Digital Loans Services

Overview of the Sector & Data Collectors Evaluated

The digital loan sector in East, Southern, and West Africa has grown rapidly, driven by mobile technology, fintech innovation, and limited access to traditional banking. Countries such as Kenya, Uganda, Tanzania, Rwanda, Mauritius, Zimbabwe, Nigeria, Ghana, and Botswana increasingly rely on mobile-based lending platforms to expand financial inclusion. Kenya and Nigeria lead in market maturity, while Rwanda, Mauritius, and Botswana show steady growth under evolving regulatory frameworks. Ghana and Zimbabwe's markets are developing, often amid economic or regulatory challenges.

While digital lending improves access to credit, it relies heavily on collecting sensitive personal and financial data, including mobile records, transactions, geolocation, and social media activity, which raises significant privacy and consumer protection concerns. Data protection laws exist across the region, but enforcement and sector-specific oversight remain uneven. Kenya and Nigeria have taken some regulatory action, whereas Uganda, Tanzania, Zimbabwe, Ghana, and Botswana face monitoring limitations. Even in more regulated countries like Rwanda and Mauritius, rapid fintech growth challenges compliance.

Common risks include limited transparency, inadequate consent for data sharing, weak security safeguards, inaccessible or incomplete privacy policies, and aggressive debt recovery practices that may violate privacy rights. Cross-border operations further complicate enforcement, leaving consumers with few avenues for redress. Overall, the sector highlights a dual reality: it promotes financial inclusion but exposes borrowers to privacy, security, and regulatory risks.

Strengthening enforcement, improving transparency, and implementing sector-specific guidance are critical to ensure digital lending supports inclusion without compromising consumer protection.

Analysis of Compliance With Each Criterion

This assessment covers a total of 35 digital lending entities, with four platforms selected from each participating country. From Nigeria, the platforms assessed were Branch Nigeria, FairMoney Nigeria, Carbon Nigeria, and Renmoney. Ghana was represented by Fido Ghana, M-Kopa Ghana, CedisPay, and Izwe Ghana. In Botswana, the selected entities were Pachi Micro Solutions, Letshego, Bayport Botswana, and ExpressCredit Botswana. Rwanda's sample included Spenn, Save, Kiva, and Pezesha Rwanda.

For Tanzania, the assessment covered PesaX Tanzania, Branch International Tanzania, MkopoWako Tanzania, and TwigaLoan. Mauritius was represented by Finclub, Fundkiss, and Cim Finance. Zimbabwe's platforms included Ecocash, Zibuko Capital, InnBucks, and eShagi. In Kenya, the selected entities were Branch International Kenya, Tala Kenya, Zenka, and LendPlus. Finally, Uganda's sample comprised Dove Cash, Mangu Cash, iSente, and Quick Sente.

Sector Findings - Digital Loans

Digital Loans Services - Nigeria

Branch Nigeria, FairMoney Nigeria, Carbon Nigeria and Renmoney in Nigeria

The assessment of the four digital lending platforms reveals a sector that has achieved formal compliance with foundational regulatory requirements but continues to face significant operational and accountability gaps in core areas of data protection. All assessed platforms fulfilled registration requirements with the national data protection regulator, each attaining a perfect score. This demonstrates clear awareness of statutory obligations and formal alignment with regulatory expectations.
In addition, all platforms made their privacy policies accessible, reflecting a commitment to basic transparency. However, while accessibility was consistent, the depth, clarity, and operational substance of these policies varied considerably.

Across the platforms, there was visible effort to recognize and implement data subject rights. Renmoney recorded the highest score in this area, followed closely by Branch Nigeria, Carbon Nigeria, and FairMoney Nigeria. These results indicate a growing sector-wide awareness of the importance of enabling individuals to access, correct, or request deletion of their personal data and to escalate complaints where necessary. Nonetheless, the moderate range of scores suggests that implementation frameworks remain underdeveloped in certain respects. Mechanisms such as defined response timelines, structured escalation procedures, and clear articulation of legal limitations require further strengthening to ensure that rights are not only acknowledged in policy but consistently operationalized in practice.

The most significant area of concern across all platforms relates to third-party data sharing. Digital lending operations inherently involve extensive information exchange with credit bureaus, verification services, collection agencies, analytics providers, and regulatory authorities. Despite this, compliance performance in this category was uniformly low. Branch Nigeria recorded the highest score among the four, followed by Renmoney, FairMoney Nigeria, and Carbon Nigeria, but all scores remained below acceptable thresholds for a high-risk sector. This pattern indicates systemic weaknesses in third-party governance, including limited disclosure of data processing safeguards, insufficient clarity around cross-border transfers, and inadequate evidence of structured oversight mechanisms. Given the volume and sensitivity of borrower data processed (including identity documents, Bank Verification Numbers, financial histories, device information, and behavioral analytics), weak third-party governance substantially heightens regulatory, operational, and reputational risk.

Performance in data security measures was uneven across the platforms. FairMoney Nigeria achieved the highest score in this category, suggesting relatively stronger technical and organizational safeguards. Renmoney and Branch Nigeria demonstrated moderate levels of data security implementation, while Carbon Nigeria's score was significantly lower. Considering the sensitive nature of financial and identity data handled by digital lenders, gaps in documented security controls and risk-based safeguards create material exposure to unauthorized access, fraud, and regulatory sanctions. The disparity in scores highlights inconsistent sector maturity in applying comprehensive data protection safeguards.

Transparency and breach accountability mechanisms also remain underdeveloped. None of the assessed platforms currently publishes a transparency report, limiting public insight into data practices, government requests, or incident management statistics. While some platforms demonstrated effort to establish internal data breach resolution mechanisms, the maturity of these frameworks varies considerably. Renmoney and Branch Nigeria show developing internal processes, whereas Carbon Nigeria and FairMoney Nigeria scored extremely low in this area. Given statutory obligations to notify regulators and, where applicable, affected data subjects within prescribed timelines, weak breach management structures create significant compliance vulnerability.

At an individual platform level, Renmoney demonstrates relatively stronger privacy governance within the high-risk digital lending environment. Its privacy documentation reflects awareness of the extensive categories of data collected and provides detailed explanations of processing purposes, including credit assessment, fraud prevention, loan servicing, debt recovery, and regulatory compliance. The company outlines defined retention periods, such as maintaining credit records for the duration of the loan relationship plus five years, and provides for deletion of marketing data upon request. It also describes its third-party relationships with relative clarity and offers multiple channels for data subject engagement and complaint escalation. Although improvements are still required in third-party governance and public transparency, Renmoney reflects comparatively higher privacy maturity.

Branch Nigeria demonstrates moderate compliance, with policies addressing core requirements for digital lending operations. The company outlines general categories of borrower data collected and identifies primary purposes of processing, such as credit assessment and loan management. While it acknowledges third-party sharing arrangements and provides basic rights mechanisms, disclosures relating to retention timelines and structured governance processes are less comprehensive, suggesting that compliance structures are present but not fully institutionalized.

