<\/p>\n
\n This document explains, in full, how STF Capital Private Limited (“STF
\n Capital”, “we”, “us”) handles the personal data of
\n anyone who uses the STF Capital mobile application on Android or iOS. It is the
\n controlling record for Google Play Data Safety, our Cyber and Data Protection Act
\n disclosures and any contractual warranties we give to clients about their data.\n <\/p>\n
This section is a faithful, plain-English summary of the full policy below. It is written in the form Google Play reviewers can cross-reference against the Data Safety form submitted in the Play Console. Nothing in this summary overrides the detailed provisions that follow; in the event of any conflict, the substantive text controls.<\/p>\n
com.stfcapital.app<\/code>.<\/li>\n- What personal data the app collects.<\/strong> Name, surname, email address, telephone number, employer and role, username, optional profile photograph, and the documents a client chooses to upload in support of a financial-services application.<\/li>\n
- What device data the app collects.<\/strong> A Firebase Cloud Messaging device token (to deliver push notifications) and, where a client enables it, a flag indicating that biometric authentication has been set up on the device.<\/li>\n
- Where the data lives.<\/strong> Our database and file storage are hosted by Supabase (on Amazon Web Services). Push-token routing is performed by Firebase Cloud Messaging. No personal data is sold, shared with advertising networks, or exposed to third-party analytics providers.<\/li>\n
- How the data is protected.<\/strong> All traffic is TLS 1.3 encrypted in transit. All stored data is encrypted at rest with AES-256. Session tokens and any PIN hash stored on-device are held inside the Android Keystore.<\/li>\n
- Your rights.<\/strong> You can, at any time, review your profile data, correct it, request a copy, restrict or object to processing, or request deletion of your account.<\/li>\n<\/ul>\n
2. Who we are and how to reach us<\/h2>\n
The legal entity responsible for the STF Capital mobile application is STF Capital Private Limited<\/strong>, a private company limited by shares and registered in Zimbabwe. STF Capital is the “data controller” for the purposes of the Cyber and Data Protection Act (Chapter 12:07), the Constitution of Zimbabwe (2013) section 57 (Right to Privacy) and, where applicable, Article 4(7) of the EU General Data Protection Regulation.<\/p>\n\nRegistered office<\/div>\n STF Capital Private Limited
\n Unit 9, 75 Roberts Drive, Msasa, Harare, Zimbabwe
\n Telephone: +263 242 485 079
\n Email: inquiries@stfcapital.org<\/a>
\n Website: www.stfcapital.org<\/a>\n <\/div>\n3. Scope of this policy<\/h2>\n
This policy applies to the STF Capital mobile application when installed on an Android device from the Google Play Store, or on an iOS device from the Apple App Store, and to any server-side services the application communicates with that are owned or controlled by STF Capital.<\/p>\n
This policy does not<\/strong> apply to:<\/p>\n\n- the STF Capital corporate website at stfcapital.org<\/a>, which has its own website privacy notice;<\/li>\n
- correspondence conducted outside the app (email threads or telephone calls);<\/li>\n
- services offered by third parties you may elect to link to from the app; or<\/li>\n
- data handled by your device manufacturer, mobile network operator or Google\/Apple in the normal operation of the device platform.<\/li>\n<\/ul>\n
4. Legal basis for processing<\/h2>\n
Under section 11 of the Cyber and Data Protection Act, personal data must be processed in a “lawful, fair and transparent” manner. The legal bases we rely on are:<\/p>\n
\nBases we rely on<\/div>\n\n- Consent<\/strong> — you affirmatively tick the Privacy Policy and Terms checkbox during registration and may withdraw consent at any time by deleting your account.<\/li>\n
- Performance of a contract<\/strong> — we need your data to assess your application, to underwrite or broker the financial product you request, and to keep you informed about the file.<\/li>\n
- Legal obligation<\/strong> — anti-money-laundering, know-your-customer and tax-reporting obligations arising under Zimbabwean statute.<\/li>\n
- Legitimate interest<\/strong> — fraud prevention, platform security, customer-support record-keeping and the integrity of our audit logs, which we have balanced against the reasonable expectations of our users.<\/li>\n<\/ul><\/div>\n
5. Categories of personal data we collect<\/h2>\n
