Privacy Policy
Last updated: February 2026
1. Introduction
LitFin Limited ("LitFin," "we," "us," or "our"), a company registered in the United Republic of Tanzania with its principal office in Dar es Salaam, operates the LitFin platform ("Platform"), which facilitates loan origination between borrowers and partner banks through AI-powered technology.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Platform, including our website, mobile applications, and related services. We are committed to protecting the privacy and security of your personal data in accordance with the laws of Tanzania, including the Electronic and Postal Communications Act (EPOCA), the Cybercrimes Act, and applicable Bank of Tanzania (BoT) regulations.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Platform.
2. Information We Collect
We collect the following categories of information to provide and improve our services:
2.1 Personal Information
- Full legal name, date of birth, and gender
- National Identification (NIDA) number and related identity documents
- Taxpayer Identification Number (TIN)
- Contact information, including email address, phone number, and physical address
- Marital status and dependant information (where relevant to loan assessment)
2.2 Business Information
- Business name, registration number (BRELA), and TIN
- Business type, sector, and physical location
- Ownership structure and directorship details
- Business plan documentation and financial projections
- Trade licenses and regulatory permits
2.3 Financial Data
- Bank statements and account information
- Revenue, income, and expense records
- Existing loan obligations and credit history
- Collateral information and asset valuations
- Tax returns and financial statements
2.4 Usage and Device Data
- Platform interaction logs and feature usage patterns
- Conversation transcripts with Mr. Mwikila, LitFin's AI Credit Business Officer (anonymized for service improvement)
- IP address, browser type, operating system, and device identifiers
- Cookies and similar tracking technologies (see Section 8)
3. How We Use Your Information
3.1 Loan Processing and Origination
To facilitate your loan application, generate readiness assessments, produce AI-assisted business plans, and transmit completed applications to your selected partner bank for credit evaluation.
3.2 KYC/AML Compliance
To verify your identity and comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements as mandated by the Bank of Tanzania, the Financial Intelligence Unit (FIU), and the Anti-Money Laundering Act.
3.3 Service Improvement
To analyze usage patterns, improve our AI models, enhance user experience, and develop new features. All data used for AI training is anonymized and aggregated.
3.4 Communication
To send you application status updates, security alerts, service announcements, and, with your consent, promotional materials about LitFin services. You may opt out of marketing communications at any time.
5. Data Security
We implement robust technical and organizational measures to protect your data, including:
- Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
- Access Controls: Role-based access controls ensure that only authorized personnel can access personal data, with the principle of least privilege applied throughout our organization.
- Regular Audits: We conduct periodic security assessments, vulnerability scans, and penetration testing to identify and address potential risks.
- SOC 2-Aligned Practices: Our security controls are aligned with SOC 2 Type II standards, covering security, availability, processing integrity, confidentiality, and privacy.
- Incident Response: We maintain a comprehensive incident response plan to detect, contain, and remediate security breaches promptly.
6. Your Rights
You have the following rights with respect to your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Correction: You may request that we correct any inaccurate or incomplete personal data.
- Right to Deletion: You may request that we delete your personal data, subject to our legal retention obligations (see Section 7).
- Right to Data Portability: You may request a machine-readable copy of your personal data for transfer to another service provider.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact us at privacy@litfin-credit.com. We will respond to your request within 30 days.
7. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Financial Records: Retained for a minimum of seven (7) years in compliance with the Banking and Financial Institutions Act, 2006, and Tanzania Revenue Authority requirements.
- KYC/AML Records: Retained for a minimum of five (5) years after the termination of the business relationship, as required by the Anti-Money Laundering Act.
- Account Data: Retained for the duration of your account and for up to two (2) years following account closure.
- Usage Data: Anonymized and retained for analytical purposes for up to three (3) years.
9. International Data Transfers and Sub-Processors
Your data is primarily stored and processed within the East African region. Where it is necessary to transfer your data outside of this region (for example, to cloud service providers or AI processing services), we ensure that adequate safeguards are in place, including:
- Data processing agreements with binding contractual obligations
- Transfers only to jurisdictions with adequate data protection frameworks
- Technical safeguards such as encryption and pseudonymization
- Compliance with applicable cross-border data transfer regulations
The following sub-processors may process personal data on our behalf. The list is generated from our authoritative sub-processor registry so this page always reflects current deployments. Material additions trigger a thirty-day objection window for active organisation customers under their Data Processing Agreement.
| Processor | Purpose | Region | Transfer Mechanism | DPA |
|---|---|---|---|---|
| Supabase Inc. | Primary database, authentication, file storage, realtime | EU (eu-west-1) with replication to US for backups | EU SCCs 2021/914 + PDPA explicit consent at signup | View |
| Anthropic PBC | AI model inference (Claude family) for conversational + analysis tasks | United States | EU SCCs + zero-retention agreement on API tier | View |
| OpenAI, L.L.C. | AI model inference for conversation + voice (Realtime API, Whisper) | United States | EU SCCs + 30-day max retention, no training | View |
| DeepSeek AI | Cost-optimized batch AI inference for non-sensitive tasks only | Singapore | Contractual safeguards; never used for PII | N/A |
| ElevenLabs Inc. | Text-to-speech (Eleven v3) and speech-to-text (Scribe v2) for Swahili + English | United States + EU | EU SCCs + voice prints retained <30 days unless user opts in | View |
| Twilio Inc. | SMS, WhatsApp Business, voice telephony for staged-call walkthrough | United States with regional routing for Tanzania via local carrier | EU SCCs + Twilio binding corporate rules | View |
| Africa's Talking Ltd. | Tanzania-local SMS, USSD, voice routing (lower latency + cost) | Kenya (regional African processing) | Intra-EAC processing under EAC Treaty alignment | N/A |
| Cloudflare Inc. | Edge CDN, WAF, DDoS protection, bot management | Global edge network with EU/US primary | EU SCCs + Cloudflare DPA | View |
| RevenueCat Inc. | Mobile subscription billing, entitlements (Free/Standard/Premium) | United States | EU SCCs + RevenueCat DPA | View |
| Vercel Inc. | Frontend hosting, serverless functions, edge runtime | Global edge with EU/US primary | EU SCCs + Vercel DPA | View |
For the machine-readable version of this list (versioned JSON) see /legal/sub-processors.
10. Children's Privacy
The LitFin Platform is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe that we may have collected information from a child under 18, please contact us at privacy@litfin-credit.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will notify you by posting the updated policy on our Platform with a revised "Last updated" date, and where appropriate, by sending you a direct notification via email or in-app message. Your continued use of the Platform after any changes constitutes your acceptance of the updated Privacy Policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
LitFin Limited
Data Protection Officer
Email: privacy@litfin-credit.com
Dar es Salaam, Tanzania
P.O. Box 12345, Dar es Salaam