Thamanisha← Back to home

Privacy Policy

Last updated: 5 June 2026

This policy explains what personal data Thamanisha processes, why, and the rights you have under the Kenya Data Protection Act, 2019 (DPA). Thamanisha is registered with the Office of the Data Protection Commissioner (ODPC). We treat all financial data as sensitive and apply data minimisation throughout: we collect the least we need to run the Service.

1. Data we process

Account data

When you create an account: your name, email address and/or phone number, and your authentication identifiers. We never see or store your password in plain text — sign-in is handled by our authentication provider.

Preferences (stored on your device)

Language, currency, theme and role preferences are stored in your browser's local storage — they stay on your device and are not transmitted to us.

Product analytics (local-first)

Funnel events (for example "onboarding step completed") are currently recorded only in a small buffer in your browser's local storage — no personal data, step and plan names only, and nothing is sent over the network. If we later add a server-side analytics sink, this policy and the in-product consent controls will be updated first.

Error reports

When error monitoring is enabled, crash reports (error message, stack trace, browser version) are sent to our monitoring processor so we can fix failures. We do not include your financial data in error reports.

Connected financial data (only if you connect accounts)

If you choose to connect a financial account, we receive read-only data (balances, holdings, transactions) through tokenised, scoped consents. We never receive or store your bank or brokerage credentials. Every connection appears in your consent ledger — provider, scope, date granted — with a one-tap revoke.

Documents you upload

Files you upload for analysis (receipts, statements, payslips) are processed to produce your analysis and stored encrypted. You can delete them at any time.

2. Why we process it (lawful bases)

  • Contract — operating your account, subscriptions and the features you use.
  • Consent — connecting accounts, uploading documents, marketing messages. Each consent is recorded and revocable.
  • Legitimate interest — security, fraud prevention, fixing errors.
  • Legal obligation — tax, accounting and regulatory record-keeping.

3. What we never do

  • We never sell your personal data.
  • We never move, hold or custody your money.
  • We never store your bank or brokerage credentials.
  • We never use your data to give you personalised investment advice — the Service is educational (Cap. 485A; see the Terms of Service).

4. Sharing and processors

We share data only with processors needed to run the Service — authentication, payments, error monitoring and (if you connect accounts) regulated data-aggregation providers — under contracts that bind them to protect it. We disclose data to authorities only where the law requires.

5. International transfers

Some processors operate outside Kenya (for example for diaspora account connections). Where data leaves Kenya we rely on the DPA's transfer safeguards, including appropriate contractual protections and transfers to jurisdictions with adequate protection.

6. Security and retention

Data is encrypted in transit and at rest, access is logged and audited, and connections are read-only by design. We keep personal data only as long as needed for the purposes above or as the law requires, then delete or anonymise it. Deleting your account removes your personal data subject to statutory retention periods.

7. Your rights (DPA 2019)

You have the right to:

  • be told what data of yours we hold, and access it ("Download my data" in Settings);
  • correct inaccurate data;
  • delete your data ("Delete account" in Settings);
  • object to or restrict processing, including withdrawing any consent ("Manage consents" in Settings);
  • data portability — receive your data in a usable format;
  • complain to the Office of the Data Protection Commissioner (odpc.go.ke).

We respond to rights requests within the timelines the DPA sets.

8. Cookies and local storage

The web app uses local storage for your preferences and the local analytics buffer described above. We do not use third-party advertising cookies or cross-site trackers.

9. Children

The Service is for adults (18+). We do not knowingly process children's data.

10. Changes and contact

We will give notice of material changes in the product or by email before they take effect. Data protection questions and rights requests: privacy@thamanisha.com.