QSavings

Legal

Privacy Policy

Your privacy matters. This policy explains how QSavings collects, uses, stores, and protects your personal and financial data.

Last updated: 13 March 2026

1. Data Controller

QSavings Ltd ("QSavings", "we", "us", or "our") is the data controller responsible for your personal data. We are incorporated and operating under the laws of the Republic of Rwanda, with our registered office in Kigali, Rwanda.

For any data protection inquiries, you may contact our Data Protection Officer at privacy@qsavings.rw.

2. Personal Data We Collect

We collect and process the following categories of personal data when you use our platform:

2.1 Identity & Account Data

  • Full name
  • Email address
  • Phone number (including country code, e.g. +250)
  • Hashed password credentials
  • Google account identifier (if using Google Sign-In)
  • Preferred language (English, Kinyarwanda, or French)
  • Account creation and last login timestamps

2.2 KYC & Verification Data

  • KYC verification status
  • Identity document references (national ID, passport, or equivalent)
  • Phone and email verification status
  • OTP (One-Time Password) verification records

2.3 Financial & Transaction Data

  • Contribution amounts, frequencies, payment methods, and proof of payment
  • Loan applications including principal, interest rate, term, purpose, and repayment schedules
  • Campaign pledges and payout records
  • Sub-account funding and payout transaction history
  • Payment gateway transaction identifiers (AzamPay, MTN Mobile Money, Airtel Money)
  • Platform fee records and ledger entries
  • Mobile money phone numbers used for payments

2.4 Group & Membership Data

  • Savings group membership and share ownership
  • Committee roles (chairperson, secretary, treasurer)
  • Invitation records, join requests, and approval decisions
  • Group financial summaries and member balance sheets

2.5 Technical & Usage Data

  • IP address, browser type, device information
  • Pages visited, features used, and session duration
  • Error logs and performance metrics
  • Cookie and local storage identifiers

3. Legal Basis for Processing

We process your personal data under the following legal bases, in compliance with Rwanda's Law N° 058/2021 Relating to the Protection of Personal Data and Privacy and, where applicable, the EU General Data Protection Regulation (GDPR):

  • Contractual necessity: Processing required to perform our services — account management, contribution tracking, loan processing, campaign management, and payment facilitation.
  • Legal obligation: Compliance with Rwanda's financial regulations, anti-money laundering (AML) requirements, KYC obligations, and tax reporting.
  • Legitimate interest: Platform security, fraud prevention, service improvement, audit trail maintenance, and analytics.
  • Consent: Where required, such as for marketing communications, non-essential cookies, and optional data processing. You may withdraw consent at any time.

4. How We Use Your Data

  • Account & service delivery: Creating and managing your account, authenticating sessions, processing contributions, disbursing loans, managing campaigns, and facilitating group membership.
  • Payment processing: Initiating and reconciling mobile money transactions through our payment partner AzamPay, including MTN Mobile Money and Airtel Money.
  • Financial reporting: Generating contribution summaries, loan amortization schedules, member balance sheets, platform fee records, and audit reports.
  • Security & compliance: Verifying identity (KYC), maintaining audit logs of all data changes, preventing fraud and duplicate transactions (idempotency), and enforcing role-based access controls.
  • Communication: Sending in-app notifications for contributions, loan approvals, repayment reminders, campaign updates, and group invitations.
  • Platform improvement: Analyzing anonymized usage data to improve features, fix bugs, and optimize performance.

5. Data Sharing & Disclosure

We do not sell your personal data. We share data only in the following circumstances:

  • Payment gateway (AzamPay): Phone numbers and transaction amounts are transmitted to AzamPay to process MTN Mobile Money and Airtel Money transactions. AzamPay acts as a data processor under contractual obligations.
  • Group members: Your name, phone number, contribution history, loan status, and share ownership are visible to members and committee officers within your savings groups. This is essential to the transparency model of group savings.
  • Authentication providers: If you sign in via Google, limited profile data is exchanged with Google. Firebase is used for phone-based authentication.
  • Legal & regulatory authorities: We may disclose data when required by Rwandan law, court orders, or regulatory requests, including the National Bank of Rwanda (BNR) and Rwanda Investigation Bureau (RIB).
  • Service providers: Infrastructure and hosting providers who process data on our behalf under strict data processing agreements.

6. International Data Transfers

QSavings primarily stores and processes data within secure infrastructure. Where data is transferred outside Rwanda (e.g., to cloud hosting providers), we ensure appropriate safeguards are in place, including:

  • Standard contractual clauses (SCCs)
  • Data processing agreements with sub-processors
  • Encryption in transit and at rest
  • Compliance with Rwanda's data localization requirements where applicable

7. Data Retention

We retain personal data according to the following schedule:

Data CategoryRetention Period
Account & identity dataDuration of account + 5 years after deletion
Financial transactions & ledger10 years (regulatory requirement)
KYC documents5 years after account closure
Audit logs7 years
Payment gateway records7 years
Session & authentication tokensAutomatically expired (24h–30 days)
Technical logs & analytics12 months

8. Data Security

We implement industry-standard technical and organizational measures to protect your data:

  • Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest.
  • Authentication: JWT tokens with short-lived access tokens and secure refresh token rotation. Passwords are hashed using industry-standard algorithms.
  • Access control: Role-based permissions (platform admin, chairperson, treasurer, secretary, member) limit data access to authorized users.
  • Transaction integrity: Idempotency keys prevent duplicate financial transactions. Double-entry ledger ensures accounting accuracy.
  • Audit trail: Every data change is logged with timestamp, user identity, and before/after values.
  • Infrastructure: Hosted on secured infrastructure with regular security patches, monitoring, and incident response procedures.

9. Your Data Rights

Under Rwandan data protection law and the GDPR (where applicable), you have the following rights:

  • Right of access: Request a copy of all personal data we hold about you.
  • Right to rectification: Correct inaccurate or incomplete personal data via your account settings or by contacting us.
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations (financial records must be retained per regulatory requirements).
  • Right to restriction: Request that we limit processing of your data in certain circumstances.
  • Right to data portability: Receive your data in a structured, machine-readable format (JSON or CSV).
  • Right to object: Object to processing based on legitimate interest or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, withdraw at any time without affecting prior lawful processing.

To exercise any of these rights, contact us at privacy@qsavings.rw. We will respond within 30 days.

10. Children's Privacy

QSavings is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete it promptly. If you believe a minor has provided us with personal data, please contact us at privacy@qsavings.rw.

11. Cookies & Tracking

We use cookies and similar technologies to operate the platform and improve your experience. For full details on what cookies we use, their purpose, and how to manage them, please see our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via in-app notification and update the "Last updated" date at the top of this page. Your continued use of QSavings after such changes constitutes acceptance of the revised policy.

13. Complaints & Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

  • Rwanda: The National Cyber Security Authority (NCSA), the supervisory authority for data protection in Rwanda.
  • EU/EEA: Your local data protection authority if you are located in the European Union or European Economic Area.

We encourage you to contact us first at privacy@qsavings.rw so that we may resolve your concern directly.

14. Contact Us

QSavings LtdData Protection Officer
Kigali, Rwanda
privacy@qsavings.rw

Related legal documents

Terms of ServiceCookie Policy