Privacy Policy
Last Updated: June 2026
ChamaPay ("we", "us", "our"), operated by Nelimax Technologies, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use our platform.
1. Information We Collect
Account Information: Name, phone number, email address, member ID, and access codes provided during Chama registration.
Financial Data: Contribution records, savings balances, loan applications, repayment history, fine records, share purchases, and withdrawal records.
Payment Data: M-Pesa transaction references, phone numbers used for STK push, and payment confirmations. We do not store M-Pesa PINs or full M-Pesa account details.
KYC Documents: National ID copies, passport photos, payslips, and other documents uploaded for loan applications or identity verification.
Attendance Records: Meeting attendance status (present/absent) as recorded by Chama Admins.
Usage Data: Device information, IP addresses, browser type, app version, login timestamps, pages visited, and feature usage patterns.
Communication Data: Messages sent through the Platform's contact-admin feature, notifications, and SMS delivery status.
2. How We Use Your Information
We use your data to: (a) provide and maintain the Platform's financial management services; (b) process M-Pesa contributions, payments, and withdrawals; (c) manage loan applications, approvals, and repayment tracking; (d) generate financial reports and statements for your Chama; (e) send transaction notifications, OTPs, and system alerts via SMS and email; (f) verify member identity and prevent fraud; (g) enforce Chama rules (fines, missed contributions); (h) improve Platform features and user experience; (j) comply with legal and regulatory requirements; (k) communicate service updates and changes.
3. Data Sharing & Third Parties
We share data only as follows:
Within Your Chama: Your financial records, contribution history, and member profile are visible to your Chama Admin and designated officials as configured by the Admin.
Safaricom (M-Pesa): Transaction data is shared with Safaricom solely to process STK push payments and verify transactions via the Daraja API.
SMS Providers: Phone numbers are shared with SMS delivery services solely to send OTPs and transaction notifications.
Legal Requirements: We may disclose data if required by law, court order, or regulatory authority.
We do not: sell your data to advertisers; share data between different Chamas; share data with unrelated third parties for marketing; or allow cross-tenant data access.
4. Data Security
We implement industry-standard security measures: (a) AES-256 encryption for stored sensitive data; (b) TLS/SSL encryption for all data in transit; (c) Bcrypt/Argon2 password hashing; (d) Session fingerprinting and token-based authentication; (e) Multi-tenant database isolation preventing cross-group data access; (f) Regular security audits and penetration testing; (g) Role-based access controls limiting data visibility; (h) Automatic session expiration and token revocation.
While we implement robust security, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify affected users within 72 hours of any confirmed breach.
5. Data Retention
We retain your data for as long as your Chama account is active. After account deletion or Chama dissolution: (a) Financial records are retained for 7 years as required by Kenyan tax and financial regulations; (b) KYC documents are deleted within 90 days; (c) Usage logs are anonymized after 12 months; (d) Member profiles are deleted within 30 days of Chama closure unless legal retention applies.
6. Your Rights
Under applicable data protection laws (including Kenya's Data Protection Act, 2019 and GDPR where applicable), you have the right to: (a) Access — request a copy of all personal data we hold about you; (b) Rectification — request correction of inaccurate data; (c) Deletion — request deletion of your personal data (subject to legal retention requirements); (d) Portability — request export of your data in a machine-readable format; (e) Restriction — request restriction of processing in certain circumstances; (f) Objection — object to processing based on legitimate interests; (g) Withdraw Consent — withdraw consent for data processing at any time.
To exercise these rights, contact our Data Protection Officer at privacy@chamapay.co.ke. We will respond within 30 days.
7. Cookies & Tracking
ChamaPay uses essential session cookies for authentication and security. We use Google Analytics for aggregate usage statistics. We do not use advertising cookies or cross-site tracking. Session cookies are HttpOnly and Secure, lasting until your session expires.
8. Children's Privacy
ChamaPay is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we discover a minor's data has been collected, it will be deleted immediately.
9. International Data Transfers
Your data is stored on servers located in Kenya. If you access ChamaPay from outside Kenya, you consent to your data being transferred to and processed in Kenya. We ensure appropriate safeguards are in place for international transfers where required.
10. Data Protection Officer
For privacy-related inquiries or complaints, contact our Data Protection Officer:
Email: privacy@chamapay.co.ke
Address: Nelimax Technologies, Nairobi, Kenya
Response Time: Within 30 days of receiving your request.
11. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Last Updated" date at the top reflects the most recent revision. Continued use after changes constitutes acceptance.
12. Contact Us
For any questions about this Privacy Policy:
Nelimax Technologies
Email: privacy@chamapay.co.ke
Website: chamapay.co.ke