The STF Capital application collects only the minimum data necessary to deliver the service requested. The following tables enumerate every category of personal data the app is capable of collecting, the specific fields, the on-device path the data flows through, and the authoritative storage location.<\/p>\n
5.1 Identity data<\/h3>\n
\n\n\nField<\/th>\n Required?<\/th>\n Purpose<\/th>\n Storage<\/th>\n<\/tr>\n<\/thead>\n \n\nGiven name<\/td>\n Yes<\/td>\n Addressing you correctly in messages and on documents<\/td>\n Supabase public.users<\/code><\/td>\n<\/tr>\n\nSurname<\/td>\n Yes<\/td>\n Same as above<\/td>\n Supabase public.users<\/code><\/td>\n<\/tr>\n\nPreferred username<\/td>\n Yes<\/td>\n Display handle in internal communication<\/td>\n Supabase public.users<\/code><\/td>\n<\/tr>\n\nRole in company<\/td>\n Yes<\/td>\n Routing to the correct advisor; underwriting context<\/td>\n Supabase public.users<\/code><\/td>\n<\/tr>\n\nCompany name<\/td>\n Yes<\/td>\n Underwriting & compliance records<\/td>\n Supabase public.users<\/code>, public.applications<\/code><\/td>\n<\/tr>\n\nProfile photograph<\/td>\n No (optional)<\/td>\n Personalising the profile screen<\/td>\n Supabase Storage profile-images\/<userId>\/<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n5.2 Contact data<\/h3>\n
\n\n\nField<\/th>\n Required?<\/th>\n Purpose<\/th>\n Storage<\/th>\n<\/tr>\n<\/thead>\n \n\nEmail address<\/td>\n Yes<\/td>\n Account identifier, password resets, application-status notifications<\/td>\n Supabase Auth + public.users<\/code><\/td>\n<\/tr>\n\nMobile telephone number<\/td>\n Yes<\/td>\n Advisor callbacks, urgent communications<\/td>\n Supabase public.users<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n5.3 Application and financial-service data<\/h3>\n
Service type, requested products, partner institution, status history, advisor notes, clarification messages, uploaded supporting documents and deal documents produced by STF Capital. Files are validated on-device before upload, limited to 15 MB per file, and accepted types are PDF, PNG, JPG, JPEG, WEBP, DOC, DOCX, XLS, XLSX.<\/p>\n
5.4 Account and security data<\/h3>\n
Supabase session tokens, optional 6-digit PIN (stored only as a PBKDF2-HMAC-SHA256 hash with a per-install random salt), biometric-enabled flag, failed PIN-attempt counter and last full-login timestamp. All are stored on-device in the Android Keystore and never transmitted.<\/p>\n
5.5 Device and technical data<\/h3>\n
Firebase Cloud Messaging token, operating system family and version string. We do not<\/strong> collect IMEI, MAC address, Android ID, SIM card serial, IP geolocation, fine GPS coordinates, SSID of Wi-Fi networks, Bluetooth peripheral lists, installed-app inventory, call history, SMS contents, calendar entries, contact book, microphone audio or keystroke patterns.<\/p>\n6. How we collect each category<\/h2>\n\n- Directly from you, in the app.<\/strong> During registration, in-app profile edits and application forms, the app asks you to type or upload the fields listed above. You always see the field being collected before you submit it.<\/li>\n
- Automatically by the platform.<\/strong> The Firebase Cloud Messaging token is generated by Google Play Services on your device and returned to the app through the standard Firebase SDK.<\/li>\n
- From your action inside STF Capital.<\/strong> When an STF advisor sends you a message or deal document through the internal workflow, that content is written to the application record.<\/li>\n<\/ol>\n
7. Purposes of processing<\/h2>\n\n- Service delivery<\/strong> — creating and operating your STF Capital account, assessing your financial-services application and routing it to the correct internal team.<\/li>\n
- Communication<\/strong> — sending you notifications about the status of your application, clarification requests from your advisor and deal documents produced as a result of your application.<\/li>\n
- Know-Your-Customer and Anti-Money-Laundering<\/strong> — complying with the Banking Act, the Insurance Act and the Money Laundering and Proceeds of Crime Act of Zimbabwe.<\/li>\n
- Audit and record-keeping<\/strong> — creating a contemporaneous, tamper-evident record of who did what and when.<\/li>\n
- Security<\/strong> — detecting and preventing unauthorised access, documenting suspicious administrative activity and investigating incidents.<\/li>\n
- Product improvement<\/strong> — identifying operational friction, based exclusively on aggregate, de-identified statistics.<\/li>\n<\/ol>\n
We do not use personal data for direct marketing or for profiling you for commercial purposes, and we will never sell it.<\/p>\n
8. Third-party processors and sub-processors<\/h2>\n