Data Privacy Policy

Effective date: 15 August 2025
Entity: mBenki Business Solutions Zambia Ltd (“mBenki”, “we”, “us”, “our”)

1. Purpose & Scope

This Policy explains how we collect, use, disclose, secure, retain, and delete personal data across mBenki’s operations, including:

  • Website & online tools contact forms, analytics, cookies, portals, and apps.

  • Smart Agents onboarding, training, performance, compliance.

  • Customers/consumers engaged by Smart Agents or via our digital channels.

  • Participating institutions whose products/services we market and help distribute.

2. Our Roles & Data Commission Registration

  • Role classification we act as Data Controller for our own operations (e.g., Smart Agent management, platform security, marketing). We act as Data Processor when handling consumer data on behalf of a participating institution during a product journey.

  • Registration status mBenki is required to be registered with the Office of the Data Protection Commissioner (ODPC) in its role as a Data Controller and, where applicable, as a Data Processor. Certificate/registration number will be published here when issued.

  • Data Protection lead contact details appear in Section 19 (Contact & Disclosures).

3. Definitions (plain language)

  • Personal data information that identifies or can identify a person.

  • Controller decides why/how personal data is processed.

  • Processor handles personal data for a controller under instructions.

  • Processing any operation on personal data (collect, store, use, share, delete).

  • Special/sensitive data personal data requiring higher protection.

4. Data We Collect

  • Identification & contact names, national ID details where lawful/required, phone, email.

  • Smart Agent professional onboarding, certifications, training completion, quality reviews.

  • Interaction & application product interests, eligibility checkpoints, application status/outcomes, support history.

  • Operational/telemetry timestamps, activity events, device/app logs for quality and security.

  • Website/app/device IP address, device identifiers, usage analytics and events consistent with your choices.

5. Why We Use Data (Purposes & Legal Bases)

  1. Deliver services to institutions and consumers; enable agent-led sales; standardize field engagements; digitize interactions.

  2. Provide analytics and reporting to institutions (dashboards, conversion/ROI tracking, market insights).

  3. Train and support Smart Agents (knowledge tools, quality assurance, compliance).

  4. Maintain security, prevent fraud, and meet legal/regulatory obligations.

  5. Communicate about services and, where permitted, send marketing with simple opt-out. Legal bases consent, contractual necessity, legal obligation, and legitimate interests in secure, efficient operations.

6. How We Collect Data

  • Directly from you forms, chats, calls, events, or during agent interactions.

  • From Smart Agents details captured in the field through mBenki apps.

  • From institutions product rules, eligibility inputs, and application status updates.

  • Automatically via cookies/SDKs, device data, and system logs (see Section 12).

7. Sharing & Disclosures

  • Service providers hosting, analytics, training, communications, and support under written contracts.

  • Participating institutions data shared as needed to fulfil product journeys (lead transfer, eligibility, applications).

  • Legal/regulatory when required by law, to protect rights or prevent fraud.

  • Business changes if we reorganize or transfer parts of our business, we will protect the data and notify where appropriate.

8. Cross-Border Processing & Localization

  • Preference data is processed/stored in Zambia where feasible.

  • Transfers occur only when necessary and subject to legally required safeguards and written agreements with processors/partners.

  • Sensitive data receives heightened protection; cross-border handling follows applicable approvals/conditions.

9. Security

  • Access management least-privilege, strong authentication for privileged roles, periodic reviews.

  • Protection TLS in transit; proportionate encryption and key management at rest.

  • Monitoring audit logs for sensitive actions; anomaly detection; secure engineering practices.

  • No system is impenetrable we continuously improve our controls.

10. Retention & Disposal

  • Operational logs/telemetry generally up to 12 months, then delete or aggregate.

  • Lead & application records for the service lifecycle and contractual/statutory periods; then delete or anonymize.

  • Smart Agent records for the engagement term plus statutory labor/tax periods; training/QA for defined dispute windows.

  • Financial/transaction records per law and tax requirements.

  • Backups not for active use; securely rotated/overwritten on scheduled cycles.

11. Your Rights & How to Exercise Them

  • Rights access, rectification, erasure, objection to certain processing, and withdrawal of consent where relied upon.

  • How submit a request via email or web form (Section 19). We verify identity and act without undue delay, updating you on progress for complex requests.

  • If we act as Processor, we will relay your request to the relevant institution and assist their response.

  • Complaints you may contact the ODPC if you are not satisfied with our response.

12. Cookie, SDK & Tracking Policy

  • What we use

    • Strictly necessary required to operate the site/portals.

    • Performance/analytics improve features and reliability.

    • Marketing measure campaigns and show relevant content.

  • Your choices

    • Consent optional cookies run only after opt-in via our banner or settings.

    • Withdraw change preferences anytime via “Cookie Settings.”

    • Signals we will respect supported browser-level preference signals where technically feasible.

  • Data handling identifiers may include IP, device IDs, session IDs; we minimize retention and rotate identifiers where possible.

  • Banner copy (example) “We use cookies to operate our site, improve performance, and show relevant content. Click ‘Accept all’ to consent or manage your choices.”

13. Smart Agent Data Handling

  • Confidentiality & accuracy protect customer and institutional information; use approved scripts and current product materials; avoid misrepresentation.

  • Device hygiene enable lock/PIN; keep OS/apps updated; do not store customer photos or PII outside approved apps; never share credentials.

  • Minimum necessary collect only fields required for each product journey; provide just-in-time notices before sensitive capture.

  • Telemetry location/call capture may be used for quality/compliance with clear notice and limited access.

  • Incidents & complaints escalate immediately via designated support channels; cooperate with investigations and remediation.

  • On termination return company equipment and delete any mBenki or institutional data from personal devices as directed.

14. Children’s Data

Our services are intended for adults and business users; we do not knowingly collect data from children. If discovered, we will delete it promptly.

15. Incident Response & Breach Notification

  • Process detect, triage, contain, investigate, notify, remediate, and document.

  • Notifications institutions first where we act as Processor; notify authorities and affected individuals when required by law or contract.

  • Post-incident we apply lessons learned and improve controls.

16. Vendor & Sub-Processor Management

  • Due diligence assess privacy/security controls before onboarding.

  • Contracts require confidentiality, security, assistance with rights requests, and breach duties.

  • Visibility maintain an inventory of processors and material sub-processors; notify institutions of significant changes where contractually required.

17. Data Deletion & Withdrawal of Consent

  • Scope remove from active systems; place beyond use in backups pending scheduled overwrites.

  • Downstream notify relevant processors/partners to erase links and copies where feasible.

  • Limits we may retain data required by law or for legal claims and will restrict processing in the interim.

18. Changes to This Policy

We will post updates here and revise the effective date. Continued use after updates indicates acceptance. Material changes will be communicated appropriately.

19. Contact & Corporate Disclosures

Official details for notices, requests, and complaints

  • Legal name mBenki Business Solutions Zambia Ltd

  • PACRA registration no. 120230053952

  • Registered address (for service) Plot No. 20436, Yotam Muleya Road, Libala South, Libala Mall, Lusaka, Zambia

  • Telephone (260) 773 158 012

  • Email (general/privacy) information@mbenki.com | privacy@mbenki.com

  • Directors/office bearers Pamfred Hasweeka (CEO), Chris Sinchende (COO), Chimuka Moonde (CTO)