Privacy Policy

Fantom Capital Limited ("we", "us", or "our") is a duly licensed microfinance institution incorporated under the laws of Kenya, regulated by the Central Bank of Kenya. Our registered offices are located at Ruaraka Square, Thika Road, Nairobi, Kenya.

We provide personal loans, logbook loans, check-off loans, landlord loans, and related financial products through our website www.fancap.co.ke and our physical branches. This Privacy Policy explains how we collect, use, protect, and share information about you when you use our services, visit our website, or interact with us in any capacity.

Fantom Capital Limited acts as the data controller of your personal information and is responsible for the lawful and secure handling of that information.

We collect the following categories of personal data to provide, assess, and improve our lending services:

a) Identity & Contact Information

• Full name, date of birth, gender, and nationality
• National ID number or passport number
• KRA Personal Identification Number (PIN)
• Residential and postal address
• Phone number(s) and email address
• Photographs (where required for identity verification)

b) Financial Information

• Bank account details, M-Pesa mobile money records, and SACCO statements
• Income level, employment status, employer details, and salary slips
• Credit history, Credit Reference Bureau (CRB) reports, and loan repayment records
• Outstanding debts, liabilities, and financial obligations

c) Vehicle & Asset Information (Logbook Loans)

• Vehicle make, model, year of manufacture, and type of use
• Vehicle registration number and logbook details
• Estimated vehicle value and professional valuation reports
• Insurance policy details

d) Technical & Usage Data

• IP address, browser type, and operating system
• Pages visited, time spent on our website, and referral sources
• Device identifiers and geographic location data (where consent is given)
• Cookie data and session information

e) Communication Records

• Correspondence through email, SMS, WhatsApp, and telephone
• Records of complaints, queries, and feedback
• Records of consent provided for marketing or data processing

We use your personal data for the following purposes:

• Loan Processing & Assessment: To evaluate your creditworthiness, process your loan application, verify submitted documents, and determine your eligibility for our financial products.
• Identity Verification: To confirm your identity, prevent fraud, and comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations.
• Account Management: To create and manage your customer account, process payments, send statements, and update you on your loan status.
• Communication: To send you important notifications about your loan, repayment schedules, account updates, and responses to your enquiries via SMS, email, or telephone.
• Legal Compliance: To comply with our obligations under the Banking Act, the Microfinance Act, the Kenya Data Protection Act 2019, CRB regulations, tax laws, and any other applicable legislation.
• Credit Reporting: To submit and receive data from licensed Credit Reference Bureaus (CRBs) for credit assessment purposes.
• Debt Recovery: Where necessary, to recover overdue amounts through lawful means, including engagement of authorised debt recovery agents.
• Service Improvement: To analyse website usage patterns and improve the functionality, security, and user experience of our platform.
• Marketing (with consent): To send you information about new products, promotions, and financial tips. You may opt out at any time by contacting us at [email protected].

Under the Kenya Data Protection Act 2019, we rely on the following legal bases to process your personal data:

• Contractual Necessity: Processing is necessary to assess, approve, and administer your loan application and any resulting loan agreement.
• Consent: Where you have explicitly given us permission to process your data for specific purposes, such as marketing communications. You have the right to withdraw consent at any time.
• Legal Obligation: Where processing is required to comply with applicable laws and regulations, including CRB submissions, tax reporting, and AML obligations.
• Legitimate Interests: Where processing is necessary for our legitimate business interests, such as fraud prevention, security monitoring, and service improvement, provided such interests are not overridden by your rights and interests.

We do not sell or rent your personal information to any third party. We may share your data with the following categories of recipients only where strictly necessary:

• Credit Reference Bureaus (CRBs): Licensed CRBs such as TransUnion, Metropol, and CreditInfo, as required by the Credit Reference Bureau Regulations.
• Regulatory Authorities: The Central Bank of Kenya, Kenya Revenue Authority, the Office of the Data Protection Commissioner, and other government bodies as required by law.
• Law Enforcement: Police, courts, and other law enforcement or legal authorities when compelled by a court order or lawful legal process.
• Service Providers: Trusted third parties who provide services on our behalf, including IT support, SMS/email communication providers, vehicle valuers, debt collection agencies, and professional advisors (lawyers and auditors). All such parties are bound by confidentiality obligations and data processing agreements.
• Insurance Providers: For the purposes of loan protection and insurance cover, where applicable.
• Acquirers & Successors: In the event of a merger, acquisition, or sale of business assets, your data may be transferred to the acquiring entity, subject to equivalent data protection obligations.

