TUMA Privacy Policy

Last updated: 12 November 2025

1. Introduction

Money Transfer International Ltd (“MTI”, trading as “Tuma”, “we”, “us”, “our”) is authorised and regulated by the Financial Conduct Authority (FCA) as a Small Payment Institution (FRN 828633) under the Payment Services Regulations 2017.

MTI is committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring all processing of personal data follows the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability (Article 5 UK GDPR).

This Privacy Policy explains:

  • what information we collect;
  • how and why we process it;
  • the lawful bases for each activity;
  • how we secure, retain, and share it; and
  • what rights you have under data-protection law.

By creating an account or using the Tuma/MTI website, app, or related services, you acknowledge that you have read this Privacy Policy.

Definition

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

“Special Category Data” means Personal Data revealing or relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data processed for the purpose of uniquely identifying an individual, health data, or data concerning a person’s sex life or sexual orientation. Special Category Data requires enhanced protection under the UK GDPR.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller and in accordance with the Controller’s instructions.

“Automated Decision-Making” means a decision made about an individual solely by automated means, without meaningful human involvement, including any automated processing or profiling that produces legal effects concerning the individual or similarly significantly affects them.

“Data Transfer” means the disclosure, transmission, copying, or making available of Personal Data to a recipient located outside the United Kingdom, or to an international organisation, by physical, electronic, or other means as governed by Chapter V of the UK GDPR.

“Tuma Platform” means the digital ecosystem operated by TUMA for the provision of money remittance and associated services, including its systems, applications, websites, software, databases, interfaces, and any related technological infrastructure used to process or store Personal Data.

“MLRO” or “Money Laundering Reporting Officer” means the individual formally appointed by the organisation to oversee Anti-Money Laundering (AML) compliance, receive and assess internal Suspicious Activity Reports (SARs), and act as the primary liaison with relevant regulatory and law enforcement authorities.

2. Identity of the Controller and Scope

Data Controller: Money Transfer International Ltd (MTI)

Registered jurisdiction: United Kingdom

Contact Email: privacy@tuma.com

Support Email: support@tuma.com

Tuma processes personal data both in the United Kingdom and through authorised employees in Kenya. MTI (UK) remains the primary controller; MTI (Kenya) operates solely as a processor acting under MTI (UK)’s documented instructions pursuant to Article 28 UK GDPR. This Policy applies to all senders, recipients, vendors, partners, and third-party processors engaged with Tuma’s payment and remittance services.

3. How We Use Your Data

Overview

We process your personal data in a variety of ways in order to deliver, maintain and enhance our remittance services, comply with regulatory obligations, protect you and us from fraud, and communicate with you. All processing is subject to the principles in Article 5 of the UK GDPR and the requirement that we have a lawful basis under Article 6 UK GDPR (or Article 9 where special categories apply).

3.1 Service Delivery & Account Management

  • We use your data to register and onboard you as a customer, to verify your identity, fulfil transactional requests (sending and receiving funds), provide customer support, account administration and service updates. (Lawful basis: Article 6(1)(b) UK GDPR — processing necessary for performance of a contract you have with us.)
  • When you act as a sender, you will receive in-app notifications confirming transfer status. When you act as a recipient, you will receive SMS notifications once the funds are available.
  • We process payment and transaction details (sender bank or pay-bill account, recipient details, purpose of payment, amounts) to execute your instructions and to maintain records.

3.2 Compliance with Legal Obligations

  • We process data to satisfy our obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and related legislation (e.g., the Proceeds of Crime Act 2002, the Terrorism Act 2000). This includes customer due-diligence checks (Reg. 27 MLR 2017), ongoing monitoring, record-keeping (Reg. 40 MLR 2017) and submission of Suspicious Activity Reports (SARs). (Lawful basis: Article 6(1)(c) UK GDPR — processing necessary for compliance with a legal obligation.)
  • Machine learning and algorithmic risk-scoring systems analyse thousands of data points (device metadata, IP/VPN detection, transaction behaviour) to flag high-risk transactions; however, any final decision (such as blocking a transaction) is reviewed by a human operator, in line with the safeguards for automated decisions required by Article 22 UK GDPR.

3.3 Fraud Prevention, Risk Assessment & Analytics

  • We use your data for fraud detection, risk scoring, anomaly-detection, system improvement and operational resilience. These activities are necessary in our legitimate interests to protect our business and customers. (Lawful basis: Article 6(1)(f) UK GDPR — legitimate interests, balanced against your rights and freedoms.)
  • We collect and analyse clickstream data, device metadata, app usage, geolocation, time-of-transaction, and other indicators to enhance the security of the platform, identify misuse, and optimise user experience.
  • We may create aggregate, pseudonymised datasets for internal reporting, trend analysis and service optimisation; no individual is re-identified in these analytics unless required for investigation.

3.4 Marketing & Communications

  • We may use your contact details and engagement data to send you information about our services, updates, promotions and referral programmes (once the referral programme is in force). This is done with your consent or where permitted under legitimate interests (e.g., marketing to existing customers). (Lawful basis: Article 6(1)(a) – consent; or Article 6(1)(f) – legitimate interests.)
  • You have the right to withdraw your consent at any time by opting out; once you do, we will cease further marketing communications.
  • We do not sell your personal data to third-parties for marketing purposes.

3.5 Auditing, Internal Governance & Legal Defence

  • We use your data for internal auditing, regulatory reporting, quality assurance, compliance investigations and legal claims (including defence of disputes). This may include reviewing transaction logs, access logs, anomaly reports, vendor performance data and staff access records. This supports our compliance with the FCA Handbook (SYSC 6.3) and our accountability obligations under Article 24 UK GDPR. (Lawful basis: Article 6(1)(f) UK GDPR.)
  • In circumstances where you request deletion or restriction of processing, we may suspend limited processes while verifying your identity and assessing legal retention obligations.

4. Legal & Regulatory Basis

4.1 Overview of Applicable Legal Framework

This section summarises the legal regimes relevant to our processing, the lawful bases for processing under the UK GDPR, and how they apply to our service.

  • The UK GDPR and Data Protection Act 2018 establish the general rules for lawful processing of personal data (Articles 5–6, 12–23, 24–33, 44–46).
  • The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 impose detailed obligations on regulated firms to verify customers, monitor transactions, maintain records and report suspicious activity.
  • The Proceeds of Crime Act 2002 and the Terrorism Act 2000 include criminal offence and disclosure regimes, including powers to require cooperation with competent authorities.
  • The Payment Services Regulations 2017 require payment-service providers to maintain appropriate records, handle transfers properly, and protect customer funds.
  • The FCA Handbook (particularly SYSC 6.3) sets out systems and controls requirements for firms subject to FCA regulation.
  • The Privacy and Electronic Communications Regulations 2003 (PECR) regulate the use of cookies and electronic marketing communications.

4.2 Lawful Bases for Processing (Article 6 UK GDPR)

Purpose of Processing | Lawful Basis | Explanation
Onboarding, KYC, execution of transfers | Article 6(1)(b) – Contractual necessity | Without processing, we cannot fulfil our contractual obligations to you.
AML/CTF compliance, regulatory reporting | Article 6(1)(c) – Legal obligation | We are required by law to process certain data to comply with AML/CTF rules and keep records.
Fraud prevention, security, analytics, service improvement | Article 6(1)(f) – Legitimate interests | We have a legitimate interest in protecting our systems and users, provided we balance this against your rights.
Marketing communications (with consent) | Article 6(1)(a) – Consent | Where required, we will seek your explicit consent before processing for marketing.
Vital interests (rare cases) | Article 6(1)(d) – Vital interests | In limited scenarios where an individual’s life or well-being is at risk, personal data may be processed to protect those interests.

