Mombo Sacco Privacy Notice

Effective Date: 3rd February 2024

1. SCOPE OF THIS PRIVACY NOTICE

1.1 Mombo App is a mobile application used by Mombo Savings and credit cooperative society to serve its members. Mombo Sacco is a Commissioner of cooperative development licensed savings and credit cooperative society and the data controller responsible for processing your data when you download and use the Mombo mobile application (“Mombo App”) hosted on the Google Play Store, Apple App Store or when you access our Services through other Channels.

1.2 Mombo Sacco may also act as a data processor for a data controller with whom you have a contractual relationship. In such instances, Mombo Sacco will act in accordance with the instructions given by the data controller.

1.3 If you have any questions about this Privacy Notice, please contact us via email at support@mombo.africa

1.4 Please read this Privacy Notice and our Privacy Policy carefully to understand our practices regarding your personal data in accordance with the Data Protection Act, 2019. By expressing your acceptance of the terms of this Privacy Notice and our Privacy Policy (through the Mombo App, or other Channels ), you accept and understand that your personal data will be processed in accordance with this Privacy Notice and our Privacy Policy.

1.5 Mombo App’s Services are not intended for children, and we do not knowingly collect data relating to children.

2. DEFINITIONS

2.1 “Channels” means any system or medium (including the Mombo App, Unstructured Supplementary Service Data (USSD) and web whether internet based, mobile device based or not), which may be established by Mombo Sacco from time to time to enable you to access and utilise one or more of the Services.

2.2 “Children” means individuals below the age of eighteen (18) years.

2.3 “Consent” means an express, unequivocal, free, specific, and informed indication of your wishes by a statement or by a clear affirmative action.

2.4 “Customer” or “User” means any individual to which Mombo Sacco provides its Services.

2.5 “Personal data” means any information relating to an identified or identifiable individual, which shall include Sensitive personal data.

2.6 “Sensitive personal data” means personal data about an individual’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the individual’s child(ren), parent(s), spouse(s), or the individual’s sex or the sexual orientation.

2.7 “Services” refers to the financial products and features provided by Mombo Sacco to Customers through the Mombo App, through its partner channels, or through other Channels.

2.8 “We”, “Our” and “Us” refer to Mombo Sacco.

3. THE DATA WE COLLECT ABOUT YOU

3.1 Mombo Sacco will collect personal data from you as you use our Services. This includes the following:

  • Identity Data: includes your full name, title, date of birth, age, gender, identity document,KRA pin certificate number and photo or image.
  • Profile Data: includes your level of education, employment status and income information, images, marital status, and other details you submit in response to surveys administered by Mombo Sacco or Mombo Sacco’s agents.
  • Contact Data: includes your present address, permanent address, email address, and mobile numbers.
  • Financial Data: includes your bank account statement, contract of employment, payslips,M-Pesa statement, title deed, logbooks, mobile account number, remittance account number, and payment card details.
  • Transaction Data: includes payments and transfers to and from you, and your Mombo App or Channel transaction history.
  • Device Data: includes the type of mobile device you use, device specifications (such as screen size, resolution, memory, or CPU capacity), unique device identifiers (IMEI number, IP address, Google Play Services ADID, MAC address), mobile network carrier, and mobile operating system.
  • Content Data: includes information stored on your device, such as contact lists, call and SMS logs, and list of installed applications.
  • Network Data: includes information about Mombo Sacco users in your network, such as volume, repayment behaviour, and demographics.
  • Usage Data: includes your username, password or PIN, OTP, and details of your use of the Mombo App or Channels.
  • Communications Data: includes records of messages received from you, your account, or your device, including customer service tickets filed through the App, Channels or via email, call logs and call recordings, and records of other interactions between you or your representatives and Mombo Sacco or its agents.
  • Marketing Data: includes your preferences in receiving promotional messages from us and our authorised third parties, as well as data provided by you in relation to special offers and promotional activities conducted by Mombo Sacco.
  • Location Data: includes your current location determined by geolocation technology.
  • Third Party Data: includes information about you that we obtain from partners, credit reference agencies or bureaus, external collection agencies, identity verification and sanctions screening service providers, mobile network providers, and marketing partners.

