App Privacy Notice

a picture of a lock

App Privacy Notice

Effective Date: 1 July 2022

1. SCOPE OF THIS PRIVACY NOTICE

1.1 This Privacy Notice applies to your use of:

  • a) The Tala mobile application software (“App”) available on our site or hosted on the Google Play Store (“App Site”), once you have downloaded or streamed a copy of the App onto your mobile telephone or handheld device (“Device”); and 
  • b) any of the services accessible through the App which are available on the App Site or any of our other sites (“Services Sites”).

1.2 InVenture Capital Corporation, a US corporation, is affiliated with different legal entities. When we mention TALA in this document, we are referring to the relevant Kenyan subsidiary company, InVenture Mobile Limited, which is the data controller responsible for processing your data and which will be clear to you when you use our App. 

1.3 If you have any questions about this Privacy Notice, please contact us via email at hellokenya@talamobile.com. 

1.4 Our Privacy Policy also applies to your use of the App and explains what personal data we collect, with whom we share it, how we may use your data and how you (the user of the Service) can prevent us from sharing certain information with certain parties. 

1.5 This Privacy Notice informs you as to how we look after your personal data when you download our App, use our products or services and tells you about your privacy rights and how the law protects you. Please read our Privacy Policy and this Privacy Notice carefully to understand our views and practices regarding your personal data and how we will treat it in accordance with the Data Protection Act, 2019.  

1.6 By accepting the terms of this Privacy Notice and our Privacy Policy, you accept and consent to the practices described in this Privacy Notice and our Privacy Policy. This Privacy Notice shall always prevail over the Privacy Policy in relation to how we use your information for the App. 

1.7 The Tala App is not intended for children, and we do not knowingly collect data relating to children. 

2. DEFINITIONS

Terms used in this Privacy Notice shall have the following meanings, and reference to the singular includes the plural (and vice versa).

2.1 “Authorities” includes any judicial, administrative, government, public or regulatory body, securities or futures exchange, court, central bank or law enforcement body, or any of their agents with jurisdiction over Tala.

2.2 “Child” means an individual who has not attained the age of eighteen (18) years.

2.3 “Comply with a legal obligation” means processing your Personal Data where it is necessary for compliance with a legal obligation that we are subject to, such as (a) Laws or international guidance and internal policies or procedures, (b) any demand from Authorities or reporting, disclosure or other obligations under Laws, and (c) Laws requiring us to verify the identity of our customers.

2.4 “Consent” means processing your Customer Information  where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us via hellokenya@talamobile.com.

2.5 “Customer” or “User” means any individual within the Republic of Kenya to which Tala provides its products or services.

2.6 “Customer Information” means your Personal Data, Sensitive Personal Data, and/or Relevant Information including relevant information about you, your transactions, your use of our products and services, and your relationships with Tala.

2.7 “Laws” include any local or foreign law, regulation, judgment or court order, voluntary code, sanctions regime, an agreement between any member of Tala and an Authority, or agreement or treaty between Authorities and applicable to Tala.

2.8 “Legitimate Interest” means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). 

2.9 “Performance of Contract” means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

2.10 “Personal Data” or “Personal Information” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

2.11 “Relevant Information” means information that Tala requires for purposes of providing the Services, including, but not limited to, data relating to your phone (including, without limitation, your phone’s history) from your Equipment (meaning your mobile phone handset, SIM Card and/or other equipment which when used together enables you to access the Network), from any SMS (meaning a short message service consisting of a text message transmitted from your mobile phone to another)sent to you by the Mobile Money Providers (meaning a mobile network operator registered with the Communications Authority of Kenya) and any financial services providers relating to your use of the Mobile Money Service (meaning the money transfer and payments service provided by the Mobile Money Providers through the Mobile Money System) and such other information as  may be described in Section 3.1 below;

2.12 “Sensitive Personal Information” refers to Personal Data about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; health status, education, biometric data, genetic data, sex or the sexual orientation of a person, property details, family details including names of the person’s children, parents, spouse or spouses; any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and specifically established by an executive order or other legislative act to be kept classified.