4.3 Special Category Data & Automated Decisions

  • Where we process special category data (implied by photo ID and biometric liveness data), we rely on Article 9(2)(g) UK GDPR (substantial public interest) along with appropriate safeguards. TUMA applies enhanced safeguards when processing biometric data, including:
    1. Collecting only biometric information necessary to verify identity and detect fraud;
    2. Storing biometric templates in encrypted form using industry-standard security measures;
    3. Restricting access to authorised personnel and approved verification partners only;
    4. Prohibiting the use of biometric data for marketing, profiling, or unrelated purposes;
    5. Ensuring that biometric data is stored separately from other identity documents whenever technically possible; and
    6. Conducting regular audits to confirm compliance with biometric-processing requirements.
  • Biometric data is retained only for the minimum period necessary to complete identity verification and fraud-prevention checks. Unless required for the detection or investigation of fraud, biometric templates are deleted shortly after verification has been successfully completed in accordance with TUMA’s retention schedule.
  • Automated decision-making (e.g., machine-learning risk-scoring) is used to flag transactions, but we ensure human review before any legally-significant decision (Article 22 UK GDPR). We inform you of the logic, significance and envisaged consequences in relevant cases.

4.4 Accountability, Governance & Documentation

  • In accordance with Articles 24 and 30 UK GDPR, TUMA maintains records of processing activities, performs Data Protection Impact Assessments (DPIAs) where required (Articles 35–36), and implements organisational and technical measures to ensure and demonstrate compliance (Article 32).
  • Governance is overseen by the Privacy Team, the MLRO and the Compliance Officer, reporting to senior management and the FCA, in line with FCA SYSC 6.3.
  • Staff undertake mandatory training in data protection (UK GDPR), AML/CTF compliance and vendor management, ensuring our internal culture supports privacy and financial crime prevention.

5. Data Sharing & Disclosure

5.1 Purpose and Legal Basis

We share personal data only where it is necessary for service functionality, compliance with a legal obligation, or our legitimate interests in maintaining secure and efficient operations.

  • Contractual necessity (Article 6(1)(b) UK GDPR) – sharing data with payment partners, banks, or mobile money aggregators to execute user transactions.
  • Legal obligation (Article 6(1)(c)) – disclosure to regulators or law-enforcement authorities under the Money Laundering Regulations 2017, Proceeds of Crime Act 2002, Terrorism Act 2000, and Payment Services Regulations 2017.
  • Legitimate interests (Article 6(1)(f)) – use of secure service providers (cloud, SMS, email) essential to our operations, subject to data-minimisation and encryption controls.

5.2 Categories of Recipients

  1. Payment partners and financial institutions – UK and overseas banks, payment processors, mobile money operators and clearing networks that facilitate fund settlement and reconciliation. This includes partners located or operating in jurisdictions outside the UK such as Kenya, Tanzania, Uganda and other regions where cross-border remittances are executed. Personal Data may therefore be accessed by authorised personnel in those countries solely for transaction processing and settlement.
  2. Identity-verification and AML/CTF service providers – third-party KYC, sanctions-screening and fraud-monitoring systems acting as processors under Article 28 UK GDPR. Some of these service providers may process or access Personal Data from outside the UK, including providers based in the EEA, United States or other jurisdictions offering specialist screening, fraud-detection or biometric verification services.
  3. Technology and infrastructure partners – secure cloud-hosting environments and communication platforms (e.g., email/SMS gateways) operating within the UK. Certain cloud, analytics, or SMS gateway providers may rely on support teams or infrastructure located outside the UK, meaning Personal Data may be accessed from overseas locations for maintenance, routing or service continuity purposes.
  4. Regulators and competent authorities – the FCA, HMRC, NCA, law-enforcement bodies or courts, when legally required or to fulfil obligations under Reg. 40 MLR 2017 or POCA s.330. Where transactions involve overseas jurisdictions, we may also be required to cooperate with foreign regulators or law-enforcement agencies where legally permissible and strictly necessary for crime-prevention or regulatory compliance.
  5. Legal advisers and auditors – external professionals bound by confidentiality who support audits, dispute resolution or compliance reviews. In certain circumstances, audit or advisory teams may access Personal Data from outside the UK, subject always to confidentiality obligations and appropriate international transfer safeguards.

5.3 Scenarios for Lawful Disclosure

Data may be disclosed in specific situations, including but not limited to:

  • Responding to a court order, subpoena or production notice;
  • Cooperating with an FCA or HMRC investigation;
  • Reporting suspicious or fraudulent activity to the NCA;
  • Preventing or detecting an imminent financial crime;
  • Protecting the rights, property or safety of our users or the public.

