1. Who We Are
Chamabox™ ("we", "us", "our") is the data controller for personal data processed about administrators, treasurers, members and visitors to chamabox.com. We are registered in Kenya and comply with the Data Protection Act, 2019.
2. Data We Collect
- Account data: full name, email, phone number, role.
- Member data: ID number (where collected by the group), next-of-kin, contribution and loan history.
- Payment data: M-Pesa transaction references, amounts and timestamps. We do not store your M-Pesa PIN.
- Usage data: IP address, browser, pages visited, actions taken — for security and product improvement.
- Support data: messages, attachments and call notes you share with us.
3. Lawful Basis & Purposes
We process personal data:
- To deliver the Service you subscribed to (contractual necessity).
- To process M-Pesa payments and issue receipts (contractual necessity).
- To send transactional alerts — payment confirmations, loan due dates, statements (legitimate interest).
- To meet legal obligations such as tax, AML and record-keeping (legal obligation).
- To send product updates and marketing only where you have consented (consent — withdrawable at any time).
4. Who We Share Data With
- Safaricom PLC — to initiate STK push and receive payment callbacks.
- HostPinnacle / hosting providers — to host the infrastructure.
- Email & SMS providers — to deliver notifications you trigger.
- Government and law enforcement — only where compelled by valid Kenyan legal process.
We never sell personal data, and we never expose one group's data to another group.
5. Data Retention
We retain Customer Data for the lifetime of your subscription plus a thirty (30) day export grace period. Financial and audit records may be retained for up to seven (7) years to satisfy Kenyan statutory requirements.
6. Security
- All traffic is encrypted in transit via HTTPS/TLS.
- Passwords are stored using bcrypt hashing.
- Sensitive credentials (such as Daraja keys) are encrypted at rest.
- Multi-tenant isolation enforces strict row-level separation between groups.
- Daily off-site backups are retained for thirty (30) days.
7. Your Rights
Under the Data Protection Act, 2019 you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or outdated data.
- Request deletion (subject to legal retention obligations).
- Object to or restrict certain processing.
- Receive a copy of your data in a portable format.
- Withdraw consent at any time, where consent is the lawful basis.
- Lodge a complaint with the Office of the Data Protection Commissioner (ODPC).
Exercise these rights by emailing info@chamabox.com. We respond within seven (7) business days.
8. International Transfers
Our primary infrastructure is hosted in Kenya. Where any sub-processor stores data outside Kenya, we ensure equivalent safeguards through contractual clauses.
9. Children
The Service is not directed to persons under the age of 18. We do not knowingly collect data from children. Junior savings accounts must be operated by a parent or guardian who is the named account holder.
10. Changes to This Policy
We will notify you of material changes by email and post a revised version on this page with the new effective date.
11. Contact Our Data Protection Lead
Email info@chamabox.com with "Data Protection" in the subject line.