2.13 “Services” refers to the products and features provided through the App or the App Site, including the maintenance of the App, once you have downloaded or streamed a copy of the App onto your Device.

2.14 “We”, “Our” and “Us” refer to Tala.

3. THE DATA WE COLLECT ABOUT YOU

3.1 We may collect, use, process, store and transfer different kinds of Personal Data and Relevant Information about you including but not limited to: 

  • 3.1.1. Identity Data: first name, last name, maiden name, photograph, username or similar identifier, marital status, title, date of birth, gender, identity document type, number, and age.
  • 3.1.2. Contact Data: billing address, delivery address, email address, and telephone numbers.
  • 3.1.3. Financial Data: bank account, payment card details and codes or other banking information.
  • 3.1.4. Transaction Data: includes details about payments to and from you and details of in-App transactions.
  • 3.1.5. Device Data: includes the type of mobile device you use, device specifications (such as screen size, resolution, or CPU capacity) a unique device identifier (for example, your Device’s IMEI number, IP address, Google Play Services ADID, the MAC address of the Device’s wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system.
  • 3.1.6. Content Data: includes information stored on your Device, such as contact lists, call and SMS logs, photos, list of installed applications, or other digital content and check-ins.
  • 3.1.7. Network Data: includes information about Tala users in your network, such as volume, repayment behavior, and demographics.
  • 3.1.8. Profile Data: includes your username and password, in-App transaction history, your interests, preferences, feedback and survey responses, name, family details, age, profiling information such as level of education, bank account status, income brackets, credit information etc. collected as part of surveys conducted by Tala and our agents on behalf of Tala.
  • 3.1.9. Usage Data: includes details of your use of any of our Apps or your visits to any of our Sites including, but not limited to, traffic data and other communication data, whether this is required for our own billing purposes or otherwise and the resources that you access.
  • 3.1.10. Account Servicing Data: includes records of messages received from you, your account, or your device, including customer service tickets filed through the App or via email, call logs and call recordings, and records of other interactions between you or your representatives and Tala or its agents.
  • 3.1.11. Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences, as well as data provided by you in relation to special offers and promotional activities conducted by Tala.
  • 3.1.12. Location Data: includes your current location disclosed by GPS technology.
  • 3.1.13. Third Party Data: includes information obtained from credit reference agencies or bureaus, external collection agencies, identity verification and sanctions screening service providers, mobile network providers and marketing partners. 

3.2 We also may collect other information about you, your device and your use of the App in ways that we describe to you at the time of collection or otherwise with your consent. 

3.3 The collection of your data by us includes but is not limited to the following sources:

  • 3.3.1. Information you give us. This is information  you consent to giving us about you by opting in in the App, filling in forms in the App, or by corresponding with us (for example, by email or chat). It includes information you provide when you register to use the App Site, download or register an App, subscribe to any of our Services, sharing data via an App’s social media functions, entering a competition, promotion or survey, search for an App or Service and when you report a problem with an App, our Services, or any of our Sites. If you contact us, we will keep a record of that correspondence.
  • 3.3.2. Information we collect about you and your device. Each time you use our App we will automatically collect personal data including Device, Content, Identity and Usage Data. We collect this data using cookies and other similar technologies.
  • 3.3.3. Device-linked Location Data. We also use GPS technology to determine your current location. Some of our location-enabled Services require your personal data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You can withdraw your consent at any time by disabling Location Data in your settings.
  • 3.3.4. Information we receive from other sources including third parties and publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
  • 3.3.4.1. Contact, Financial, Profile and Transaction Data from third parties which include but are not limited to providers of technical, payment, delivery and general financial services such as credit reference agencies, identity verification and sanctions screening service providers, mobile network providers, and collection agencies.
  • 3.3.4.2. Identity and Contact Data from publicly available sources such as news reports and reported cases.
  • 3.3.4.3. Marketing partners and analytics providers: they may use mobile tracking technologies and/or website cookies to distinguish you from other users of the App, App Site or Service Site
  • 3.3.4.4. Other Relevant Information supplied by third parties through the contact information that you have provided to us.