FairMoney Nigeria similarly reflects moderate compliance. It provides contact information, acknowledges extensive data collection for credit assessment, and demonstrates comparatively strong performance in data security measures. However, transparency around retention practices, third-party safeguards, and breach management mechanisms remains limited. As a result, although certain technical safeguards appear robust, governance documentation and accountability frameworks require further development.

Carbon Nigeria demonstrates basic compliance but lacks the depth and comprehensiveness expected for a platform engaged in extensive financial data processing. While fundamental disclosures are present, its overall privacy framework appears underdeveloped relative to the operational risks inherent in digital lending. Low performance in third-party governance, data security, and breach management suggests elevated regulatory and operational exposure.

Overall, the sector exhibits strong formal compliance in terms of registration and policy publication but weaker operational compliance in high-risk areas such as third-party oversight, breach accountability, and structured security governance. The absence of transparency reporting further limits public accountability. While there is clear awareness of data protection obligations, compliance maturity remains uneven and, in some instances, fragile. Strengthening third-party governance frameworks, formalizing breach response procedures, enhancing transparency, and embedding risk-based security controls would significantly improve alignment with data protection laws and reduce regulatory exposure across Nigeria's digital lending ecosystem.

Digital Loans Services - Ghana

Fido Ghana, M-Kopa Ghana, CedisPay and Izwe Ghana in Ghana

The assessment of four digital lending platforms operating in Ghana (Fido Ghana, M-Kopa Ghana, CedisPay, and Izwe Ghana) reveals a sector that demonstrates partial structural compliance with data protection requirements, but with significant weaknesses in operational transparency, third-party governance, and breach accountability. While certain platforms reflect growing privacy maturity, the overall compliance landscape remains uneven and, in some cases, fragile.

Three of the four assessed platforms (Fido Ghana, M-Kopa Ghana, and Izwe Ghana) have fulfilled registration requirements with the national data protection regulator, each attaining a perfect score. Their registrations remain valid through late 2026, reflecting formal recognition of statutory obligations and alignment with foundational regulatory requirements. In contrast, CedisPay is not registered and remains inactive, representing a critical compliance failure. As of July 15, 2025, this pattern suggests a generally positive sectoral trend toward formal compliance, but also highlights the regulatory risk posed by entities operating without registration.

All four platforms maintain publicly available privacy policies, although visibility and accessibility vary. Fido Ghana and M-Kopa Ghana lead in accessibility and readability, followed by CedisPay and Izwe Ghana. While the presence of policies indicates awareness of transparency obligations under Ghana's data protection framework, the quality and comprehensiveness of disclosures differ substantially. Fido Ghana demonstrates relatively strong transparency, providing detailed descriptions of data categories collected and outlining extensive user rights. However, its retention timelines are vaguely defined, and it lacks a clearly articulated complaint mechanism. M-Kopa Ghana offers comprehensive disclosures, including recognition of regulator complaint channels and structured user rights, but permits third-party marketing with consent and provides limited clarity regarding law enforcement access. CedisPay clearly describes data categories, purposes of processing, and certain third-party disclosures while barring advertisers; however, it omits opt-in or opt-out controls for marketing, fails to define retention timelines in detail, and does not adequately outline complaint rights. Izwe Ghana performs weakest in this area, offering only broad descriptions of data collection, vague retention standards, extensive third-party and advertiser sharing provisions, and minimal recognition of core data subject rights or law enforcement disclosure conditions.

Implementation of data subject rights across the platforms reflects similar disparities. Fido Ghana records the strongest performance in this category, followed by M-Kopa Ghana and CedisPay, while Izwe Ghana scores significantly lower. Although all platforms demonstrate some effort to acknowledge user rights, Izwe's limited recognition of core rights raises substantial concerns regarding compliance with statutory obligations relating to access, rectification, erasure, and objection to processing. These gaps undermine accountability and reduce users' practical ability to exercise control over their personal data.

Third-party data sharing represents one of the most significant compliance risks across the sector. All four platforms share personal data with external entities as part of their lending operations, yet compliance scores in this category remain low. Fido Ghana and CedisPay record the highest performance, though still below acceptable levels, followed by M-Kopa Ghana, while Izwe Ghana scores zero. Fido permits sharing with affiliates, vendors, service providers, payment processors, credit bureaus, and government authorities, but does not name specific entities and lacks clear reporting channels for misuse or breach. M-Kopa shares data with service providers, credit agencies, debt collectors, and, with consent, marketing companies, yet does not clearly specify the categories of data shared or the conditions governing law enforcement access. CedisPay allows transfers to telecom operators, utilities, mobile money providers, and subcontractors, excluding advertisers, and limits law enforcement access to formal legal obligations. Izwe Ghana allows broad sharing, including cross-border transfers and disclosures in the context of business transfers, but provides virtually no detail on specific third parties, categories of shared data, safeguards, or reporting channels.

The low compliance levels in this area expose facilities to elevated regulatory and reputational risks, particularly given the sensitivity of financial and identity data processed in digital lending.

In relation to data security, all platforms demonstrate some level of technical implementation, particularly in SSL certification. Fido Ghana holds an A+ SSL rating and references encryption and authorized access controls in its privacy documentation, resulting in the highest overall security score among the group. M-Kopa Ghana, CedisPay, and Izwe Ghana each maintain A-level SSL ratings but perform poorly in security header configurations and provide only general references to security safeguards without specifying encryption standards, access controls, or documented breach response procedures. Although SSL implementation indicates baseline transport-layer protection, weak header configurations and vague policy disclosures reduce overall confidence in the robustness of security frameworks and limit demonstrable compliance with the requirement to implement appropriate technical and organizational safeguards.

Transparency and accountability mechanisms remain underdeveloped across all four platforms. None has published a transparency report detailing data-sharing requests, government access demands, or incident statistics. The absence of such reporting limits public oversight and reduces demonstrable accountability under data protection principles.

Internal data breach resolution mechanisms show similarly weak performance. M-Kopa Ghana records the strongest score in this category, providing multiple reporting channels including email, hotlines, and physical contacts. However, it does not clearly define investigation timelines, procedural safeguards, or notification obligations. Fido Ghana emphasizes technical safeguards such as SSL encryption but provides minimal detail regarding internal breach procedures, timelines, user notification protocols, or escalation pathways. Izwe Ghana references general technical and organizational measures but offers very limited procedural guidance on incident handling. CedisPay provides no meaningful guidance on breach reporting or management. These deficiencies create significant compliance exposure, particularly in light of statutory obligations requiring timely regulator notification and, where applicable, communication to affected data subjects.

Overall, the assessment indicates that while formal compliance indicators such as registration and policy publication are present in most cases, substantive operational compliance remains inconsistent. The strongest performers, particularly Fido Ghana and M-Kopa Ghana, demonstrate growing privacy governance maturity but still exhibit weaknesses in retention clarity, third-party specificity, and breach procedural transparency. CedisPay's lack of registration and absence of breach governance represent critical compliance failures. Izwe Ghana's limited recognition of data subject rights and minimal third-party accountability create elevated regulatory risk.

The principal implications for privacy practices within Ghana's digital lending sector are clear. Third-party governance remains insufficiently structured, breach response frameworks are inadequately documented, and transparency reporting is entirely absent. While technical safeguards such as SSL are widely implemented, broader organizational and procedural controls require strengthening to ensure full alignment with Ghana's data protection laws. Without improvements in accountability, procedural clarity, and demonstrable oversight, the sector remains vulnerable to regulatory enforcement, reputational harm, and diminished user trust.

Digital Loans Services - Botswana

Pachi Micro Solutions, Letshego, Bayport Botswana and ExpressCredit Botswana in Botswana

The assessment of the four lending institutions operating in Botswana (Pachi Micro Solutions, Bayport Botswana, Letshego, and ExpressCredit Botswana) reveals significant structural weaknesses in regulatory compliance, despite observable efforts in certain areas of privacy governance. While some institutions demonstrate emerging maturity in policy development and security safeguards, the absence of demonstrable registration compliance and weak accountability mechanisms present substantial regulatory and operational risks.



Most notably, there was no evidence to demonstrate compliance with registration requirements with the national data protection regulator for any of the assessed institutions. This represents a foundational compliance gap. Registration is a core statutory obligation under data protection law and serves as the basis for regulatory oversight and accountability. The absence of verifiable registration raises concerns about formal recognition of data processing activities and may expose the institutions to enforcement action, penalties, and reputational harm. It also signals potential weaknesses in internal compliance governance structures.

Despite this fundamental gap, all institutions have made efforts to provide accessible privacy policies. Pachi Micro Solutions and Bayport Botswana lead in this area, each achieving full scores for accessibility, while Letshego and ExpressCredit Botswana scored slightly lower but still reflect strong visibility and availability of privacy notices. This indicates sector-wide awareness of transparency obligations and a willingness to inform customers about data practices. However, the presence of accessible policies does not necessarily equate to substantive compliance, as effectiveness depends on the depth, clarity, and operational alignment of the disclosures.

In terms of data subject rights, there is demonstrable but uneven progress. Bayport Botswana records the strongest performance, followed closely by ExpressCredit Botswana and Pachi Micro Solutions, while Letshego trails significantly. The results suggest that while mechanisms for access, correction, and other user rights are acknowledged in several cases, implementation maturity varies. Lower scores indicate that some institutions may lack clearly defined procedures, timelines, or escalation channels necessary to give full practical effect to statutory rights. This inconsistency weakens accountability and may limit data subjects' ability to exercise meaningful control over their personal information.

Third-party data sharing emerges as one of the most critical areas of concern across all institutions. Each platform engages in data sharing with external parties, which is typical within lending operations involving credit bureaus, service providers, and other financial intermediaries. However, compliance scores in this category are uniformly low. Bayport Botswana performs comparatively better than its peers, yet still achieves only a modest score, followed by ExpressCredit Botswana, Pachi Micro Solutions, and Letshego with progressively weaker results. These findings indicate limited transparency regarding the categories of third parties engaged, the specific data shared, applicable safeguards, and oversight mechanisms.

Weak governance of third-party relationships significantly heightens regulatory risk, particularly given the sensitivity of financial and identity data processed by lending institutions.

Data security measures reflect comparatively stronger performance across the institutions, though important gaps remain. Bayport Botswana leads in this category, suggesting more structured technical and organizational safeguards. ExpressCredit Botswana demonstrates moderate security implementation, while Pachi Micro Solutions and Letshego show similar but less robust performance. Although these results indicate awareness of the obligation to protect personal data through appropriate safeguards, the variation in scores suggests inconsistent application of risk-based security controls. In a sector handling sensitive financial data, insufficiently documented or implemented safeguards could undermine compliance with statutory security requirements.

Transparency and accountability mechanisms are notably underdeveloped. None of the assessed institutions has published a transparency report detailing government data requests, third-party disclosures, or data protection performance metrics. The absence of such reporting limits public oversight and reduces demonstrable accountability.

Similarly, internal data breach resolution mechanisms are largely inadequate. Bayport Botswana is the only institution that demonstrates visible effort in this area, yet its score remains modest. The remaining institutions show no measurable evidence of structured breach response frameworks. Given statutory obligations to detect, investigate, and notify regulators and affected individuals of qualifying data breaches within prescribed timelines, the absence of documented breach procedures presents significant compliance exposure. Weak incident response governance increases the risk of delayed notification, regulatory penalties, and erosion of customer trust.

Overall, the findings indicate that while Botswana's lending sector shows progress in policy accessibility and, to some extent, data security, it lacks foundational regulatory alignment and robust accountability structures. The absence of verifiable registration compliance is particularly concerning, as it undermines the legitimacy of other privacy efforts. Furthermore, weak third-party governance, limited breach response mechanisms, and the absence of transparency reporting collectively point to immature privacy management frameworks.

For these institutions to achieve meaningful compliance with data protection laws, priority attention must be given to formal regulatory registration, strengthening third-party oversight arrangements, institutionalizing structured breach response procedures, and enhancing demonstrable accountability. Without these improvements, the sector remains exposed to regulatory enforcement, operational disruption, and diminished stakeholder confidence.

Digital Loans Services - Rwanda

Spenn, Save, Kiva and Standard Life Rwanda in Rwanda

The 2025 assessment of digital lending and financial service platforms in Rwanda (Spenn, Save, Kiva, and Standard Life Rwanda) indicates incremental progress in certain aspects of privacy governance when compared with the previous year, but also reveals persistent structural weaknesses that continue to undermine full compliance with data protection laws. While there are measurable improvements in transparency, user rights articulation, and technical safeguards for some providers, core accountability mechanisms remain underdeveloped, and foundational regulatory compliance gaps persist.



Most significantly, there was no evidence to demonstrate compliance with registration requirements with the national data protection regulator for any of the assessed institutions. This mirrors the concern identified in the prior review, where regulatory alignment was also weak. The continued absence of demonstrable registration compliance represents a fundamental legal risk. Registration is not merely administrative; it anchors regulatory oversight, affirms lawful processing status, and signals institutional commitment to data governance. Its absence undermines other privacy efforts and exposes the facilities to potential enforcement action.

