gender and marital status
3.2 Contact Data
- Residential and postal addresses
- Phone numbers (mobile and landline)
- Email addresses
- Emergency contact information
3.3 Financial Data
- Employment and income information
- Bank account details
- Credit history and scores
- Loan and repayment records
- Mobile money account details
3.4 Technical Data
- IP address and device identifiers
- Login credentials
- Usage and activity logs
- Browser and operating system information
4. Data Processing Activities
4.1 Loan Application Processing
Purpose: To assess and approve loan applications
Data Used: All categories of personal data
Retention Period: 7 years after loan closure
4.2 Credit Assessment
Purpose: To evaluate creditworthiness and repayment capacity
Data Used: Financial and credit history data
Third Parties: Credit reference bureaus, employers
4.3 Fraud Prevention
Purpose: To detect and prevent fraudulent activities
Data Used: Identity, financial, and technical data
Legal Basis: Legitimate interests and legal obligation
4.4 Communication
Purpose: To send loan updates, notifications, and customer service messages
Data Used: Contact data
Methods: SMS, email, phone calls
5. Data Subject Rights
Under Zambian data protection laws, you have the following rights:
5.1 Right to Access
You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request.
5.2 Right to Rectification
You can request correction of inaccurate or incomplete personal data. We will update our records promptly.
5.3 Right to Erasure
You can request deletion of your personal data, subject to legal and regulatory retention requirements.
5.4 Right to Object
You can object to the processing of your data for direct marketing purposes, or where the processing is based on legitimate interests.
5.5 Right to Data Portability
You can request your personal data in a structured, machine-readable format.
5.6 Right to Withdraw Consent
Where processing is based on consent, you can withdraw it at any time (this does not affect the lawfulness of processing before withdrawal).
5.7 Right to Lodge a Complaint
You can lodge a complaint with the relevant data protection authority if you believe your rights have been violated.
6. Data Security Measures
6.1 Technical Safeguards
- End-to-end encryption for data transmission
- Encryption at rest for stored data
- Multi-factor authentication
- Intrusion detection and prevention systems
- Regular security updates and patches
6.2 Organizational Safeguards
- Access controls based on role and need-to-know
- Employee training on data protection
- Confidentiality agreements
- Regular security audits and assessments
- Incident response and breach notification procedures
6.3 Physical Security
- Secure server facilities
- Access control to physical premises
- CCTV monitoring
- Secure document storage and disposal
7. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms:
- We will notify you within 72 hours of becoming aware of the breach
- We will describe the nature and likely consequences of the breach
- We will outline the measures taken to address the breach
- We will report the breach to relevant authorities as required by law
8. International Data Transfers
If we transfer your data outside Zambia, we ensure:
- The receiving country has adequate data protection laws, or
- Appropriate safeguards are in place (such as standard contractual clauses), or
- We have obtained your explicit consent for the transfer
9. Automated Decision-Making
We may use automated systems to:
- Assess loan applications and creditworthiness
- Detect fraudulent activities
- Calculate loan offers and terms
You have the right to request human review of automated decisions that significantly affect you.
10. Third-Party Data Processors
We engage third-party service providers who process data on our behalf:
- Cloud hosting providers
- SMS and email service providers
- Payment processors
- Credit reference bureaus
- IT support and maintenance providers
All processors are contractually bound to protect your data and use it only for specified purposes.
11. Exercising Your Rights
To exercise any of your data protection rights:
- Submit a written request to dpo@mkangocapital.com or our registered office
- Provide proof of identity (e.g., copy of NRC)
- Specify which right(s) you wish to exercise
- We will respond within 30 days of receiving your request
12. Contact Information
For any questions, concerns, or requests related to data protection:
Data Protection Officer
dpo@mkangocapital.com
+260 XXX XXX XXX
Mkango Capital, Lusaka, Zambia
Our Commitment: We are dedicated to maintaining the highest standards of data protection and continuously improving our practices to safeguard your personal information.