3.4 The App may access the following device permissions, depending on your Equipment’s operating system and the version of the App that you have downloaded. Keep your Tala App updated to make sure you can experience the latest and most secure features.    

  • 3.4.1. Camera: We may request you to upload photos as part of our identity verification process. We may also request you to upload copies of documents as proof of income.
  • 3.4.2. Contacts: We will retrieve information about your contact lists (such as contact names and numbers, contact frequency, and date of last contact). We use this information in our credit and underwriting models to determine whether you are eligible for our Services. We use automated processing to understand your network relationships, and this also helps our fraud models verify your identity. We will never reach out to any of your contacts or provide any of your information to your contacts unless you separately and expressly direct us to do so.
  • 3.4.3. Accounts on your device: We check the list of user accounts created on your device and the email address used to create each account. This helps our fraud models verify your identity. We also use this information in its credit and underwriting models to determine whether you are eligible for our Services.
  • 3.4.4. Location: This helps our fraud models verify your identity. We also use this information in our credit and underwriting models to determine whether you are eligible for our Services. We also use location data for research purposes.
  • 3.4.5. Phone status and identity: When you sign up for a Tala account, we will retrieve your phone number from your device automatically. This ensures that the mobile number is active and accurate, and that it is linked to the device you are using to open the account.
  • 3.4.6. Text messages: We will retrieve information about the SMS stored in your device (such as message ID, direction, timestamp, phone number, and keywords). We use this information in its credit and underwriting models to determine whether you are eligible for our services. We use automated processing to understand your financial activity, and this also helps our fraud models verify your identity. We will never share the contents of your text messages.
  • 3.4.7. Receive text messages: This is used to automatically confirm the one-time password (OTP) sent to the user via SMS.
  • 3.4.8. Read, modify, or delete the contents of your SD card: We may request you to upload photos of your identification document. We may also request you to upload photos of documents as proof of income.
  • 3.4.9. Run foreground service: This permission is needed by the App to upload photos.
  • 3.4.10. Run at startup: This allows the App to send notifications to your device upon restart of your device.
  • 3.4.11. View and change network connectivity: This is used to notify the Tala App when network connectivity changes so that we can determine whether you are connected to the internet or not.
  • 3.4.12. View Wi-Fi connections: We use the IP address and network type of your device to detect and prevent fraud.
  • 3.4.13. Receive data from the internet. We need this permission in order to send requests through the App and to allow the App to access the internet.
  • 3.4.14. Prevent phone from sleeping: This permission is required by some of the features and services within the App, such as in-app messaging.
  • 3.4.15. Retrieve running apps: We will retrieve a list of apps installed on your device. We use this information in our credit and underwriting models to determine whether you are eligible for our Services.

3.5 We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific App feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this privacy notice.

4. HOW WE USE YOUR PERSONAL DATA

4.1. We will only use your Personal Data when we are legally permitted to do so. Most commonly we will use your Personal Data in the following circumstances: 

  • 4.1. 1. Where you have given your consent before the processing of the data.
  • 4.1. 2. Where we need to perform a contract we are about to enter or have entered with you.
  • 4.1. 3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • 4.1. 4. Where we need to comply with a legal or regulatory obligation. 

