Privacy Policy

Introduction

Welcome to Nissmart Limited (“Nissmart”, “we”, “our”, or “us”).

We value your privacy and are committed to safeguarding your personal information.

This Privacy Policy explains how we collect, use, store, and share your personal data when you use our digital platforms — including our products Nissave, NiSchool, and NiFund — through our websites, mobile applications, and other online services (collectively referred to as “our Services”).

By using our Services, you acknowledge that you have read and understood this Privacy Policy and agree to how we handle your personal data as described below.

Who We Are

Nissmart Limited is a technology company incorporated in Kenya, offering digital financial and educational solutions designed to improve savings, investment, and school management experiences.

We are registered with the Office of the Data Protection Commissioner (ODPC) as both a Data Controller and a Data Processor, in accordance with the Kenya Data Protection Act, 2019.

For any questions regarding this policy, please contact our Data Protection Officer (DPO):

📧 privacy@nissmart.com

Information We Collect

We collect and process personal information necessary to provide our services and comply with legal obligations.

Information you provide directly:

  • Full name, national ID or passport number, and date of birth
  • Mobile phone number, email address, and postal address
  • Financial information such as deposits, withdrawals, and savings plan details
  • Parent or guardian details (for minor savings)
  • School information (for NiSchool users)

Information collected automatically:

  • App usage data and interactions
  • Approximate location (where permitted)

Information received from third parties:

  • Payment partners, fund managers, and mobile network operators (for verification and transaction processing)

How We Use Your Information

We process your personal data to:

  • Create and manage your account
  • Verify your identity (KYC and compliance checks)
  • Facilitate deposits, withdrawals, and investments
  • Generate savings reports and statements
  • Communicate notifications, updates, and offers (where you consent)
  • Comply with legal and regulatory obligations
  • Enhance and personalize your user experience

We will never sell, rent, or lease your personal data to third parties.

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

Application Data. If you use our application(s), we also may collect the following information if you choose to provide us with access or permission:

  • Mobile Device Access. We may request access or permission to certain features from your mobile device, including your mobile device’s camera, contacts, SMS messages, and other features. If you wish to change our access or permissions, you may do so in your device’s settings.
  • Push Notifications. We may request to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device’s settings.

This information is primarily needed to maintain the security and operation of our application(s), for troubleshooting, and for our internal analytics and reporting purposes.

Legal Basis for Processing

We rely on several lawful grounds for processing your data, including:

  • Consent — You have agreed to the processing of your data.
  • Contractual necessity — To provide services you’ve subscribed to.
  • Legal obligation — To comply with regulations from CMA, CBK, or ODPC.
  • Legitimate interest — To prevent fraud, improve operations, and ensure system security.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
  • To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
  • To fulfil and manage your orders. We may process your information to fulfil and manage your orders, payments, returns, and exchanges made through the Services.
  • To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.
  • To send you marketing and promotional communications. We may process the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time. For more information, see “WHAT ARE YOUR PRIVACY RIGHTS?”
  • To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
  • To evaluate and improve our Services, products, marketing, and your experience. We may process your information when we believe it is necessary to identify usage trends, determine the effectiveness of our promotional campaigns, and to evaluate and improve our Services, products, marketing, and your experience.
  • To identify usage trends. We may process information about how you use our Services to better understand how they are being used so we can improve them.
  • To comply with our legal obligations. We may process your information to comply with our legal obligations, respond to legal requests, and exercise, establish, or defend our legal rights.

Data Sharing and Disclosure

We may share your personal data only with trusted and authorized third parties:

  • Fund Managers — to manage pooled investments and returns
  • Payment Providers and Banks — to process deposits and withdrawals
  • Mobile Operators (Safaricom) — to facilitate STK Push and SMS confirmations
  • Regulators (CMA, ODPC, CBK) — for statutory reporting and compliance
  • Auditors and Legal Advisors — for audit and governance purposes

All partners are bound by confidentiality and must comply with the Data Protection Act, 2019.

Data Retention

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us to keep your personal information for longer than the period of time in which users have an account with us.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Your Rights

Under the Kenya Data Protection Act, 2019, you have the right to:

  • Access your personal data
  • Request correction of inaccurate or incomplete information
  • Request deletion (“right to be forgotten”)
  • Object to processing for marketing or profiling
  • Withdraw your consent at any time
  • Request a copy of your data (data portability)

In Short: You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.

  • Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section ‘HOW CAN YOU CONTACT US ABOUT THIS NOTICE?’ below. However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
  • Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, replying “STOP” or “UNSUBSCRIBE” to the SMS messages that we send, or by contacting us using the details provided in the section ‘HOW CAN YOU CONTACT US ABOUT THIS NOTICE?’ below. You will then be removed from the marketing lists. However, we may still communicate with you — for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

If you would at any time like to review or change the information in your account or terminate your account, you can:

  • Log in to your account settings and update your user account.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Cookies and similar technologies: Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services.

To exercise these rights, contact our Data Protection Officer (DPO) at:
📧 privacy@nissmart.com

Children’s Data

For users saving for minors under Nissave, parental or guardian consent is required before collecting or processing data relating to a child.
This information will only be used for education or savings purposes and will not be used for marketing.

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at privacy@nissmart.com

Data Security

We have implemented robust technical and organizational safeguards, including:

  • Data encryption (in transit and at rest)
  • Access control and authentication systems
  • Secure servers and cloud infrastructure
  • Regular audits and vulnerability testing
  • Breach response and notification protocols (within 72 hours)

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

Cross-Border Transfers

If personal data is transferred outside Kenya (e.g., to cloud servers), we ensure compliance with the Data Protection Act, 2019, including the use of contractual safeguards and encryption standards.

Data Breach Notification

In the event of a data breach:

  • The incident will be immediately investigated by our DPO.
  • Affected users and the ODPC will be notified within 72 hours.
  • Mitigation and corrective actions will be taken promptly.

Policy Updates

We may review this Privacy Policy from time to time to reflect service improvements or regulatory changes.
If updates are made, we will notify you via email, in-app alerts, or on our website.

Contact Us

If you have questions, concerns, or complaints regarding this policy or our data protection practices, please contact:

Nissmart Limited
P.O. Box 8231–00300, Nairobi, Kenya
📧 privacy@nissmart.com
🌐 www.nissmart.com

Consent

By registering, accessing, or using any of Nissmart’s services — including Nissave, NiSchool, and NiFund — you consent to the collection, processing, and use of your personal data as described in this Privacy Policy.

If you do not agree to any part of this policy, please discontinue using our services.