Data Privacy Policy | mBenki

Data Privacy Policy

Effective date: 15 August 2025

Entity: mBenki Business Solutions Zambia Ltd (“mBenki”, “we”, “us”, “our”)

1. Purpose & Scope

This Policy explains how we collect, use, disclose, secure, retain, and delete personal data across mBenki’s operations, including:

  • Website & online tools contact forms, analytics, cookies, portals, and apps.
  • Smart Agents onboarding, training, performance, compliance.
  • Customers/consumers engaged by Smart Agents or via our digital channels.
  • Participating institutions whose products/services we market and help distribute.

2. Our Roles & Data Commission Registration

  • Role classification: we act as Data Controller for our own operations (e.g., Smart Agent management, platform security, marketing). We act as Data Processor when handling consumer data on behalf of a participating institution during a product journey.
  • Registration status: mBenki is required to be registered with the Office of the Data Protection Commissioner (ODPC) in its role as a Data Controller and, where applicable, as a Data Processor. Certificate/registration number will be published here when issued.
  • Data Protection lead contact details appear in Section 19 (Contact & Disclosures).

3. Definitions (plain language)

  • Personal data: information that identifies or can identify a person.
  • Controller: decides why/how personal data is processed.
  • Processor: handles personal data for a controller under instructions.
  • Processing: any operation on personal data (collect, store, use, share, delete).
  • Special/sensitive data: personal data requiring higher protection.

4. Data We Collect

  • Identification & contact: names, national ID details where lawful/required, phone, email.
  • Smart Agent professional: onboarding, certifications, training completion, quality reviews.
  • Interaction & application: product interests, eligibility checkpoints, application status/outcomes, support history.
  • Operational/telemetry: timestamps, activity events, device/app logs for quality and security.
  • Website/app/device: IP address, device identifiers, usage analytics and events consistent with your choices.

5. Why We Use Data (Purposes & Legal Bases)

  • Deliver services to institutions and consumers; enable agent-led sales; standardize field engagements; digitize interactions.
  • Provide analytics and reporting to institutions (dashboards, conversion/ROI tracking, market insights).
  • Train and support Smart Agents (knowledge tools, quality assurance, compliance).
  • Maintain security, prevent fraud, and meet legal/regulatory obligations.
  • Communicate about services and, where permitted, send marketing with simple opt-out.
  • Legal bases: consent, contractual necessity, legal obligation, and legitimate interests in secure, efficient operations.

6. How We Collect Data

  • Directly from you: forms, chats, calls, events, or during agent interactions.
  • From Smart Agents: details captured in the field through mBenki apps.
  • From institutions: product rules, eligibility inputs, and application status updates.
  • Automatically: via cookies/SDKs, device data, and system logs (see Section 12).

7. Sharing & Disclosures

  • Service providers: hosting, analytics, training, communications, and support under written contracts.
  • Participating institutions: data shared as needed to fulfil product journeys (lead transfer, eligibility, applications).
  • Legal/regulatory: when required by law, to protect rights or prevent fraud.
  • Business changes: if we reorganize or transfer parts of our business, we will protect the data and notify where appropriate.

8. Cross-Border Processing & Localization

  • Preference: data is processed/stored in Zambia where feasible.
  • Transfers occur only when necessary and subject to legally required safeguards and written agreements with processors/partners.
  • Sensitive data receives heightened protection; cross-border handling follows applicable approvals/conditions.

9. Security

  • Access management: least-privilege, strong authentication for privileged roles, periodic reviews.
  • Protection: TLS in transit; proportionate encryption and key management at rest.
  • Monitoring: audit logs for sensitive actions; anomaly detection; secure engineering practices.
  • No system is impenetrable we continuously improve our controls.

10. Retention & Disposal

  • Operational logs/telemetry: generally up to 12 months, then delete or aggregate.
  • Lead & application records: for the service lifecycle and contractual/statutory periods; then delete or anonymize.
  • Smart Agent records: for the engagement term plus statutory labor/tax periods; training/QA for defined dispute windows.
  • Financial/transaction records: per law and tax requirements.
  • Backups: not for active use; securely rotated/overwritten on scheduled cycles.

11. Your Rights & How to Exercise Them

  • Rights: access, rectification, erasure, objection to certain processing, and withdrawal of consent where relied upon.
  • How: submit a request via email or web form (Section 19). We verify identity and act without undue delay, updating you on progress for complex requests.
  • If we act as Processor, we will relay your request to the relevant institution and assist their response.
  • Complaints: you may contact the ODPC if you are not satisfied with our response.

12. Cookie, SDK & Tracking Policy

What we use

  • Strictly necessary: required to operate the site/portals.
  • Performance/analytics: improve features and reliability.
  • Marketing: measure campaigns and show relevant content.

Your choices

  • Consent: optional cookies run only after opt-in via our banner or settings.
  • Withdraw: change preferences anytime via “Cookie Settings.”
  • Signals: we will respect supported browser-level preference signals where technically feasible.
  • Data handling: identifiers may include IP, device IDs, session IDs; we minimize retention and rotate identifiers where possible.
  • Banner copy (example): “We use cookies to operate our site, improve performance, and show relevant content. Click ‘Accept all’ to consent or manage your choices.”

13. Smart Agent Data Handling

  • Confidentiality & accuracy: protect customer and institutional information; use approved scripts and current product materials; avoid misrepresentation.
  • Device hygiene: enable lock/PIN; keep OS/apps updated; do not store customer photos or PII outside approved apps; never share credentials.
  • Minimum necessary: collect only fields required for each product journey; provide just-in-time notices before sensitive capture.
  • Telemetry: location/call capture may be used for quality/compliance with clear notice and limited access.
  • Incidents & complaints: escalate immediately via designated support channels; cooperate with investigations and remediation.
  • On termination: return company equipment and delete any mBenki or institutional data from personal devices as directed.

14. Children’s Data

Our services are intended for adults and business users; we do not knowingly collect data from children. If discovered, we will delete it promptly.

15. Incident Response & Breach Notification

  • Process: detect, triage, contain, investigate, notify, remediate, and document.
  • Notifications: institutions first where we act as Processor; notify authorities and affected individuals when required by law or contract.
  • Post-incident: we apply lessons learned and improve controls.

16. Vendor & Sub-Processor Management

  • Due diligence: assess privacy/security controls before onboarding.
  • Contracts: require confidentiality, security, assistance with rights requests, and breach duties.
  • Visibility: maintain an inventory of processors and material sub-processors; notify institutions of significant changes where contractually required.

17. Data Deletion & Withdrawal of Consent

  • Scope: remove from active systems; place beyond use in backups pending scheduled overwrites.
  • Downstream: notify relevant processors/partners to erase links and copies where feasible.
  • Limits: we may retain data required by law or for legal claims and will restrict processing in the interim.
  • Request data deletion: by logging into your mBenki Pro app and choose “close account”.

18. Changes to This Policy

We will post updates here and revise the effective date. Continued use after updates indicates acceptance. Material changes will be communicated appropriately.

19. Contact & Corporate Disclosures

Official details for notices, requests, and complaints:

  • Legal name: mBenki Business Solutions Zambia Ltd
  • PACRA registration no.: 120230053952
  • Registered address (for service): Plot No. 20436, Yotam Muleya Road, Libala South, Libala Mall, Lusaka, Zambia
  • Telephone: (260) 773 158 012
  • Email (general/privacy): information@mbenki.com | privacy@mbenki.com
  • Directors/office bearers: Pamfred Hasweeka (CEO), Chris Sinchende (COO), Chimuka Moonde (CTO)