1. Introduction and Scope
This Privacy Policy describes how [Zeni Africa] ("Zeni", "we", "us", "our") collects, uses, stores, shares, and protects the personal data of our users ("you") in the Republic of Kenya. It applies to all services offered through our website and mobile applications.
This version of the policy applies exclusively to users residing in Kenya. As we expand our services across Africa, this policy will be updated, and you will be notified of any material changes.
2. Data Controller and Contact Details
Zeni is the Data Controller responsible for your personal data. If you have any questions about this policy or your data protection rights, please contact us.
- Legal Entity: [Zeni Africa]
- Privacy Enquiries: privacy@zeni.co.ke
You have the right to lodge a complaint with the data protection authority in Kenya. You can contact them at:
The Office of the Data Protection Commissioner (ODPC)
Website: www.odpc.go.ke
Email: info@odpc.go.ke
3. Definitions
Key terms used in this policy are defined as per the Data Protection Act, 2019.
- Personal Data: Any information relating to an identified or identifiable natural person (a "Data Subject").
- Sensitive Personal Data: Data revealing race, health status, ethnic origin, conscience, belief, genetic data, biometric data, property details, marital status, family details, sex, or sexual orientation.
- Processing: Any operation performed on personal data, such as collection, recording, storage, use, disclosure, or erasure.
- Data Controller: The entity that determines the purpose and means of processing personal data (that's us, Zeni).
- Data Processor: An entity that processes personal data on behalf of the controller.
- KYC (Know Your Customer): A mandatory process of identifying and verifying the identity of a client. This often includes ID documents and a liveness check.
- Cookies: Small text files placed on your device by a website to remember your preferences and activities.
4. Lawful Basis and Purposes for Processing
We only process your personal data when we have a lawful basis to do so under the Data Protection Act, 2019.
Account Creation & Authentication
- Data Collected: First and last name, email address, phone number.
- Purpose: To create and manage your Zeni account, provide customer support, and secure your account using One-Time Passwords (OTP).
- Lawful Basis: Performance of a contract.
Payments (Deposits & Withdrawals)
- Data Collected: Payment records, transaction metadata (amount, time, participants).
- Purpose: To process your contributions and withdrawals accurately and to provide you with a transparent transaction history.
- Lawful Basis: Performance of a contract; Legal obligation.
KYC & Identity Verification
- Trigger: Required when cumulative activity exceeds KES 2,000.
- Data Collected: National ID number, images of your ID (front and back), and a biometric liveness check.
- Purpose: To comply with Kenyan Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulations.
- Lawful Basis: Compliance with a legal obligation.
Location Data
- Data Collected: County, region, and automated geo-location data (IP address).
- Purpose: To enhance account security, prevent fraudulent access, and ensure compliance.
- Lawful Basis: Legitimate interest; Compliance with a legal obligation.
5. Data Processors, Third Parties, and Transfers
We work with trusted third-party service providers (Data Processors).
- Supabase: Database hosting, authentication, and secure storage.
- PayHero: Payment processing (M-Pesa, Airtel Money).
- Google & Vercel: Hosting and anonymised analytics.
- Brevo & Zoho: Transactional emails and customer support.
Cross-Border Data Transfers: We ensure that any transfer of personal data outside Kenya complies with the Data Protection Act by verifying adequate data protection laws or using standard contractual clauses.
6. Data Retention
- Account Information: Retained for the duration your account is active.
- Transaction Records: Retained for a minimum of seven (7) years (Financial/Tax laws).
- KYC Documents: Retained for seven (7) years after account closure (AML regulations).
- Usage Logs: Retained for up to 24 months.
7. Your Data Subject Rights
Under the Data Protection Act, you have the right to:
- Be Informed
- Access your data
- Rectification (Correction)
- Erasure (Deletion)
- Restrict Processing
- Data Portability
- Object to processing
- Not be subject to automated decision-making
To exercise any of these rights, please email us at privacy@zeni.co.ke.
8. Consent & Children's Data
You have the right to withdraw your consent at any time. Zeni's services are not intended for individuals under the age of 18.
9. Security Measures
We implement robust measures including strict Access Control, Secure Storage (Encrypted at rest), Password-less Security, and Regular Audits.
10. Data Protection by Design
We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
11. Data Breach Notification
In the event of a breach likely to result in risk to your rights, we will notify the ODPC and affected users within 72 hours where feasible.
12. Cookies
We use Essential Cookies for site function and Analytics Cookies (Google/Vercel) to improve our service.
13. Changes to This Privacy Policy
We may update this policy. We will notify you of significant changes via email or platform notice.
Technical Annex
- Data Categories: Identity, Contact, Financial, Biometric, Transactional, Technical, Usage.
- Encryption: TLS 1.2+ in transit, AES-256 at rest.
- DPA Requirement: All new processors must sign a Data Processing Agreement.