Privacy Policy
Effective Date: 18 March 2026
Last Updated: 18 March 2026
This Privacy Policy explains how Castmax Technologies Limited, a company registered under the laws of the Republic of Zambia, trading as Utumba ("we", "us", "our"), collects, uses, stores, shares, and protects your personal data when you use the Utumba mobile applications, website, and related services (the "Service").
This Privacy Policy is issued in compliance with the Data Protection Act, 2024 of the Republic of Zambia and is consistent with the principles and requirements of that Act. Castmax Technologies Limited is registered as a data controller with the Office of the Data Protection Commissioner (ODPC) (registration in progress as of the effective date of this Policy).
By using the Service, you agree to the collection and use of your information in accordance with this Privacy Policy. This Policy forms part of our Terms of Service.
1. Data Controller
The data controller responsible for your personal data is:
Castmax Technologies Limited (trading as Utumba)
Email: hello@utumba.com
Lusaka, Zambia
2. Personal Data We Collect
2.1 Information You Provide
- Account Information: First name, last name, email address, phone number, and password when you register for an account.
- Profile Information: Country of residence and any additional profile details you choose to provide.
- Delivery Information: Delivery addresses you provide for order fulfilment.
- Payment Information: Mobile money phone number and provider (MTN, Airtel, Zamtel), or card details (card number, expiry date, CVV). Full card details are processed and stored in tokenised form by our payment service provider; we retain only the last four digits and card brand for your reference.
- Communication Data: Messages you send to our support team, feedback, and reviews you post on the Platform.
- Store Owner Information: If you register as a Store owner, we collect business name, business registration details, bank account or mobile money details for settlement payouts, store address, and store images.
2.2 Information Collected for Financing
If you apply for Financing (Buy Now Pay Later), we additionally collect:
- Identity Verification: Full legal name, national identity number, and a scan or photograph of your national identity document.
- Employment and Income: Employer name, employment status, monthly income, and copies of payslips.
- Banking Information: Bank name, bank account number, and bank statement documents (valid for 90 days from upload).
- Consents: Your explicit consent for accessing bank account summaries and for credit bureau reporting, including timestamps and the method of consent.
2.3 Information Collected Automatically
- Device Information: Device type, operating system, unique device identifiers, app version, and mobile network information.
- Usage Data: Pages and features accessed, search queries, browsing and purchase history, timestamps, and interaction patterns.
- Location Data: Approximate location based on IP address or, with your permission, more precise location data from your device.
- Log Data: IP address, browser type, error logs, and diagnostic data.
- Push Notification Tokens: Device tokens used to deliver push notifications if you have enabled them. You can disable push notifications at any time through your device settings.
- Crash and Diagnostic Data: Application crash reports, performance data, and diagnostic information used to improve the stability and performance of the App.
- Advertising Identifiers: We do not collect or use Apple's Identifier for Advertisers (IDFA) or Google's Advertising ID (GAID) for advertising or tracking purposes.
3. How We Use Your Data
We use your personal data for the following purposes:
3.1 Service Delivery
- To create and manage your account;
- To verify your identity via email and SMS one-time passwords;
- To process orders and facilitate payments between you and Stores;
- To manage Layby instalment plans and Financing arrangements;
- To provide customer support and respond to your enquiries;
- To send you transactional notifications (order confirmations, payment receipts, delivery updates, pickup codes).
3.2 Financing Assessment
- To run affordability and creditworthiness assessments through our suggestion engine;
- To share your application with finance partner banks for underwriting decisions;
- To process deposits, settlements, and repayment schedules;
- To report defaults to credit bureaus (with your prior consent).
3.3 Platform Improvement
- To analyse usage patterns and improve the Service;
- To personalise your experience, including product recommendations;
- To conduct semantic product search using AI-powered embeddings;
- To monitor platform performance and detect technical issues.
3.4 Safety and Security
- To detect, investigate, and prevent fraud, unauthorised access, and other harmful activities;
- To enforce our Terms of Service and other policies;
- To comply with legal obligations and respond to lawful requests from authorities.
