Tanzania Privacy Notice

Read this Privacy Notice if you want to know how Unlimint TZ Ltd (“Unlimit” or “we” or “us” or “Company”) gathers, processes, and stores your personal data.

This Notice’s purpose is to tell you which personal data we process, how, why, and for how long we process your personal data.  It is important to Unlimit that you know your rights regarding your personal data and how to reach us.

To completely understand Unlimit and our service offering, please read this Notice with the relevant terms and conditions and Cookie Policy on our Website.

Who is Unlimit?

Unlimit and its group companies or businesses are part of a global payments and technology organisation holding various licenses and authorizations as each business is obliged to under the laws and regulations it operates in.

We provide our merchants with payment services and the platforms and applications (“platforms”) through which credit card payments services and other alternative payment methods are offered (“payment services”).

When you use our payment services through a merchant of Unlimit, the merchant is the data controller.  We suggest that you check your merchant’s privacy notice or statement if you want to know more about how your personal data is processed and shared by the merchant.

This may change depending on your chosen services and products or when they become available in Unlimit.

When you visit our Website, or you are an employee of Unlimit, Unlimit is the controller of your personal data.  Warning: Our Website may contain links to or come from websites or applications with their privacy notices or policies, which Unlimit does not control. These websites will have different privacy notices or statements, and we do not control these websites.  Unlimit does not accept any responsibility or liability for such websites.

In this Notice, the following terms are defined as below:

  • personal data” refers to information that identifies you or may identify you (depending on who you are, i.e., a merchant, cardholder, supplier or business partner and how you interact with us, we may process different types of personal data).
  • processing” of personal data refers to collecting, gathering, handling, storing, transmitting and combining personal data.
  • A “processor” is a company that provides its services to Unlimit and processes personal data on our behalf.
  • A “data subject” is a person that can be identified or identifiable from the personal data processed by a controller or processor; A “payer” is an individual that uses our payment services to complete the purchase of goods or services with the merchant.
  • A “data controller” is company which alone or jointly with others determines the purpose and means of processing of personal data; A “merchant” is a company or online service/goods provider that uses our services to enable payments so that you can pay for goods, services or both.

What this Notice tells you

This Notice contains a description of:

1. What types of personal data do we process

2. How do we collect and use personal data

3. What are the lawful purposes that we rely on to process your personal data

4. Automated decision making

5. Who do we share your personal data with

6. Data Transfers outside Tanzania

7. Website and Automatic collection – Cookies, IP addresses and other Tracking

8. How we keep your personal data secure

9. Your rights and how to raise a complaint

10. How long we keep your personal data

11. How to contact us

12. Your responsibilities

13. Changes to our Privacy Notice

What types of personal data do we process?

Various types of personal data are processed in the context of the relationship between you and Unlimit, depending on the service and product you are using. These may include:

Your personal data Name, previous names, data and place of birth, language, if you hold prominent public functions (PEPs), residence permit.
Your personal contact details Work address, home address, email address, telephone number, and other contact details.
Your identity information Passport, National ID card, Nationality, Utility bill, tax residence and tax ID.
Relevant financial information Personal bank details, professional status, employment field, employer details (including, for example, information such as certificates of directors).
Specific authentication personal data A signature or your user login to access our service dashboards.
Communications Personal data that you may provide by filling in forms or by communicating with us (e.g. directed to us in letters, emails, via our electronic channels).
Transactional and other/documents information Personal Data arising for the execution of payment transactions (including data such as date, time, amount, currencies, beneficiary details, location information and merchant details), supplementary/supporting documentary evidence related to transactions, and further information arising from contractual obligations between Unlimit and merchants.
Location and technical information Location data (for example, at the time of login or a transaction); IP addresses and device information, visitor’s information and similar information subject to our Cookie Policy.
Publicly available Personal Data Details about you from public records and available in publicly accessible databases.
Investigations data/results of due diligence and enhanced due diligence Personal data regarding criminal convictions and offences (special category of data), as part of its compliance measures with regulatory obligations, as well as other supporting documents and personal data related to the categories above.
CCTV Closed circuit television (CCTV) at our offices (which may collect videos of you).
Consents Personal Data that you agree to give us by your active consent when you use our services or visit our Website.

Please note that this is a non-exhaustive list and personal data collected is strictly dependent on our relationship with you.

How do we collect and use your personal data?

1. When you submit your personal data directly to us

This can happen in different ways:

  • When you are acting as a representative of the merchant (e.g., a director or an applicant for services with us) and you agree to give to the merchant your personal data who, in turn, has a contract with us so we can provide our services to them. E.g., during the course of our business relationship with a merchant, the merchant is required to complete our application process and undergo Unlimit’s verification and compliance check which can include Personal Data.
  • When you request to receive communications from us, via email (such as a newsletter) or you complete a business enquiry form available on our Website, or any other means of communication specific to a service we provide.    You have the right to opt out of such collection at any time at your discretion.  If you want to opt-out please go to our Website.

2. Personal Data we collect when you use our services

This personal data may include the following:

  • Payment and Transactions data such as transaction details and a payment reference identifier and personal data in the context of transaction processing (such as payment instrument and transaction details, identification details, contact details, such as email, telephone, name on card, date of birth), to complete the transaction initiated by you with the merchant.
  • Profile and usage data (such as data when you connect to internet banking, or SMS services (if applicable), and may include Personal Data on how you use the services. We may collect data from devices you use to connect to the services, such as computers and mobile phones, such as your IP address and use cookies (go to our Cookie Notice).
  • Personal data we lawfully obtain from third parties, such as service providers, fraud prevention aggregation agencies, public authorities, persons that refer you to us with your permission or where required by law, our Group companies, and companies that are a part of the payments system (such as Banks, Card Schemes, alternative payment providers like M-Pesa to complete a mobile money transfer).
  • Public Data such as databases and publicly accessible sources for licenced entities, such as Unlimit, due to the nature of Unlimits’ services (e.g., this includes Registrars of Companies, AML and sanction screening databases).

What are the lawful purposes that we rely on to process your personal data?

Depending on the specific purpose for which we process your personal data, we may rely on one of the following lawful purposes.

  • Conclusion and performance of a contract
  • Legal obligation or public interest
  • Legitimate interests

In addition to the reasons given above, we may process your personal data with your specific consent where applicable laws require it.

We set out below the specific lawful purposes for which we process personal data:

1. Perform our obligations under our contracts with our merchants or banks or both which may include the following activities:

  • To verify, authenticate and authorize your identity (e.g., for Know your customer and fraud prevention purposes)
  • To provide our payment services (e.g., conduct merchant acceptance procedures to enter into a contract with the merchants)
  • To complete payment transactions for our merchants
  • To execute merchant payment requests i.e. act upon instructions of the merchant
  • To perform our contractual obligations with our merchants or banks or both which may include processing of your personal data

2. Ensure we comply with the applicable law and regulations, directive which includes the following activities:

  • To perform anti-money laundering checks and evaluations
  • For crime prevention purposes and, when required, to cooperate with authorities
  • Enforce or defend the rights of Unlimit or Unlimit group/affiliates
  • Ensure physical and technical security and business continuity
  • For internal operational support and administrative purposes (e.g., product development, audit, risk management)
  • General administrative functions (e.g. maintenance of our internal records necessary for keeping up-to-date information in our systems, general record-keeping)

3. To communicate, establish and maintain our services relationship with you

  • To provide ongoing support and handle inquiries, complaints and similar issues
  • To provide information about our products, services or both when you request it
  • To ensure that our internal procedures and protective measures against fraud, risk and financial crime are followed and that you are kept informed of this
  • To obtain reports of an online problem (e.g., with our website or payment services)
  • To notify you of any quality management change, important product or service improvement, update or upgrade.

