Effective Date: 1 June 2026
Last Updated: 1 June 2026
Jurisdiction: United Republic of Tanzania
This Privacy Policy explains how NewHope Technology ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use the NewHope SMS platform. We comply with Tanzania's Personal Data Protection Act (PDPA) 2022.
1. Who We Are
NewHope Technology is a technology company registered and operating in Morogoro, Tanzania. We operate the NewHope SMS platform — a bulk SMS, OTP, and API messaging service — at newhope.co.tz.
For the purposes of Tanzania's Personal Data Protection Act 2022, NewHope Technology is the Data Controller of the personal data described in this Policy.
2. Data We Collect
| Category | Data Items | Purpose |
|---|
| Account Data |
Full name, business name, email address, phone number, password (hashed) |
Account creation and authentication |
| KYC Data |
National ID (NIDA), Business License, BRELA certificate, TRA documents, document images |
Regulatory compliance and identity verification |
| Financial Data |
Payment transactions, mobile money reference numbers, top-up history, credit balance |
Payment processing and account management |
| SMS & Message Data |
Recipient phone numbers, message content, delivery timestamps, sender IDs, message status |
Service delivery and reporting |
| Technical Data |
IP address, browser type, device information, API usage logs, session tokens |
Security, analytics, and system improvement |
| Communication Data |
Emails and support messages sent to us |
Customer support and dispute resolution |
3. How We Collect Data
We collect personal data through the following means:
- Directly from you — when you register an account, complete KYC, make payments, send SMS messages, or contact our support team
- Automatically — through server logs, cookies, and API access records when you use our platform or API
- From third parties — payment confirmation data from mobile money operators (Vodacom, Airtel, Tigo) to verify top-ups
- From SMS gateway providers — delivery status reports for messages sent through our platform
4. How We Use Your Data
We use your personal data strictly for the following purposes:
- Creating and managing your account
- Verifying your identity and complying with KYC/AML regulations
- Processing payments and managing SMS credits
- Delivering SMS messages and providing delivery reports
- Communicating service updates, billing notices, and security alerts
- Investigating and preventing fraud, abuse, and prohibited activities
- Complying with legal obligations and responding to lawful government requests
- Improving our platform through anonymised usage analytics
- Resolving disputes and enforcing our Terms of Service
We will never sell your personal data to third parties for commercial advertising purposes.
5. Legal Basis for Processing
Under Tanzania's Personal Data Protection Act 2022, we process your data on the following legal bases:
- Contract performance — to deliver the services you have contracted with us
- Legal obligation — to comply with KYC/AML requirements under Tanzanian law
- Legitimate interests — for fraud prevention, platform security, and service improvement
- Consent — where you have explicitly agreed (e.g., marketing communications)
6. KYC Data Handling
KYC documents and identity data are treated with the highest level of sensitivity:
- Documents are stored in encrypted form on secure servers located in Tanzania
- Access is restricted to authorised compliance staff (IT and CEO roles) only
- Documents are not shared with third parties except as required by TCRA, TRA, or law enforcement under lawful process
- Once KYC is approved, documents are archived and access is further restricted
- If KYC is rejected, uploaded documents are deleted within 30 days of the rejection decision unless a re-submission is pending
Your identity documents are never used for any purpose other than regulatory verification and are never sold, rented, or licensed to any commercial third party.
7. SMS & Message Data
When you use our platform to send SMS messages:
- Message content and recipient numbers are processed by our system and forwarded to SMS gateway providers for delivery
- Message logs (recipient, timestamp, status, cost) are retained for 12 months and accessible through your dashboard
- We do not read message content except to enforce our Acceptable Use Policy when specific violations are reported
- Recipient phone numbers you upload are processed solely for the purpose of sending your requested messages and are not added to any marketing database
You are responsible for ensuring you have lawful authority to message the recipients you upload. You must maintain your own records of consent obtained from your message recipients.
8. Data Sharing & Disclosure
We may share your data only in the following circumstances:
- SMS Gateway Providers — recipient numbers and message content are passed to gateway partners (under data processing agreements) solely to deliver your messages
- Mobile Money Operators — payment reference data is shared with Vodacom, Airtel, or Tigo to verify and process top-up transactions
- Legal & Regulatory Authorities — we will disclose data to TCRA, TRA, Tanzania Police Force, or courts when required by a valid legal order
- Business Transfers — in the event of a merger, acquisition, or asset sale, user data may be transferred to the acquiring entity subject to equivalent privacy protections
We do not share personal data with advertisers, data brokers, or any other commercial third parties.
9. Data Storage & Security
We implement industry-standard technical and organisational measures to protect your data:
- Encryption at rest — all databases and file stores use AES-256 encryption
- Encryption in transit — all data transmitted between your browser/app and our servers uses TLS 1.2+
- Password security — user passwords are stored as bcrypt/PBKDF2 hashes and never in plain text
- API key security — API secrets are stored hashed and displayed only once at creation
- Access controls — role-based access controls (RBAC) limit data access to authorised staff only
- Audit logging — all administrative data access is logged and regularly reviewed
- Regular backups — encrypted backups are performed daily and stored securely
Despite our best efforts, no system is completely secure. In the event of a data breach affecting your rights, we will notify you within 72 hours of becoming aware of the breach, as required by the PDPA 2022.
10. Data Retention
We retain your data for the following periods:
- Account data — for the duration of your account plus 2 years after closure
- KYC documents — 7 years from account closure (as required by TRA financial regulations)
- Transaction & payment records — 7 years (statutory financial record requirements)
- SMS message logs — 12 months from sending date, then anonymised
- API access logs — 90 days for security monitoring
- Support communications — 3 years from the date of last communication
After retention periods expire, data is securely deleted using industry-standard data destruction methods.
11. Your Rights
Under the Personal Data Protection Act 2022 and applicable law, you have the following rights regarding your personal data:
Right to Access
Request a copy of all personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your data (subject to legal retention obligations).
Right to Restriction
Request that we limit how we process your data in certain circumstances.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests.
To exercise any of these rights, email us at info@newhope.co.tz with the subject line "Data Rights Request". We will respond within 30 days.
12. Cookies & Tracking
Our website uses the following types of cookies:
- Strictly necessary — session cookies required for authentication and security (cannot be disabled)
- Functional — remember your preferences such as language and UI settings
- Analytics — anonymised usage data to understand how visitors use our site (you may opt out)
We do not use advertising or tracking cookies. You can control cookies through your browser settings, though disabling strictly necessary cookies will prevent you from using the platform.
13. Children's Privacy
The NewHope SMS Service is not intended for or directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has registered an account, please contact us immediately at info@newhope.co.tz and we will delete the account promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to you by email at least 14 days before they take effect. The date of the most recent revision is shown at the top of this page.
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of those changes.
Last updated: 1 June 2026 — Version 1.0