These disclosures are consistent with Articles 6(1)(c) and 6(1)(f) UK GDPR and the relevant financial-crime statutes.

5.4 Safeguards and Data-Processing Agreements

  • All third-party processors are engaged under written Data-Processing Agreements (DPAs) that meet the requirements of Article 28(3) UK GDPR, obligating them to process data only on Tuma’s documented instructions, maintain confidentiality, and implement appropriate security measures.
  • Data shared externally is encrypted and minimised to the information strictly necessary for the purpose.
  • Access is role-based and logged; transfers are restricted to secure channels.
  • Tuma conducts vendor due-diligence and onboarding reviews to ensure suppliers remain compliant with UK data-protection and FCA standards.

5.5 Cross-Border Aspects

Where personal data is accessed by authorised Tuma staff in Kenya for processing or support, this is conducted under the UK International Data Transfer Agreement (IDTA) ensuring an equivalent level of protection (Articles 44–46 UK GDPR).

No data is shared with unrelated affiliates, and Tuma does not sell customer information to any third party.

6. International Data Transfers

6.1 General Principle (Articles 44–46 UK GDPR)

Tuma ensures that any transfer of personal data outside the United Kingdom takes place in compliance with Chapter V of the UK GDPR. Cross-border transfers are limited and occur only when necessary for operational or regulatory purposes. We apply appropriate safeguards to guarantee an equivalent level of protection to that required under UK law.

6.2 Transfers Within the Tuma Group

  • MTI (UK) is the Data Controller and MTI (Kenya) acts as a Data Processor for limited operational purposes such as compliance review, reconciliation, and customer-service support.
  • Access to personal data by MTI (Kenya) staff is strictly role-based and logged, and permissions are reviewed quarterly by the UK Compliance Team.
  • The processing is governed by a Group Data-Processing Agreement incorporating the UK International Data Transfer Agreement (IDTA), which provides contractual and technical guarantees consistent with Articles 46(2)(d) and 46(5) UK GDPR.

6.3 Transfers to Third-Party Processors

  • All third-party vendors that may access personal data from outside the UK are required to adopt the IDTA or the UK Addendum to the EU Standard Contractual Clauses (SCCs).
  • Before approving any transfer, Tuma performs a Transfer Risk Assessment evaluating destination-country laws, potential access by public authorities, and technical safeguards (encryption, pseudonymisation, audit logs).

6.4 Adequacy and Safeguards

Where the UK Government has issued an adequacy regulation confirming that a country ensures an adequate level of protection, transfers may rely on that basis (Article 45 UK GDPR). Where adequacy is absent, transfers rely on contractual clauses, technical safeguards, and organisational controls to ensure effective data protection and enforceable rights.

6.5 Rights and Transparency

International transfers do not affect your statutory rights under UK law. You may request further information on the applicable safeguards or obtain a copy of the relevant transfer mechanism by contacting privacy@tuma.com.

7. Data Retention

7.1 Principle of Storage Limitation (Article 5(1)(e) UK GDPR)

We retain personal data only for as long as necessary for the purposes for which it was collected and to satisfy legal, accounting, or regulatory requirements.

7.2 Statutory Retention Requirements

Under Regulation 40(2) of the Money Laundering Regulations 2017, we must retain customer due-diligence and transactional records for five years after the business relationship ends or the date of the transaction.

Other applicable legislation, such as the Payment Services Regulations 2017 and the Companies Act 2006, may require certain financial records to be maintained for audit purposes.

7.3 Dormant Storage and Restricted Access

  • During the retention period, personal data is held in a dormant, access-restricted state within secure UK-based servers.
  • Access is limited to authorised compliance or audit personnel responding to lawful requests or investigating customer complaints.

7.4 Anonymisation and Deletion

After the five-year period, Tuma applies an anonymisation and secure-deletion process:

  1. Personal identifiers are permanently removed or replaced with randomised tokens.
  2. All back-ups containing personal data are overwritten or cryptographically destroyed.
  3. Verification of deletion is recorded in our audit log in accordance with Article 30 UK GDPR (record of processing activities).

