Privacy Policy
This Privacy Policy explains how Haandi Ltd ("Haandi", "we", "us", "our") collects, uses, shares, and protects personal information when you use our platform, app, USSD service, WhatsApp service, or website (collectively, the "Service"). It is issued in compliance with the Republic of Rwanda's Law N° 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy, and reflects best-practice principles drawn from the EU General Data Protection Regulation (GDPR).
1. Who We Are
Haandi Ltd is a private limited company incorporated in the Republic of Rwanda. Our registered office is in Kigali. For all matters relating to this Privacy Policy you may contact our Data Protection Officer (DPO) at privacy@haandi.rw or by writing to: Haandi Ltd, Attn: DPO, [Registered Office Address], Kigali, Rwanda.
2. Scope
This Policy applies to:
- Clients (individuals or businesses) who book services through Haandi.
- Service providers registered on Haandi.
- Visitors to our website, USSD code, app, or WhatsApp service.
- Trainees enrolled in Haandi Academy programmes.
It does not apply to third-party websites, services, or partners that are linked from our Service but operated by third parties under their own privacy policies.
3. Personal Information We Collect
3.1 Information you provide directly
| Category | Examples | Source |
|---|---|---|
| Identity information | Full name, date of birth, gender, national ID number, photograph | Account creation, KYC |
| Contact information | Mobile phone number, email, residential and service address | Account, bookings |
| Payment information | MTN MoMo / Airtel Money number, transaction history | Payments |
| Provider profile | Skills, certifications, experience, work photos, references | Provider onboarding |
| Booking information | Service requested, location, time, special instructions | Bookings |
| Reviews & feedback | Ratings, written reviews, complaints | Post-service |
| Communications | Messages with support, in-app chats, call recordings (with notice) | Customer support |
3.2 Information we collect automatically
- Device data: device type, operating system, app version, mobile network, screen resolution.
- Usage data: pages viewed, features used, search queries, click events, time spent.
- Location data: approximate location (always); precise GPS location (only with your permission and only for bookings in progress).
- Log data: IP address, access timestamps, error reports.
- Cookies and similar technologies on our website (see our Cookies notice in-app).
3.3 Information from third parties
- Mobile money providers (MTN, Airtel) — payment confirmation status (not your full account balance).
- National ID Authority (NIDA) — verification confirmation only (yes/no), not the underlying record.
- Rwanda National Police — criminal record clearance status (yes/no) for providers.
- Public sources — for fraud detection and identity verification.
4. How We Use Your Information (Lawful Bases)
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account | Performance of contract |
| Matching clients with providers and processing bookings | Performance of contract |
| Processing payments via MoMo | Performance of contract; legal obligation (AML) |
| Verifying provider identity, certifications, and clearances | Legal obligation; legitimate interests (trust & safety) |
| Sending booking confirmations and service updates | Performance of contract |
| Customer support & dispute resolution | Performance of contract; legitimate interests |
| Quality assurance, ratings, fraud prevention | Legitimate interests |
| Marketing and promotions | Consent (you may withdraw at any time) |
| Compliance with tax, accounting, and regulatory requirements | Legal obligation |
| Aggregated, anonymised research and reporting | Legitimate interests |
5. Sharing Your Information
We share your information only as needed to deliver the Service and only with the following categories of recipients:
- Service providers (the platform's "supply side") — limited information needed to deliver your booking (name, location, phone for the booking, special instructions). Full national ID is never shared.
- Clients — provider's name, photo, ratings, certified skills, contact for the booking.
- Payment partners (MTN MoMo, Airtel Money, banks) — for processing transactions.
- Insurance partners — limited to information needed for claims handling under our Insurance Programme.
- Cloud hosting and infrastructure providers (e.g., AWS, Google Cloud) — under data processing agreements.
- Communications providers (SMS, email, WhatsApp Business API) — for notifications.
- Government authorities — when required by Rwandan law or court order.
- Professional advisers (auditors, lawyers, regulators) — under confidentiality.
- Successors in business — in the event of a merger, acquisition, or asset sale, with notice to you.
We do not sell your personal information to anyone.
6. International Transfers
Some of our infrastructure providers operate outside Rwanda (for example, AWS in the Cape Town region of South Africa). When we transfer personal data outside Rwanda, we do so under safeguards consistent with Law N° 058/2021, including data processing agreements, appropriate technical measures, and (where applicable) the authorisation of the National Cyber Security Authority.
7. How Long We Keep Your Information
| Category | Retention period |
|---|---|
| Account & profile data (active users) | For as long as your account is active |
| Account data after deactivation | 2 years (for fraud prevention & dispute resolution), then deleted or anonymised |
| Booking and transaction records | 10 years (Rwandan tax law requirement) |
| Payment records | 10 years (BNR & tax law) |
| KYC / national-ID verification | 5 years after account deactivation (AML/CFT) |
| Reviews & ratings | Anonymised on the platform indefinitely; personal identifiers removed on account deletion |
| Marketing preferences | Until you withdraw consent |
| Customer support correspondence | 3 years |
8. Your Rights
Subject to Rwandan law, you have the following rights in relation to your personal data:
- Right of access — to know what personal data we hold about you.
- Right of rectification — to correct inaccurate or incomplete data.
- Right of erasure — to request deletion of your personal data (see our Data Deletion Request Policy).
- Right to restrict processing — to limit how we use your data in certain circumstances.
- Right to object — to object to processing based on our legitimate interests, including direct marketing.
- Right to portability — to receive your data in a structured, commonly used format.
- Right to withdraw consent — at any time, where processing is based on consent.
- Right to lodge a complaint — with the National Cyber Security Authority (NCSA) of Rwanda.
To exercise any right, contact our DPO at privacy@haandi.rw. We will respond within 30 calendar days, or notify you of any extension.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control with least-privilege defaults.
- Multi-factor authentication for staff with privileged access.
- Regular vulnerability scanning and quarterly penetration testing.
- Logging and monitoring of access to personal data.
- Annual security awareness training for all employees.
- 72-hour data-breach notification protocol to the NCSA and affected users.
10. Children
The Service is not intended for individuals under 18 years of age. Haandi Academy may admit applicants from age 18 with valid national ID. If we discover that we have collected personal data from a person under 18 without parental authorisation, we will delete it promptly.
11. Cookies & Similar Technologies
Our website uses essential, analytics, and (with consent) marketing cookies. You can control cookies through your browser settings. The app and USSD service do not use cookies but may store local preferences and authentication tokens for your convenience.
12. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified to you by email, in-app notice, or SMS at least 14 days before they take effect. The current version date is shown at the top of this Policy.
13. Contact