Legal · Privacy

Privacy Policy

This Privacy Policy explains how OgiAfrica Company Limited collects, uses, shares and protects personal data when you use our websites, APIs, dashboard, and related services. It is written to meet the Tanzania Data Protection Act (Act No. 11 of 2022) and aligns with GDPR principles where operations touch users outside Tanzania.

Last updated15 April 2026
Effective1 May 2026
Governing lawUnited Republic of Tanzania

1. Who we are

OgiAfrica Company Limited ("Ōgi", "we", "us") is a company incorporated in the United Republic of Tanzania (company no. 191303946) with its registered office at Regent Business Park, Chwaku Street, Dar es Salaam. We are registered as a Data Controller under the Tanzania Personal Data Protection Commission.

For any privacy-related request, contact our Data Protection Officer at dpo@ogiafrica.com.

2. Scope of this policy

This policy applies to personal data we process as a data controller — for example when you visit ogiafrica.com, sign up for a sandbox key, apply for an account, or correspond with us.

When we process personal data on behalf of our business customers (for example, payers making a transaction through a merchant on our platform), we act as a data processor. That processing is governed by our Data Processing Agreement, not this Policy.

3. Personal data we collect

Data you give us

  • Identification & contact — name, email, phone, company, role.
  • KYB/KYC records — for account holders: business registration, beneficial ownership, director IDs, proof of address. Submitted during onboarding.
  • Payment instrument data — for payers transacting through our platform: MSISDN, partial PAN (masked), bank account reference.
  • Communications — support tickets, sales conversations, email threads.

Data we collect automatically

  • Technical — IP, device, browser, operating system, timestamps, referring URL.
  • Cookies & similar — see §7.
  • API telemetry — request/response metadata (not payloads in plain text) for debugging and abuse detection.

Data from third parties

  • Identity verification providers, sanctions and PEP screening lists, credit bureau data where consented, public registers.

4. Why we process it (legal bases)

  • Contract performance — to provide the services you requested (dashboard, APIs, settlements).
  • Legal obligation — AML/CFT, BoT reporting, tax, sanctions screening.
  • Legitimate interests — fraud prevention, service security, product improvement, marketing to existing customers (with opt-out).
  • Consent — optional marketing emails, non-essential cookies, identity-check reuse across products. Consent can be withdrawn at any time.

5. How we share personal data

We do not sell personal data. We share it only with:

  • Payment rails — mobile money operators, banks, card networks, TIPS — strictly as needed to route your transactions.
  • Regulators & law enforcement — Bank of Tanzania, Financial Intelligence Unit, Tanzania Revenue Authority, courts, when legally required.
  • Sub-processors — cloud hosting, email delivery, analytics, identity verification, under written DPAs. Current list at dpa.html#subprocessors.
  • Corporate events — in a merger, acquisition or restructuring, subject to equivalent protections.

6. International transfers

Ōgi's primary and disaster-recovery data centres are in Tanzania. Some sub-processors operate outside Tanzania. Where personal data crosses borders, we rely on (a) adequacy decisions where available, (b) Standard Contractual Clauses, or (c) explicit consent, with technical safeguards including end-to-end encryption and key residency controls.

7. Cookies & similar technologies

We use cookies to keep you signed in, remember preferences, measure usage, and prevent fraud. On your first visit we surface a cookie consent banner where you can accept, reject or customise non-essential cookies. Essential cookies (authentication, CSRF protection, load-balancing) are always on.

8. Retention

We retain personal data only as long as needed for the purpose collected, then delete or anonymise.

  • Transactional records — 10 years (BoT & AML requirement).
  • KYC/KYB records — 10 years after relationship ends.
  • Support & marketing — 3 years after last interaction, or until opt-out.
  • Security logs — 12 months, then aggregated.

9. Your rights

Subject to Tanzanian law and contractual obligations, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Request deletion ("right to be forgotten") where no legal retention applies.
  • Restrict or object to certain processing.
  • Data portability in a machine-readable format.
  • Withdraw consent at any time (without affecting prior processing).
  • Lodge a complaint with the Personal Data Protection Commission.

To exercise any right, email dpo@ogiafrica.com. We respond within 30 days.

10. Security

We implement technical and organisational safeguards including end-to-end TLS 1.3 in transit, AES-256 at rest, HSM-backed key management, role-based access with SSO and hardware 2FA, least-privilege provisioning with quarterly access reviews, and 24×7 SOC monitoring. Security controls are detailed at trust.html.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to account holders at least 30 days before they take effect. The "Last updated" date above reflects the most recent revision.

12. Contact

Data Protection Officer
OgiAfrica Company Limited
Regent Business Park, Chwaku Street, Dar es Salaam, Tanzania
Email: dpo@ogiafrica.com
Phone: +255 746 400 055

Questions about this document? Email legal@ogiafrica.com or contact our compliance team.