Privacy Policy

The data controller is Ubepari PC Co LTD, a company incorporated in Tanzania, with its head office at Magomeni Usalama, Dar es Salaam. This means we decide what personal data to collect and how it is used, and we are accountable to you and to the Personal Data Protection Commission for how we handle it.

For privacy questions, write to support@ubeparipc.com with "Privacy" in the subject line. We aim to respond within 7 days.

From you directly when you sign up, verify, or transact:

• your mobile number in the format 255XXXXXXXXX; • your first and last name; • your email address (optional); • your NIDA number or passport details during KYC; • a photo or scan of your ID document; • your employer or business name (optional, during KYC); • details of the products you reserve and the plan you choose; • the phone number you use to authorise each mobile-money payment.

Automatically when you use the service:

• basic device information (browser, operating system, approximate IP-based location) for security and fraud prevention; • the dates, amounts, status and provider of each payment; • messages you send to our AI Tech Tips assistant.

From our payment aggregator (Evmark / iPAB):

• a transaction reference, provider reference, and the status (success / failure) of each payment authorised against your phone number.

We collect your data only for the purposes listed below, and each is backed by a legal basis under the Personal Data Protection Act, 2022.

• Operating the service (performance of contract): creating your account, processing payments, fulfilling orders, managing hire-purchase plans. • KYC and credit decisions (legal obligation and legitimate interest): verifying your identity, assessing credit, preventing fraud and money laundering. • Customer support (performance of contract): answering questions, processing complaints, handling warranty. • Fraud and security (legitimate interest): logging, detecting suspicious activity, protecting other users and the business. • AI recommendations (performance of contract, with your explicit action): when you use AI Tech Tips, we send your question and our product catalog to our AI provider (see section 4). We do not send your name, phone number, NIDA, or any other identifier. • Service improvement (legitimate interest): aggregated, de-identified analysis of how people use the service. We do not use this to profile individuals. • Legal compliance (legal obligation): meeting our obligations under tax, financial-services, data-protection, and consumer-protection law.

We do not sell your data. We share it only with the processors below, each under a written agreement that limits what they may do with it:

• Evmark Tanzania Ltd, operating under the iPAB International merchant arrangement — for all mobile-money and card payment processing. They receive your phone number, the amount, and a reference code. • Messaging-service.co.tz — our SMS gateway. They receive your phone number and the message text (OTP codes, order confirmations). • Supabase, Inc. — our database and file-storage provider. Your account, KYC documents, and transaction records are stored on Supabase infrastructure in the EU-West (Ireland) region. • OpenAI, Inc. — our AI provider for the AI Tech Tips feature. They receive the text of your question and our product catalog; they do not receive your personal identifiers. Inputs to the OpenAI API are not used to train their models under their standard commercial terms. • Vercel, Inc. — our hosting and CDN provider. They see request metadata (IP, user-agent, URL) used to deliver pages and defend against abuse.

We will share your data with law enforcement, regulators, or courts if we are legally required to, and with our professional advisers (lawyers, auditors) where necessary and under duty of confidence.

Some of our processors are outside Tanzania. Supabase stores your account and KYC data in the European Union (Ireland), OpenAI processes AI requests in the United States, and Vercel operates a global CDN. All transfers are made under contractual terms that require those processors to protect your data at a level equivalent to Tanzanian standards under the Personal Data Protection Act, 2022.

If you object to international transfer of your personal data, you should not use Ubepari Wallet and we cannot provide the service to you. Please write to support@ubeparipc.com if you wish to object and close your account.

We keep your data only as long as we need it.

• Account and contact details: while your account is open, plus 7 years after closure (to meet tax and financial-records law). • KYC documents (ID photos and NIDA): while your account is open, plus 7 years after closure, unless a specific law requires a shorter period. • Payment records: 10 years, in line with financial-records legislation. • OTP codes: deleted within 10 minutes of issue; phone + code-hash rows expire automatically. • AI Tech Tips messages: 90 days for support and quality review, then deleted. • Server logs (IP, user-agent): 90 days, then aggregated or deleted.

Your data is encrypted in transit (TLS) and at rest on our providers' infrastructure. KYC documents live in a private storage bucket that only service-role operations on our server can read. Access to your account is protected by phone + OTP; we do not use static passwords. Our database enforces row-level security so that one user cannot read another user's rows even if our application layer has a bug.

We train our team on data handling. We limit access to personal data to the staff who need it for their role. We log access to sensitive data.

No system is perfectly secure. If we ever suffer a personal-data breach that is likely to result in risk to your rights, we will notify you and the Personal Data Protection Commission within the timelines set by the Personal Data Protection Act, 2022.

Under the Personal Data Protection Act, 2022 you have the right to:

• Access — ask for a copy of the personal data we hold about you. • Rectification — ask us to correct inaccurate or incomplete data. • Erasure — ask us to delete your data, subject to retention periods we are legally required to keep. • Objection — object to processing based on legitimate interest. • Restriction — ask us to stop processing your data temporarily while a query is resolved. • Portability — receive your data in a machine-readable format. • Withdraw consent — for any processing that was based on your consent. • Complain — lodge a complaint with the Personal Data Protection Commission of Tanzania.

To exercise any of these rights, write to support@ubeparipc.com from the email or phone number on your account. We respond within 30 days and may ask for proof of identity before acting.

We use one essential cookie — ubepari-session — to keep you signed in. It is set after you verify an OTP and is removed when you sign out. It is marked HttpOnly and Secure and cannot be read by scripts in the browser.

We also use local storage for your theme preference (light / dark) and your language choice (English / Swahili). These do not identify you.

We do not use advertising cookies or third-party analytics cookies by default. If this ever changes, we will update this policy and ask for your consent where required.

Ubepari Wallet is not directed at people under 18. We do not knowingly collect data from anyone under 18. If you believe a child has given us data, write to support@ubeparipc.com and we will delete it.

We may update this policy. If the update materially affects how we use your data, we will notify you by SMS, email, or in-app message at least 14 days before it takes effect. The version and "last updated" date at the top of this page always reflect the current version.

Write to support@ubeparipc.com, call +255 683 491 481, or visit our head office at Magomeni Usalama, Dar es Salaam. Mark privacy queries clearly so they reach the right team.