7.5 Customer-Initiated Deletion Requests

Customers may request deletion of their data once retention obligations have expired. Requests are reviewed under Articles 17 and 19 UK GDPR, except where data must be preserved for:

  • compliance with a legal obligation or order from an authority;
  • ongoing investigations or enforcement actions; or
  • establishment, exercise, or defence of legal claims.

8. Data Security

8.1 Security Governance and Legal Framework

Tuma is obliged under Article 32 UK GDPR and SYSC 6.3 FCA Handbook to implement technical and organisational measures appropriate to the risks of processing. Security controls are embedded across the company’s first and second lines of defence and are continuously reviewed through internal audit and compliance oversight.

8.2 Technical Measures

  • Encryption: All personal and transactional data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 standard).
  • Network Protection: firewalls, intrusion-detection systems, and endpoint protection across our infrastructure.
  • Access Control: role-based permissions, two-factor and multi-factor authentication (2FA/MFA), and quarterly access reviews for both UK and Kenyan staff.
  • Segregation of Duties: administrative, compliance and development environments separated to limit insider risk.
  • Logging & Monitoring: system logs retained for forensic and compliance purposes, reviewed by the MLRO and IT Security Lead.

8.3 Organisational Measures

  • Training & Awareness: all employees complete mandatory GDPR and AML/CTF training during onboarding and refreshers annually.
  • Incident Response Plan: established procedures to identify, contain, investigate and remediate any data-security incident.
  • Breach Notification: in the event of a personal-data breach, Tuma will notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware (Article 33 UK GDPR). If the breach is likely to result in a high risk to individuals, we will also notify affected data subjects (Article 34 UK GDPR).
  • Audit & Oversight: the Compliance Team and MLRO review security controls quarterly; findings are escalated to senior management.

8.4 Vendor Security Assurance

  • External processors must demonstrate adherence to recognised standards (e.g., ISO 27001 or SOC 2 Type II) and maintain equivalent safeguards.
  • Contracts require immediate notification to Tuma of any breach or sub-processing change.
  • Vendor risk assessments are conducted before engagement and periodically thereafter, consistent with FCA SYSC 8 (Outsourcing).

8.5 User Responsibilities

Customers must protect their login credentials and immediately report suspected unauthorised access. Tuma will never request full card or password details via email or social media.

8.6 Continuous Improvement

Security measures are evaluated against evolving threats, regulatory guidance from the ICO and FCA, and international best practice (NCSC Cyber Essentials Plus). Updates are implemented through our quarterly governance reviews.

9. Your Rights

9.1 Overview

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, every individual whose data we process (“data subject”) enjoys specific rights. Tuma fully recognises and facilitates these rights in accordance with Articles 12 to 23 UK GDPR, applying appropriate verification, response, and documentation procedures.

Requests are free of charge (except where repetitive or excessive) and can be submitted via privacy@tuma.com, in-app forms, or written correspondence. Tuma must respond within one month of receiving a valid request, extendable by a further two months for complex cases (Article 12(3)).

9.2 Your Individual Rights

  • a) Right to be Informed (Articles 13–14 UK GDPR)

    You are entitled to clear, transparent information about how your data is collected, used, shared, and retained. This Privacy Policy fulfils that requirement.

    For the purposes of this Policy, the following categories of Personal Data may be collected and processed:

    • Identity Data - Includes full name, date of birth, gender, nationality, identification numbers, passport or national ID details, photos, and any other official identity information.
    • Contact Data - Includes phone numbers, email addresses, residential or postal address, E-Visa (find verification) and any other contact information provided by the Data Subject.
    • Financial Data - Includes bank account details, mobile money account numbers, payment instrument details, wallet identifiers, and other financial information used to facilitate transactions.
    • Transaction Data - Includes records of money transfers, transaction history, amounts sent or received, currencies, dates, purposes of transfer, sender and recipient details, reference numbers, and other information necessary for the execution and monitoring of transactions.
    • Device Data - Includes device identifiers, IP addresses, browser type, operating system, geolocation data, device settings, and other technical information collected when accessing or using the Tuma Platform.
    • Behavioural Data - Includes usage logs, activity patterns, clickstream data, interaction data, preferences, and behavioural insights derived from use of the Tuma Platform.
    • Biometric Data - Includes facial recognition data, liveness checks, or other biometric identifiers processed for identity verification in accordance with applicable law.
    • Communications Data - Includes chat logs, email correspondence, call logs, customer service interactions, and recordings or transcripts of communications where permitted by law.
    • AML/KYC Data - Includes information collected to comply with Anti-Money Laundering and Know Your Customer obligations such as sanctions screening results, PEP (Politically Exposed Person) checks, adverse media findings, risk scores, supporting documents, and verification results.
    • Profile Data - Includes customer profiles, account credentials, preferences, settings, eligibility assessments, risk classifications, and other derived or assigned information.
    • Marketing and Consent Data - Includes marketing preferences, opt-in/opt-out records, consent logs, and records of permissions granted for the processing of Personal Data.