4.2 We will only send you direct marketing communications by push notification, email or text if we have your consent. You have the right to withdraw that consent at any time by contacting us via email at hellokenya@talamobile.com

5. PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

Purpose/activity

Type of data

Lawful basis for processing

  1. To install the App and register you as a new App user

Identity

Contact

Financial

Device

Your consent

  1. To determine your eligibility for our Services through the use of automated processing
  2. To process in-App transactions and deliver Services including disbursing loans and collecting payments for your use of the Service
  3. To build credit models and performing credit scoring
  4. To verify your identity with the Mobile Money Providers in relation to your Mobile Money Account pursuant to the agreement between you and the relevant Mobile Money Provider for the provision of its products and services and the Mobile Money Service
  5. To verify your identity with identity verification service providers
  6. To obtain and procure your Personal Data from the Credit Bureaus and/or any other reliable sources
  7. To supply your consumer credit information to the Credit Bureaus, which may include opening and termination of an Account by you

Identity

Contact

Financial

Transaction

Device

Account Servicing

Marketing and Communications

Location

Third Party

Performance of a contract with you

Necessary for our legitimate interests (to recover debts due to us)

  1. To manage our relationship with you including notifying you of changes to the App or any Services
  2. To analyze customer behavior
  3. To contact you by telephone using auto-dialed or pre-recorded message calls or text (SMS) messages

Identity

Contact

Financial

Profile

Account Servicing

Marketing and Communications

Your consent

Performance of a contract with you

Necessary for our legitimate interests (to keep records updated and to analyze how customers use our products/ Services)

Necessary to comply with legal obligations (to inform you of any changes to our terms and conditions)

To enable you to participate in a prize draw, competition or complete a survey

Identity

Contact

Device

Profile

Marketing and Communications

Your consent

Performance of a contract with you

Necessary for our legitimate interests (to analyze how customers use our products/Services and to develop them and grow our business)

To administer and protect our business and this App including troubleshooting, data analysis and system testing

Identity

Contact

Device

Account Servicing

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security)

Performance of a contract with you

  1. To deliver content and advertisements to you
  2. To make recommendations to you about goods or services which may interest you
  3. To send you marketing notices, service updates, and promotional offers
  4. To measure and analyse the effectiveness of the advertising we serve you
  5. To monitor trends so we can improve the App

Identity

Contact

Device

Content

Profile

Usage

Marketing and Communications

Location

Consent

Necessary for our legitimate interests (to develop our products/Services and grow our business)

  1. To comply with applicable laws, regulations, and rules, such as those relating to “know-your-customer”, sanctions screening, and anti-money laundering requirements
  2. To detect and prevent fraud and other illegal uses of the Service
  3. To exchange information with any local or international law enforcement or competent regulatory or governmental agencies to assist in the prevention, detection, investigation or prosecution of criminal activities or fraud

Identity

Contact

Device

Content

Profile

Usage

Marketing and Communications

Location

Financial

Necessary to comply with legal obligations

Necessary for our legitimate interests (for running our business)

  1. To allow our partners to fulfill their obligations to you
  2. To fulfill our obligations to our partners
  3. To exchange relevant information with Tala’s service providers, dealers, agents or any other company that may be or become Tala’s subsidiary or holding company for reasonable commercial purposes relating to the Services

Identity

Contact

Device

Content

Profile

Usage

Account Servicing

Marketing and Communications

Location

Financial

Your consent

Performance of a contract with you

Necessary for our legitimate interests (for running our business)

Necessary to comply with legal obligations

6. DISCLOSURES OF YOUR PERSONAL DATA

When you consent to providing us with your Personal Data, we will also ask you for your consent to share your Personal Data with the third parties set out below for the purposes set out in the table above. 

6.1 Internal Third Parties being other companies in the InVenture Capital Corporation Group acting as joint controllers or processors and who are based in locations outside of Kenya and provide IT and system administration services and undertake leadership reporting.

