1. Who We Are
Netpoa Limited (TIN / Company Registration No. 143-477-398) is a company registered in the United Republic of Tanzania. We operate Netpoa internet infrastructure (hosting, domains, Cloud VPS, business email, SSL) and the Sanya family of software brands (Sanya Business at sanya.tz, SanyaSMS at sanya.tz/sms, Kanisa MS at kanisa.or.tz).
For privacy purposes, we are the data controller for information about our customers — the businesses and individuals who sign up with us. If you are using our software as someone's customer or employee (e.g. an invoice was generated for you by a Sanya subscriber), that subscriber is the data controller and we are their data processor. The rest of this policy is written from the perspective of our direct customers.
2. What Data We Collect
2.1 You give us directly
- Identity: Your full name, business name, role.
- Contact: Email address, phone number.
- Business details: TIN, VRN where applicable, business address.
- Authentication: Password (stored hashed, never in plaintext), two-factor codes.
- Billing: The plan you chose, cycle, payment confirmations from our online payment partner or your bank.
2.2 Generated automatically when you use our services
- Service activity: What you do in the service — invoices issued, SMS sent, files uploaded — the records you generate to run your business.
- Usage logs: IP address, browser type, pages visited, timestamps. Retained for 90 days for security and debugging.
- Audit log: Significant actions (logins, password changes, subscription changes). Retained for 2 years.
2.3 Data you put into your account or workspace
When you enter customer records, employee details, supplier information, website content, email, or other business data into any Netpoa service, that data belongs to you. We process it on your behalf. We never sell it, mine it for advertising, or share it outside what's needed to run the service.
2.4 What we do NOT collect
- Card numbers — our online payment partner handles those directly; they never touch our servers.
- Government IDs (NIDA, passports) unless you choose to upload them as attachments.
- Personal data from non-Tanzanian advertising networks, brokers, or data aggregators.
3. How We Use Your Data
We use your data only for these purposes:
- Providing the service — running your hosting account, processing your domain renewals, delivering your SMS, operating your workspace.
- Billing & subscription management — charging your plan, sending invoices, suspending overdue accounts.
- Customer support — when you contact us, we look at your account to help you.
- Security & abuse prevention — detecting fraudulent signups, brute-force logins, malware-hosting accounts, SMS abuse.
- Service improvement — anonymous aggregate analytics to decide what to build next. Never tied to individual identities in published reports.
- Legal compliance — when required by Tanzanian law, court order, or regulator.
4. Lawful Basis for Processing
Under Tanzania's Personal Data Protection Act 2022 and similar laws, we process your data on these grounds:
- Contract — providing the service you signed up for.
- Legal obligation — keeping records required by Tanzanian tax, accounting, and AML rules.
- Legitimate interest — security, fraud prevention, infrastructure operations.
- Consent — for marketing emails (opt-in only; you can revoke at any time).
5. Who We Share Data With
We share personal data only with the third parties strictly necessary to operate Netpoa services:
| Sub-processor type | Purpose | Data shared |
|---|---|---|
| Online payment partner | Payment processing (mobile money + cards + banks) | Order ID, amount, your name + email + phone |
| SMS delivery partner | SMS gateway (reminders, OTP codes, notifications) | Recipient phone, message body |
| Managed hosting provider | Server infrastructure and storage | All workspace / hosting data, encrypted at rest |
| Domain registries | Domain registration / renewal / WHOIS | Registrant name, address, email (per registry policy) |
| Email delivery partner | Transactional email delivery | Recipient email, message body |
Each sub-processor is bound by a contract that requires equivalent data-protection standards. We do not sell or rent personal data, period.
We may disclose your data to an authority only where the law genuinely compels us to. The very short list of triggers is:
- A Tanzanian court order or warrant issued against Netpoa Limited and naming the data sought.
- A lawful national-security or law-enforcement request backed by the relevant statutory instrument.
To be explicit about what is not on the list: we do not hand over customer data on the basis of an informal request, phone call, or email from any agency — including TRA, BoT, the police, intelligence services, or any other authority. Every disclosure requires a written, dated legal instrument that we can name and that we act on under counsel.
6. How Long We Keep Data
- Active service data: For as long as your subscription is active.
- After cancellation: 90 days, then permanently deleted (unless legally required to retain longer).
- Audit logs: 2 years.
- Billing records: 7 years (required by Tanzanian tax law).
- Domain WHOIS records: for the life of the domain plus registry-mandated retention afterwards.
- Marketing opt-in records: Until you revoke consent, plus a brief "do not email" record retained indefinitely so we don't re-email you by accident.
7. Your Rights
Under Tanzania's PDPA you have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correct — Ask us to fix inaccurate or incomplete information.
- Delete — Request deletion ("right to be forgotten"), subject to our legal retention obligations.
- Restrict processing — Ask us to pause certain processing while a dispute is investigated.
- Object — To processing based on legitimate interest, particularly direct marketing.
- Portability — Export your data in a machine-readable format (CSV, JSON) to move it elsewhere.
- Withdraw consent — Any time, for any consent-based processing.
- Complain — File a complaint with us first, then escalate to the Tanzania Personal Data Protection Commission.
To exercise any of these rights, email info@netpoa.com. We respond within 5 business days and complete most requests within 30 days.
8. How We Protect Data
- Encryption in transit — TLS 1.2+ on every connection.
- Encryption at rest — Database encryption on our hosting provider.
- Database isolation — Every SaaS tenant has its own database (DB-per-tenant). One customer's data cannot leak into another's through application bugs.
- Password hashing — Argon2 / bcrypt; we never store passwords in plaintext.
- Two-factor authentication — Available on every account, required for super-admins.
- Access controls — Netpoa staff access to your account is logged and limited to support cases you've explicitly opened with us.
- Daily off-site backups — Retained for 30 days.
- Breach notification — If we discover a data breach affecting your data, we'll notify you within 72 hours of discovery, per PDPA.
9. Cookies & Tracking
Our websites use a small number of essential cookies (session, auth, preferences). We do not use advertising cookies, marketing pixels, or third-party analytics on customer-facing pages. Full details in our Cookie Policy.
10. International Data Transfers
Our primary infrastructure is hosted with managed providers with servers located in the European Union and/or East Africa. Data may be transferred outside Tanzania in the course of normal hosting operations. Where data leaves Tanzania, we ensure it is protected by:
- Hosting provider compliance with GDPR (which exceeds PDPA in most respects).
- Contractual safeguards in our hosting agreements.
- Encryption at rest and in transit.
11. Children
Netpoa services are B2B. We do not knowingly collect personal data from anyone under 18. If you become aware of a minor's data being processed through any Netpoa service, please contact info@netpoa.com immediately and we will remove it.
12. Changes to This Policy
We will notify you of material changes by email at least 14 days before they take effect. The "Effective" date at the top of this page is your authoritative source.
13. Contact / Data Protection Officer
For any privacy concern, contact our Data Protection Officer:
- Email: info@netpoa.com
- Post: Netpoa Limited — Data Protection, Kijitonyama, Dar es Salaam, Tanzania
You may also lodge a complaint with the Personal Data Protection Commission (PDPC) of Tanzania.