In terms of accessible privacy policies, the sector shows relative stability with modest improvement in quality but some shifts in leadership. In the current assessment, Spenn, Save, and Standard Life Rwanda lead with strong accessibility scores, while Kiva follows closely, though its policy remains lengthy and less readable for the average user. Compared to last year, when Save led with a perfect score and Spenn and Kiva followed, accessibility remains broadly strong across the sector. The key change is not in the existence of policies (these remain in place) but in their refinement and prominence. However, readability challenges persist, particularly for Kiva, whose detailed but complex policy may limit practical user comprehension despite substantive coverage.

Substantive transparency and data subject rights protections show clearer evolution. Spenn now emerges as the strongest overall performer in user rights articulation, providing clearer contact details, defined purposes for data collection, specified data categories, and articulated retention timelines. This represents progress from the previous year, when Spenn lacked contact details and provided only conditional rights in certain areas. Kiva continues to perform relatively strongly, maintaining robust descriptions of data purposes and offering extensive user rights, including complaint mechanisms. However, its continued reliance on advertising partnerships and behavioral marketing practices moderates its compliance standing.

By contrast, Save and Standard Life Rwanda demonstrate limited improvement. Save continues to provide reasons for data collection and identify categories of data but still omits clear retention timelines and comprehensive complaint rights. Although it now includes some channels for engagement, its failure to articulate opt-in or opt-out marketing controls and structured deletion rights reflects ongoing compliance weaknesses. Standard Life Rwanda performs similarly poorly, with vague and conditional rights, incomplete data disclosure, and unspecified retention periods. These deficiencies largely mirror last year's findings, indicating stagnation in privacy governance maturity for these providers.

Third-party data sharing remains a critical area of concern, though performance patterns have shifted. In the prior assessment, Spenn led in third-party compliance with a comparatively strong score, while Kiva and Save trailed. In the current review, Kiva leads, though still at a modest level, reflecting improved transparency regarding affiliates, service providers, and platform partners. Nevertheless, it does not specify the precise data types shared. Spenn's performance in this category has declined relative to last year, as it now provides limited detail on third-party entities and data categories. Save continues to show weak transparency in third-party arrangements, and Standard Life Rwanda records the lowest performance, permitting broad third-party processing without identifying entities, safeguards, or reporting channels. Despite some reordering among the platforms, overall sector compliance on third-party governance remains low. This ongoing weakness poses significant legal and operational risk, given the sensitivity of financial and identity data processed within digital lending ecosystems.

Data security is an area where measurable improvement is evident, particularly for Kiva. Last year, Kiva led with moderate performance, while Spenn and Save lagged and all platforms failed security header assessments. In the current review, Kiva demonstrates strong SSL implementation and a high security header score, marking a significant technical improvement and strengthening its overall compliance posture. Spenn shows moderate performance with documented internal security measures, including blockchain-secured transaction history and compliance-related retention practices, though it continues to fail on security headers. Standard Life Rwanda maintains acceptable SSL certification but weak header configuration. Save remains the weakest performer in this category, referencing little to no specific data security measures in its policy. While progress is visible for Kiva and, to a lesser extent, Spenn, inconsistent implementation of layered technical safeguards across the sector continues to limit full compliance with statutory security obligations.

Transparency reporting remains entirely absent, unchanged from last year. None of the assessed entities has published a transparency report disclosing data access requests, government demands, or breach statistics. This persistent gap reflects a sector-wide reluctance or immaturity in proactive accountability practices. The absence of transparency reporting reduces stakeholder trust and limits demonstrable compliance with openness principles embedded in data protection frameworks.

Internal data breach resolution mechanisms show marginal improvement but remain inadequate. In the previous assessment, only Save and Kiva demonstrated limited effort, with very low scores across the sector. In the current review, Kiva leads with a modest but improved score, indicating more visible reporting channels and safeguards. Save demonstrates incremental progress, while Standard Life Rwanda shows minimal procedural clarity. Spenn, despite stronger overall policy articulation this year, performs poorly in structured breach response governance. Although there is slight movement toward formalization, the overall maturity of incident response frameworks remains weak. The continued absence of clearly defined timelines, investigation procedures, and notification protocols creates substantial regulatory exposure, particularly in a high-risk financial services environment.

In comparative terms, the sector demonstrates gradual improvement in policy refinement, articulation of user rights, and, in Kiva's case, technical security controls. However, foundational gaps identified last year, particularly in registration compliance, third-party governance specificity, transparency reporting, and structured breach management, largely remain unresolved. Save and Standard Life Rwanda show limited advancement, suggesting stagnation in privacy governance development. Spenn has strengthened its user rights framework but regressed in third-party transparency, while Kiva has improved significantly in technical safeguards but continues to rely on advertising-linked data practices.

Overall, the trajectory indicates incremental but uneven progress rather than systemic reform. While some platforms are evolving toward stronger alignment with data protection principles, sector-wide compliance maturity remains moderate at best. Without demonstrable regulatory registration, strengthened third-party oversight, institutionalized breach response frameworks, and proactive transparency reporting, the facilities remain exposed to regulatory scrutiny, operational disruption, and reputational risk. Continued improvement will require moving beyond policy publication toward fully embedded, demonstrable accountability mechanisms aligned with Rwanda's data protection law.

Digital Loans Services - Tanzania

PesaX Tanzania, Branch International Tanzania, MkopoWako Tanzania and TwigaLoan in Tanzania

The 2025 assessment of digital lending platforms in Tanzania (PesaX, Branch International Tanzania, MkopoWako, and TwigaLoan) shows a mixed pattern of improvement and regression when compared with the previous year. While certain platforms have made notable progress in transparency and user rights articulation, structural weaknesses persist across the sector, particularly in regulatory registration, third-party governance, transparency reporting, and breach accountability. Overall, compliance maturity remains uneven and, in several respects, stagnant.



Most fundamentally, there is still no visible evidence that any of the assessed platforms has fulfilled registration requirements with the national data protection regulator. This mirrors last year's position and represents a continuing foundational compliance gap. Registration is a core statutory requirement under Tanzania's data protection framework, and the absence of demonstrable compliance undermines the legitimacy of other privacy measures. Without regulatory registration, these platforms operate in a posture of legal vulnerability, exposing themselves to potential enforcement action and reputational damage.

In the area of accessible privacy policies, the sector reflects both improvement and decline. This year, only PesaX and Branch International Tanzania achieved strong accessibility scores. PesaX shows the most significant improvement, moving from a score of 0% last year to 88% in the current assessment. This shift indicates a meaningful effort to establish baseline transparency through a publicly available and reasonably readable privacy policy. Branch International Tanzania maintains its prior strong performance, demonstrating consistency in policy visibility and accessibility. In contrast, MkopoWako, which previously scored moderately well, and TwigaLoan now record no measurable performance in this category. MkopoWako's decline from 63% to 0% marks a substantial regression in transparency, while TwigaLoan's continued absence of visible policy disclosures reflects ongoing non-compliance. Compared to last year, therefore, transparency gains by PesaX are offset by deterioration at MkopoWako and continued stagnation at TwigaLoan.

Pre-collection data transparency and recognition of data subject rights show a similar pattern of divergence. PesaX records a significant improvement, rising from 0% to 67%, demonstrating enhanced disclosure regarding data processing purposes and greater acknowledgment of user rights prior to data collection. Branch International Tanzania records a slight decline, falling from 42% to 39%, though it remains one of the stronger performers in this area. MkopoWako experiences a dramatic drop from 63% last year to 0%, suggesting either removal of previously available information or failure to maintain compliance structures. TwigaLoan continues to score 0%, reflecting persistent non-recognition of core data subject rights. These developments indicate that while one new entrant has strengthened its privacy posture, the broader sector has not collectively progressed. Instead, compliance improvements appear isolated rather than systemic.

Third-party data sharing remains a critical area of concern. All platforms were found to share personal data with third parties, yet compliance levels remain low. PesaX shows marked improvement, rising from 0% last year to 40%, thereby becoming the strongest performer in this category. This suggests increased transparency regarding external data disclosures. However, even this leading score remains modest and signals incomplete compliance. Branch International Tanzania declines slightly from 24% to 20%, while MkopoWako and TwigaLoan continue to record no measurable compliance. Compared with last year, the sector has not achieved substantive progress in third-party governance. While PesaX's improvement is notable, overall performance indicates continued weaknesses in specifying third-party entities, clarifying data categories shared, articulating legal justifications, and documenting safeguards. Given the sensitivity of financial and identity data processed by digital lenders, inadequate third-party oversight creates significant regulatory and consumer protection risks.

In contrast, data security demonstrates relative stability, though with limited advancement. Branch International Tanzania maintains its leading position with a strong score of 72%, supported by a high SSL server rating. However, while its technical safeguards appear robust at the transport layer, policy disclosures remain general and lack detailed explanation of internal controls. MkopoWako and TwigaLoan maintain their prior modest scores of 22%, reflecting limited but consistent implementation of security measures. PesaX records a slight decline in this area, dropping from 22% last year to 17%, indicating potential weakening in documented safeguards or technical configurations. Compared with the previous assessment, therefore, there is no substantial sector-wide improvement in comprehensive security governance.

While baseline protections exist, the absence of detailed technical, organizational, and procedural disclosures limits confidence in full compliance with statutory security obligations.

Transparency reporting and internal data breach resolution remain the weakest areas across the sector, with no observable change from last year. None of the platforms has published a transparency report detailing government requests, third-party disclosures, or incident statistics. Similarly, there is no demonstrable evidence of structured internal data breach resolution mechanisms across any of the assessed entities. This continued absence of formalized breach response frameworks, such as defined reporting timelines, user notification procedures, and regulatory escalation pathways, poses a serious compliance risk. Under data protection law, timely breach notification and accountability are not optional; failure to institutionalize such mechanisms increases exposure to regulatory penalties and reputational harm.

When viewed comparatively against last year's findings, the sector's trajectory is uneven. PesaX demonstrates the most significant improvement, moving from near-total non-performance to moderate compliance in transparency, user rights articulation, and third-party disclosure. Branch International Tanzania remains the most stable performer, maintaining strong accessibility and security scores but showing slight declines in certain transparency metrics. MkopoWako exhibits the most pronounced regression, losing ground in areas where it previously demonstrated moderate compliance. TwigaLoan remains unchanged at a minimal compliance level.

Overall, while individual platforms have made targeted improvements, the Tanzanian digital lending sector has not achieved systemic progress in data protection compliance. Core weaknesses identified last year, particularly the absence of regulatory registration, inadequate third-party governance, lack of transparency reporting, and failure to institutionalize breach response mechanisms, remain unresolved. Incremental gains by certain providers are offset by stagnation or regression among others. As a result, the sector continues to face substantial legal, operational, and reputational risks. Meaningful alignment with Tanzania's data protection laws will require not only accessible policies and technical safeguards, but also demonstrable regulatory registration, strengthened third-party oversight, and fully operational accountability frameworks embedded across all platforms.

Digital Loans Services - Mauritius

FinClub, Fundkiss and Cim Finance in Mauritius



Just as in the previous year, none of the platforms demonstrated any visible effort to comply with registration requirements with the national data protection regulator. This continued omission remains a significant compliance gap, as registration is a foundational obligation under the Data Protection Act 2017 and signals accountability to regulatory oversight. The absence of progress in this area suggests that, despite improvements in certain operational practices, formal regulatory alignment remains weak across the sector.

At the same time, all three platforms maintained strong performance in making their privacy policies accessible. Fundkiss retained its leading position with a perfect score of 100%, unchanged from last year. FinClub and Cim Finance each maintained scores of 88%, also unchanged. This consistency demonstrates sustained commitment to transparency at the point of access to information. From a compliance perspective, clear and visible privacy notices are essential to meeting statutory transparency obligations and to fostering user trust. However, accessibility alone does not guarantee substantive compliance, as the quality and completeness of disclosures remain equally important.

In relation to pre-collection data transparency and the observance of data subject rights, the sector recorded notable shifts compared to last year. Fundkiss improved significantly from 52% to 73%, moving from last place to joint leader. FinClub, which had led in the previous year with 77%, declined slightly to 72%. Cim Finance also experienced a marginal decrease, from 54% to 53%. These changes indicate that while overall performance remains moderate, leadership in this area has shifted. Fundkiss's improvement suggests a strengthening of its disclosures around data collection purposes and user rights, enhancing its alignment with legal requirements concerning informed consent and fair processing. FinClub's slight decline, though not dramatic, suggests stagnation or minor gaps in maintaining best practice standards. Cim Finance's marginal drop signals limited progress in deepening transparency obligations. Collectively, the data suggests incremental improvement but no sector-wide transformation in embedding robust user empowerment mechanisms.

Third-party data sharing remains the weakest area of compliance across all platforms, despite some movement compared to last year. All platforms, as before, share user data with third parties. Fundkiss improved from 24% to 34%, FinClub declined from 36% to 26%, and Cim Finance rose from 0% to 18%. Although Cim Finance's increase represents progress from a baseline of no compliance, overall scores remain low across the board. These persistently weak results raise significant compliance concerns, particularly given that data sharing and cross-border transfers are heavily regulated under the Data Protection Act 2017 and comparable international standards such as the GDPR. Insufficient specificity about third-party recipients, safeguards, and categories of shared data increases regulatory risk and may expose the platforms to enforcement action or reputational harm in the event of misuse or breach by external partners.

Data security practices present a contrasting picture of stability. Cim Finance maintained its leading position with 94%, while Fundkiss and FinClub sustained their previous scores of 61% and 56%, respectively. The absence of change suggests that security frameworks have neither significantly improved nor deteriorated. Cim Finance's consistently high score indicates mature technical and organisational safeguards, reinforcing resilience against unauthorised access or data loss. However, for Fundkiss and FinClub, maintaining mid-range scores without improvement suggests that security investments have plateaued. Given the increasing sophistication of cyber threats, static performance may not be sufficient to meet evolving legal expectations regarding "appropriate technical and organisational measures."

Transparency reporting remains largely unchanged. Cim Finance continued to be the only platform publishing a transparency report, retaining a perfect score of 100%, while Fundkiss and FinClub again scored 0%. This sustained disparity reinforces Cim Finance's relative strength in public accountability and openness about its data governance practices. Transparency reporting contributes positively to compliance culture, demonstrating proactive disclosure beyond minimum legal requirements.

The continued absence of such reporting by the other platforms limits public visibility into their data handling practices and may weaken stakeholder confidence.

Internal data breach resolution mechanisms show mixed and concerning trends. FinClub and Fundkiss improved slightly from 0% to 8%, indicating initial steps toward formalising internal processes. In contrast, Cim Finance declined from 17% to 0%, eliminating the limited progress it had previously made. Overall, performance in this area remains critically low. The absence of clear internal breach response procedures, defined timelines, impartial investigation guarantees, and structured reporting channels poses substantial compliance risks. Under data protection law, prompt detection, documentation, and notification of breaches are mandatory obligations. Weak internal frameworks could delay response times, increase harm to affected individuals, and heighten exposure to regulatory penalties.

A closer review of the privacy policies reinforces these scoring patterns. FinClub's policy is formally aligned with the Data Protection Act 2017 and references international standards such as the GDPR. It defines lawful bases for processing, outlines categories of collected data, and describes retention periods of up to seven years or longer where legally required. It also recognises user rights and provides complaint mechanisms through its Data Protection Officer and the Mauritius Data Protection Office. These features indicate structural alignment with statutory requirements. However, its reduced score in third-party data transfers suggests that, in practice, disclosures around external data sharing may lack sufficient granularity or safeguards.

Fundkiss's policy remains highly accessible and transparent in structure, providing detailed descriptions of collected data and contact information. Its improvement in pre-collection transparency is reflected in clearer articulation of purposes and rights. Nevertheless, retention periods remain vaguely defined as "required by law," and third-party disclosures lack specificity. Although user rights are recognised and consent is required for targeted marketing, limited detail on security safeguards and breach handling procedures weakens demonstrable accountability. The absence of clearly defined breach notification obligations may expose the company to legal vulnerability in the event of an incident.

Cim Finance's policy is visible and structured but omits key contact details and provides only general retention language. While it continues to lead in data security and transparency reporting, its decline in breach resolution scoring suggests a potential gap between formal policy commitments and internal procedural robustness. The absence of explicit user breach notification procedures or detailed reporting channels limits practical compliance effectiveness.

Compared to last year, the overall trajectory of the sector can be characterised as incremental rather than transformative. Accessibility of privacy policies and security safeguards remain stable. Leadership in pre-collection transparency has shifted from FinClub to Fundkiss. Third-party data transfer compliance remains the most significant structural weakness, despite modest improvements by Fundkiss and Cim Finance. Internal breach management continues to be critically underdeveloped across the sector, with no platform demonstrating strong compliance in this area. Registration with the national regulator remains entirely unaddressed.

In conclusion, while certain improvements, particularly by Fundkiss in transparency and by Cim Finance in maintaining strong security and reporting practices, indicate gradual maturation of privacy governance, systemic compliance gaps persist. Weaknesses in regulatory registration, third-party data transfer safeguards, and internal breach resolution mechanisms continue to expose the platforms to regulatory enforcement risks, reputational damage, and potential erosion of user trust. Without substantive progress in these high-risk areas, the sector's privacy practices remain only partially aligned with the full requirements of applicable data protection laws.

Digital Loans Services - Zimbabwe

EcoCash, Zibuko Capital, InnBucks and eShagi in Zimbabwe

The current assessment of the digital loans sector reveals a marked regression in several core areas of data protection compliance when compared with last year's findings. As in the previous review, none of the platforms demonstrated visible effort to fulfil registration requirements with the national regulator. This continued absence of regulatory registration remains a foundational compliance gap. Registration is a basic accountability obligation under data protection law, and failure to demonstrate compliance in this area weakens regulatory oversight and signals limited institutional commitment to formal governance standards.



In contrast to this stagnation, there has been a significant shift in the accessibility of privacy policies. eShagi emerged this year as the only platform demonstrating meaningful effort, scoring 88%, a substantial improvement from 0% last year. This indicates a notable step toward transparency and suggests a developing recognition of the importance of informing users about data practices. However, this positive development is offset by sharp declines elsewhere. EcoCash, which previously led the sector with a perfect score of 100%, dropped to 0%, while InnBucks declined from 75% to 0%. Zibuko Capital maintained its previous score of 0%.

This reversal is significant. Last year, EcoCash and InnBucks were recognised for comparatively strong transparency through accessible privacy policies. Their current absence of demonstrable accessibility raises concerns about diminished openness and reduced user awareness of data handling practices. Without accessible policies, users are deprived of essential information regarding the nature, purpose, and scope of data processing, undermining the principle of informed consent and exposing these platforms to heightened regulatory and reputational risk.

The regression is even more pronounced in the area of data subject rights and pre-collection transparency. This year, only eShagi made any effort, scoring a modest 6%, up from 0%. EcoCash dropped from 65% to 0%, and InnBucks from 49% to 0%, while Zibuko Capital again remained at 0%. In last year's analysis, EcoCash and InnBucks had demonstrated relative strength in this category, indicating some recognition of users' rights to access, correct, or object to the processing of their personal data.

Their complete decline to zero suggests either the withdrawal of previously available safeguards or a lack of demonstrable evidence of their continued implementation. From a compliance perspective, this represents a serious setback. Respect for data subject rights is central to modern data protection frameworks, and failure to operationalise these rights exposes organisations to legal sanctions and erodes consumer trust.

Third-party data sharing presents an equally troubling trajectory. All platforms continue to share data with third parties, yet compliance scores have fallen dramatically. InnBucks dropped from 70% to 0%, and EcoCash from 24% to 0%, while eShagi and Zibuko Capital maintained 0% from last year. Previously, EcoCash and InnBucks had shown measurable effort in regulating and disclosing third-party transfers, particularly EcoCash with a relatively strong 70% score. The complete erosion of these safeguards suggests either diminished transparency or weakened contractual and organisational controls governing data sharing. Given that third-party transfers are among the highest-risk aspects of data processing, particularly where cross-border transfers or financial data are involved, this decline significantly heightens compliance risks. Inadequate oversight of third parties can lead to unlawful disclosures, loss of control over personal data, and liability for downstream misuse.

In the area of data security, the sector presents a more mixed picture. All platforms demonstrated some effort to maintain security safeguards, though performance shifted. EcoCash continues to lead with 50%, despite a decline from 67%. InnBucks improved from 28% to 44%, reflecting strengthened technical or organisational security controls. Zibuko Capital dropped from 45% to 28%, while eShagi maintained its previous score of 28%. Compared to last year, where EcoCash led at 67% and Zibuko Capital followed at 45%, the overall trend suggests a levelling downward, with the exception of InnBucks' improvement. While the presence of some security controls is positive, declining or stagnant scores may indicate insufficient adaptation to evolving cybersecurity threats. Under data protection law, security measures must be "appropriate" and responsive to risk; therefore, failure to continuously strengthen safeguards may result in non-compliance over time.

Transparency reporting shows a noteworthy development. EcoCash is now the only platform publishing a transparency report, achieving a perfect score of 100%, up from 0% last year. The other platforms remain at 0%, unchanged. This marks a positive shift for EcoCash, signalling enhanced openness regarding its data governance practices. Transparency reports contribute to accountability by informing the public about data requests, disclosures, and oversight mechanisms. However, the absence of similar reporting by the other platforms limits sector-wide transparency and constrains stakeholder scrutiny.

As in the previous year, none of the platforms demonstrated any effort to establish internal data breach resolution mechanisms. Scores remain at 0% across the board. This persistent weakness is particularly concerning. Effective breach management frameworks, including internal reporting channels, investigation procedures, user notification timelines, and mitigation strategies, are mandatory components of data protection compliance. Without them, platforms risk delayed responses to incidents, greater harm to affected individuals, and increased exposure to regulatory penalties.

Overall, the comparison with last year reveals a sector that has regressed in critical transparency and accountability measures, despite isolated improvements. eShagi's emergence in privacy policy accessibility represents a positive development, and InnBucks' improved security score suggests incremental operational strengthening. EcoCash's adoption of a transparency report also marks progress in public accountability. However, these gains are overshadowed by the widespread decline in privacy policy accessibility, data subject rights observance, and third-party data transfer compliance.

The current findings indicate that the digital loans sector is struggling to maintain consistent compliance with data protection laws. The erosion of previously demonstrated safeguards, particularly by EcoCash and InnBucks, signals instability in privacy governance frameworks. Persistent failure to address regulatory registration and breach management further compounds compliance vulnerabilities. Unless the platforms adopt sustained and comprehensive data protection strategies, grounded in transparency, user rights protection, secure third-party oversight, and formal regulatory engagement, they remain exposed to legal enforcement risks, reputational damage, and diminished consumer trust.

Digital Loans Services - Kenya

Branch International Kenya, Tala Kenya, Zenka and LendPlus in Kenya

The current assessment of the leading digital lending platforms shows measurable progress in certain compliance areas, alongside persistent structural weaknesses that continue to affect alignment with data protection law. Compared with last year, the most notable improvement is in regulatory registration. Branch International, Zenka and LendPlus each achieved a perfect score of 100% for fulfilling registration requirements with the national regulator. Branch International and LendPlus improved from 88%, while Zenka maintained its previous perfect score. In contrast, Tala Kenya declined from 100% and no longer demonstrates full compliance in this area.



This shift represents an important development. Registration with the regulator is a foundational legal obligation and signals formal recognition of oversight authority. The improvement by Branch International and LendPlus suggests strengthening institutional alignment with statutory requirements, likely influenced by heightened regulatory scrutiny in the sector. Tala's decline, however, raises compliance concerns, particularly given its previous leadership position. Failure to maintain registration undermines accountability and exposes a platform to potential enforcement action.

All platforms continue to demonstrate visible effort in maintaining accessible privacy policies. Tala now leads with 100%, improving from 75%. Branch International maintained its score of 88%, Zenka improved from 75% to 88%, and LendPlus declined from 88% to 75%. Compared to last year, when Branch International and LendPlus led, leadership has shifted to Tala. This overall consistency indicates that transparency through published privacy notices remains an embedded practice across the sector. Given the data-intensive nature of digital lending, where algorithmic credit scoring relies on behavioural and financial data, accessible privacy policies are essential for meeting transparency and informed consent obligations. However, accessibility alone does not guarantee substantive compliance; the completeness and specificity of disclosures remain critical.

Performance in observing data subject rights reflects moderate but uneven progress. Branch International remains the leader at 70%, though slightly down from 72%. LendPlus improved significantly from 54% to 67%, demonstrating stronger recognition of user rights. Zenka declined from 64% to 60%, while Tala improved marginally from 56% to 58%. Compared to last year, the ranking order remains broadly similar, but LendPlus shows the most meaningful upward movement. These scores suggest that platforms are gradually operationalising rights such as access, correction, and objection. Nevertheless, declines for Branch International and Zenka indicate that maintaining compliance requires sustained effort. Since digital lending decisions can materially affect individuals' access to credit, weak implementation of data subject rights may expose platforms to legal challenges, particularly where automated decision-making is involved.

Third-party data sharing continues to represent the weakest area of compliance, despite some improvements. All platforms share user data with third parties, yet compliance scores remain low. LendPlus leads at 38%, improving from 20%. Zenka declined from 46% to 32%. Branch International improved from 16% to 26%, and Tala improved from 6% to 16%. Compared to last year, there is some overall upward movement except for Zenka's decline, but the scores remain modest. Given that digital lenders routinely share data with credit reference bureaus, analytics providers, and marketing partners, inadequate disclosure and safeguards in third-party transfers create substantial regulatory risk. Data protection laws impose strict conditions on onward transfers, particularly where sensitive financial or behavioural data are involved. Persistently low scores suggest incomplete contractual safeguards, limited transparency regarding recipients, or insufficient user notification mechanisms.

In the area of data security, performance remains relatively stable. LendPlus maintained a strong score of 78%, as did Branch International at 72%. Tala declined from 78% to 61%, while Zenka maintained 45%. Compared to last year, there is general stability, with Tala showing the only significant drop. The maintenance of relatively high security scores for Branch International and LendPlus indicates sustained investment in technical and organisational safeguards. However, Zenka's comparatively lower and unchanged score suggests room for strengthening resilience against evolving cybersecurity threats. Given the sensitivity of financial and behavioural data processed in algorithmic lending models, inadequate or declining security measures could result in serious legal and reputational consequences in the event of a breach.

As in the previous year, none of the platforms publish transparency reports; all scored 0% again. This continued absence of public reporting limits external accountability and weakens public confidence. Transparency reports are increasingly regarded as best practice, particularly in sectors involving automated profiling and significant economic impact on individuals. Their absence suggests that, despite regulatory pressure, platforms remain reluctant to disclose detailed information about data requests, government access, or internal governance practices.