  • b) Right of Access (Article 15)

    You may obtain confirmation of whether Tuma holds personal data about you and request a copy of that data. We provide details of processing purposes, data categories, recipients, retention periods, and safeguards for international transfers. If a request is manifestly unfounded or excessive, we may refuse it or charge a reasonable fee as permitted by Article 12(5).

  • c) Right to Rectification (Article 16)

    You can ask us to correct inaccurate or incomplete information — for example, an updated residential address, new identity document, or changed phone number. We will inform any third-party processors who hold incorrect information so they can correct their records.

  • d) Right to Erasure (“Right to be Forgotten”, Article 17)

    You can request deletion of your personal data where:

    • it is no longer required for its original purpose,
    • you withdraw consent (where consent was the basis), or
    • you successfully object to processing.

    We may decline deletion if processing remains necessary to:

    • comply with AML/CTF legal obligations,
    • meet record-keeping duties under Reg. 40 MLR 2017, or
    • establish or defend legal claims.

  • e) Right to Restriction of Processing (Article 18)

    You may request restriction where you contest data accuracy, the processing is unlawful but you oppose erasure, or we no longer need the data but you require it for legal purposes. During restriction, access to your data is suspended except for storage or legal use.

  • f) Right to Data Portability (Article 20)

    You can request a machine-readable copy (CSV/JSON) of personal data you provided, or ask us to transmit it to another controller, where processing is based on consent or contract and performed by automated means.

  • g) Right to Object (Article 21)

    You can object to processing based on our legitimate interests, such as analytics or marketing. If you object to marketing, we will immediately cease sending promotional communications.

  • h) Rights relating to Automated Decision-Making and Profiling (Article 22)

    Tuma’s automated risk-scoring and fraud-detection systems are designed to protect our customers and the financial system. No decision that produces legal or significant effects (e.g., permanent account closure) is made solely by automated means; all high-risk cases are subject to human review. You may request human intervention, express your viewpoint, or contest such decisions.

9.3 Verification and Security of Requests

To protect customers from impersonation or identity theft, Tuma must verify the identity of any person making a request before disclosing or altering data (Article 12(6) UK GDPR). Verification may include:

  • confirming account credentials, or
  • performing a secure liveness check using selfie verification.

9.4 Exercising Your Rights and Escalation

If you wish to exercise any of the above rights, contact privacy@tuma.com.

If you are dissatisfied with our response, you may escalate your complaint to the Information Commissioner’s Office (ICO):

  • Website: www.ico.org.uk
  • Phone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow SK9 5AF

9.5 Children’s Data

TUMA does not onboard or provide services to individuals under the age of eighteen (18). All customers must be adults with full legal capacity to enter into financial and contractual arrangements.

TUMA does not knowingly collect or process Personal Data relating to children, except in limited circumstances where a minor may be a recipient of a remittance transaction. In such cases, only the minimum Personal Data necessary to facilitate the lawful transfer of funds shall be processed, and solely for the purpose of fulfilling the transaction.

When processing Personal Data relating to minors, TUMA shall implement enhanced safeguards, including:

  • Ensuring that any data collected about a minor is strictly limited, relevant, and necessary for the remittance transaction;
  • Verifying that the data is provided by an adult customer acting lawfully and in the minor’s best interests;
  • Limiting access to such data to authorised personnel only;
  • Avoiding any profiling, marketing, or automated decision-making concerning minors; and
  • Applying additional security, retention, and confidentiality controls in accordance with the UK GDPR and the Data Protection Act 2018.

