SOMXCHANGE

 

At Somxchange and Digital Services Ltd, we value your privacy and are deeply committed to protecting your personal information in accordance with the Somali Data Protection Act (Law No. 005/2023) and all relevant financial regulations (AML/CFT). This Privacy Policy explains in detail how we collect, use, store, share, and safeguard your data when you use our website, mobile applications (including True Shilling), and related services (collectively, the “Services”).

  1. Information Collection

We collect information to provide, improve, and secure our digital financial Services. The categories of data collected include:

1.1. Personal & Identification Data (Mandatory for KYC/AML)

  • Registration Data: Full name, date of birth, gender, nationality, physical address, email address, and mobile phone number.
  • Identification Data: Scans or photos of Government-issued National ID, Passport, or other official identification documents required for Know Your Customer (KYC) compliance.
  • Sensitive Personal Data: If required for identity verification, this may include biometric data (e.g., facial scan for verification). We will always seek explicit consent before processing sensitive data.

1.2. Financial and Transaction Data

  • Transaction Details: Amounts, dates, times, nature of transactions, recipient or sender account details, and any associated reference numbers.
  • Financial Account Data: Bank account numbers or other payment instrument details linked to your Somxchange account.
  • Credit Data: Information regarding any credit extended to you (e.g., True Shilling loans), including payment history and repayment status (for Credit Reporting purposes).

1.3. Technical and Usage Data

  • Device Information: Type of device, operating system, hardware model, unique device identifiers, and mobile network information.
  • Location Data: General location derived from your IP address or precise GPS location (if you grant permission via app settings).
  • App Usage Statistics: Information on how you interact with the app, pages viewed, features used, and crash reports.

1.4. Information is collected:

  • Directly from you when you register an account, perform transactions, or contact support.
  • Automatically through your use of our Services.
  • From third parties, such as regulatory bodies, identity verification services, or Credit Reference Bureaus.

  2. The Collection, Processing, and Use of Personal Data

We process your data lawfully, fairly, and transparently, ensuring strict adherence to the principles of Purpose Limitation and Data Minimization as required by the Somali DPA.

2.1. Legal Basis for Processing

We rely on the following legal bases to process your personal data:

  • Contractual Necessity: Processing is necessary to provide the Services you have requested (e.g., executing payments, managing your account).
  • Legal Obligation: Processing is necessary to comply with legal requirements, including AML/CFT laws (Know Your Customer/Due Diligence), fraud prevention, and mandatory regulatory reporting to the Central Bank of Somalia (CBS) and the Financial Reporting Centre (FRC).
  • Legitimate Interests: Processing is necessary for our legitimate business interests, provided your fundamental rights are not overridden (e.g., internal research, security auditing, and service improvement).
  • Consent: We process certain data (e.g., sending marketing communications, using optional biometric authentication) based on your freely given, specific, and informed consent.

2.2. Purposes of Use

Personal data is used strictly for the following legitimate business purposes:

  • Account creation, verification, and authentication (KYC).
  • Processing and settlement of all financial transactions.
  • Providing customer support and resolving disputes.
  • Improving our Services, features, and user experience.
  • Detecting, investigating, and preventing fraud, illegal activities, and security breaches.
  • Data Retention: We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or for a period mandated by Somali financial law (e.g., transaction records must be retained for at least five (5) years after the termination of the customer relationship).

  3. How We Use Cookies and Tracking Technologies

Somxchange uses cookies and similar technologies (e.g., local storage) to ensure the security and functionality of the Service.

  • Functionality & Security: Cookies are used to remember your preferences (like language), maintain your logged-in session, and enhance security protocols (e.g., recognizing your device).
  • Analytics: We use cookies to analyze website and app usage, helping us understand performance and identify areas for improvement.
  • User Control: You may control or disable cookies through your browser or device settings. Please be aware that disabling essential cookies may severely impact the functionality and security of the Somxchange platform.

  4. Data Protection and Security

Somxchange implements strong administrative, technical, and physical security measures to protect your data against unauthorized access, loss, misuse, or disclosure, in compliance with the Somali DPA.

  • Encryption: We use industry-standard encryption (e.g., TLS/SSL) to protect data both in transit and at rest.
  • Fund Security: We store customer funds with established, licensed financial institutions, segregated from our own operational accounts, as required by law.
  • Access Control: Access to your personal data is strictly limited to authorized personnel who require the data to perform their job functions (principle of least privilege).
  • Data Protection Officer (DPO): We have appointed a Data Protection Officer to oversee compliance with this policy and the Somali DPA.

  5. Sharing of Information

We do not sell your personal data. Information may be shared only under the following strictly controlled circumstances:

  • Regulatory Authorities: We share mandatory reports and data with the Central Bank of Somalia (CBS), Financial Reporting Centre (FRC), and the Data Protection Authority (DPA) to comply with legal and regulatory obligations.
  • Service Providers: We share data with trusted third-party service providers (e.g., cloud storage, payment processors, identity verification services) who perform functions necessary to deliver the Services. These providers are contractually obligated to protect your data and process it only in accordance with our instructions and the Somali DPA.
  • Cross-Border Data Transfers: Should your data be transferred outside of Somalia (e.g., for international payment processing), we will ensure that adequate safeguards are in place, such as transfers only to countries providing an adequate level of protection or subject to the User’s explicit consent.

  6. Your Rights as a Data Subject

In accordance with the Somali Data Protection Act (2023), you have the following rights regarding your personal data:

| Right | Description |
| --- | --- |
| Right of Access | The right to request a copy of the personal data we hold about you. |
| Right to Rectification | The right to request the correction of inaccurate or incomplete personal data. |
| Right to Erasure | The right to request the deletion of your personal data, subject to our legal and regulatory retention obligations (e.g., AML/CFT laws require us to keep transaction records). |
| Right to Object | The right to object to the processing of your data, particularly for direct marketing purposes. |
| Right to Data Portability | The right to receive your personal data in a structured, commonly used, and machine-readable format. |
| Right to Withdraw Consent | The right to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal. |

To exercise any of these rights, please contact our Data Protection Officer using the contact details provided below.

  7. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our platform or by email. Your continued use of Somxchange after the effective date of the updated policy constitutes your acceptance of the updated terms.

  8. Contact Us

If you have any questions or concerns about this Privacy Policy, your data rights, or how your data is handled, please contact our Data Protection Officer: