Privacy Notice

Last updated 16 May 2026

The information we collect, why we collect it, how we keep it secure, and the rights you have over it. Written plainly, without legalese where it can be avoided.

Summary

This page describes how Shabba Financial collects, uses, stores, and shares personal information. The short version is that we treat data the way a serious capital-markets institution should: with strict access controls, encrypted storage, a clear data-controller relationship, and no resale of client information to third parties under any circumstances.

If you only have time to read one section, read the rights section near the bottom. It tells you what you can ask us to do with information we hold about you, and how.

Who we are

Shabba Financial Company Limited is the data controller for personal information processed through this website and through the institutional services we offer. Where we engage processors to handle data on our behalf, those processors are bound by written agreements that hold them to our standards.

Information we collect

We collect a deliberately narrow set of information. There are two categories.

  • Institutional identification. Where required for regulatory KYC and AML verification, we collect information about counterparty entities and their authorized representatives. This includes names, roles, identification documents, and the supporting evidence required by the applicable rules.
  • Technical telemetry. When you access our website or our institutional interfaces, we collect machine-level metadata such as IP addresses, browser signatures, request timestamps, and API latency. This data is used to operate the service, detect abuse, and improve performance.

How we use it

We use the information we collect for a small number of clearly defined purposes:

  • To provide and operate the services you have engaged us for.
  • To comply with regulatory obligations, including KYC, AML, and reporting requirements.
  • To secure our systems against intrusion, abuse, and fraud.
  • To improve the performance and reliability of our infrastructure.
  • To communicate with you about your account, our services, and regulatory matters.

We do not use personal information for advertising, profiling, or any purpose unrelated to operating a regulated financial-services business.

How we share it

We do not sell personal information to third parties. We share it only where one of the following applies:

  • With regulators and supervisory authorities where required by law, including the Capital Markets and Securities Authority of Tanzania.
  • With infrastructure partners essential to trade settlement, clearing, and payment processing, under written agreements that bind them to confidentiality and security standards.
  • With professional advisors (legal, tax, audit) under standard duties of confidence.
  • Where required by court order or other legal process.

Cross-border transfers

Shabba Financial operates across multiple jurisdictions. Personal information may be transferred to, stored in, or processed in countries outside the one in which it was originally collected. Where this happens, transfers are governed by Standard Contractual Clauses or equivalent safeguards, where applicable, to ensure consistent protection of the data.

How we secure it

The security of the data we hold is treated as core infrastructure, not an afterthought. Our practices include:

  • Cryptographic keys managed within hardened key-management systems.
  • Role-based access controls with continuous authentication for all internal access to sensitive data.
  • An immutable audit log of every interaction with sensitive data, suitable for forensic review.
  • Encryption of data both in transit and at rest, against current industry standards.

No security regime can guarantee absolute protection. If we ever identify a breach affecting your personal information, we will notify you and the appropriate regulator in line with the applicable rules.

How long we keep it

We retain personal information only as long as needed to provide our services, meet our regulatory obligations, and defend any legitimate legal interest. For KYC and AML records, retention follows the statutory periods set by the applicable regulators. Once the relevant retention period has passed, we delete or anonymize the information.

Your rights

Subject to applicable law, you have the right to:

  • Request access to the personal information we hold about you.
  • Request correction of information that is inaccurate or out of date.
  • Request deletion of your information, subject to the regulatory record-keeping obligations we are bound by.
  • Object to or request restriction of certain processing.
  • Request that information you provided to us be transferred to another controller, where this is technically feasible.
  • Withdraw consent where processing is based on consent (this does not affect the lawfulness of prior processing).
  • Lodge a complaint with the applicable supervisory authority.

To exercise any of these rights, contact us at the address in the contact section below. We will respond within the timeframe required by the applicable rules.

Changes to this policy

We update this policy as our practices and the applicable rules evolve. When we make material changes, we will update the “last updated” date at the top of this page and, where appropriate, notify users by other means.

Contact

For questions about this policy, requests to exercise any of the rights above, or to report a privacy concern, email us directly. We aim to respond within the timeframe set by the applicable rules. Write to privacy@shabba.tz.