3.5 Communications
- To send you service-related notifications via email and SMS;
- To send promotional communications and newsletters if you have opted in. You may unsubscribe at any time.
4. Legal Basis for Processing
We process your personal data on the following legal grounds:
- Contractual Necessity: Processing necessary to perform our contract with you (e.g., processing your orders, managing your account, administering Layby or Financing plans).
- Consent: Where you have given explicit consent (e.g., bank history access for financing, credit bureau reporting, marketing communications).
- Legitimate Interests: Where processing is necessary for our legitimate interests, such as fraud prevention, service improvement, and platform security, provided these interests do not override your fundamental rights.
- Legal Obligation: Where processing is required to comply with applicable Zambian law or regulatory requirements.
5. How We Share Your Data
We share your personal data only as necessary and with appropriate safeguards:
5.1 Stores and Vendors
When you place an order, we share your name, delivery address, and contact details with the relevant Store to fulfil your order.
5.2 Payment Service Providers
We share payment details with our authorised payment service providers to process transactions securely. Our payment providers operate under strict data protection and PCI-DSS compliance standards.
5.3 Finance Partner Banks
If you apply for Financing, your KYC documents, employment information, income details, and bank statements are shared with the applicable finance partner bank for underwriting and credit decisions. This sharing occurs only with your explicit consent.
5.4 Service Providers
We engage trusted third-party service providers to assist in delivering the Service:
- Email Delivery: For sending transactional and promotional emails;
- SMS Delivery: For sending verification codes and notifications;
- Cloud Storage: For storing product images, documents, and application data;
- Content Delivery: For delivering images and static assets efficiently;
- Error Monitoring: For detecting and resolving application errors;
- Analytics: For understanding service usage and performance.
These providers process data only on our instructions and are bound by appropriate data processing agreements.
5.5 Legal Requirements
We may disclose your data if required by law, regulation, court order, or government authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6. Data Retention
- Account Data: Retained for as long as your account is active. Upon account closure, data is retained for a reasonable period to fulfil legal and regulatory obligations.
- Transaction and Financial Data: Retained for a minimum of 7 years as required for auditing, regulatory compliance, and dispute resolution.
- Financing and KYC Documents: Retained for a minimum of 7 years from the date the financing arrangement concludes, in accordance with regulatory requirements.
- Marketing Data: Retained until you withdraw consent or unsubscribe.
- Usage and Analytics Data: Retained in aggregated or anonymised form indefinitely for statistical and service improvement purposes.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption at Rest: Sensitive data and documents are encrypted using industry-standard encryption (AES-256).
- Encryption in Transit: All data transmitted between your device and our servers is protected using TLS 1.2 or higher.
- Access Controls: Role-based access control (RBAC) ensures that only authorised personnel can access personal data on a need-to-know basis.
- Payment Security: Card details are tokenised by our payment service provider. We never store full card numbers on our systems.
- Audit Trails: All access to sensitive data is logged and monitored.
- Regular Reviews: We regularly review and update our security practices to address emerging threats.
While we take reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.
8. Data Localisation
In compliance with the Data Protection Act, 2024, we are committed to meeting data localisation requirements for sensitive personal data processed on the Platform. Financial data, identity documents, and other sensitive personal data are stored with appropriate safeguards. Where data is stored or processed outside the Republic of Zambia by our service providers, we ensure that adequate protections are in place through data processing agreements that meet the requirements of the Act.
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Office of the Data Protection Commissioner (ODPC) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by the Data Protection Act, 2024;
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
- Provide details of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach;
- Document all data breaches, including their effects and the remedial actions taken, for audit and regulatory purposes.
10. Your Rights
Under the Data Protection Act, 2024 and applicable law, you have the following rights regarding your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request correction of inaccurate or incomplete personal data.
- Right to Erasure: You may request deletion of your personal data, subject to our legal retention obligations. Where data is subject to a legal hold or regulatory retention requirement, we will inform you of the applicable restriction.
- Right to Restrict Processing: You may request that we restrict the processing of your data in certain circumstances.
- Right to Data Portability: You may request a machine-readable copy of the personal data you have provided to us.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to Object: You may object to processing based on legitimate interests.
- Right to Be Notified: You have the right to be notified of data processing activities concerning your personal data, as provided under the Act.
To exercise any of these rights, please contact us at hello@utumba.com. We will respond to your request within 30 days.
10.1 Complaints to the Data Protection Commissioner
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of the Republic of Zambia. The ODPC can be contacted at:
Office of the Data Protection Commissioner
Website: www.dataprotection.gov.zm
Lusaka, Zambia
We encourage you to contact us first at hello@utumba.com so that we may attempt to resolve your concern before you escalate to the ODPC.
11. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete such data promptly. If you believe that a child has provided us with personal data, please contact us at hello@utumba.com.
12. International Data Transfers
Your personal data may be transferred to and processed in countries outside the Republic of Zambia where our service providers operate. When such transfers occur, we ensure that appropriate safeguards are in place, including data processing agreements that provide a level of protection consistent with Zambian data protection standards.
13. Automated Decision-Making
We use automated systems in the following contexts:
- Financing Suggestion Engine: Our system generates a creditworthiness suggestion based on your income, banking, and shopping history. This suggestion assists finance partner banks in their underwriting decisions but does not constitute a final automated decision. Banks retain ultimate authority over credit approvals.
- Fraud Detection: We use automated tools to identify and flag potentially fraudulent transactions for review.
- Order Management: Automatic cancellation of unpaid orders after 24 hours and automatic defaulting of Layby orders after 3 consecutive missed instalments.
You have the right to request human review of any decision that significantly affects you.
14. Cookies and Similar Technologies
Our use of cookies and similar technologies on the web platform is described in our separate Cookie Policy. For mobile applications, we use local storage and device identifiers as described in Section 2.3 of this Privacy Policy.
15. App Store Data Collection Summary
The following table summarises the data categories collected and shared through the Utumba mobile applications, for the purposes of Apple App Store Privacy Labels and Google Play Data Safety disclosures:
| Data Category | Collected | Shared | Linked to Identity | Purpose |
|---|---|---|---|---|
| Name | Yes | With Stores (for orders) | Yes | Account, orders |
| Email Address | Yes | With service providers | Yes | Account, notifications |
| Phone Number | Yes | With Stores, SMS provider | Yes | Verification, orders |
| Physical Address | Yes | With Stores (for delivery) | Yes | Order fulfilment |
| Payment Information | Yes | With payment provider | Yes | Payment processing |
| Purchase History | Yes | No | Yes | Order management |
| Product Interaction | Yes | No | Yes | Recommendations, search |
| Device ID | Yes | No | No | Analytics, fraud detection |
| Crash Data | Yes | With error monitoring | No | App stability |
| Performance Data | Yes | With monitoring tools | No | App performance |
| Approximate Location | Yes | No | No | Service localisation |
| Photos (KYC only) | Yes (financing) | With finance partners | Yes | Identity verification |
| Financial Documents | Yes (financing) | With finance partners | Yes | Credit assessment |
| Advertising ID (IDFA/GAID) | No | No | N/A | Not collected |
| Contacts | No | No | N/A | Not collected |
| Health Data | No | No | N/A | Not collected |
16. Data Protection Officer
Castmax Technologies Limited has designated a privacy contact responsible for overseeing compliance with the Data Protection Act, 2024 and this Privacy Policy. For all data protection matters, you may contact:
Data Protection Contact
Castmax Technologies Limited
Email: hello@utumba.com
Lusaka, Zambia
The Data Protection Contact is responsible for monitoring compliance with applicable data protection legislation, advising on data protection impact assessments, and serving as the point of contact for the ODPC and data subjects.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated Policy on the Platform and, where practicable, by email or in-app notification. The "Last Updated" date at the top of this Policy indicates the most recent revision. Your continued use of the Service after any changes constitutes acceptance of the updated Policy.
18. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Castmax Technologies Limited (trading as Utumba)
Data Protection Contact
Email: hello@utumba.com
Lusaka, Zambia