Privacy Policy

Effective date: 7 May 2026 · Last updated: 7 May 2026

This Privacy Policy explains how InnBucks Zimbabwe (Pvt) Ltd ("InnBucks", "we", "us", "our") collects, uses, shares and protects your personal information when you use the InnBucks mobile application, website (innbucks.co.zw), and related services (collectively, the "Services").

We process personal information in accordance with the Cyber and Data Protection Act [Chapter 12:07] of Zimbabwe (2021) and any other applicable data-protection laws.

1. Data controller and contact

The data controller responsible for your personal information is:

InnBucks Zimbabwe (Pvt) Ltd
2 Northridge Close, Northridge Park
Borrowdale, Harare, Zimbabwe
Email: [email protected]
Phone: +263 8677 569 569

2. Information we collect

We collect the following categories of personal information when you register for and use the InnBucks Services:

2.1 Information you provide

Identity information — full name, date of birth, gender, national ID number, photograph or selfie used for verification.
Contact information — mobile phone number, email address, residential or business address.
Account credentials — username, PIN, password, biometric registration (fingerprint or face ID, where supported on your device).
Financial information — bank account details, debit/credit card details (tokenised by our payment processors), wallet balance, transaction history, beneficiary details for transfers.
Know-Your-Customer (KYC) records — documents and information required to comply with Zimbabwean anti-money laundering and financial regulation, including proof of identity and proof of address.
Customer support records — messages, call recordings, complaints and any other communications you send us.

2.2 Information collected automatically

Device and usage data — device model, operating system, app version, mobile network, IP address, language preference, time zone, in-app actions and screens viewed.
Location data — approximate location based on IP address, and (only with your permission) precise GPS location for outlet-finder features.
Transaction metadata — date, time, amount, merchant and reference for each payment, top-up or transfer.
Cookies and similar technologies — see section 12.

2.3 Information from third parties

Payment networks and partner banks — to authorise and settle transactions.
Identity verification providers — to confirm KYC details against official records.
Loyalty partners and merchants — to award and redeem points and run promotions.

3. How we use your information

We use your personal information to:

Create and manage your InnBucks account and authenticate you when you log in.
Process your payments, transfers, top-ups, bill payments and card transactions, and award and redeem loyalty rewards.
Comply with KYC, anti-money-laundering and other regulatory obligations.
Detect, prevent and investigate fraud, suspicious activity and security incidents.
Provide customer support and respond to your enquiries and complaints.
Send you transactional communications (e.g. transaction alerts, OTPs, security notices).
Send you marketing communications about InnBucks products and partner offers, where you have consented or where permitted by law. You can opt out at any time.
Improve and develop our Services through analytics and aggregated reporting.
Enforce our Terms and Conditions and protect our legal rights.

4. Legal basis for processing

We process your personal information on the following legal bases:

Performance of a contract — to deliver the Services you have signed up for.
Legal obligation — to comply with Zimbabwean financial, tax and data-protection laws.
Legitimate interests — to keep our Services secure, prevent fraud, and improve our products, provided your interests and rights do not override ours.
Consent — for activities such as marketing communications and access to optional device features (e.g. precise location, contacts). You can withdraw consent at any time without affecting the lawfulness of prior processing.

We do not sell your personal information. We share it only as described below:

Banks, payment processors and card networks — to execute the transactions you request.
Identity-verification and credit-bureau providers — to confirm who you are and meet KYC requirements.
Cloud hosting and infrastructure providers — who store and process data on our behalf under contract.
Customer support, communications and analytics providers — who help us run and improve the Services.
Loyalty partners and merchants — to award, redeem and reconcile rewards you have earned with them.
Regulators, law-enforcement and courts — where required by law or where we believe in good faith that disclosure is necessary to protect rights, property or safety.
Successors in a corporate transaction — if we are involved in a merger, acquisition or sale of assets, your information may be transferred, subject to this Policy.

All third parties acting as our processors are required to handle your information in line with our instructions and applicable law.

6. International data transfers

Some of our service providers operate outside Zimbabwe. Where we transfer your information internationally, we put in place appropriate safeguards (such as contractual protections) and rely on transfer mechanisms permitted by the Cyber and Data Protection Act and any guidance issued by POTRAZ.

7. Data retention

We keep your personal information only for as long as necessary for the purposes set out in this Policy, including:

For the duration of your InnBucks account, plus any period required to complete pending transactions and disputes.
For up to five (5) years after account closure, or longer where required by financial-services or tax regulations.
Longer where we are subject to a legal hold, court order or regulatory request.

Once retention periods expire, we delete or anonymise your personal information.

8. Security

We use technical and organisational measures designed to protect your information, including encryption in transit and at rest, access controls, monitoring and regular security testing. No system is perfectly secure; we ask you to keep your PIN, password and biometric credentials confidential and to notify us immediately at [email protected] if you suspect unauthorised access to your account.

9. Data breach notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) within the time limits required by the Cyber and Data Protection Act, and we will inform affected users without undue delay where the law requires.

10. Your rights

Subject to applicable law, you have the right to:

Access — request confirmation of whether we hold information about you and obtain a copy.
Rectification — ask us to correct inaccurate or incomplete information.
Deletion — ask us to delete your information where there is no compelling reason for us to keep it.
Restriction — ask us to restrict processing in certain circumstances.
Objection — object to processing based on legitimate interests, and opt out of direct marketing at any time.
Portability — receive your information in a structured, commonly used format and have it transmitted to another controller, where technically feasible.
Withdraw consent — where processing is based on consent.
Lodge a complaint — with POTRAZ, the data-protection authority for Zimbabwe, or any other competent supervisory authority.

To exercise any of these rights, contact us at [email protected]. We will respond within one month of receiving your request and verifying your identity.

11. Children's privacy

The InnBucks Services are intended for users aged 18 and over. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.

12. Cookies and similar technologies

Our website uses cookies and similar technologies to keep you signed in, remember your preferences, measure traffic and improve performance. You can control cookies through your browser settings. Disabling certain cookies may affect the functioning of the website. Our mobile app uses analogous device identifiers for similar purposes.

13. "Do Not Track" signals

Our website does not currently respond to "Do Not Track" browser signals. We will update this section if that changes.

14. Changes to this policy

We may update this Privacy Policy from time to time. The "Effective date" at the top of this page tells you when the latest version took effect. If the changes are material, we will notify you through the app, by email or by another reasonable means before they take effect. Where the law requires fresh consent, we will ask for it.

15. How to contact us

If you have questions, concerns or complaints about this Policy or how we handle your information:

InnBucks Zimbabwe (Pvt) Ltd
2 Northridge Close, Northridge Park, Borrowdale, Harare, Zimbabwe
Email: [email protected]
Phone: +263 8677 569 569

You also have the right to contact POTRAZ — Postal and Telecommunications Regulatory Authority of Zimbabwe — as the supervisory authority for data protection in Zimbabwe.

16. Definitions

Personal information / Personal data — any information relating to an identified or identifiable natural person.
Processing — any operation performed on personal information, such as collection, storage, use, disclosure, or erasure.
Data controller — the person or entity that determines the purposes and means of processing personal information (in this case, InnBucks).
Data processor — a person or entity that processes personal information on behalf of the controller.
Services — the InnBucks mobile application, website (innbucks.co.zw) and any related products or features.
POTRAZ — the Postal and Telecommunications Regulatory Authority of Zimbabwe, designated as the data-protection authority under the Cyber and Data Protection Act.
Cyber and Data Protection Act — the Cyber and Data Protection Act [Chapter 12:07] of Zimbabwe, 2021.