Privacy Policy

1.0 Introduction & Scope of Policy

Fulusi Group Limited (“Fulusi”, “We”, “Our”, or “Us”) is a privately owned limited company and Fintech entity based in Kenya, committed to providing financial solutions through simple, secure tools and teams that people can trust.

We take your privacy and the confidentiality of your information very seriously. This Privacy Policy (“Statement” or “Policy”) explains how we collect, use, store, process, and share your personal information, and our privacy practices in strict compliance with the Data Protection Act, 2019 (Laws of Kenya), the Data Protection (General) Regulations, 2021, and any other applicable Kenyan statutory data laws.

1.1 Acceptance and Consent

By downloading the App hosted on the Google Play Store or our site (“App Site”), or using our Services, you confirm that you have read, understood, and agree to be bound by the terms of this Policy. Pursuant to Section 25 of the Data Protection Act, 2019, you expressly consent to the collection, use, storage, cross-border transfer, processing, and disclosure of your personal information by Us and our permitted Third-Party Providers in the manner set out herein.

Fraud Prevention Notice: You certify that all information provided by you is true and correct. Any misrepresentations or falsities will be considered an act to defraud Fulusi and its partners.

1.2 Withdrawal of Consent

You can withdraw your consent to our collection, processing, or use of your personal information at any time by making a written request via email to wecare@fulusigroup.com or via the contact links on the App. However, please note that if you withdraw your consent, we may be unable to continue providing all or part of our Services to you, and we reserve the right to terminate our relationship or block/close your account in accordance with lawful terms.

1.3 Relationship with Other Terms

This statement should be read together with the Terms of Use, Loan Account Agreements, and any additional terms applicable to Fulusi products and services. Where there is a conflict regarding data processing practices, this Privacy Policy shall prevail.

2.0 Definitions

“App” means the Fulusi mobile application software available on our site or hosted on the Google Play Store.

“Authorities” includes any judicial, administrative, public, or regulatory body, any government, Tax Authority, securities or futures exchange, court, central bank, or law enforcement body with jurisdiction over Fulusi.

“Compliance Obligations” means obligations of Fulusi to comply with local or international laws, regulatory guidance, demands from Authorities, and "Know Your Customer" (KYC) or Anti-Money Laundering (AML) identification frameworks.

“Customer” or “User” or “You” means any individual within the Republic of Kenya (or operating markets) to whom Fulusi provides its products or services, including:

1. Past, current, or prospective retail consumers/subscribers.

2. Agents, dealers, and/or merchants recognized under applicable Kenyan regulations.

3. Contractors, subcontractors, suppliers, or visitors gaining access to Fulusi premises.

“Customer Information” means your Personal Data, confidential information, and/or Tax Information.

“Data Controller” has the meaning assigned to it under the Data Protection Act, 2019, referring to a person, company, or other body that determines the purpose and means of personal data processing.

“Data Subject” refers to any living individual whose personal data is collected, held, or processed, as recognized under Kenyan law.

“Financial Crime” means money laundering, terrorist financing, bribery, corruption, tax evasion, fraud, evasion of economic or trade sanctions, or any attempts to circumvent laws relating to these matters.

● “Laws” include the Constitution of Kenya, 2010, the Data Protection Act, 2019, statutory regulations, judgments or court orders, voluntary codes, or treaties applicable to Fulusi.

“Personal Data” or “Personal Information” refers to any information relating to an identified or identifiable natural person as defined under Section 2 of the Data Protection Act, 2019. This includes identifiers such as names, identification numbers, telephone numbers, location data, online identifiers, account data, appearance, credit card numbers, or biometric data.

“Processing” means any operation or set of operations performed on personal data, including collecting, recording, organizing, structuring, storing, modifying, consulting, using, publishing, combining, erasing, and destroying data.

“Sensitive Personal Information” refers to personal information concerning an individual’s race, ethnic origin, marital status, age, color, religious/philosophical/political affiliations, health,

genetic/sexual life, criminal records, or government-issued identification details, as classified under Section 46 of the Data Protection Act, 2019.

“Supplier” means any third party, vendor, contractor, or organization that acts as a data processor or data controller in a business relationship with Fulusi.

“Tax Authorities” means the Kenya Revenue Authority (KRA) or foreign tax, revenue, or monetary authorities.

“Tax Information” means documentation or information about your tax status.

3.0 Information We Collect

We collect information about you directly, automatically through your device interactions, and from reputable third parties in line with the data minimization principles of Kenyan law.