All data sharing is conducted in strict compliance with the Kenya Data Protection Act 2019 and the applicable data processing agreements.

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, and to comply with our legal and regulatory obligations. The following general retention periods apply:

• Active loan accounts: For the full duration of the loan relationship.
• Closed loan accounts: For a minimum of seven (7) years after the loan is fully settled, as required by financial regulations and tax laws.
• Unsuccessful loan applications: For up to two (2) years from the date of the application decision.
• Website usage and technical data: For up to twelve (12) months from the date of collection.
• Marketing consent records: Until you withdraw consent, plus an additional period as required by law.

When your data is no longer required, we will securely delete or anonymise it in accordance with our data destruction procedures.

Under the Kenya Data Protection Act 2019, you have the following rights with respect to your personal data:

• Right to Access: You have the right to request a copy of the personal data we hold about you, free of charge, subject to certain legal exceptions.
• Right to Rectification: You have the right to request correction of any inaccurate, incomplete, or outdated personal information we hold about you.
• Right to Erasure: You may request the deletion of your personal data where it is no longer necessary for the purposes it was collected, where consent has been withdrawn, or where processing is unlawful — subject to our legal retention obligations.
• Right to Object: You have the right to object to the processing of your personal data for direct marketing purposes or where processing is based on our legitimate interests.
• Right to Data Portability: Where technically feasible, you may request that we transfer your personal data to you or another organisation in a structured, commonly used, machine-readable format.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya if you believe your data rights have been violated.

Fantom Capital Limited implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. Our security measures include:

• Secure Socket Layer (SSL/TLS) encryption for all data transmitted over our website
• Password hashing and secure credential storage using industry-standard algorithms
• Role-based access controls restricting staff access to data on a need-to-know basis
• Regular security audits and vulnerability assessments of our IT systems
• Physical security controls at our offices and data processing locations
• Staff training on data protection obligations and secure data handling practices
• Incident response procedures for detecting, reporting, and addressing data breaches

In the event of a data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the Office of the Data Protection Commissioner within the timeframes prescribed by law.

While we take all reasonable precautions, no system is completely impenetrable. We encourage you to protect your account credentials and to notify us immediately at [email protected] if you suspect any unauthorised access to your account.

Our website uses cookies and similar tracking technologies to enhance your browsing experience and to analyse website performance. Cookies are small text files stored on your device when you visit our website.

Types of Cookies We Use

• Essential Cookies: Strictly necessary for the operation of our website, including user authentication, session management, and security. These cannot be disabled.
• Analytical Cookies: Help us understand how visitors interact with our website by collecting anonymous statistical data (e.g., Google Analytics). This helps us improve our services.
• Functional Cookies: Remember your preferences (such as language or region settings) to personalise your experience.
• Marketing Cookies (with consent only): Used to deliver relevant advertisements and track the effectiveness of our marketing campaigns. These are only placed with your explicit consent.

You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website. For more information on managing cookies, visit www.allaboutcookies.org.

Our website may contain links to third-party websites, applications, or services that are not operated by Fantom Capital Limited. These links are provided for your convenience and informational purposes only.

We have no control over the content, privacy practices, or security of third-party sites. We strongly encourage you to review the privacy policies of any third-party websites you visit. Fantom Capital Limited is not responsible or liable for the privacy practices or content of such external sites.

Our third-party service providers (such as M-Pesa payment processing by Safaricom, Google Analytics, and SMS gateway providers) are subject to their own privacy policies and operate under data processing agreements with us.

Our financial services are intended solely for adults aged 18 years and above. We do not knowingly collect, use, or store personal data from individuals under the age of 18.

If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at [email protected]. We will take prompt steps to delete any such data from our records.

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations. We will notify you of any material changes by:

• Posting the updated policy on this page with a revised "Last Updated" date
• Sending a notification to the email address registered to your account (for significant changes)
• Displaying a prominent notice on our website

Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically to stay informed about how we protect your data.

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact our Data Protection Officer: