← Back

Gwiza Privacy Policy

Gwiza Fintech LTD Effective date: 30 May 2026 · Last updated: 30 May 2026

1. Who we are

This Privacy Policy explains how Gwiza Fintech LTD ("Gwiza", "we", "us", or "our") collects, uses, shares, and protects your personal information when you use the Gwiza application and the website at gwizafintech.com (together, the "Service").

Gwiza is a personal financial operating system. We help you see, organise, and act on your own money. Gwiza is non-custodial: we never hold your funds. When you choose to move money, Gwiza sends an instruction to a licensed payment partner that executes the transaction; the money moves between your own accounts and the recipient, not through us.

For the purposes of Rwanda's Law N° 058/2021 of 13/10/2021 relating to the protection of personal data and privacy, Gwiza Fintech LTD is the data controller for the personal data described in this policy.

Contact: admin@gwizafintech.com · 17 KG 676 Street, Amahoro, Kimihurura, Gasabo, Kigali, Rwanda.

2. Scope

This policy applies to everyone who uses the Service. By creating an account or using Gwiza, you acknowledge the practices described here. If you do not agree, please do not use the Service.

3. The information we collect

a. Information you give us directly

  • Account details: your name, email address, and the password you set (stored only in a securely hashed form).
  • Financial profile: information you enter to set up your finances — income sources, payday timing, expenses, debts and loan terms, savings goals, property plans, investments, and budgets.
  • Advisor conversations: the questions and messages you send to Advisor Gwiza, our in-app guidance feature.
  • Support and correspondence: anything you send us when you contact support or subscribe to communications.

b. Financial transaction data from SMS (Android only)

  • With your explicit permission, on Android devices Gwiza reads the SMS messages your financial services send you — mobile money operators (such as MTN MoMo and Airtel Money) and licensed banks — to detect and record your own transactions automatically.
  • Messages are filtered and matched on your device. From financial messages we extract transaction details — amount, direction (money in or out), counterparty or merchant, reference, balance where shown, and timestamp — and add them to your private ledger.
  • We do not read, parse, store, or transmit the content of personal (non-financial) SMS, and we do not upload your SMS inbox.
  • This feature is not available on iOS, which does not permit apps to read SMS. On iOS you record transactions by other means (such as manual entry).

Status: the native Android application providing this on-device auto-capture is currently in development. Until it is released, you can record transactions through the existing web flow or by manual entry.

c. Information we collect automatically

  • Basic device and usage information needed to run and secure the Service.
  • Local settings stored on your device (for example, your chosen display theme). These stay on your device.
  • On the website at gwizafintech.com, your sign-in session is stored locally in your browser. We do not use third-party advertising or analytics tracking cookies.

d. Information from payment execution partners

  • When you initiate a payment through the Service, our licensed payment partners process the transaction and may return confirmation details (such as status and reference) that we record against your account.

4. How we use your information

We use your information to:

  • create and secure your account and authenticate you;
  • build and maintain your ledger, budgets, goals, and reports — the core purpose of the Service;
  • detect and record your transactions automatically from financial SMS (Android, with your consent);
  • provide Advisor Gwiza guidance in response to your questions;
  • initiate payment instructions you request, through our payment partners;
  • send you Service and, if you opt in, newsletter communications;
  • maintain security, prevent fraud and abuse, and meet our legal and regulatory obligations.

We do not sell your personal data. We do not use your data for third-party advertising.

5. Our legal bases (Law N° 058/2021, Article 46)

  • Your consent — for reading financial SMS, for optional communications, and where otherwise required. You can withdraw consent at any time.
  • Performance of a contract — to provide the Service you have signed up for.
  • Compliance with a legal obligation — including financial-sector and data-protection requirements.
  • Our legitimate interests — to keep the Service secure and to improve it, balanced against your rights.

6. How payments work (non-custodial model)

Gwiza initiates payment instructions; it does not hold, receive, or move your money itself. Execution is performed by licensed partners (for example, RSwitch / eKash and the relevant mobile money operator or bank). When you authorise a payment, the details necessary to execute it are shared with the relevant partner. Those partners process that data under their own terms and applicable law.

7. Advisor Gwiza and AI processing

Advisor Gwiza generates guidance using Anthropic's Claude API. When you ask a question, the relevant context (such as parts of your financial profile and your question) is sent to Anthropic to generate a response. Anthropic processes this to produce the reply and, under its commercial API terms, does not use it to train its models. Advisor Gwiza provides general guidance and is not a substitute for licensed financial, legal, or tax advice.

