Last Updated: November 25, 2025
Effective Date: November 25, 2025
Privacy Policy
🔒 Your Privacy Matters: At ZimCrowd, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains in detail how we collect, use, share, and safeguard your data in compliance with the Zimbabwe Data Protection Act, GDPR, CCPA, and other applicable data protection laws.
Introduction
Welcome to the Privacy Policy of ZimCrowd Technologies (Pvt) Ltd ("ZimCrowd," "we," "us," or "our"). ZimCrowd is a peer-to-peer lending platform dedicated to connecting investors and borrowers within a secure, trust-based financial ecosystem.
This policy applies to your use of our Platform, which includes our official website (zimcrowd.com), the mobile application, and all related services, features, and content. By accessing or using our Platform, you are signifying that you have read, understood, and agree to the practices outlined in this Privacy Policy.
📍 Data Controller Information
As the data controller, we determine the purposes and means of processing your personal information.
Company Name: ZimCrowd Technologies (Pvt) Ltd
Physical Address: 123 Samora Machel Avenue, Harare, Zimbabwe
Email: privacy@zimcrowd.com
Phone: +263 710 467 317
Data Protection Officer: privacy@zimcrowd.com
User Agreement: By using our Platform, you acknowledge and agree to the terms of this Privacy Policy. If you do not agree, please do not use our services.
1. Information We Collect
We collect information to provide our services, manage risk, and comply with anti-money laundering (AML) and know-your-customer (KYC) regulations.
1.1 Information You Provide Directly
This data is provided when you register, apply for a loan, or use our services.
- Personal Identification: Full name, date of birth, gender, National ID number, passport number, and your photo for initial identity verification
- Contact Information: Primary email address, phone numbers (mobile/landline), physical residential address, and postal address
- Financial Information: Bank account details, income/employment verification, credit history/score, transaction history, and Tax ID (TIN)
- Verification Documents: Government ID, proof of address, payslips, bank statements, and tax certificates
- Profile Information: Username, password (hashed), profile picture, preferences, investment goals, and loan purpose
- Communication Data: Messages, support tickets, feedback, surveys, and call recordings (with consent)
1.2 Information Collected Automatically
When you interact with the Platform, we automatically collect data necessary for performance and security.
- Device Information: IP address, device type/OS, browser version, unique identifiers (IMEI, advertising ID), and mobile network info
- Usage Data: Pages visited, duration, links clicked, search queries, features used, and session data
- Location Data: Approximate location (IP) and precise GPS data (with permission) for verification
- Cookies: Cookie IDs, pixel tags, local storage, and aggregated analytics data
- Log Data: Access times, server error logs, referral URLs, and API requests
1.3 Information from Third Parties
We acquire data from trusted external sources to fulfill our legal obligations and manage risk.
- Credit Bureaus: TransUnion Zimbabwe, Zimbabwe Credit Reference Bureau (credit scores, history, payment behavior)
- Identity Verification: Onfido (UK), Jumio (USA), Trulioo (Canada) (identity confirmation, fraud checks, sanctions screening)
- Payment Processors: Stripe, PayPal, EcoCash, OneMoney (transaction status and details)
- Social Media: Profile info if you connect via Facebook or Google OAuth
- Public Sources: Publicly available government data for verification
1.4 Sensitive Personal Information
⚠️ Sensitive Data: We process sensitive personal information only with your explicit, separate consent where strictly necessary for our core services or legal compliance.
- Biometric Data: Used exclusively for facial recognition verification against ID
- Health Information: Only if necessary for specific insurance products
- Criminal Records: Only for fraud prevention and agent screening
Note: You have the unconditional right to refuse consent, though this may impact service availability.
2. How We Use Your Information
📋 Legal Basis for Processing
- Contract Performance: Necessary to provide requested services (loans, transactions)
- Legal Obligation: Compliance with laws (AML/CTF, tax reporting)
- Legitimate Interests: Fraud prevention, security, service improvement
- Consent: Marketing and optional features (revocable)
2.1 Service Provision
- Account management and profile maintenance
- Loan processing from application to disbursement
- Credit scoring (ZimScore) calculation
- Lender-borrower matching based on risk/preferences
- Payment processing (deposits, withdrawals, repayments)
- Kairo AI financial coaching
- Customer support and troubleshooting
2.2 Security & Fraud Prevention
- KYC verification of identity and legitimacy
- Fraud detection and blocking suspicious patterns
- Risk assessment of borrower/lender profiles
- AML/CTF screening against sanctions lists
- Security monitoring and logging
2.3 Legal & Regulatory Compliance
- RBZ reporting compliance
- FIU suspicious activity reporting (SARs)
- ZIMRA tax reporting (income, interest, fees)
- Responding to valid legal requests
- Record keeping (7 years minimum)
2.4 Communication
- Transactional emails/SMS (approvals, reminders, alerts)
- Support ticket responses
- Service announcements and updates
2.5 Platform Improvement
- Usage analytics for feature optimization
- Performance monitoring (app/website stability)
- Feature development based on feedback
- Personalization of interface and content
2.6 Marketing (With Consent)
- Promotional content (emails, SMS, push) about opportunities
- Personalized advertisements based on profile
3. How We Share Your Information
🚫 We Do Not Sell Your Data: We adhere to a strict policy: We DO NOT sell your personal data to third parties. Data is only shared under necessity and strict contractual agreements.
3.1 With Other Platform Users
To Lenders, we share: anonymized borrower profile, loan purpose, amount, ZimScore, employment/income range, and repayment history.
Identity Disclosure: Full legal identity is only shared with the funder (lender) AFTER loan funding/disbursement for legal recourse.
3.2 With Service Providers
We use specialized, secure third parties subject to strict data processing agreements:
- Payment Processing: Stripe (USA), PayPal (USA), EcoCash (Zim), OneMoney (Zim)
- Cloud Hosting: AWS (USA), Vercel (USA), Supabase (USA)
- Identity Verification: Onfido (UK), Jumio (USA), Trulioo (Canada)
- Credit Bureaus: TransUnion Zimbabwe, Zimbabwe Credit Reference Bureau
- Communications: SendGrid (USA), Twilio (USA), Firebase (USA)
- Analytics: Google Analytics (USA), Mixpanel (USA), Sentry (USA)
- Customer Support: Intercom (USA), Zendesk (USA)
3.3 With Regulatory Authorities
- RBZ: Regulatory/compliance reporting
- FIU: AML/CTF reporting
- ZIMRA: Tax reporting
- Law Enforcement: Verified legal requests
3.4 For Legal Reasons
- Comply with laws/orders
- Enforce Terms of Service
- Protect rights/property/safety
- Investigate fraud
3.5 Business Transfers
In the event of a merger or acquisition, your data may be transferred, with notification via email or platform notice.
4. Data Security
4.1 Technical Measures
- Encryption: 256-bit SSL/TLS (in transit) and AES-256 (at rest)
- Infrastructure: Enterprise cloud hosting, firewalls, intrusion detection
- Access Controls: MFA and strict Role-Based Access Control (RBAC)
4.2 Organizational Measures
- Training: Mandatory privacy/security training for staff
- Confidentiality: Need-to-know access, NDAs for all staff
- Auditing: Regular security audits and compliance reviews
- Incident Response: Tested plan for swift mitigation
4.3 Data Breach Notification
⚠️ Data Breach Protocol: In the event of a breach:
- We notify affected users within 72 hours
- We report to regulatory authorities
- We provide details and protective guidance
5. Your Privacy Rights
5.1 Right to Access
Request a copy of your data and processing details (accessible via dashboard).
5.2 Right to Rectification
Request correction of inaccurate data (update via account settings).
5.3 Right to Erasure ("Right to be Forgotten")
Request deletion of your data. Note: Transaction/KYC records are retained for 7 years for legal compliance.
5.4 Right to Restriction
Request a temporary limit on processing (e.g., during accuracy challenges).
5.5 Right to Data Portability
Receive your data in a structured format (JSON/CSV) for transfer.
5.6 Right to Object
Object to processing based on legitimate interests, or opt out of marketing.
5.7 Right to Withdraw Consent
Withdraw consent at any time (this does not affect prior lawful processing).
5.8 How to Exercise Rights
Contact: privacy@zimcrowd.com | +263 710 467 317 | Dashboard Settings > Privacy
Process: We require ID verification. Response time: 30 days.
5.9 Right to Complain
Lodge a complaint with the Zimbabwe Data Protection Authority (info@dataprotection.gov.zw). Contact our DPO first.
