Privacy Policy

Effective date: 29 September 2025
Version: v1.0

This Privacy Policy explains how we (“Pesa Leo”, “we”, “us”) collect, use, share, and protect personal data when you use our mobile application, website(s), and related services (the “Services”). The Services are intended for adults (18+) only.

1. Who We Are & Scope

Data Controller / Lender: NOVACORE TECHNOLOGIES LIMITED
Registered address: Region Dar Es Salaam, Tanzania
Data Protection / Privacy contact: cs.help@novacoretechnologieslimited.com
Scope: This Policy covers Pesa Leo’s mobile app(s), website(s), and customer support channels. If a term is not defined here, the meaning in applicable law applies (e.g., Tanzania PDPA, AML laws).

2. Legal Bases for Processing

We process personal data under one or more of the following legal bases (as applicable):

Contract: To provide the Services you request (e.g., account creation, loan processing, repayments).
Legal obligation: To meet requirements under financial, tax, anti‑money laundering (AML/CFT), and consumer protection laws.
Legitimate interests: To protect our platform and users from fraud and abuse, improve the Services, and ensure information security.
Consent: For optional permissions and features (e.g., financial‑SMS analysis, approximate location, selected photos). You may withdraw consent at any time through device settings or in‑app controls.

3. What We Collect

We follow data minimization: we only collect what is necessary for specified purposes.

A. Information you provide

Identity/KYC: Full name, government‑issued ID details, date of birth, selfie (if applicable), address.
Contact details: Phone number, email address.
Profile & circumstances: Marital status, occupation, employer, income range (if relevant to credit assessment).
Financial & repayment: Bank account details for disbursement/repayment, repayment records.
Emergency contact (user‑provided only): Name, phone number, relationship. You must obtain the contact’s prior consent before submission.
Support content: Information and images you voluntarily provide to customer support.

B. Information from your device (with your permission)

App activity & diagnostics: Login timestamps, session events, crash logs, error codes—used to secure the service and fix issues.
Device information: Device model, OS version, mobile network type, screen metrics, app version, and an app‑scoped identifier (e.g., Android ID).
Approximate location (city‑level only): Used for region eligibility checks and fraud prevention; we do not collect precise GPS coordinates or background location.
Photos you select: Only images you explicitly choose to upload (e.g., for KYC or support); we do not auto‑scan your gallery.
Financial‑SMS ( financial only): Before requesting SMS permission, we show a prominent used only for fraud prevention. If you opt in, we analyze financial notifications within a ≤110‑day window (e.g., bank alerts, payment confirmations). Processing occurs on‑device to extract necessary fields such as sender ID, transaction amount, balance, currency, and timestamps.We automatically filter messages using predefined financial keywords（eg.”jumla""malipo""akaunti|deni""vat""salio”tsh""pesa""umepokea”） while absolutely excluding personal chats, advertisements, unrelated verification codes, and non-financial content.

C. What we do not collect

Your phone’s contact list, call logs, or microphone/camera feeds without a specific, opt‑in action by you.
Installed apps list or QUERY_ALL_PACKAGES‑style data—except our own app’s version and status.
Precise location or continuous tracking.

4. How We Use Data

Provide and operate the Services: account creation, credit assessment, loan approval/disbursement, repayments, customer support.
Compliance and safety: identity verification (KYC), AML/CFT screening, regulatory reporting, detection and prevention of fraud/abuse, information security.
Service quality: diagnostics, analytics, and service improvement (e.g., crash reports, performance tuning).
Communications: service notices, legally required information, and (with consent) optional product updates. You can manage preferences in‑app.

5. Automated Decisions & Human Review

For credit risk assessment and fraud detection, we may use automated models (scoring). We ensure meaningful human review of key outcomes upon request, and you may contact us to express your viewpoint or contest a decision.

We share personal data only as needed and with safeguards:

Service providers: cloud hosting, KYC and credit reference bureaus, payment/banking partners, telecom verification, analytics strictly for app performance. Providers are bound by confidentiality and security obligations.
Regulators and law enforcement: where required by law or lawful order.
Corporate transactions: if we undertake a merger, acquisition, financing, or reorganization, data may be transferred under confidentiality protections.
Research & statistics: we may use aggregated or de‑identified data for reporting, product improvement, and financial inclusion research. We do not sell personal data and we do not use your data for third‑party advertising.

7. Retention

We retain personal data only for as long as necessary for the purposes described or as required by law. In particular:

KYC & transaction/loan records: retained for not less than 10 years after the later of (i) completion of the transaction(s), (ii) formal end of the business relationship, or (iii) completion of any AML/CFT analysis or risk assessment, in line with Tanzania’s Anti-Money Laundering Act.
KYC identity images/documents (used for customer due diligence): retained with KYC records for the statutory period above. Support-only attachments not used for CDD may be deleted within 30 days after case closure.
Credit reporting (CRB) data: once shared with a licensed Credit Reference Bureau, the CRB retains credit information for up to 6 years from final loan repayment, bankruptcy, assignment or write-off, per CRB Regulations.
App logs & diagnostics: typically up to 180 days.
Device security/fraud signals: typically up to 90 days, unless an investigation is ongoing.
Financial-SMS derived fields (not raw content): typically up to 180 days for verification and dispute resolution. When retention ends, we delete or irreversibly de-identify the data.

8. International Transfers & Storage

We use reputable infrastructure providers. Where data is processed outside Tanzania, we apply appropriate safeguards (contractual protections, encryption in transit and at rest, access controls) to ensure a level of protection comparable to local requirements. Details are available upon request from our privacy contact.

9. Security

We implement administrative, technical, and physical safeguards, including encryption in transit (TLS) and at rest, access controls, least‑privilege policies, employee training, vulnerability management, and incident response procedures. No method is 100% secure, but we continuously improve our controls.

10. Your Rights

Subject to law, you may have the right to access, rectify, erase, restrict or object to processing, withdraw consent, and request human review of significant automated decisions. To exercise rights, contact cs.help@novacoretechnologieslimited.com. We will respond within statutory timelines. You may also lodge a complaint with the competent supervisory authority in Tanzania.

11. Your Controls

You can manage certain permissions (e.g., location, SMS, photos) via device settings or in‑app controls. Disabling optional permissions may limit related features but will not block access to unrelated functions. You can request account deletion and data export via our support channel. You can delete your app account and associated data in-app via My Profile → Account → Delete Account. Alternatively, submit a web request at https://www.novacoretechnologieslimited.com/user-out/ will confirm and complete deletion within 30 days, except where retention is required by law (e.g., AML/financial record-keeping).

12. Children

The Services are for adults (18+). We do not knowingly process children’s data. If we learn a user is under 18, we will suspend the account and delete related data as required by law.

13. Changes to This Policy

We may update this Policy to reflect operational, legal, or regulatory changes. Material changes will be communicated in‑app and/or by email at least 30 days before they take effect unless an earlier change is required by law. The latest version will always be available in‑app and on our website.

14. Contact Us

Privacy & data requests: cs.help@novacoretechnologieslimited.com
Postal address: Region Dar Es Salaam, Tanzania