Legal · Privacy

Privacy Policy

How Sohana collects, uses, stores, and protects your personal data — explained in plain language.

Version · 1.0 (draft) Effective · 1 May 2026 Last reviewed · 1 May 2026 Active
First draft · pending legal review

This policy is a working first draft written in plain English. We are working with counsel to finalise the legally binding version before public launch. If anything is unclear or seems incomplete, please reach out to privacy@sohana.app — we'd rather hear from you.

01 · Who we are

Sohana is a financial-technology platform digitising community-based savings systems (ROSCAs) for Africa and the global diaspora. We are pre-launch and currently operating in beta. As we obtain regulatory authorisations (ACPR in France, FCA in the UK, FINTRAC in Canada), the legal entity acting as data controller will be confirmed in this policy.

Beta-stage notice: Sohana is currently a beta-stage platform. We collect personal data to operate the service and prepare for regulated launch. No real-money transactions are processed during beta.

02 · What we collect

We collect only what we need to operate the service and meet regulatory obligations. Data falls into four categories.

Information you give us directly

  • Account data: name, email, phone number, password (stored hashed, never in plaintext), Hanatag handle
  • KYC data: first name, last name, date of birth, gender, nationality, country of residence, occupation, source of funds, and identity documents you upload (passport, national ID, driver's licence, residence permit, proof of address)
  • Profile data: base currency preference, language, notification settings, bio
  • Communications: messages you send to support, complaints, press inquiries, partnership inquiries, career applications

Information generated through your use of Sohana

  • Transaction data: contributions, payouts, wallet operations, ROSCA participation, pool contributions, campaign donations
  • Behavioural data: on-time contribution rate, completion rate, group diversity, tenure — used to calculate your Njangi Credit Score (NCS)
  • Activity logs: login timestamps, IP address, device type, browser, pages visited within the platform

Information we receive from third parties

  • Payment partner data: when we go live with licensed payment providers, transaction confirmations and settlement data
  • Identity verification partners: at launch, KYC verification responses from regulated providers
  • Sanctions & PEP screening: at launch, results from regulated screening providers (AML compliance)

Information we do not collect

  • We do not collect biometric data beyond what is required for KYC document verification
  • We do not track you across other websites or use third-party advertising cookies
  • We do not collect data from your device's contacts, photos, or location unless you explicitly grant access for a specific feature

03 · How we use your data

We use your data for clearly defined purposes — never for things you wouldn't expect.

PurposeExamplesRequired?
Operating the service Authentication, ROSCA participation, contribution tracking, payouts, NCS calculation Required
Regulatory compliance KYC, AML, sanctions screening, fraud detection, audit trail, regulatory reporting Required
Security & integrity Detecting suspicious activity, preventing account takeovers, audit logs Required
Service improvements Aggregated anonymous analytics, identifying friction points, building new features Legitimate interest
Communications Transactional notifications, security alerts, complaint responses Required
Marketing & updates Newsletter, product announcements, feature launches Opt-in only

We do not sell your data. We do not share it with advertisers. We do not use it to train AI models.

Under GDPR and similar frameworks, we process your data on one of these legal bases:

  • Contract performance — we need your data to deliver the service you signed up for
  • Legal obligation — KYC, AML, anti-fraud, and regulatory reporting are mandated by law
  • Legitimate interest — fraud prevention, platform security, aggregated analytics that don't override your rights
  • Consent — for optional things like marketing emails or analytical cookies. You can withdraw consent at any time

05 · Sharing & transfers

We share your data only when necessary, only with vetted parties, and only under strict contractual safeguards.

Who we share with

  • Hosting infrastructure — Railway (US/EU), our cloud platform. Data encrypted in transit and at rest.
  • Identity verification partners — at launch, regulated KYC providers in each jurisdiction. Document data shared only for verification, not retained by them beyond regulatory requirements.
  • Payment institutions — at launch, licensed EMIs and PIs in each market for transaction processing. Only the data they need to process your payment.
  • Regulatory authorities — when legally required, including ACPR, FCA, FINTRAC, tax authorities, and law enforcement. Only on lawful request.
  • Other ROSCA / Pool members — only the data the platform shows them: name, Hanatag, public profile, and your participation in shared circles. Never your private contact details, KYC documents, or payment information.

International transfers

Sohana operates across Europe, Africa, and North America. Your data may cross borders to provide the service. Where data leaves your jurisdiction, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where they exist (e.g. EU–UK, EU–Canada PIPEDA)
  • Additional safeguards on a case-by-case basis where neither applies

06 · How long we keep your data

Different data has different retention requirements. We don't hold things longer than we need to.

Data typeRetention periodReason
Account dataWhile your account is active + 30 days after closureTo allow account reactivation
KYC documents5–7 years after account closureRegulatory requirement (AML)
Transaction records5–10 yearsRegulatory requirement (financial records)
Activity logs12 monthsSecurity & fraud detection
Marketing consentUntil you withdraw itYour choice, always
Complaint records3 years after resolutionAudit + dispute resolution

After retention periods expire, data is either deleted or fully anonymised so it can no longer be linked to you.

07 · Your rights

Under GDPR and similar frameworks, you have the following rights. We will honour them within 30 days of a verified request.

  • Right of access — see what data we hold about you, in a portable format
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure — request deletion (subject to legal retention requirements)
  • Right to restrict processing — pause specific uses while a dispute is investigated
  • Right to data portability — receive your data in a machine-readable format to take elsewhere
  • Right to object — to processing based on legitimate interest, especially marketing
  • Right to withdraw consent — for any processing where consent is the legal basis
  • Right not to be subject to automated decisions — including profiling that has legal effects on you
  • Right to lodge a complaint — with your data protection authority. The full list is on the European Data Protection Board's website (edpb.europa.eu)

To exercise any of these rights, email privacy@sohana.app. We will verify your identity before processing the request and respond within 30 days. There is no fee for reasonable requests.

08 · Security

Security is not a feature — it's the foundation. Full detail is on our security page. In summary, we use:

  • Password hashing — PBKDF2-SHA256 with 260,000 iterations and per-user random salts. Plaintext passwords never touch our database.
  • Encryption in transit — TLS 1.3 on all connections
  • Encryption at rest — encrypted storage on infrastructure level
  • Role-based access control — internal staff see only what their role requires
  • Audit trails — every administrative action is logged and attributable
  • Session security — SameSite cookies, server-side validation, automatic revocation

If you suspect a security incident on your account, email security@sohana.app immediately.

09 · Children

Sohana is not intended for use by anyone under 18. We require date-of-birth verification at registration and enforce an 18+ minimum age. If we learn that a minor has created an account, we will close it and delete any associated personal data.

10 · Changes to this policy

We may update this policy as the platform evolves, as we obtain regulatory authorisations, and as we expand to new markets. When we make material changes, we will:

  • Update the "last reviewed" date at the top of this page
  • Notify you by email at least 14 days before the changes take effect, where the change is material
  • Maintain a public version history (planned) so you can see what changed

If you disagree with a change, you can close your account before it takes effect. Continued use after the effective date constitutes acceptance.

11 · Contact

Privacy questions, requests, or concerns

For all data-protection matters, including exercising any of your rights, please email us. We aim to respond to verified requests within 30 days, often much faster.

privacy@sohana.app

For complaints relating specifically to data, you can also raise a formal complaint via our complaints process — we treat data complaints as high-priority by default.