Internal data breach resolution mechanisms also remain an area of serious concern. Zenka maintained a modest score of 17%, unchanged from last year. Branch International remained at 0%. Tala declined from 17% to 0%, and LendPlus fell from 8% to 0%. Compared to last year, there has been regression rather than improvement. Effective breach response frameworks, including internal reporting channels, defined investigation timelines, and clear user notification procedures, are mandatory components of modern data protection compliance. The widespread absence of demonstrable mechanisms indicates vulnerability to delayed incident response and potential non-compliance with statutory breach notification requirements.

Overall, compared with last year's analysis, the sector demonstrates progress in regulatory registration and moderate improvements in third-party transfer practices for some platforms. Privacy policy accessibility remains consistently strong, and data security safeguards are largely maintained. However, declines in internal breach resolution readiness, the absence of transparency reports, and continuing weaknesses in third-party data governance indicate that compliance maturation remains incomplete.

The overall trajectory suggests that leading digital lenders are responding to regulatory scrutiny and enforcement pressure, particularly in formal registration and public-facing transparency measures. Nevertheless, significant gaps persist in operational accountability mechanisms. Given that these platforms rely on algorithmic analysis of extensive personal, financial, and behavioural data to determine access to credit, incomplete compliance in areas such as third-party transfers, breach response, and transparency reporting poses heightened legal and reputational risks. Without sustained investment in comprehensive privacy governance frameworks, the sector may struggle to fully meet evolving data protection standards and maintain user trust in an increasingly regulated digital finance environment.

Digital Loans Services - Uganda

Dove Cash, Mangu Cash, iSente and Quick Sente in Uganda

The current assessment of digital loan providers indicates a sector that remains structurally weak in regulatory compliance, with limited progress since last year and regression in key areas. Most notably, none of the platforms now demonstrate compliance with registration requirements before the national regulator. Mangu Cash, which previously achieved a perfect score of 100% for registration, dropped to 0%, while Dove Cash, iSente and Quick Sente each maintained their prior scores of 0%. This marks a significant regression compared to last year, when Mangu Cash stood out as the only compliant entity. Registration is a foundational requirement under data protection law and signals formal accountability to the regulator. The complete absence of demonstrable compliance across the sector raises concerns about weak regulatory engagement and exposes these platforms to enforcement risk.



In contrast, privacy policy accessibility remains one of the few stable areas of performance. Dove Cash, Mangu Cash and Quick Sente each maintained strong scores of 88%, unchanged from last year, while iSente declined from 88% to 75%. This suggests that, despite broader compliance gaps, most platforms continue to prioritise having visible and readable privacy notices. However, accessibility does not necessarily equate to substantive compliance. The quality, completeness and operationalisation of the commitments contained in those policies remain uneven.

Performance in recognising and operationalising data subject rights shows modest improvement overall. Dove Cash remains the leader at 61%, though slightly down from 63%. Mangu Cash improved significantly from 37% to 48%, while iSente and Quick Sente each improved to 43%, up from 37% and 33% respectively. Compared to last year, this reflects incremental progress in embedding user rights frameworks. Nonetheless, the scores remain moderate, indicating that while rights such as access, rectification and restriction may be acknowledged, full implementation, particularly concerning erasure and complaint rights, remains incomplete. Weak protection of data subject rights is especially problematic in digital lending, where automated decisions directly affect individuals' access to credit and financial opportunities.

Third-party data transfers remain consistently weak and have deteriorated in some cases. All platforms share personal data with third parties, yet compliance scores are low. Dove Cash leads with only 16%, down from 24%, while Mangu Cash, iSente and Quick Sente each maintained 10% from last year. The stagnation and decline in this area highlight persistent opacity regarding the nature of shared data, the identity of recipients, and applicable safeguards. Given that digital lenders routinely interact with advertisers, analytics providers and potentially credit reference agencies, insufficient transparency and contractual control over third-party transfers pose significant legal and reputational risks. Data protection laws impose strict obligations on controllers to ensure that downstream processors handle personal data lawfully; failure to do so may result in joint liability for misuse.

Data security practices present a more varied picture. iSente now leads with 78%, improving from 72%. Mangu Cash maintained a strong 72%. Dove Cash held steady at 45%, while Quick Sente declined sharply from 72% to 45%. Compared to last year, security remains one of the stronger compliance areas overall, though performance is inconsistent. While relatively higher scores suggest the presence of technical safeguards, such as secure hosting or encryption measures, policy disclosures often lack specificity. For example, Mangu Cash references security measures and advises users on password management but does not clearly detail internal technical controls. In a sector handling sensitive financial and behavioural data, insufficiently articulated security frameworks may undermine compliance with statutory obligations requiring "appropriate technical and organisational measures."

Transparency reporting remains entirely absent. As in the previous year, none of the platforms published a transparency report. This continued omission limits public accountability and prevents users from understanding how frequently data is shared with government agencies or other third parties. The absence of transparency reporting is consistent with broader sectoral weaknesses and reflects limited adoption of best practices in proactive disclosure.

Internal data breach resolution mechanisms also remain critically underdeveloped. Mangu Cash maintained a modest score of 8%, reflecting only vague references to breach handling, while Dove Cash, iSente and Quick Sente each maintained 0%. Compared to last year, there has been no meaningful improvement. Policies generally lack clear timelines for reporting and investigation, guarantees of impartiality, or defined notification procedures. In practice, this means that in the event of a data breach, users may not be informed promptly, and internal response processes may lack structure and accountability. Under data protection law, such deficiencies can lead to regulatory sanctions and increased harm to affected individuals.

A closer examination of policy content reinforces these findings. Mangu Cash's privacy policy is accessible and written in clear language. It outlines categories of data collected and states that data is retained "as required by law," but does not specify precise retention periods. It recognises certain data subject rights, such as access and rectification, and permits opt-out from behavioural marketing. However, it does not clearly provide for the right to erasure or detailed complaint procedures before the regulator. Although categories of third-party recipients are listed, the specific nature of the data shared is not disclosed. While multiple communication channels are provided, breach handling procedures lack defined timelines and structured reporting processes.

Quick Sente similarly maintains an accessible policy that clearly explains the purpose of data collection and lists categories of data gathered. However, it provides limited contact information, relies on general retention language, and scores zero on internal breach resolution. These patterns indicate that while formal policy documents exist, operational accountability mechanisms remain weak.

In comparison with last year, the sector shows modest gains in data subject rights recognition and some improvements in security for specific platforms, particularly iSente. However, it has regressed significantly in regulatory registration compliance and experienced declines in third-party transfer transparency and, in some cases, data security. Transparency reporting and breach resolution remain unchanged at critically low levels.

Overall, the persistent absence of registration, transparency reporting and robust breach management frameworks suggests systemic compliance immaturity. Given the sensitive nature of financial data processed by these platforms, ongoing weaknesses expose them to regulatory penalties, reputational harm and erosion of user trust. Without comprehensive improvements in governance, transparency and incident management, the sector risks remaining structurally vulnerable under evolving data protection enforcement regimes.