1. Introduction & Data Controller

FitPesa Ltd (South Africa) and FitPesa Ltd (Nigeria), in partnership with Avalanche Internet Solutions (Uganda), are committed to protecting your privacy while pursuing our mission of poverty alleviation and wellness. This policy explains how we handle your data when you use the FitPesa "Social Enterprise" ecosystem.

2. Information We Collect

To provide a secure and rewarding experience, we collect the following categories of data:

• Personal Identifiers: Name, email, phone number, and age (to ensure 18+ eligibility).
• Health & Activity Data: Step counts, distance, and movement duration. This may be collected via your device's sensors or integrated services (e.g., Apple HealthKit, Google Health Connect).
• Precise Location Data: We collect GPS data to verify physical movement. Note: Background location access is required to track steps while the app is closed or in the background.
• Sensitive Identity Data (KYC): For "Veteran Level" users, we collect Government ID scans and biometric "Liveness" facial scans to prevent fraud and comply with Anti-Money Laundering (AML) standards.
• Financial Data: Payment history for physical goods (via Flutterwave) and digital upgrades (via IAP). We do not store full credit card numbers on our servers.

3. How We Use Your Data

We use your information strictly for:

• Verification: Auditing movement data to issue FITP rewards fairly.
• PesaMarket Logistics: Using your address to deliver physical goods (fans, electronics, groceries).
• Social Interaction: Displaying your fitness achievements on the FitLovers community feed.
• Security: Using KYC data to ensure only real human beings reach "Veteran Status" and access redemptions.

4. Health Data Protection (Apple & Google Compliance)

Crucial Disclosure:

• FitPesa will never use health or fitness data collected via HealthKit or Health Connect for advertising or marketing purposes.
• We do not sell your health data to third-party data brokers or insurance companies.
• Your health data is used exclusively to calculate your FITP rewards and display your progress.

5. Data Sharing & Third Parties

We share only the minimum data necessary with:

• Logistics Partners: Your name/address shared with couriers for PesaMarket deliveries.
• Payment Processors: Transaction data handled by Flutterwave (Physical) and Apple/Google (Digital).
• Cloud Infrastructure: Data stored securely on Google Firebase/AWS with 256-bit encryption.
• Legal Compliance: We may disclose data if required by South African or Nigerian law enforcement.

6. Your Rights & Data Sovereignty

Regardless of your location, FitPesa grants you the following rights:

• Right to Access/Correct: You can view and edit your profile at any time.
• Right to Erasure (The "Right to be Forgotten"): You can delete your account via the in-app settings. All personal data, including KYC scans, will be purged from our active servers within 30 days.
• Right to Opt-Out: You may revoke location or health permissions at any time, though this will disable FITP earning features.

7. International Data Transfers

As a Pan-African company, your data may be processed in South Africa, Nigeria, or Uganda. We use Standard Contractual Clauses (SCCs) to ensure your data remains protected to the highest international standards (GDPR/POPIA) regardless of which regional hub is processing it.

8. Security Measures

We employ Airtight Security protocols:

• Biometric Data: Facial liveness scans are encrypted and used only for one-time verification; we do not store raw biometric templates.
• Encryption: All data in transit is protected via SSL/TLS.
• Fraud Detection: AI-driven audits monitor for GPS spoofing to protect the Poverty Alleviation fund.

9. Children's Privacy

FitPesa is a social enterprise for adults. We do not knowingly collect data from anyone under the age of 18. If we discover a minor has bypassed our age-gate, the account and all associated data will be deleted immediately.

10. Contact Our Data Protection Officer (DPO)

For privacy inquiries or to exercise your data rights: