Data protection – Mobifarm

1. Who we are

Mobifarm Ventures Ltd ("Mobifarm", "we", "us") is a company registered in Kenya with its registered office at Runda Shopping Center, 1st Floor, Suite 008, Nairobi. We are a data controller under the Kenya Data Protection Act 2019.

2. What data we collect

2.1 Data you give us directly

Identity: full name, National ID or passport number, date of birth, photograph.
Contact: phone number, email address, residential address.
Financial: M-Pesa statements, bank statements (where provided), income evidence, employment or business details.
Asset: details of the bike or tuk-tuk being financed (make, model, chassis number, engine number).
Guarantor: your guarantor's name, ID number, contact, and relationship to you.
Application: driving licence details, past rental history, dealer relationship.

2.2 Data we collect automatically

Loan servicing: payment history, arrears status, restructures, restructuring correspondence.
GPS tracking: location of the financed asset, triggered only on specific events (suspected theft, serious default, lawful order) and not for routine movement monitoring.
Website & app usage: IP address, browser type, pages visited, interactions. We may use cookies and similar technologies for analytics and performance.

2.3 Data we receive from third parties

Credit Reference Bureaus (CRBs): credit history and any adverse listings, accessed with your consent as part of the loan application.
Safaricom: M-Pesa transaction data related to your payment to us, accessed through the Daraja integration.
Insurers: claim status and settlement data.
NTSA: vehicle registration and title information.
Dealers: assessment of the asset, assessment of you as a customer.

3. Why we use your data — the legal bases

We only process your data where we have a lawful basis under the Kenya Data Protection Act 2019. Our bases are:

Purpose	Legal basis
To assess your loan application	Performance of the contract you have entered into or asked to enter into
To disburse and service your loan	Performance of the contract
To check your credit with CRBs	Consent (granted at application) and compliance with legal obligation
To prevent fraud, including duplicate asset financing	Legitimate interest and compliance with legal obligation
To track the financed asset for recovery in theft or serious default	Legitimate interest and performance of the contract
To comply with anti-money-laundering (AML) and know-your-customer (KYC) laws	Compliance with legal obligation
To send you service-related communication (SMS, WhatsApp, email)	Performance of the contract and legitimate interest
To send you marketing communication	Consent (you can opt out at any time)
To improve our products and services	Legitimate interest — using aggregated or anonymised data

4. Who we share your data with

We share your data only with parties who need it for the purposes above and who are bound by confidentiality and data protection obligations equivalent to ours. These include:

Licensed Credit Reference Bureaus (CRBs) — we submit your payment performance as required by law.
Insurers — to issue and service your insurance policy.
Payment and telecommunication providers — Safaricom (for M-Pesa) and SMS gateway providers.
NTSA — for joint registration and release of interest.
Tracker service providers — to operate the GPS unit on your asset.
Professional advisors — auditors, lawyers, and regulators where required by law.
Debt recovery agents — only where lawfully engaged after all reasonable attempts to reach you directly have failed.
Law enforcement — in response to a lawful order or where we are legally required to.
Purchasers of the loan book — in the event of a securitisation or assignment, where your loan is transferred with the same terms.

We do not sell your data to anyone. Ever.

5. International transfers

Your data is primarily stored and processed in Kenya. Where a service provider we use operates outside Kenya (for example, cloud hosting), we only transfer your data to jurisdictions that offer adequate protection under the Act, or under binding contractual safeguards that require equivalent protection. You can ask us for a list of such providers and the safeguards in place.

6. How long we keep your data

We retain your data for the following periods:

Loan application (if not approved): 12 months from the date of the application.
Active loan: for the life of the loan.
Closed loan (settled or written off): seven (7) years from closure, in line with tax and financial record-keeping obligations.
Marketing consent records: for as long as consent remains current, plus two years after withdrawal.
Website analytics: typically 26 months in aggregated form.

7. Your rights

You have the following rights under the Kenya Data Protection Act 2019:

Right of access. You can ask us for a copy of the personal data we hold about you.
Right to rectification. You can ask us to correct inaccurate or incomplete data.
Right to erasure. You can ask us to delete your data, subject to our legal obligations to retain it.
Right to restriction. You can ask us to restrict how we use your data in certain circumstances.
Right to object. You can object to processing based on legitimate interest, including marketing.
Right to data portability. Where processing is automated and based on consent or contract, you can ask us to give you your data in a machine-readable format.
Right to withdraw consent. Where we process your data based on consent, you can withdraw it at any time. This won't affect processing that has already happened.
Right to lodge a complaint. You can complain to the Office of the Data Protection Commissioner (ODPC) at any time.

To exercise any of these rights, contact our Data Protection Officer (see section 10).

8. Security

We protect your data with appropriate technical and organisational measures, including:

Encryption of data in transit and at rest.
Role-based access control — staff only access the data they need for their job.
Audit logging of all access to sensitive records.
Periodic security reviews and penetration testing.
Staff training on data protection and information security.

9. Data breach notification

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of it, as required by law. We will also notify you directly where the breach is likely to result in high risk, with a description of what happened and what we are doing about it.

10. Contact us / Data Protection Officer

Our Data Protection Officer oversees compliance with this policy. You can contact them at:

Data Protection Officer
Mobifarm Ventures Ltd
Runda Shopping Center, 1st Floor, Suite 008, Nairobi
Email: dpo@mobifarm.co.ke

11. Supervisory authority

You have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), which is the supervisory authority for data protection in Kenya. Contact details for the ODPC are available on its official website.

12. Changes to this policy

We may update this policy from time to time. The current version is always available at this URL. Material changes will be communicated to active customers by SMS or email.

Last updated: May 2026

Data protection.