Privacy Policy
Effective date: April 1, 2026
1. Introduction
Nsubiza Ltd ("we", "us", "our"), a company registered with the Rwanda Development Board (RDB) and headquartered in Huye, Rwanda, operates the Kwa Muzehe platform ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal data in compliance with Law No. 058/2021 of 13/10/2021 Relating to the Protection of Personal Data and Privacy of the Republic of Rwanda.
By using our Service, you consent to the data practices described in this policy.
2. Data Controller
The data controller for the purposes of this policy is:
Nsubiza Ltd
RDB Registered Company, Huye, Southern Province, Rwanda
Data Protection Officer: dpo@kwamuzehe.com
Support: support@kwamuzehe.com
Phone: +250 788 000 000
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Account Information
- Full name
- Phone number (used as primary identifier)
- Email address (optional)
- National ID number (optional, for contract signing and RRA compliance)
- Taxpayer Identification Number / TIN (optional, for tax reporting)
3.2 Property and Tenancy Data
- Property addresses and unit details
- Lease agreement terms and rent amounts
- Payment history and transaction records
- Maintenance request details
3.3 Financial Data
- Mobile Money transaction references (MTN MoMo, Airtel Money)
- Bank account details (for payouts)
- Payment amounts and dates
3.4 Technical Data
- Device type and operating system
- IP address and approximate location
- App usage analytics (anonymized)
4. Legal Basis for Processing
In accordance with Article 30 of Law No. 058/2021, we process your personal data on the following legal bases:
- Consent: You provide explicit consent when creating your account and accepting this policy.
- Contractual necessity: Processing is necessary to provide the services you have requested (property management, rent collection, receipt generation).
- Legal obligation: We are required to generate tax-compliant receipts under Rwanda Law No. 10/2009 and to maintain records for Rwanda Revenue Authority (RRA) compliance.
- Legitimate interest: To improve our services, prevent fraud, and ensure platform security.
5. How We Use Your Data
- Rent collection and payment processing via Mobile Money and bank transfers
- Receipt generation compliant with RRA requirements
- SMS notifications including rent reminders, payment confirmations, and OTP verification
- Regulatory compliance with Rwandan tax, data protection, and financial laws
- Provision and maintenance of the Kwa Muzehe platform
- Customer support
- Improvement and personalization of the Service
- Detection, prevention, and handling of fraud or technical issues
6. Data Sharing and Disclosure
We do not sell your personal data. We may share your data with the following third parties:
- Africa's Talking: SMS OTP delivery and notification messages — phone number and message content shared.
- MTN MoMo (MTN Rwanda): Mobile money payment processing — phone number and transaction amount shared.
- Airtel Money (Airtel Rwanda): Mobile money payment processing — phone number and transaction amount shared.
- Flutterwave: Payment aggregation — phone number, transaction amount, and transaction reference shared.
- Google Cloud Platform: Infrastructure provider (africa-south1 region, South Africa) — all data encrypted at rest (AES-256) and in transit (TLS 1.3).
- Government authorities: Rwanda Revenue Authority (RRA) when required by law for tax compliance purposes.
- Legal requirements: When required by a court order or lawful request from a competent authority.
7. Cross-Border Data Transfers
Your data is primarily stored on Google Cloud Platform in the africa-south1 region (Johannesburg, South Africa), encrypted at rest and in transit. Data may be processed in GCP regions outside Rwanda as necessary for service delivery and redundancy. In accordance with Articles 46-48 of Law No. 058/2021, we ensure adequate protection for any cross-border transfer through appropriate safeguards, including data processing agreements with all third-party processors.
8. Data Security
We implement appropriate technical and organizational measures including:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- OTP-based authentication for sensitive operations
- Regular security audits and penetration testing
- Role-based access control for internal systems
- Automated backups with encryption
9. Data Retention
Active accounts are retained during service use. Upon account deletion request, personal data is purged within 90 days, except where retention is required by law. Specific retention periods:
- Financial records: 7 years after account closure (as required by RRA for tax record-keeping)
- Contracts and receipts: 10 years (as required by Rwandan commercial law)
- Technical logs: 12 months from collection
- Account data: Purged within 90 days of account deletion request, except where retention is required by law
10. Your Rights
Under Law No. 058/2021, you have the following rights regarding your personal data:
- Right of access (Article 36): Request a copy of your personal data.
- Right to rectification (Article 37): Request correction of inaccurate data.
- Right to erasure (Article 38): Request deletion of your data, subject to legal retention requirements.
- Right to restrict processing (Article 39): Request that we limit how we use your data.
- Right to data portability (Article 40): Receive your data in a structured, machine-readable format.
- Right to object (Article 41): Object to processing based on legitimate interest.
- Right to withdraw consent: Withdraw your consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact our Data Protection Officer at dpo@kwamuzehe.com or support@kwamuzehe.com. We will respond within 30 days.
11. Data Breach Notification
In the event of a personal data breach, Nsubiza Ltd will notify the National Cyber Security Authority (NCSA) within 72 hours of becoming aware of the breach, in accordance with Article 56 of Law No. 058/2021. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay.
12. Regulatory Status
Nsubiza Ltd is in the process of obtaining NCSA licensing. Regulatory approvals are pending.
13. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the National Cyber Security Authority (NCSA), the supervisory authority for data protection in Rwanda, as established under Law No. 058/2021.
14. Children's Privacy
Kwa Muzehe is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes via SMS or in-app notification at least 14 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
16. Contact Us
Nsubiza Ltd — Data Protection
Data Protection Officer: dpo@kwamuzehe.com
Support: support@kwamuzehe.com
Phone: +250 788 000 000
Address: Huye, Southern Province, Rwanda