8. Who we share information with

We share personal data only with service providers ("processors") who help us run the Service, under contracts that require them to protect it and use it only on our instructions:

Provider Purpose
Supabase Secure database and authentication
Vercel Application and website hosting
Anthropic Advisor Gwiza AI responses
Resend Sending emails and newsletters (if you subscribe)
Payment partners (e.g. RSwitch / eKash, mobile money operators, banks) Executing payment instructions you initiate

We may also disclose information where required by law, regulation, or valid legal process, or to protect the rights, safety, and security of users, the public, or Gwiza.

9. Where your data is stored and international transfers (Law N° 058/2021, Articles 48–50)

Some of our service providers — including Supabase (database and authentication), Vercel (application and website hosting), and Anthropic (Advisor Gwiza AI responses) — store or process data on servers outside Rwanda. Gwiza Fintech LTD holds a valid registration certificate from the National Cyber Security Authority (NCSA) authorising this storage outside Rwanda, as required by Article 50 of Law N° 058/2021, and observes the conditions set by Articles 48 to 50 governing the transfer and storage of personal data abroad.

10. How long we keep your data (Law N° 058/2021, Article 52)

In line with Article 52 of Law N° 058/2021, Gwiza retains your personal data until the purposes of the processing are fulfilled. We may retain personal data for a longer period only on the grounds the law allows, namely where:

  1. retention is authorised by law;
  2. retention is required by a contract concluded between the parties;
  3. the personal data relates to a function or activity for which it is collected or processed;
  4. it is needed for preventing, detecting, investigating, prosecuting, or punishing an offender;
  5. it is needed for protecting national security;
  6. it is needed for enforcing a court order;
  7. it is needed for enforcing legislation relating to the collection of public revenues;
  8. it is needed for conducting proceedings before a court;
  9. it is needed for carrying out research authorised by a relevant authority; or
  10. you consent.

At the end of the retention period, we destroy your personal data in a manner that prevents its reconstruction in an intelligible form. You can request deletion of your account and data at any time (see Section 12), subject to the grounds above.

11. SMS permission — detail and control (Android)

Status: the native Android application is currently in development. The controls below take effect once it is released; until then, no SMS permission is requested by any Gwiza app.

  • Gwiza requests the SMS permission only when you choose to turn on automatic transaction tracking, and only after showing you a clear in-app explanation.
  • The permission is used solely to read financial messages and record your transactions. Personal messages are never read, stored, or sent anywhere; your inbox is never uploaded.
  • You can decline the permission and still use Gwiza by entering transactions manually.
  • You can turn it off at any time in the app's Settings, or revoke the permission in your device's system settings. Revoking it stops all SMS access immediately.
  • We never sell SMS or transaction data, and never share it with third parties for advertising or marketing.

12. Your rights

Under Law N° 058/2021 you have the right to:

  • access the personal data we hold about you (Article 18);
  • rectify inaccurate or incomplete data (Article 24);
  • erase your data ("right to be forgotten"), subject to legal retention requirements (Article 23);
  • restrict processing (Article 22) or object to processing (Article 19);
  • data portability — receive your data in a structured, readable format (Article 20);
  • withdraw consent at any time, without affecting processing done before withdrawal (Article 8).

To exercise any of these, contact us at admin@gwizafintech.com. We will respond within the timeframes required by law (generally thirty (30) days). If you are not satisfied, you may appeal to, or lodge a complaint with, Rwanda's data protection supervisory authority, the National Cyber Security Authority (NCSA).

13. Security

We protect your data with measures including encrypted connections, hashed passwords, and row-level access controls so that your records can be read only by you. No system is perfectly secure, but we work continuously to safeguard your information. In line with Article 43 of the law, we will notify the NCSA within 48 hours, and you where required, of any personal data breach likely to affect you.

14. Age requirement

Gwiza is intended for adults (18 years and older). We do not knowingly collect personal data from children. Where the law requires consent for a person under sixteen (16), it must be given by a holder of parental responsibility. If you believe a child has provided us data, contact us and we will delete it.

15. Changes to this policy

We may update this policy from time to time. We will post the updated version here with a new "Last updated" date and, for significant changes, notify you in the app or by email.

16. Contact us

Questions, requests, or complaints:

Gwiza Fintech LTD 17 KG 676 Street, Amahoro, Kimihurura, Gasabo, Kigali, Rwanda Company TIN: 156157915 Email: admin@gwizafintech.com Data protection contact: Yvette Kagoyire (admin@gwizafintech.com)

© 2026 Gwiza Fintech Ltd · Kigali, Rwanda