3.1 Information You Submit to Us (Submitted Information)

This includes information provided by filling in forms on the App or App Site, corresponding with us via email/chat, or applying for loans and financial services. Examples include:

● Name, physical address, email address, phone number, and SIM card details.

● Age, username, password, PIN, and registration parameters.

● Financial and credit history, mobile money account details (e.g., M-Pesa records), bank account details where applicable.

● Personal descriptions and photographs/selfies for identity verification.

3.2 Information We Collect from Your Smartphone & Device

Each time you visit our Sites or use our App, we may automatically access and collect parameters through your device's operating system permissions (which you explicitly grant):

Device Information: Technical data including your mobile device type, unique device identifiers (IMEI, UUID, or serial numbers), SIM card parameters, mobile network operator, operating system, browser type, approximate location, and time zone settings.

Location Data: Approximate or precise location derived via GPS technology or cellular networks. This is strictly used to verify serviceability, fulfill regulatory compliance, and prevent fraud.

SMS Logs: Our systems programmatically review your device SMS transaction alerts to analyze your financial history, determine risk profiles, and personalize credit/loan offers. We do not read personal messages.

Contacts List: Access to contact lists or social media contact frameworks used solely for automated fraud detection and network mapping. Fulusi will never call, message, or spam your contacts.

Installed Apps: System telemetry verifying the presence of a fixed number of installed applications on your device to personalize loan options and run risk assessments.

Calendar Data: Access to device calendars to automatically schedule, remind, and manage loan repayment deadlines.

Log Information: Details of your interactions with our systems, including traffic data, weblogs, clickstream tracking, and date/time stamps.

3.3 Information Received from Third Parties (Third-Party Information)

To satisfy regulatory obligations, verify identity, and manage credit risk, we obtain financial and demographic data from external systems, including:

● Mobile Network Operators (e.g., Safaricom), the Integrated Population Registration Systems (IPRS), and government identity registries.

● Commercial Banks, Payment Service Providers, Intermediaries, and Switch networks.

● Debt collection agencies, employers, and professional marketing lists.

3.4 Cookies and Tracking Technologies

We, our marketing partners, and our analytics providers use cookies, web beacons, and mobile tracking technologies to distinguish you from other users. You can adjust your browser or device settings to decline cookies; however, doing so may restrict access to vital features of our Service Sites.

4.0 Lawful Bases and Principles for Processing Data

4.1 Data Protection Principles

In accordance with Section 25 of the Data Protection Act, 2019, Fulusi ensures that your personal data is:

● Processed lawfully, fairly, and in a transparent manner.

● Collected for explicit, specified, and legitimate purposes.

● Adequate, relevant, and limited to what is necessary (data minimization).

● Accurate and kept up to date.

● Kept in a form which permits identification of data subjects for no longer than is necessary.

● Processed in a manner that ensures appropriate security against unauthorized or unlawful processing.

4.2 Lawful Basis for Processing

We process personal data under the following legal frameworks provided under Kenyan law:

1. Contractual Performance: To execute Product/Service Agreements, evaluate loan eligibility, and administer financial transactions.

2. Legitimate Business Interests: To protect our platforms, enhance service delivery, and mitigate financial exposure.

3. Mandatory Legal Obligations: To satisfy compliance, AML/CFT tracking, tax reporting, and statutory rules.

4. Consent: Explicit permissions granted by you at the device or application level.

5. Public Interest / Vital Interests: Protecting your critical personal welfare.

5.0 Disclosure and Sharing of Your Information

Any disclosure of your data will be on a strict need-to-know basis, subject to Kenyan regulations and robust contractual confidentiality terms. We may share your information with:

Fulusi Corporate Group: Our subsidiaries, parent companies, local operating branches, and permitted assigns.

Contracted Service Providers: Financial institutions, switch providers, clearinghouses, payment gateways, and cloud infrastructure platforms helping us deliver services.

Credit and Collection Partners: Accredited Credit Reference Bureaus (CRBs) for regular submission of basic credit histories, debt collection companies, and legal firms.

Regulatory & Judicial Authorities: Law enforcement agencies, the Central Bank of Kenya, the Kenya Revenue Authority (KRA), or courts of competent jurisdiction when formal subpoenas or statutory laws mandate compliance.

Corporate Restructuring: Prospective buyers, sellers, or merger partners in the event that Fulusi transfers, sells, reorganizes, or disposes of all or part of its business assets, subject to the recipient maintaining identical data protection safeguards under Kenyan law.