4. To market our product and services

  • To provide information about our products, services or both
  • To improve and customise the content of our advertisements, promotions, and advertising that you may be interested in
  • To gather statistics and analytics for internal purposes and improvement of services and Website

The provision of marketing activities is subject to the applicable laws of the country in which the marketing and communication activity occurs. This means that you can in Tanzania actively opt-in to receive such marketing communications. You are entitled to opt-out from receiving such marketing by clicking on the opt-out or unsubscribe link(s) provided in Unlimit marketing communications. 

Unlimit’s services are not intended or designed to attract minors. If we learn that we collected the personal data of a minor without first receiving verifiable parental consent, we will delete the information as soon as possible.

Automated decision-making

Automated decision-making means making decisions through automated means of processing personal data without human intervention. We do not generally use automated decision-making in establishing and carrying out a business relationship.

We process personal data for the purposes of protecting payers against fraud or unauthorized transactions and preventing and monitoring fraud as required under applicable law. We use systems to make automated suggestions or decisions based on information we have or collect from other authorized sources (such as banks and card schemes) for fraud prevention and anti-money laundering/ terrorist financing. This helps us ensure we can react quickly and efficiently, with an aim also to protect our Platform, our merchants and payers. If we determine a risk of fraud or unauthorised activity, we may stop activity on the account/block the payment instrument or refuse access to them.

Who do we share your personal data with?

1. Internally within Unlimit group companies and affiliates

Unlimit shares your personal data within Unlimit to carry out its operations as a global company. This means that Unlimit may share personal data with third parties from within the same group of companies to which Unlimit belongs. We may disclose your personal information to:

  • Provide and receive support services and technical services
  • Contribute to research, data analytics and studies to improve our products and services.

2. Externally

We do not share personal data with third parties unless this is necessary for our legitimate business needs to carry out requests, provide services or as required or permitted by law. Third parties under these circumstances include:

(i) Merchants

Unlimit share your personal data with merchants to process a payment transaction.  For example, when you buy products or services using Unlimit payment services, we may provide the merchant with your credit card billing address to help complete an individual’s payment transaction.

(ii) Service Providers

We will disclose personal data to third-party partners and service providers (processors), so they can process it on our behalf where required. These service providers must provide assurances in accordance with applicable data protection laws and associated requirements. (e.g., being bound contractually to data protection, privacy, security and confidentiality obligations). We will only share personal data as is strictly necessary for them to provide their services to us.

 (iii) Auditors, advisors and consultants

We may disclose personal data for purposes and in the context of audits (e.g., external card scheme audits, regulatory authority audits, security audits –  such as Quality Security Assessors for PCI DSS Level 1,  to legal and other compliance advisors who investigate security issues, risks, complaints.

This means that your personal data may be transferred and disclosed to the following type of businesses/entities, regulators and advisors:

  • Money laundering and fraud prevention aggregation or agencies for compliance and verification services and risk prevention services. This is required to verify your identity, ensure protection against fraud, and confirm eligibility for our services/products.
  • Banks (other credit and financial service institutions) and similar institutions. These enable us to provide our payment services and include correspondent banks such as intermediary banks.
  • Payment Card Systems (SWIFT, Visa, MasterCard). These enable us to provide our card processing services.
  • Companies assisting us with the provision of our services (e.g., technological services, solutions, support such as support/maintenance/development of IT applications, technology, website management, telephony/SMS services)
  • Customer support service providers and marketing service providers
  • Entities of Unlimit Group which are affiliated/related to us, acting as processors or controllers to provide services, streamlined services, ensure quality and effectiveness across the group
  • Administrative service providers
  • Auditing and accounting services and consultants
  • External legal advisors

Unlimit takes all reasonable measures to ensure that every third party involved in processing your personal data has the required organizational and technical protections, including the required data processing and transfer agreements where necessary. When required under applicable law, we may provide you with a list of our sub-processors or suppliers upon request by contacting us at [email protected].

