Data Privacy Rights for Borrowers in Kenya 2026: What Loan Apps Can and Cannot Do With Your Data
When you install a loan app, you grant access to your M-Pesa messages, contacts, location, and phone data. Kenya's Data Protection Act (2019) and CBK regulations give you specific rights over that data. Here's what lenders can legally do – and what they can't.
The Two Laws Protecting Your Loan App Data
1. Data Protection Act, 2019 (DPA)
Kenya's landmark privacy law, enforced by the Office of the Data Protection Commissioner (ODPC). It applies to all entities processing personal data of Kenyan residents, including loan apps, banks, and SACCOs. Key provisions:
- Consent must be informed, specific, and freely given before data collection
- Data must be collected for a specific, legitimate purpose and not processed further in a manner incompatible with that purpose
- Collection must be adequate, relevant, and not excessive relative to the purpose
- Data must be accurate and kept up to date
- Data must be stored securely with appropriate technical measures
2. CBK Digital Credit Providers Regulations, 2022
Specifically governs digital lenders. Adds protections beyond the general DPA:
- No contact shaming – Cannot message your contacts about debts
- Data use limited to credit assessment – No selling to marketers
- 48-hour cancellation window – Data collected during this period must be deletable
- Complaint resolution – 14-day resolution requirement for data concerns
What Loan Apps Can and Cannot Do
| Action | Legal? | Governing Law |
|---|---|---|
| Read your M-Pesa SMS for credit scoring | ✅ Yes (with consent) | DPA 2019 (consent) |
| Access contacts for social scoring | ⚠️ Limited | DPA 2019 (proportionality) |
| Track your location | ✅ Yes (for fraud prevention) | DPA 2019 |
| Message your contacts about your debt | ❌ ILLEGAL | CBK Regs 2022 |
| Sell your data to advertisers | ❌ ILLEGAL | DPA 2019, S. 31 |
| Share data with CRB | ✅ Yes (legally required) | CRB Regulations |
| Keep your data after account deletion | ❌ ILLEGAL (with exceptions) | DPA 2019, S. 40 |
| Access your photos/camera | ⚠️ Only for ID verification | DPA 2019 (proportionality) |
| Read your call logs | ⚠️ If justified for scoring | DPA 2019 |
| Share data with other lenders | ❌ Not without consent | DPA 2019, S. 31 |
Your 8 Data Rights Under DPA 2019
- Right to be informed – Know what data is collected, why, how long it's kept, and who receives it. Loan apps must have a clear Privacy Policy accessible in the app.
- Right of access – Request a copy of all personal data the app holds about you. They must provide it within 30 days, free of charge, in a readable format.
- Right to rectification – Correct inaccurate data. If your income or employment info is wrong in their system, they must update it.
- Right to erasure – Request deletion of your personal data when it's no longer needed for the original purpose or when you withdraw consent.
- Right to restrict processing – Limit how your data is used without deleting it entirely (e.g., keep for legal records but stop using for marketing).
- Right to data portability – Receive your data in a structured, machine-readable format to transfer to another service.
- Right to object – Object to data processing for direct marketing, profiling, or any purpose beyond the original lending agreement.
- Right not to be subject to automated decisions – Challenge purely automated loan decisions. Request human review if your loan was denied by an algorithm.
How to Minimize Data Exposure
Before Installing a Loan App
- Read the Privacy Policy – Specifically the "Data We Collect" and "How We Share" sections. If either is missing or vague, reconsider
- Check permissions requested – Android shows required permissions before install. Any app requesting microphone, camera (beyond ID selfie), or file access beyond SMS is collecting more than needed
- Choose M-Pesa native when possible – M-Shwari, KCB M-Pesa, and Fuliza collect the least additional data since Safaricom already has your M-Pesa history
After Installing
- Use a secondary phone number if you have one – keeps your primary contact data separate
- Deny non-essential permissions – On Android 11+, you can deny contacts/location and still use some apps (with lower limits)
- Clear app data between loans – After repayment, use Settings → Apps → [App] → Clear Data
- Uninstall if no longer using – Don't leave loan apps running in the background if you don't have active loans
After You're Done Borrowing
- Clear all outstanding balances
- Request data deletion via the app or email (template below)
- Wait for confirmation (30 days maximum)
- Revoke app permissions in phone settings
- Uninstall the app
Data Deletion Request Template
Subject: Data Erasure Request – [Your Name] – [Your Phone Number]
Dear Data Protection Officer,
Under Section 40 of the Data Protection Act, 2019, I request the erasure of all personal data associated with my account:
Full Name: [Name]
Phone Number: [Number]
National ID: [Last 4 digits only]
I have no outstanding obligations with your platform. Please confirm deletion of all my personal data including but not limited to: M-Pesa transaction data, contacts data, SMS data, location data, device information, and any derived credit scores.
