Privacy Policy
Effective Date: 12 October 2025 | Last Updated: 12 October 2025
A Quick Summary for You
We value your trust. This summary explains what personal data we collect and why. For full details, please read the entire policy.
All official communication will come from an @zeni.co.ke email address. We will never ask for your password by email or phone.
1. Introduction and Scope
This Privacy Policy describes how [Zeni Africa] ("Zeni", "we", "us", "our") collects, uses, stores, shares, and protects the personal data of our users ("you") in the Republic of Kenya. It applies to all services offered through our website and mobile applications.
This version of the policy applies exclusively to users residing in Kenya. As we expand our services across Africa, this policy will be updated, and you will be notified of any material changes.
2. Data Controller and Contact Details
Zeni is the Data Controller responsible for your personal data. If you have any questions about this policy or your data protection rights, please contact us.
You have the right to lodge a complaint with the data protection authority in Kenya. You can contact them at:
3. Definitions
Key terms used in this policy are defined as per the Data Protection Act, 2019.
Personal Data
Any information relating to an identified or identifiable natural person (a "Data Subject").
Sensitive Personal Data
Data revealing race, health status, ethnic origin, conscience, belief, genetic data, biometric data, property details, marital status, family details, sex, or sexual orientation.
Processing
Any operation performed on personal data, such as collection, recording, storage, use, disclosure, or erasure.
Data Controller
The entity that determines the purpose and means of processing personal data (that's us, Zeni).
Data Processor
An entity that processes personal data on behalf of the controller.
KYC (Know Your Customer)
A mandatory process of identifying and verifying the identity of a client. This often includes ID documents and a liveness check.
Cookies
Small text files placed on your device by a website to remember your preferences and activities.
4. Lawful Basis and Purposes for Processing
We only process your personal data when we have a lawful basis to do so under the Data Protection Act, 2019. The bases we rely on include your consent, the performance of our contract with you, compliance with a legal obligation, and our legitimate interests.
Account Creation & Authentication
Data collected: First and last name, email address, phone number.
Purpose: To create and manage your Zeni account, provide customer support, and secure your account using One-Time Passwords (OTP) sent to your phone. We use your phone number for authentication only.
Lawful basis: Performance of a contract.
Payments (Deposits & Withdrawals)
Data collected: Payment records, transaction metadata (amount, time, participants).
Purpose: To process your contributions and withdrawals accurately and to provide you with a transparent transaction history.
Lawful basis: Performance of a contract; Legal obligation (for financial record-keeping and anti-money laundering compliance).
KYC & Identity Verification
This is required when your cumulative deposit or withdrawal activity exceeds KES 2,000.
Data collected: National ID number, images of your ID (front and back), and a biometric liveness check.
Purpose: To comply with Kenyan Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulations. This verification helps prevent fraud and protect all users on the platform.
Lawful basis: Compliance with a legal obligation.
Location Data
Data collected: County, region (provided by you), and automated geo-location data (IP address).
Purpose: To enhance account security, prevent fraudulent access, and ensure compliance with regional financial regulations.
Lawful basis: Legitimate interest; Compliance with a legal obligation.
Usage Logs & Analytics
Data collected: Device identifiers, IP addresses, browser type, operating system, and event logs (e.g., login times, features used).
Purpose: To monitor and secure our platform, detect and prevent fraud, improve our services, and analyse performance. We use Google Analytics and Vercel Analytics for this purpose, and we take steps to minimise the data shared.
Lawful basis: Legitimate interest.
5. Data Processors, Third Parties, and Transfers
We work with trusted third-party service providers (Data Processors) to deliver our services. We have legally binding Data Processing Agreements (DPAs) with each processor to ensure they protect your data according to the law.
Supabase
For secure cloud database hosting, authentication services, and storage of user data, including encrypted KYC images.
PayHero
For processing all payments, including M-Pesa and Airtel Money transactions.
Google & Vercel
For website hosting (Vercel) and anonymised analytics (Google Analytics, Vercel Analytics) to help us improve our service.