6.2 External Third Parties such as Service providers acting as processors who include:

  • 6.2.1. Mobile Money Providers whom we use for verification in relation to your Mobile Money account pursuant to the agreement between you and the relevant Mobile Money Provider for the provision of its products and services and the Mobile Money Service;
  • 6.2.2. Credit Bureaus and/or any other reliable sources from whom we obtain and procure your Personal Data from (which may relate to your credit history) and also supply your consumer credit information which may include opening and termination of an Account by you and information on non-compliance with the Terms and Conditions of this Agreement;
  • 6.2.3. Any local or international law enforcement or competent regulatory or governmental agencies information exchange in connection with a formal request so as to assist in the prevention, detection, investigation or prosecution of criminal activities or fraud;
  • 6.2.4. Tala’s service providers, external collection agencies, dealers, agents or any other company that may be or become Tala’s subsidiary or holding company for reasonable commercial purposes relating to the Services with whom only relevant information will be exchanged;
  • 6.2.5. Tala’s professional advisors and consultants including lawyers and auditors or to any court or arbitration tribunal in connection with any legal or audit proceedings;

6.3 Third parties to whom we may choose to sell, assign, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Privacy Notice.

6.4 In business practices including but not limited to quality control, training and ensuring effective systems operation.

6.5 Any other person that we deem legitimately necessary to share the data with.

7. INTERNATIONAL TRANSFERS

7.1 Your Personal Data collected by Tala may be stored and processed outside Kenya in a location which Tala or its agents maintain facilities. 

7.2 Whenever we transfer your personal data out of Kenya, we ensure a similar degree of protection is afforded to it by ensuring adequate safeguards are implemented. We ensure your personal data is protected by requiring all our group companies and agents to follow the same rules when processing your personal data. 

8. AUTOMATED PROCESSING

We use automated processing to determine your eligibility for our Services based on the Personal Data and Relevant Information that we collect. Our fraud prevention and credit models utilize data science and machine-learning technology with little to no human intervention and are regularly tested to ensure they remain fair, accurate, and unbiased. You may object to the automated processing of your Personal Data, but doing so will prevent us from providing you with our Services. If you wish to request a reconsideration of an automated decision, you may contact us via email at hellokenya@talamobile.com. Please note that human intervention does not guarantee that the automated decision will be overturned. 

9. DATA SECURITY

9.1 All information you provide to us is stored on our secure servers. Any payment transactions carried out by us or our chosen third-party provider of payment processing services will be secured. Where we have given you (or where you have chosen) a password that enables you to access certain parts of Our App, you are responsible for keeping this password confidential. We ask you not to share this password with anyone.

9.2 Once we have received your information, we will use strict procedures and security features to try to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way. 

9.3 We will collect and store your Personal Data on your Device using application data caches and browser web storage (including HTML5) and other technology.

9.4 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

10. DATA RETENTION

10.1 To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, the need to comply with our internal policy and the applicable legal, regulatory, tax, accounting or other requirements. 

10.2 In adherence to the law, we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for certain periods after they cease being customers.

10.3 Details of retention periods for different aspects of your personal data are available in our retention policy which you can request by contacting us.

10.4 In some circumstances you can ask us to delete your data: see Your Data Subject Rights below for further information.

10.5 In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

11. YOUR DATA SUBJECT RIGHTS

11.1. Under certain circumstances you have the following rights under data protection laws in relation to your personal data. 

You have the right to:

  • 11.1.1. Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • 11.1.2. Request correction or rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • 11.1.3. Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • 11.1.4. Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • 11.1.5. Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  • 11.1.6. if you want us to establish the data’s accuracy;
  • 11.1.7. where our use of the data is unlawful but you do not want us to erase it;
  • 11.1.8. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  • 11.1.9. you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • 11.1.10. Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • 11.1.11. Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

11.2 You also have the right to ask us not to continue to process your personal data for marketing purposes. 

11.3 You can exercise any of these rights at any time by contacting us via email at hellokenya@talamobile.com.

12. CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES

12.1 We keep this Privacy Notice under regular review. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you when you next start the App or log onto one of the Services Sites. The new notice may be displayed on-screen and you may be required to read and accept the changes to continue your use of the App or the Services.

12.2 It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you. 

13. THIRD PARTY LINKS

Our Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact and Location Data. Please check these policies before you submit any personal data to these websites or use these services.31