Please confirm completion within 30 days as required by law. If you are unable to comply, please provide the legal basis for retaining my data per Section 40(2) of the DPA.
Regards,
[Your Name]
Comparison: Data Collected by Each App Type
| Data Type | M-Pesa Native | Bank-Backed Apps | Standalone Apps |
|---|---|---|---|
| M-Pesa history | ✅ (internal) | ✅ (via SMS) | ✅ (via SMS) |
| Phone contacts | ❌ | Some | ✅ All require |
| SMS messages | ❌ | Some | ✅ All require |
| Location | ❌ | Some | ✅ All require |
| Device info | β | β | β |
| Call logs | ❌ | ❌ | Some |
| Privacy score | Best ✅ | Medium | Most invasive |
How to Report Data Privacy Violations
Step-by-Step Reporting Process
- Document the violation – Screenshots of unauthorized messages, call recordings of harassment, evidence of contact shaming
- Complain to the app first – Email their DPO (required to have one). Give 14 days to respond
- File with ODPC – If unresolved, submit complaint to complaints@odpc.go.ke with your documentation
- Notify CBK – If the app is CBK-licensed, also file with CBK at info@centralbank.go.ke
- Report on Google Play – Flag the app for violating Google Play's Financial Services policy
- Consider legal action – For serious violations, consult a lawyer. DPA allows civil suits for damages
Frequently Asked Questions About Data Privacy and Loan Apps
1. Can loan apps access my phone contacts?
Licensed loan apps can request contacts access for credit scoring purposes only. Under CBK Digital Credit Providers Regulations (2022), they CANNOT contact people in your phone book for debt collection or shaming. Under the Data Protection Act 2019, contacts access must be proportionate to the purpose – scoring is allowed, but bulk harvesting and storage is not. You can deny contacts permission on some apps (Android 11+) and still receive loans, though limits may be lower.
2. How do I delete my data from a loan app?
Under Section 40 of the Data Protection Act 2019, you have the right to data erasure. Steps: (1) Close any outstanding loans, (2) Send a formal request via email to the app's data protection officer (DPO) – find their email in the app's Privacy Policy, (3) Request deletion of all personal data including M-Pesa history, contacts, SMS logs, and device data, (4) The app must respond within 30 days, (5) If they refuse or don't respond, file a complaint with the Office of the Data Protection Commissioner (ODPC) at complaints@odpc.go.ke.
3. Can loan apps sell my data to other companies?
No. Under the Data Protection Act 2019, data processors cannot share your personal data with third parties without your explicit consent. This applies to loan apps sharing data with advertisers, other lenders, or data brokers. Exceptions: (1) CRB reporting (legally mandated), (2) Law enforcement requests (court orders), (3) Fraud prevention cooperation between licensed lenders. If an app shares your data without consent, report to ODPC.
4. Why do loan apps need so many permissions?
Mobile loan apps use alternative data for credit scoring since most Kenyan borrowers lack traditional credit history. SMS access: verifies M-Pesa transactions and income patterns. Contacts: social scoring (number and type of contacts). Location: confirms you're in Kenya and assesses stability. Phone info: device fingerprinting to prevent fraud. Calendar: some apps check expense patterns. While each permission has a stated purpose, the Data Protection Act requires that data collection be 'adequate, relevant, and not excessive' for the purpose.
5. What are the penalties for apps that violate my data privacy?
Under the Data Protection Act 2019: Individuals face fines up to KES 3 million or imprisonment up to 10 years. Companies face fines up to KES 5 million or 1% of annual turnover. Under CBK Regulations: License revocation, fines up to KES 10 million for contact shaming or unauthorized data sharing. In practice, ODPC has issued several warnings and fines since 2019. CBK revoked or suspended licenses of 5 digital lenders in 2023-2024 for various violations including data misuse.
AI Orchestrator & Loan Specialist
Financial technology expert with 25+ years of experience in consumer lending, credit risk modeling, and AI-powered loan comparison platforms. Founder of Credizen, operating across 13 countries. Master's in Informatics (Czech Technical University), certified in Credit Risk Management (EBA) and AI & Machine Learning in Finance (Stanford/Coursera).