Brevo & Zoho
For sending transactional emails (e.g., password resets, notifications from noreply@zeni.co.ke), marketing communications (with your consent), and managing support emails (via support@zeni.co.ke).
Cross-Border Data Transfers
Some of our processors may be located outside of Kenya. We ensure that any transfer of personal data outside Kenya complies with the Data Protection Act. We do this by verifying that the recipient country has adequate data protection laws or by using appropriate safeguards, such as standard contractual clauses. Where required by law for specific data types, we ensure processing occurs on servers located within Kenya.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal, regulatory, or business requirements.
Account Information
Retained for the duration your account is active.
Transaction Records
Retained for a minimum of seven (7) years to comply with financial and tax laws.
KYC Documents
Retained for seven (7) years after the closure of your account, as required by AML/CTF regulations.
Usage Logs & Analytics
Retained for up to 24 months for security and performance analysis.
7. Your Data Subject Rights
Under the Data Protection Act, you have the following rights over your personal data:
Right to be Informed
To know how we are processing your data.
Right of Access
To request a copy of the personal data we hold about you.
Right to Rectification
To ask us to correct any inaccurate or incomplete data.
Right to Erasure
To request the deletion of your data where there is no compelling reason for us to keep it.
Right to Restrict Processing
To block or suppress the processing of your data in certain circumstances.
Right to Data Portability
To receive your data in a portable format.
Right to Object
To object to processing, particularly for direct marketing.
Rights on Automated Decision-Making
To not be subject to a decision based solely on automated processing.
To exercise any of these rights, please email us at privacy@zeni.co.ke. We will respond to your request within 30 days. We may need to verify your identity before processing your request.
8. Consent, Withdrawal, and Children's Data
Where we rely on your consent to process data (such as for marketing communications), we will obtain it through a clear and explicit opt-in. You have the right to withdraw your consent at any time by using the "unsubscribe" link in our emails or by contacting us.
Zeni's services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will take steps to delete it immediately.
9. Security Measures
We implement robust technical and organisational measures to protect your personal data. These include:
Access Control
Strict role-based access controls ensure that only authorised personnel can access your data, especially sensitive KYC information.
Secure Storage
All data, including ID images, is stored securely in Supabase's managed infrastructure.
Password Security
We hash session tokens and will never ask you for your password.
Regular Audits
We plan to conduct regular security audits and penetration testing to identify and address vulnerabilities.
10. Data Protection by Design and DPIAs
We are committed to the principles of data protection by design and by default. We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, such as implementing our KYC and liveness check system, to identify and mitigate privacy risks before they are introduced.
11. Data Breach Notification
In the unfortunate event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner (ODPC) without undue delay and, where feasible, within 72 hours of becoming aware of it. We will also notify affected users directly and provide guidance on steps you can take to protect yourself.
12. Cookies and Tracking Technologies
We use cookies to operate and improve our service.
Essential Cookies
These are necessary for the website to function, such as keeping you logged in. You cannot opt out of these.
Analytics Cookies
We use Google Analytics and Vercel Analytics to understand how you use Zeni so we can improve it. This data is aggregated and anonymised where possible. You can opt out of Google Analytics by using their browser add-on.
You can manage your cookie preferences through your browser settings.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by email or through a notice on our platform. The "Last Updated" date at the top of this policy will always indicate the latest version.
Technical Annex for Developers & Partners
This section provides a summary of our data processing practices for technical review.
Data Categories
Identity, Contact, Financial, Biometric (KYC), Transactional, Technical (IP, device), Usage.
Primary Processors
Supabase (DB/Storage/Auth), PayHero (Payments), Brevo/Zoho (Email), Google/Vercel (Analytics/Hosting).
Storage Locations
Primary data processing in Kenya where required by law. Global processors used with appropriate cross-border transfer safeguards.
Encryption
TLS 1.2+ in transit, AES-256 at rest.
Access Control
Role-Based Access Control (RBAC) for all internal systems. Access to sensitive data (KYC) is restricted to a named, trained compliance team.
DPA Requirement
All new processors must sign a Data Processing Agreement that complies with the Data Protection Act, 2019 before onboarding.