6.0 Data Storage and International Transfers

6.1 Secure Cloud Infrastructure

Your personal data is captured locally and safely transferred to our secure cloud infrastructure.

6.2 Cross-Border Transfer Requirements

In accordance with Section 48 and 49 of the Data Protection Act, 2019, and the Data Protection (General) Regulations, 2021, cross-border transfers of personal data outside Kenya are strictly protected. By accepting this policy, you provide your explicit consent for transborder data processing. Fulusi

guarantees that appropriate safeguards are in place, confirming that our cloud providers and foreign group entities maintain privacy mechanisms that strictly align with Kenyan legal requirements.

7.0 Data Security and Safeguards

At Fulusi, information security is our highest priority. We implement robust physical, operational, managerial, and technical controls to satisfy our legal obligations under Section 41 of the Data Protection Act, 2019.

Encryption Protocols: We use industry-standard encryption protocols (SSL/TLS) for data in transit and advanced encryption standards (AES) for data at rest.

Access Barriers: Implementation of rigorous identity authentication, structural firewalls, information classification matrixes, and strict role-based access limits.

Verification Measures: To secure your information, we will verify your identity using security questions or your registered PIN before disclosing personal logs or processing core requests.

Third-Party Oversight: We contractually require all external processors to deploy identical protective controls.

8.0 Data Retention Policy

Fulusi retains your personal data only for as long as is strictly necessary to implement and manage your transactions, fulfill our contracts, or comply with legal, regulatory, tax, and accounting requirements.

Statutory Holding Frame: Under the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) of Kenya, we are legally required to retain your financial records, KYC data, and transaction details for a minimum of seven (7) years from the formal termination or conclusion of your relationship with us.

Outstanding Obligations: Data erasure requests will be denied if you have outstanding loans, pending duties, or if the data is required to establish legal defenses, manage active complaints, or support prospective litigation.

Indefinite Retention: Information that is completely anonymized and can no longer be linked to you may be kept indefinitely for trend analysis.

9.0 Your Rights as a Data Subject

Pursuant to Section 26 of the Data Protection Act, 2019, you possess full, enforceable rights as a Kenyan data subject, including the:

Right to be Informed: To receive clear updates that your personal data is being collected and understand its usage.

Right of Access: To request copies of the personal information we hold about you and receive

details on how it is processed.

Right to Rectification: To request immediate correction of inaccurate, false, or misleading data.

Right to Erasure (Right to be Forgotten): To request deletion of your information, subject to the 7-year statutory retention limitation under financial laws.

Right to Object and Restrict Processing: To object to direct marketing or request restricted processing of specific details.

Right to Data Portability: To receive your personal data in a structured, commonly used, and machine-readable format, or request its transfer to another data controller.

Automated Decision-Making Rights: The right not to be subject to decisions based solely on automated processing (like credit profiling) under Section 35 of the Act, unless it is necessary for performing a contract with us or is explicitly authorized by law.

If a request to delete your data is denied due to regulatory obligations, Fulusi will provide a clear, written reason within one month of receiving your request.

10.0 Regulatory Compliance and Third-Party Policies

10.1 Third-Party Hyperlinks

Our web and app platforms may contain links to external third-party websites. Fulusi does not control, endorse, or verify the contents or privacy policies of these external sites. Clicking these links is entirely at your own risk.

10.2 Third-Party Data Subjects

If you provide us with information regarding another individual (such as a Next of Kin or emergency contact), you confirm that you have obtained their explicit consent to share their personal information with us for processing under Kenyan law.

10.3 Breach Notification

In strict compliance with Section 43 of the Data Protection Act, 2019, we will report any critical data breach or security incident affecting your personal information to the Office of the Data Protection Commissioner (ODPC) within seventy-two (72) hours, and notify you directly where there is a high risk to your rights and freedoms.

11.0 Amendments, Complaints, and Contacts

11.1 Amendments to This Policy

Fulusi reserves the right to amend, update, or modify this Privacy Policy at any time. Any changes will take effect immediately upon being posted on our official website or when you launch the App. Your

continued use of the services confirms your acceptance of the updated terms.

11.2 Contact Us

For any questions, comments, or to exercise your data subject rights, please contact our Data Protection Officer (DPO):

Email: dataprivacy@fulusigroup.com / wecare@fulusigroup.com

Customer Care Phone: +254 711 082130

© 2026 Fulusi Group Limited. All Rights Reserved.