3.2 We also may collect other information about you, your device, and your use of the App or Channels in ways that we describe to you at the time of collection.

3.3 We process your personal data from the following sources:

  • 3.3.1 Information you give us. This is information you submit to us or allow us to access by expressing your acceptance in the Mombo App, through USSD transaction, or by other recorded means, including by filling in forms or by corresponding with us or interacting with our website or social media accounts.
  • 3.3.2 Information we collect from your device. This is information you allow us to access by installing the Mombo App or accessing our Channels on your Device and enabling certain device permissions.
  • 3.3.3 Third Party Data and publicly available sources. We may receive personal data about you from various third parties, partners and public sources such as:
  1. 3.3.3.1 Financial, Profile and Transaction Data from providers of technical, payment, delivery, and general financial services such as mobile network providers, money service businesses, USSD service providers, and external collection agencies.
  2. 3.3.3.2 Contact, Financial, Profile and Transaction Data from identity verification and sanctions screening service providers and credit reference agencies.
  3. 3.3.3.3 Communications Data from your interactions with our external collection agencies.
  4. 3.3.3.4 Identity, Profile, and Contact Data from partners and publicly available sources.

3.4 If you fail to provide or withhold any or all of the personal data that Mombo Sacco requests, we may be unable to provide you with our Services.

4. PURPOSES AND LAWFUL BASIS FOR WHICH WE WILL USE YOUR PERSONAL DATA

4.1 We will only process your personal data when we have a lawful basis to do so. In most instances, we will process your personal data under one of the following circumstances:

  • 4.1.1 Where you have given your consent for the processing of your personal data.
  • 4.1.2 Where we need to perform a contract with you, or where we need to take steps at your request before entering into a contract with you.
  • 4.1.3 Where we need to comply with a legal obligation.
  • 4.1.4 Where it is necessary for our legitimate interests (or those of a third party), and where your interests and fundamental rights do not override those interests.

PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

Purpose/activity

Type of data

Lawful basis for processing

a.     To install the Mombo App or Channel set up and register you as a new App or Channel user

Device

 Usage

Contact

Your consent

a. To create your Mombo App or Channel user profile 

b. To verify your identity through internal or outsourced tools or services

c. To determine your eligibility for our Services through the use of automated and manual processing, including credit scoring and fraud prevention through machine learning technology

d. To conduct additional verification of your credit and financial history through credit reference agencies, credit bureaus, and other reliable sources

e. To process transactions and deliver Services including disbursing loans and collecting payments for your use of the Services

f. To process customer savings, credit insurance, medical insurance,motor vehicle with insurer or insurance brokers.

Images

Personal documents

Identity

Profile

Financial

Contact

Content

Network

Location

Third Party

Performance of a contract with you 

Necessary for our legitimate interests (to conduct responsible lending)

Necessary for regulatory compliance

a. To perform manual and automated screening of your profile and your transactions pursuant to Anti-Money Laundering, Counter Terrorist Financing and Counter Proliferation Financing (AML/CFT/CPF) regulations

b. To submit reports of covered and suspicious transactions to the Financial Reporting Centre (FRC)

c. To supply your account transaction history to the credit bureaus, which may include information on repayments and defaults and account opening and closing

d. To exchange information with any local or international law enforcement or competent authority to assist in the prevention, detection, investigation or prosecution of criminal activities

e. To supply your transaction and repayment information in the reporting and remittance of relevant taxes to the Kenya Revenue Authority (KRA)

Contact 

Usage

Communications 

Marketing

Third Party

Performance of a contract with you 

Necessary for our legitimate interests (to keep records updated and to analyse how customers use our products/ Services)

a. To deliver content and advertisements to you 

b. To make recommendations to you about goods or services which may interest you

c. To send you marketing notices, announcements about optional service updates, and promotional offers

d. To measure and analyse the effectiveness of the advertising we serve you 

e. To monitor trends so we can improve our Services

f. To enable you to participate in a prize draw, competition or complete a survey

Identity

Profile 

Contact 

Financial 

Transaction 

Device 

Content 

Network

Usage

Communications 

Marketing 

Location 

Third Party

Performance of a contract with you 

Necessary for our legitimate interests (for running our business)

a. To conduct research and testing of product features and modifications to the Services, including experimentation with limited user segments prior to general availability

b. To develop and refine machine learning models for fraud prevention, credit scoring, underwriting, and other automated decision-making processes

c. To administer training for Mombo Sacco personnel and conduct performance evaluations

d. To conduct quality assurance and internal audit

e. To conduct statistical analysis, including behavioral analysis and profiling.

f. To seek professional advice, including, in connection with any legal proceedings (including any prospective legal proceedings), for obtaining legal advice or for establishing, exercising or defending legal rights;

Identity

Profile 

Contact 

Financial 

Transaction 

Device 

Content 

Network

Usage

Communications 

Marketing 

Location 

Third Party

Necessary for our legitimate interests (to maintain Service quality and for the continuous improvement of our Services)
   
   

5. DISCLOSURES OF YOUR PERSONAL DATA

When you consent to providing us with your personal data, we will also ask you for your consent to share your personal data with the third parties set out below for the purposes set out in the table above.

5.1 Internal Third Parties being Mombo Sacco partner companies acting as joint controllers or processors and provide system administration and other shared services.

5.2 External Third Parties such as:

  • 5.2.1 Data controllers with whom you have a contractual relationship and for whom Mombo Sacco acts as a data processor;
  • 5.2.2 Mobile money providers whom we use for verification in relation to your mobile money account, pursuant to the agreement between you and the relevant mobile money provider;
  • 5.2.3 Credit bureaus and/or any other reliable sources from whom we may obtain your personal data and also supply your consumer credit information which may include information on repayments and defaults and account opening and closing;
  • 5.2.4 Any local or international law enforcement or competent regulatory or governmental agencies in connection with an official request so as to assist in the prevention, detection, investigation or prosecution of criminal activities or fraud;
  • 5.2.5 Mombo Sacco’s service providers, such as external collection agencies, rating agency correspondents, insurer or insurance broker, direct or indirect provider of credit protection and fraud prevention agencies who are acting as data processors upon the instructions of Mombo Sacco;
  • 5.2.6 Mombo Sacco’s agents or any other company that may be or become Mombo Sacco’s affiliate entity, for reasonable commercial purposes relating to the Services;
  • 5.2.7 Mombo Sacco’s professional advisors and consultants including lawyers and auditors or to any court or arbitration tribunal in connection with any legal or audit proceedings;

5.3 Third parties to whom we may choose to sell, assign, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Notice.

5.4 Any other person that we deem legitimately necessary to share the data with, in all cases in compliance with the Data Protection Act, 2019.

6. INTERNATIONAL TRANSFERS

6.1 Your personal data collected by Mombo Sacco shall be stored and processed outside of Kenya in a location where Mombo Sacco or its agents maintain facilities, including the use of cloud storage and cloud computing technology.

6.2 Whenever we transfer your personal data outside of Kenya, we ensure a similar degree of protection is afforded to it by ensuring adequate safeguards are implemented. We ensure your personal data is protected by requiring all our affiliate companies, personnel, and agents to follow the same rules when processing your personal data.

7. AUTOMATED PROCESSING

We use automated processing to determine your eligibility for our Services based on the personal data that we collect. Our fraud prevention and credit models utilise both data science, machine-learning technology and human intervention and are regularly tested to ensure they remain fair, accurate, and unbiased. You may object to the automated processing of your personal data, but doing so will prevent us from providing you with our Services. If you wish to request a reconsideration of an automated decision, you may contact us via email at support@mombo.africa. Please note that human intervention does not guarantee that the automated decision will be overturned.

8.1 Mombo Sacco implements an Information Security Management System to maintain the confidentiality, integrity, and availability of Mombo Sacco’s information resources, in keeping with our commitments, industry standards and global best practices. You may refer to our Privacy Policy for further details on the data governance and security measures that we implement.