6. Cookies and Tracking Technologies
6.1 Types of Cookies
- Essential: Required for session, auth, security (cannot disable)
- Functional: Preferences (language, currency)
- Analytics: Usage tracking
- Marketing: Targeted ads
| Type | Cookie | Provider | Duration |
| --- | --- | --- | --- |
| Analytics | _ga | Google Analytics | 2 years |
| Analytics | _gid | Google Analytics | 24 hours |
| Analytics | _gat | Google Analytics | 1 minute |
| Analytics | mp_* | Mixpanel | 1 year |
| Marketing | _fbp | Facebook | 3 months |
| Marketing | fr | Facebook | 3 months |
| Marketing | _gcl_* | Google Ads | 90 days |
6.2 Managing Cookies
- Consent Banner: Accept/manage on first visit
- Browser Settings: Refuse cookies entirely
- Opt-out Tools: Google Analytics Opt-Out
Note: Disabling essential cookies impacts functionality. See Cookie Policy.
7. International Data Transfers
As a global platform, we transfer data internationally to trusted partners.
7.1 Countries
- USA: Cloud hosting (AWS), payments (Stripe/PayPal), analytics (Google)
- EU: Regulatory compliance partners
- UK/Canada: Identity verification (Onfido, Trulioo)
7.2 Safeguards
We protect transfers via:
- Standard Contractual Clauses (SCCs): EU-approved data protection agreements
- Certifications: Partners must have ISO 27001/SOC 2
- Encryption: Full encryption during transit
By using the Platform, you consent to these necessary international transfers.
8. Data Retention
We retain data only as long as necessary for service provision and legal compliance.
8.1 Retention Periods
| Data Type | Period | Reason |
| --- | --- | --- |
| Active Accounts | Duration of service | Service provision |
| Transactions | 7 years | RBZ/ZIMRA compliance |
| KYC Docs | 7 years after close | AML/CTF compliance |
| Communications | 3 years | Support/Disputes |
| Marketing | Until opt-out | Consent |
| Closed Accounts | 90 days | Grace period |
8.2 Deletion
After the retention period, data is securely deleted or anonymized. Backups are deleted within 90 days.
9. Children's Privacy
Our Platform is strictly for users aged 18 and older.
9.1 Age Requirement
We verify age via government ID during KYC. Minors are not permitted to use the service.
9.2 If Child Data Discovered
If we discover data from a minor, we will:
- Delete data within 48 hours
- Terminate the account immediately
- Notify parents/guardians if possible
9.3 Parental Rights
Parents can report concerns to privacy@zimcrowd.com (Subject: "Child Privacy").
10. Automated Decision-Making
We use automated processing for efficient lending decisions.
10.1 ZimScore Credit Scoring
ZimScore: Our automated credit scoring algorithm.
- Factors: Payment history, income, debt ratio, Platform behavior
- Impact: Determines loan approval, interest rates, and limits
10.2 Fraud Detection
Automated monitoring may flag/block suspicious transactions to prevent fraud.
10.3 Your Rights
You have the right to request human review of automated decisions, challenge the decision, and obtain an explanation of the logic.
11. Marketing Communications
11.1 Types
With consent: Investment newsletters, SMS promotions, push notifications, and personalized offers.
11.2 Opting Out
You can opt out at any time via:
- "Unsubscribe" link in emails
- Replying "STOP" to SMS
- Account Settings dashboard
- Emailing privacy@zimcrowd.com
Note: Transactional service emails (security, payments) cannot be opted out of.
12. Third-Party Links
External Sites: Our Platform contains links to third-party websites (partners, social media). This Privacy Policy DOES NOT apply to them. We are not responsible for their content or practices. Please review their policies.
13. California Privacy Rights (CCPA)
For California residents:
- Right to Know: Request specific data collected and usage details
- Right to Delete: Request deletion (subject to transaction exceptions)
- Right to Opt-Out: We DO NOT sell data, so there is no need to opt out of sales
- Non-Discrimination: No service penalty for exercising rights
Exercise: Email privacy@zimcrowd.com with subject "CCPA Request". Response: 45 days.
14. European Privacy Rights (GDPR)
For EU/EEA residents:
- Rights: Access, Rectification, Erasure, Restriction, Portability, Objection (see Section 5)
- Complaint: Right to lodge complaint with supervisory authority
- Transfers: Protected by Standard Contractual Clauses (SCCs)
Supervisory Authority: Contact your local DPA or the European Data Protection Board.
15. Changes to This Policy
We update this policy to reflect legal/operational changes.
- Notification: Email and Dashboard alert for material changes
- Notice Period: 30 days for significant changes
- Acceptance: Continued use implies agreement
16. Contact Us
Data Protection Officer
- Email: privacy@zimcrowd.com
- Phone: +263 710 467 317
- Address: 123 Samora Machel Avenue, Harare, Zimbabwe
Timelines: General inquiries (5 days), Rights requests (30 days).
Other Contacts