1. Our commitment
Netpoa Limited complies with Tanzania's Personal Data Protection Act (PDPA) 2022 and the regulations made under it, overseen by the Personal Data Protection Commission. This page summarises your rights and how we meet our obligations. It complements our Privacy Policy (what we collect about you as a customer) and our Data Processing Agreement (data you put into our services).
2. Lawful bases
We process personal data on one or more of these PDPA bases:
- Contract — to deliver the service you signed up for (account, billing, support).
- Consent — where you've opted in (e.g. marketing emails); withdrawable any time.
- Legal obligation — tax, anti-fraud, lawful regulator / court orders.
- Legitimate interest — securing our platform, preventing abuse, improving the service — balanced against your rights.
3. Your rights
Under the PDPA you have the right to:
- Access — a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion, subject to our legal retention duties.
- Restriction / objection — limit or object to certain processing.
- Portability — receive your data in a usable format (most of it is self-export inside the product).
- Withdraw consent — where processing relies on consent.
- Complain — to us first, then to the Personal Data Protection Commission.
4. How to exercise them
Most access / correction / export needs are self-served inside your account or workspace. For anything else, email info@netpoa.com with your request and enough detail to verify your identity. We respond within the timeframe required by the PDPA (and always aim faster). There's no charge for a reasonable request.
5. Retention
We keep personal data only as long as needed for the purpose collected, or as the law requires (e.g. tax records). Service data follows the retention windows in each Service Schedule — typically 90 days after cancellation for SaaS workspaces, 30 days for hosting backups, after which it's permanently deleted.
6. When you're the controller
When you put other people's personal data into our services (employees, customers, church members, SMS recipients), you are the data controller and must have a lawful basis to do so — usually their consent. We process it as your processor under the DPA. Make sure you've obtained consent before, for example, uploading a contact list to SanyaSMS or adding employee records to Sanya Business.
7. Breach notification
If a breach affects personal data, we notify affected controllers within 72 hours of discovery and, where the law requires, the Personal Data Protection Commission. See Security for the controls that prevent breaches in the first place.
8. Contact
Data Protection Officer: info@netpoa.com · Netpoa Limited, Kijitonyama, Dar es Salaam, Tanzania. If unsatisfied with our response, you may complain to the Personal Data Protection Commission of Tanzania.