8.2 Where you have chosen or have been given a password, PIN or OTP code that enables you to access certain parts of the Mombo App or Channels portal, you are responsible for keeping this password, PIN or OTP code confidential. Never share this password, PIN or OTP code with anyone. Mombo Sacco will never ask you to provide us with your password PIN or OTP code.

8.3 We have put in place procedures to deal with any suspected breach of personal data and will notify you and any applicable regulatory authority when we are legally required to do so.

9. DATA RETENTION

9.1 Being a registered reporting institution under the Proceeds of Crime and Anti-Money Laundering Act, as amended (POCAMLA), Mombo Sacco has the obligation to retain certain records for a period of at least seven (7) years or such longer period as the FRC may require, from the date of the relevant transaction or following the termination of an account or business relationship with Mombo Sacco. To ensure Mombo Sacco’s ability to comply with this obligation, Mombo Sacco will retain relevant personal data associated with your account for a period of ten (10) years from the date of the closure of your Mombo Sacco account.

9.2 In some circumstances, such as when you have no outstanding credit balance with Mombo Sacco and or partner companies, you can ask us to close your Mombo Sacco account and delete the associated personal data (subject to Mombo Sacco’s record retention obligations under the POCAMLA as mentioned above): see the section on Your Data Subject Rights below for further information.

9.3 In some circumstances we will anonymise your information such that it will no longer constitute personal data. In such cases we may use anonymised information for whatever legitimate purpose without further notice to you.

10. YOUR DATA SUBJECT RIGHTS

10.1 As a data subject, you have the following rights in relation to your personal data:

  • To be informed of the uses for which your personal data is processed;
  • To access your personal data in our custody, as well as information about:
  1. the purposes for which we process your personal data;
  2. the categories of personal data processed;
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
  4. where possible, the period for which the personal data may be stored, or the criteria used to determine the period for storage and retention;
  5. where the personal data is not collected from you as the data subject, any available information as to the source of collection.
  • To object to the processing of all or part of your personal data (unless we have compelling legitimate interests to continue the processing, or when it is necessary for the establishment, exercise, or defence fo a legal claim);
  • To correct or rectify false, inaccurate, outdated, incomplete, or misleading data about you (subject to verification, such as examination of supporting documents);
  • To erase or delete data that is false, misleading, irrelevant, excessive, unlawfully obtained, or which we are no longer authorised to retain. Your right to erasure will not apply if it is necessary for us to continue to process your personal data to comply with a legal obligation, or for to establish, exercise, or defend a legal claim.
  • To copy, port, or receive your personal data in a structured, commonly used, and machine-readable format, or to have your personal data ported to another data controller or data processor.

10.2 You may request that we restrict the processing of your personal data in the following circumstances:

  • 10.2.1 where need to verify the accuracy of data that you are contesting;
  • 10.2.2 where our use of the data is unlawful but you do not want us to erase it;
  • 10.2.3 where the purpose of the processing has been achieved, but the we need your personal data to establish, exercise or defend legal claims;
  • 10.2.4 you have objected to our use of your data but we need to determine whether we have overriding legitimate grounds to use it.

10.3 You have the right to object to the processing of your personal data for direct marketing purposes, and you can opt out of direct marketing communications by asking us not to send you direct marketing messages.

10.4 You may withhold or withdraw your consent in cases where we rely on your consent as the lawful basis for processing of your Personal Data. Doing so may prevent us from providing you with our Services.

10.5 You or your authorised representative can exercise any of these rights at any time, subject to our verification and review, by contacting us via email at support@mombo.africa.

11. CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES

11.1 We keep this Privacy Notice under regular review. Changes to this Privacy Notice will be posted on this page and, where appropriate, notified to you through either the Mombo App or Channels, Website email, or SMS.

11.2 It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.

12. OTHER TERMS AND CONDITIONS

There may be specific terms and conditions in our third parties and/or partners’ legal agreements that govern the collection, use and disclosure of your Personal Data. Such other terms and conditions must be read in conjunctions with this Privacy Statement.

12. THIRD PARTY LINKS

Our Services may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services. Please check these policies before you submit any personal data to these websites or use these services.