(iv) Regulatory authorities, law enforcement, courts

We may disclose personal data to comply with applicable legislation and regulatory obligations, to respond to requests of regulatory authorities, government and law enforcement agencies, courts and court orders in the Republic of Tanzania, such as:

  • Central Banks
  • Financial Investigative authorities and the Police (subject to the receipt of a subpoena, court order or similar lawful request or procedure)
  • Tax Authorities
  • Other regulators, authorities and public bodies where applicable under Tanzanian legislation.

Other recipients may be any person/legal entity/organisation for which you ask your data to be transferred (e.g. reference etc.) or give your consent to transfer personal data.

Here are some additional scenarios in which we may also disclose your personal data:

  • If we are under a duty to disclose or share your personal data to comply with any legal or regulatory obligation or request;
  • To apply or enforce the Terms and Conditions or any other agreement in place in the context of our relationship and to investigate potential breaches;
  • To protect Unlimit’s rights, safety or property, or that of our customers or third parties/the public. This includes exchanging information with other companies and organisations for the purposes of money laundering, fraud prevention and equivalent risks;
  • If Unlimit or substantially all of its assets are acquired by a third party, in which case personal data held by it will be one of the transferred assets; or
  • If Unlimit or substantially all of its assets are acquired by a third party, in which case personal data held by it about its merchants will be one of the transferred assets

Data Transfers outside Tanzania

Your personal data may be processed locally in Tanzania, in the EEA, or in jurisdictions in which Unlimit operates subject to applicable law.

Your personal data may be transferred to countries where such countries are deemed adequate if the transfer is necessary and has a legal basis as described in this Notice, for example (i) when necessary to carry out and in the context of transactions (e.g., card transactions, payment orders to third countries, through a correspondent bank in the third country); or (ii) based on the instructions or consent of a data subject.

In the context of data processing undertaken by third parties on our behalf, your personal data may also be processed by staff operating outside of Tanzania when they are performing technical duties and support, duties related to the processing of your orders or provision of support services.

We aim to take all steps reasonably necessary to ensure that your personal data is treated securely in transit and at rest.

Website and Automatic collection – Cookies, IP addresses and other Tracking

Unlimit’s Website contains forms that website visitors may use. When website visitors send us information online via forms on the website, in the context of the provision of services, the information will be used for purposes and in ways set out in the Privacy Notice.

In some instances, Unlimit and other entities (such as service providers) may use cookies and other technologies to collect certain types of data automatically when you visit Unlimit websites and online platforms. The collection of this data enables Unlimit to improve the security, and usability of Unlimit’s websites and online resources and to measure the effectiveness of marketing activities. We may collect information about your computer or mobile device (including, for example type of operating system and browser) for system administration.

For detailed information on cookies and the purposes for which we use them, please refer to our Cookie Notice.

An IP address is a number assigned to your computer when you access the internet from your browser, which allows computers and servers to recognise and communicate with one another. IP addresses of website visitors may be recorded for IT security and diagnostic purposes. This information may also be used in aggregate form to conduct website trends and performance analysis. In the context of the provision of services, IP addresses may also be used for the purposes and in ways set out in with the Privacy Notice including fraud prevention.

How we keep your personal data secure?

Unlimit has established and regularly reviews its security internal policies and procedures for secure processing of personal data in order to protect personal data from unauthorised access, loss, misuse, alteration or destruction.

We ensure to the best of our abilities that access to personal data is limited to persons on a need-to-know basis, and that persons who have access are required to maintain its confidentiality. We utilise a series of technology and security solutions to protect personal data (such as storage of information you provide us on secure servers, perimeter security mechanisms, such as encryption etc.).

Transmission of information via the internet is not completely secure. We cannot guarantee the security of data transmitted to us via email, to our website or online resources; such transmissions are at your own risk.

Unlimit follows the payments industry standards regarding the protection of payment card information. Unlimit’s payment card infrastructure is regularly audited to maintain the highest level of security certification with the Payments Card information Security Standard Council (PCI) in respect of protecting card data.

Your Rights and how to raise a complaint

Depending on the applicable law, you may have rights as afforded under applicable data protection law – these rights are afforded to natural persons who are data subjects of personal data which we hold as a controller.

We ensure that you may exercise your rights under applicable privacy and data protection laws, which means that Unlimit endeavors to provide reasonable assistance in respect to requests from individuals regarding the processing of personal data. Please note that your rights are not absolute and may be subject to other applicable laws and regulations.

In terms of the Tanzania under the Personal Data Protection Act, 2023 and its corresponding laws, regulations and frameworks, you may exercise the following rights:

  •  Access your personal data (access rights): You have the right to ask us if we process personal information that relates to you and you may ask us to provide you with details of the personal information we process about you (as required under applicable laws);
  • Erase, block, destruct or rectify your personal data: You can ask us to have personal data we process about you fixed or blocked or destroyed, subject to the satisfaction of the PDPC (who must be copied in your request to us);
  • Withdraw your consent: You may withdraw consent to processing of your sensitive personal data that you have given us or when consent is the lawful basis for our processing;
  • Prevent processing of your personal data: You can require us to suspend or not begin the processing of personal data where such personal data processing is likely to cause substantial damage to you;
  • Prevent processing of personal data for direct marketing purposes: You can require us to require to stop processing your personal data for purposes of direct marketing
  • Automated decision making: You may require us to ensure that any decision taken by us or by our processors that significantly affects your rights shall not be based solely on the processing by automatic means.

Exercising your rights

Please contact our Data Protection Officer directly at contact details (mentioned in Section 13) to exercise your rights or if you have questions about the use of your personal data. We request you to submit your data subject requests in the format provided by the Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023 (“Regulations”) under Form No, 4, 5, 6 as may be applicable to your request. The format can be accessed here.

You may be subject to identity verification procedures and measures in order to ensure that no personal data is disclosed to unauthorized persons. We may also request additional clarifications (as may be required) to process your request within the timelines required as per applicable laws.

Complaints

If you have any complaints about the use of your personal data, please notify and/or file a complaint with the Unlimit data protection function directly using the contact details indicated below. We will investigate and inform you regarding your complaint.

If you believe that we have not been able to resolve your complaint, you may submit a complaint by following the guidelines set by PDPC which can be accessed here.

How long do we keep your personal data

Our obligations primarily determine our retention period under applicable legislation to retain data for a specific time. Destruction will only be possible after the lapse of this period.

We are obliged to keep Transaction data (including personal data) during the business relationship and for a minimum period of 10 years after business relationship termination, or after Customer application rejection/withdrawal, per AML legislation and other requirements applicable to our business.

The retention period may be extended in case of other lawful reasons justifying longer retention (such as for complaints handling, legal proceedings, investigations, regulatory, tax, money laundering and crime and fraud prevention purposes).

How to contact us

Data Protection Function
Unlimint TZ Ltd

Our corporate address is:

Region Dar Es Salaam, District Kinondoni, Ward Mwananyamala, Postal code 14108,

Street Victoria Area, Road Along New Bagamoyo Road , Plot/Block number 34/1.

Building Name: Tanhouse, Sixth Floor Office Number 2

Email: [email protected] 

Your Responsibilities

You are responsible for ensuring that the information provided to Unlimit by you/about you or on your behalf is accurate and up to date. You must inform us if anything changes as soon as possible.

If you provide information about another person, you must direct them to this Privacy Notice and ensure they agree to Unlimit using their information as described.

Changes to our Privacy Notice

We may revise or update our Privacy Notice from time to time. In such a case, we make the most recent version of the Privacy Notice available to you, informing you accordingly by displaying the updated version and relevant date of update.

You are advised to visit our Website frequently to consult our Privacy Notice in its most recent version.

Version 1.0_DP_Unlimint TZ Limited_ May 2024

2024-05 Unlimit Tanzania Privacy Notice

Region Products may vary
Language Select language
We’ve got all your details, thanks!
We’ve received your application form.

One of our sales team will be
in touch ASAP.

Close