← Back

Privacy Policy

Last updated: 14 April 2026

This Privacy Policy describes how Gwiza Fintech Ltd (“we”, “us”) collects, uses, and protects your personal data when you use G.wiza.

We operate under Rwanda Law N° 058/2021 on the protection of personal data and privacy. For a plain-language overview and data controls, see the Data security & privacy page.

1. Data we collect

  • Account: email address, password hash, display name.
  • Financial profile: income sources, goals, debts, expenses, investment holdings — all entered by you.
  • Plan & execution data: allocation plans, payday history, agent runs.
  • Advisor conversations: messages you send to Advisor Gwiza, stored so context persists across sessions.
  • Technical: session token, device type, basic request logs for security.

We do not collect your national ID number, bank credentials, SMS messages, or contacts.

2. Why we collect it

  • To run the Service and give you planning and execution reminders.
  • To personalise Advisor Gwiza's answers based on your profile.
  • To secure your account and detect abuse.
  • To comply with Rwandan legal obligations.

3. Legal basis

We process your data based on (a) the contract with you to provide the Service, (b) your consent when you accept these terms at signup, and (c) our legitimate interest in keeping the Service secure.

4. How long we keep it

We retain your data for as long as your account is active. When you delete your account, every row we hold about you is permanently erased within 30 days. Aggregated, anonymised analytics may be retained beyond that.

5. Who we share with

  • Supabase (Frankfurt, EU) — database and authentication hosting.
  • Anthropic — Advisor Gwiza messages are sent to Claude for inference. Anthropic does not train on your conversations.
  • Vercel — application hosting and logs.

We never sell your data. We never share your individual financial data with banks, telcos, or third parties without your explicit consent.

6. Your rights

Under Rwanda Law N° 058/2021 you have the right to access, correct, export, and delete your data, and to withdraw consent. You can exercise all of these directly from the security page, or by emailing privacy@gwiza.rw.

7. Security

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Row-level security locks every record to its owning account. Sessions expire automatically after 7 days of inactivity.

8. Children

G.wiza is not directed at children under 16. If you believe a child has created an account, contact us and we will delete it.

9. Changes

If we materially change this policy, we will notify you in the app and, where required, ask for renewed consent.

10. Contact

Gwiza Fintech Ltd, Kigali, Rwanda.
General: hello@gwiza.rw
Privacy: privacy@gwiza.rw

© 2026 Gwiza Fintech Ltd · Kigali, Rwanda