Privacy Policy

Effective date: 1 June 2026

Digital Hope Technologies Limited, trading as TumaSend ("we", "us", "our"), is committed to protecting the privacy and security of personal data. This Privacy Policy describes how we collect, use, store, share, and protect personal data in connection with the TumaSend platform and services. It applies to all users of our platform, including account holders, authorised users within a business account, and visitors to our website.

This Policy is drafted in compliance with the Republic of Malawi's Electronic Transactions and Cybersecurity Act (2016) and applicable data protection principles derived from international standards, including the General Data Protection Regulation (GDPR) of the European Union, to the extent that our services are accessed by individuals in jurisdictions where such standards apply.

1. Data Controller

Digital Hope Technologies Limited is the data controller responsible for your personal data. For any data protection enquiries, you may contact our Data Protection Officer at dpo@tumasend.com.

2. Personal Data We Collect

We collect the following categories of personal data:

2.1 Account and Registration Data

When you create an account, we collect your full name, email address, phone number, and password (stored in hashed form). If you register using a Google account, we receive your name, email address, and profile picture from Google.

2.2 Business Verification (KYC) Data

To comply with regulatory requirements and prevent fraud, we collect business information including your company name, registration number, tax identification number, business address, and identity documents for directors or authorised representatives. This data is processed and stored securely and is used solely for verification purposes.

2.3 Usage and Activity Data

We collect records of your use of the platform, including messages sent, campaigns created, API call logs, billing transactions, and dashboard activity. This data is used to provide the service, generate reports, detect abuse, and improve the platform.

2.4 Recipient Contact Data

When you upload contact lists or send messages through TumaSend, we process the phone numbers, email addresses, and other contact information you provide. We process this data solely as a data processor on your instructions. You, as the Customer, remain the data controller for your recipients' personal data and are responsible for ensuring you have their lawful consent to receive communications.

2.5 Technical and Device Data

We automatically collect IP addresses, browser type and version, operating system, referring URLs, pages visited, time and date of access, and session identifiers. This data is used for security monitoring, platform analytics, and troubleshooting.

2.6 Payment Data

Payment transactions are processed by Paychangu, a third-party payment processor. We do not store full card or mobile money account details. We retain transaction references, amounts, and timestamps for billing records and financial compliance purposes.

2.7 Feedback and Communications

If you submit feedback through the platform or contact our support team, we retain those communications along with metadata such as the page from which feedback was submitted, your account identifier, and the date and time of submission. This data is used to improve our services.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Performance of a contract: To provide the TumaSend platform and associated services as described in our Terms of Service.
  • Legal obligation: To comply with applicable Malawian laws, regulations, and directions from competent authorities, including MACRA requirements and anti-money laundering obligations.
  • Legitimate interests: To operate, secure, and improve our platform; to prevent fraud and abuse; to communicate service-related updates; and to conduct internal analytics and marketing activities, provided these interests do not override your fundamental rights and freedoms.
  • Consent: Where we send you direct marketing communications beyond service-related notifications, we will rely on your explicit consent and provide a clear mechanism to withdraw it at any time.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Creating and managing your account and verifying your identity;
  • Delivering the messaging, USSD, OTP, and analytics services you have requested;
  • Processing payments and maintaining billing records;
  • Communicating with you about your account, service updates, security notices, and billing matters;
  • Investigating and preventing fraud, abuse, policy violations, and security incidents;
  • Complying with legal obligations, including responding to lawful requests from regulatory authorities;
  • Improving and developing our platform through aggregated analytics and internal research;
  • Sending you internal marketing communications about TumaSend products, features, and updates that may be relevant to your business. You may opt out of marketing communications at any time using the unsubscribe link in any email we send or by contacting us directly.

Regarding internal marketing: we may use your account information, usage patterns, and business type to send you targeted communications about TumaSend services, new features, and relevant offers. We do not sell your personal data to third parties for their marketing purposes.

5. Data Sharing and Third Parties

We do not sell your personal data. We share personal data only in the following circumstances:

5.1 Service Providers

We use carefully selected third-party service providers to help us operate the platform. These providers process data only on our instructions and are contractually required to protect your data. Our current key sub-processors include:

  • Google LLC (Firebase Authentication, Firebase Storage, Google Cloud) — account authentication and file storage;
  • Paychangu — payment processing;
  • Malawian mobile network operators (Airtel Malawi, TNM) — SMS and USSD message routing.

5.2 Legal and Regulatory Disclosure

We may disclose your personal data to law enforcement, regulatory authorities, or other third parties when required by applicable Malawian law, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred as part of that transaction. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

Some of our service providers, including Google LLC, are located outside of Malawi. When we transfer your personal data internationally, we take steps to ensure that appropriate safeguards are in place to protect your data, including relying on standard contractual clauses or the service provider's certification under recognised international data protection frameworks.

7. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide our services. Following account closure, we retain data for the following periods, unless a longer retention period is required by law:

  • Account and profile data: 3 years after account closure;
  • KYC documents and verification records: 7 years, as required by Malawian financial regulations;
  • Billing and transaction records: 7 years, as required by applicable tax and financial laws;
  • Message logs: 12 months from the date of sending;
  • Technical and access logs: 6 months;
  • Feedback submissions: retained indefinitely in aggregated or anonymised form; identifiable feedback deleted within 2 years of submission.

8. Your Data Subject Rights

Subject to applicable law, you have the following rights in relation to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you;
  • Right to rectification: You may request that inaccurate or incomplete data be corrected;
  • Right to erasure: You may request that we delete your personal data, subject to our legal obligations to retain certain records;
  • Right to restriction: You may request that we restrict the processing of your data in certain circumstances;
  • Right to data portability: You may request a machine-readable copy of data you have provided to us;
  • Right to object: You may object to processing based on legitimate interests, including for direct marketing purposes;
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact our Data Protection Officer at dpo@tumasend.com. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include encryption of data in transit (TLS) and at rest, access controls based on the principle of least privilege, regular security reviews, and multi-factor authentication options for account access.

No method of transmission over the internet or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay as required by applicable law.

10. Cookies and Tracking

Our platform uses strictly necessary cookies and session tokens to authenticate users and maintain secure sessions. We do not use third-party advertising or tracking cookies. Analytics data is collected in aggregate and anonymised form to understand platform usage patterns and improve the service.

11. Children

TumaSend is a business-to-business platform not directed at individuals under the age of 18. We do not knowingly collect personal data from persons under 18. If you believe we have inadvertently collected such data, please contact us immediately and we will take steps to delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Where changes are material, we will notify you by email or by a prominent notice within the platform at least 14 days before the changes take effect. Continued use of the platform after notification constitutes your acceptance of the revised Policy.

13. Contact and Complaints

For general privacy enquiries, contact us at privacy@tumasend.com. For data protection matters, contact our Data Protection Officer at dpo@tumasend.com.

If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction, or with MACRA in Malawi.

Digital Hope Technologies Limited trading as TumaSendTerms of ServiceBack to TumaSend