Privacy Policy

Document 01 of 04 · Privacy Policy

The Privacy Policy of the STF Capital mobile application.

This document explains, in full, how STF Capital Private Limited (“STF Capital”, “we”, “us”) handles the personal data of anyone who uses the STF Capital mobile application on Android or iOS. It is the controlling record for Google Play Data Safety, our Cyber and Data Protection Act disclosures and any contractual warranties we give to clients about their data.

Version 1.0
Effective date 16 April 2026
Last reviewed 16 April 2026
Data controller STF Capital Private Limited

On this page
  1. Summary for Google Play reviewers
  2. Who we are and how to reach us
  3. Scope of this policy
  4. Legal basis for processing
  5. Categories of personal data we collect
  6. How we collect each category
  7. Purposes of processing
  8. Third-party processors
  9. When we share data and when we do not
  10. International data transfers
  11. Retention periods
  12. Security safeguards
  13. Breach notification
  14. Your rights as a data subject
  15. How to exercise your rights
  16. Children and vulnerable persons
  17. Automated decisions and profiling
  18. Analytics, cookies and similar tech
  19. Advertising identifiers
  20. Zimbabwe CYBDPA compliance
  21. International alignment
  22. Changes to this policy
  23. Contact and DPO

1. Summary for Google Play reviewers

This section is a faithful, plain-English summary of the full policy below. It is written in the form Google Play reviewers can cross-reference against the Data Safety form submitted in the Play Console. Nothing in this summary overrides the detailed provisions that follow; in the event of any conflict, the substantive text controls.

  • Who collects the data. STF Capital Private Limited, a private company registered in Zimbabwe. The mobile application is published under Google Play application identifier com.stfcapital.app.
  • What personal data the app collects. Name, surname, email address, telephone number, employer and role, username, optional profile photograph, and the documents a client chooses to upload in support of a financial-services application.
  • What device data the app collects. A Firebase Cloud Messaging device token (to deliver push notifications) and, where a client enables it, a flag indicating that biometric authentication has been set up on the device.
  • Where the data lives. Our database and file storage are hosted by Supabase (on Amazon Web Services). Push-token routing is performed by Firebase Cloud Messaging. No personal data is sold, shared with advertising networks, or exposed to third-party analytics providers.
  • How the data is protected. All traffic is TLS 1.3 encrypted in transit. All stored data is encrypted at rest with AES-256. Session tokens and any PIN hash stored on-device are held inside the Android Keystore.
  • Your rights. You can, at any time, review your profile data, correct it, request a copy, restrict or object to processing, or request deletion of your account.

2. Who we are and how to reach us

The legal entity responsible for the STF Capital mobile application is STF Capital Private Limited, a private company limited by shares and registered in Zimbabwe. STF Capital is the “data controller” for the purposes of the Cyber and Data Protection Act (Chapter 12:07), the Constitution of Zimbabwe (2013) section 57 (Right to Privacy) and, where applicable, Article 4(7) of the EU General Data Protection Regulation.

Registered office

STF Capital Private Limited
Unit 9, 75 Roberts Drive, Msasa, Harare, Zimbabwe
Telephone: +263 242 485 079
Email: inquiries@stfcapital.org
Website: www.stfcapital.org

3. Scope of this policy

This policy applies to the STF Capital mobile application when installed on an Android device from the Google Play Store, or on an iOS device from the Apple App Store, and to any server-side services the application communicates with that are owned or controlled by STF Capital.

This policy does not apply to:

  • the STF Capital corporate website at stfcapital.org, which has its own website privacy notice;
  • correspondence conducted outside the app (email threads or telephone calls);
  • services offered by third parties you may elect to link to from the app; or
  • data handled by your device manufacturer, mobile network operator or Google/Apple in the normal operation of the device platform.

4. Legal basis for processing

Under section 11 of the Cyber and Data Protection Act, personal data must be processed in a “lawful, fair and transparent” manner. The legal bases we rely on are:

Bases we rely on
  • Consent — you affirmatively tick the Privacy Policy and Terms checkbox during registration and may withdraw consent at any time by deleting your account.
  • Performance of a contract — we need your data to assess your application, to underwrite or broker the financial product you request, and to keep you informed about the file.
  • Legal obligation — anti-money-laundering, know-your-customer and tax-reporting obligations arising under Zimbabwean statute.
  • Legitimate interest — fraud prevention, platform security, customer-support record-keeping and the integrity of our audit logs, which we have balanced against the reasonable expectations of our users.

5. Categories of personal data we collect

The STF Capital application collects only the minimum data necessary to deliver the service requested. The following tables enumerate every category of personal data the app is capable of collecting, the specific fields, the on-device path the data flows through, and the authoritative storage location.

5.1  Identity data

Field                | Required?     | Purpose                                                 | Storage
---------------------|---------------|---------------------------------------------------------|------------------------------------------
Given name           | Yes           | Addressing you correctly in messages and on documents   | Supabase public.users
Surname              | Yes           | Same as above                                           | Supabase public.users
Preferred username   | Yes           | Display handle in internal communication                | Supabase public.users
Role in company      | Yes           | Routing to the correct advisor; underwriting context    | Supabase public.users
Company name         | Yes           | Underwriting & compliance records                       | Supabase public.users, public.applications
Profile photograph   | No (optional) | Personalising the profile screen                        | Supabase Storage profile-images/<userId>/

5.2  Contact data

Field                    | Required? | Purpose                                                                  | Storage
-------------------------|-----------|--------------------------------------------------------------------------|-----------------------------
Email address            | Yes       | Account identifier, password resets, application-status notifications    | Supabase Auth + public.users
Mobile telephone number  | Yes       | Advisor callbacks, urgent communications                                 | Supabase public.users

5.3  Application and financial-service data

Service type, requested products, partner institution, status history, advisor notes, clarification messages, uploaded supporting documents and deal documents produced by STF Capital. Files are validated on-device before upload, limited to 15 MB per file, and accepted types are PDF, PNG, JPG, JPEG, WEBP, DOC, DOCX, XLS, XLSX.

5.4  Account and security data

Supabase session tokens, optional 6-digit PIN (stored only as a PBKDF2-HMAC-SHA256 hash with a per-install random salt), biometric-enabled flag, failed PIN-attempt counter and last full-login timestamp. All are stored on-device in the Android Keystore and never transmitted.

5.5  Device and technical data

Firebase Cloud Messaging token, operating system family and version string. We do not collect IMEI, MAC address, Android ID, SIM card serial, IP geolocation, fine GPS coordinates, SSID of Wi-Fi networks, Bluetooth peripheral lists, installed-app inventory, call history, SMS contents, calendar entries, contact book, microphone audio or keystroke patterns.

6. How we collect each category

  1. Directly from you, in the app. During registration, in-app profile edits and application forms, the app asks you to type or upload the fields listed above. You always see the field being collected before you submit it.
  2. Automatically by the platform. The Firebase Cloud Messaging token is generated by Google Play Services on your device and returned to the app through the standard Firebase SDK.
  3. From your action inside STF Capital. When an STF advisor sends you a message or deal document through the internal workflow, that content is written to the application record.

7. Purposes of processing

  1. Service delivery — creating and operating your STF Capital account, assessing your financial-services application and routing it to the correct internal team.
  2. Communication — sending you notifications about the status of your application, clarification requests from your advisor and deal documents produced as a result of your application.
  3. Know-Your-Customer and Anti-Money-Laundering — complying with the Banking Act, the Insurance Act and the Money Laundering and Proceeds of Crime Act of Zimbabwe.
  4. Audit and record-keeping — creating a contemporaneous, tamper-evident record of who did what and when.
  5. Security — detecting and preventing unauthorised access, documenting suspicious administrative activity and investigating incidents.
  6. Product improvement — identifying operational friction, based exclusively on aggregate, de-identified statistics.

We do not use personal data for direct marketing or for profiling you for commercial purposes, and we will never sell it.

8. Third-party processors and sub-processors

Processor                              | Role                                                    | Jurisdiction             | Data it can see
---------------------------------------|---------------------------------------------------------|--------------------------|---------------------------------------
Supabase, Inc.                         | Managed Postgres database, file storage, authentication | United States (on AWS)   | All personal data (encrypted at rest)
Amazon Web Services, Inc.              | Underlying cloud infrastructure                         | United States / Ireland  | Encrypted storage volumes only
Google LLC — Firebase Cloud Messaging  | Push-notification delivery                              | Global                   | FCM token and notification title/body
Google LLC — Google Play               | App distribution and update                             | Global                   | Your Google account identifier

We do not use Firebase Analytics, Firebase Crashlytics, Google Analytics, AdMob or any third-party advertising SDK inside the app.

9. When we share data and when we do not

  • With you. You can always see, export and delete the data in your own account.
  • With STF Capital staff on a need-to-know basis. Row-Level Security policies in our database enforce this at the query level.
  • With the partner institution you nominate (POSB, CBZ, Alliance Insurance, etc.) when you submit an application.
  • With regulators, auditors and courts where required by law.
  • In connection with a corporate transaction (merger, acquisition) where the acquirer becomes bound by this policy.

We do not sell personal data. Ever. We do not provide it to advertising networks, data brokers, social networks or political organisations.

10. International data transfers

Because our managed database and notification infrastructure are operated by Supabase and Google respectively, some of your personal data is transferred outside Zimbabwe. Under section 28 of the Cyber and Data Protection Act, such transfers are permitted provided the receiving jurisdiction offers an adequate level of protection or the controller has implemented appropriate safeguards.

Safeguards we rely on include Supabase’s data-processing addendum and Standard Contractual Clauses, Google’s data-processing terms, TLS 1.3 encryption in transit and AES-256 at rest, and strict data minimisation.

11. Retention periods

Data category                                | Retention                                | Basis
---------------------------------------------|------------------------------------------|-----------------------------------------------
Active account profile                       | While active + 12 months after deletion  | Contract performance & dispute window
Submitted applications                       | 7 years from final status change         | Banking and insurance statutory record-keeping
Uploaded KYC and supporting documents        | 7 years from date of upload              | Anti-money-laundering obligations
Security event log                           | 3 years from event date                  | Audit and forensic investigation
Push-notification token                      | Until rotated or sign-out                | Operational necessity
On-device session, PIN hash, biometric flag  | Until sign-out or uninstall              | Under your exclusive control

12. Security safeguards

12.1  In transit

  • TLS 1.3 enforced at the Android Network Security Config layer.
  • Cleartext HTTP blocked. User-added Certificate Authorities not trusted.

12.2  At rest on the server

  • Database and file storage encrypted at rest with AES-256 by Supabase / AWS.
  • Every table enforces Row-Level Security policies verified at each query.
  • Uploaded documents served through one-hour signed URLs only.

12.3  At rest on your device

  • Session tokens, PIN hash and biometric flag inside Android Keystore.
  • Android Backup disabled (allowBackup=false).
  • PIN hashed with PBKDF2-HMAC-SHA256, 100,000 iterations, per-install salt.
  • Exponential lockout after five failed PIN attempts (30s → 1m → 5m → 1h).
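As an added illustration (not the STF Capital app's own code), the on-device PIN handling described in 12.3 modelled in Python: PBKDF2-HMAC-SHA256 with 100,000 iterations and a per-install random salt, a failed-attempt counter, and the 30s / 1m / 5m / 1h lockout. The in-memory PinRecord is a stand-in for fields the real app keeps in the Android Keystore, and reading the schedule as "the fifth failure locks for 30s, each later failure escalates, capped at 1h" is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000             # iteration count stated in the policy
MAX_FREE_ATTEMPTS = 5                   # lockout begins on the fifth failure
LOCKOUT_SCHEDULE = (30, 60, 300, 3600)  # 30s -> 1m -> 5m -> 1h, then capped at 1h


@dataclass
class PinRecord:
    # Stand-in for the Keystore-held fields (assumption: in-memory here so the
    # example runs offline; the app itself reads these from the Android Keystore).
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def _derive(pin: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the PIN under the per-install salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enrol_pin(pin: str) -> PinRecord:
    """Create the stored record; the salt is random and generated once per install."""
    if len(pin) != 6 or not pin.isdigit():
        raise ValueError("PIN must be exactly six digits")
    salt = os.urandom(16)
    return PinRecord(salt=salt, pin_hash=_derive(pin, salt))


def lockout_seconds(failed_attempts: int) -> int:
    """0 while under the free-attempt budget; then 30s, 1m, 5m, 1h (capped at 1h)."""
    if failed_attempts < MAX_FREE_ATTEMPTS:
        return 0
    idx = min(failed_attempts - MAX_FREE_ATTEMPTS, len(LOCKOUT_SCHEDULE) - 1)
    return LOCKOUT_SCHEDULE[idx]


def verify_pin(record: PinRecord, pin: str, now: float) -> str:
    """Return 'ok', 'wrong' or 'locked'. `now` (epoch seconds) is injected for testing."""
    if now < record.locked_until:
        return "locked"                       # refuse even a correct PIN while locked
    candidate = _derive(pin, record.salt)
    if hmac.compare_digest(candidate, record.pin_hash):   # constant-time comparison
        record.failed_attempts = 0
        record.locked_until = 0.0
        return "ok"
    record.failed_attempts += 1
    wait = lockout_seconds(record.failed_attempts)
    if wait:
        record.locked_until = now + wait
    return "wrong"
```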

13. Breach notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

  1. notify the Postal and Telecommunications Regulatory Authority of Zimbabwe without undue delay and, where feasible, within 72 hours;
  2. notify affected users directly, by email and by in-app banner;
  3. publish a plain-language post-incident summary on stfcapital.org within 30 days.

14. Your rights as a data subject

  • Right of access — copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate data.
  • Right to erasure — delete the data we hold about you.
  • Right to restrict processing — pause processing during a dispute.
  • Right to data portability — structured, machine-readable copy.
  • Right to object — to processing based on legitimate interests.
  • Right not to be subject to solely automated decisions.
  • Right to withdraw consent — at any time.
  • Right to lodge a complaint — with the Data Protection Authority.

15. How to exercise your rights

Three equally valid channels, no fee, English / Shona / Ndebele accepted:

  1. In the app. Open your Profile screen to update details, trigger a password reset, or request account deletion.
  2. By email. inquiries@stfcapital.org with subject “Data Subject Request”.
  3. By post. STF Capital Private Limited, Attn: DPO, Unit 9, 75 Roberts Drive, Msasa, Harare, Zimbabwe.

Substantive requests are answered within 30 days, extendable to 60 for complex cases with written notice.

16. Children and vulnerable persons

The app is intended for adults only. You must be at least 18 to register. We do not knowingly collect data from children; if we discover that we have done so, the data is deleted promptly.

17. Automated decisions and profiling

Underwriting and advisory decisions are always taken by a natural person. No outcome that materially affects you is produced solely by an automated system. You have the right to obtain human intervention, express your point of view and contest any decision.

18. Analytics, cookies and similar technologies

The mobile app sets no cookies. It contains no Google Analytics, Firebase Analytics, Crashlytics, Mixpanel, Amplitude, Segment, Hotjar, Fullstory, Sentry, Bugsnag or comparable telemetry SDK, no advertising identifiers, no Facebook Pixel, no TikTok Pixel and no third-party behavioural SDK.

19. Advertising identifiers and third-party SDKs

We do not access the Google Advertising ID (AAID) or the iOS IDFA. The only third-party SDKs embedded in the app are listed in our Open Source Attributions page.

20. Zimbabwe Cyber and Data Protection Act compliance

The Cyber and Data Protection Act [Chapter 12:07] of 2022 is the controlling data-protection statute in Zimbabwe. Our practices map to its operative provisions:

CYBDPA provision                                      | Our practice
------------------------------------------------------|-----------------------------------------------------------------------------------------
Section 11 — lawfulness, fairness and transparency    | Purposes and bases in §4, §7; fields disclosed in §5 before collection.
Section 12 — purpose limitation                       | Each field has a single declared purpose; not repurposed for marketing, profiling or sale.
Section 13 — data minimisation                        | Minimum data needed, set out in §5.
Section 14 — accuracy                                 | Users correct their own data in-app; rectification in §15.
Section 15 — storage limitation                       | Retention in §11, enforced by automated lifecycle jobs.
Section 16 — integrity and confidentiality            | Safeguards in §12.
Section 17 — accountability                           | This policy, DPIAs and RoPAs available on regulator request.
Sections 18–22 — data subject rights                  | §14, §15.
Section 23 — breach notification                      | Notification to the Authority within 72 hours and directly to users; see §13.
Section 28 — international transfers                  | §10.

21. International alignment (GDPR / OECD)

For users in the EEA or UK, this policy is read alongside the EU GDPR (Reg. 2016/679) and retained UK GDPR. We designate our Zimbabwean office as the central contact for Data Subject Access Requests in those territories and answer on the GDPR timetable (one calendar month).

22. Changes to this policy

We update this policy whenever our practices change materially. When we do, the Version and Effective date fields at the top change, an in-app banner notifies active users, and a plain-language changelog is appended at the bottom of this page.

23. Contact and data protection officer

Data Protection Officer — STF Capital

Attn: The Data Protection Officer
STF Capital Private Limited
Unit 9, 75 Roberts Drive, Msasa, Harare, Zimbabwe
Telephone: +263 242 485 079
Email: inquiries@stfcapital.org (subject: “Data Protection”)

You may also lodge a complaint with the Data Protection Authority of Zimbabwe, administered under POTRAZ at www.potraz.gov.zw.


Copyright © 2025 STF Capital. All Rights Reserved