TUMA does not use children’s data for marketing, analytics, or any secondary or unrelated purpose.

10. Cookies & Tracking

10.1 Regulatory Context

Our use of cookies and similar technologies complies with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the UK GDPR.

Under Regulation 6 PECR, we must:

  1. Provide clear information on the purpose of cookies or similar tools, and
  2. Obtain consent before storing or accessing information on a user’s device, except for strictly-necessary cookies.

10.2 What Cookies Are

Cookies are small text files stored on your device to recognise your browser or app session. SDKs (Software Development Kits) perform similar functions within the mobile application environment.

10.3 Types of Cookies We Use

Category                     | Purpose                                                                                                     | Consent requirement
-----------------------------|-------------------------------------------------------------------------------------------------------------|------------------------------------
Essential cookies            | Enable core functionality such as secure login, session maintenance, and fraud prevention.                  | Not required ("strictly necessary")
Analytics cookies            | Help us understand how visitors use our website and app (e.g., pages visited, session duration, device type) to improve usability and performance. | Opt-in required under PECR Reg. 6
Functionality cookies        | Remember user preferences (e.g., language or currency).                                                     | Consent required
SDK tracking tools           | Collect anonymised app performance and crash data to improve functionality.                                 | Consent required
Marketing/advertising cookies| Allow us to deliver relevant in-product communications about Tuma's own services.                           | Consent required; no third-party ads

10.4 Analytics and Performance Tools

Tuma uses Google Analytics, Firebase SDK, and similar platforms for aggregated statistical insight. Data collected includes: time on page, navigation path, number of clicks, screen views, device model, operating system, IP-based region, and events triggered in-app.

These analytics are configured to anonymise IP addresses and do not track or store card or identity information.

10.5 Consent Mechanism

  • Upon first visiting our website or installing our app, you will see a cookie banner explaining categories of cookies used.
  • Non-essential cookies are disabled until you explicitly opt in by selecting “Accept” or enabling categories in settings.
  • You can withdraw consent or modify preferences at any time via our Cookie Settings panel or browser/app settings.

(Legal basis: Article 6(1)(a) UK GDPR – consent; Reg. 6 PECR.)

10.6 Managing and Deleting Cookies

You can:

  • use browser settings to block or delete cookies,
  • use “Do Not Track” browser options (these signal a preference to websites but do not themselves block or delete cookies), or
  • reset app permissions.

Refusing cookies may affect certain features, but essential services (such as transaction execution) will remain available.

10.7 Data Security and Retention of Cookie Information

Cookie identifiers are pseudonymised and retained for a maximum of 13 months (consistent with ICO guidance). We do not use cookies to store sensitive financial, biometric, or identification information.

10.8 Further Information

For more on cookies and your choices, visit www.allaboutcookies.org or the ICO’s guidance on cookies and similar technologies.

11. Policy Updates & Communication

11.1 Purpose of this Section

Transparency requires that data subjects are informed whenever the controller makes material changes to how personal data is processed. In line with Article 12(1) UK GDPR, Tuma provides this section to describe how our Privacy Policy is maintained, reviewed, and communicated to users and stakeholders.

11.2 Review Cycle and Change Triggers

Tuma maintains a formal Privacy Policy review schedule consistent with its internal compliance calendar under FCA SYSC 6.3.7 R.

  • Quarterly Review: The Privacy Team and Compliance Officer review this Policy every three months to confirm continued compliance with data-protection, AML/CTF, and payment-service legislation.
  • Interim Updates: We will update the Policy whenever one or more of the following occur:
    • new or amended laws or regulatory guidance (e.g., ICO, FCA, HM Treasury, EU EDPB updates);
    • adoption of new technologies or vendors that materially alter how personal data is processed;
    • significant organisational changes, such as new group entities or changes in operational jurisdiction;
    • findings from internal audits, risk assessments, or data-protection impact assessments (DPIAs);
    • new user-facing functionality that requires additional data collection (e.g., referral programmes, marketing tools).

11.3 Version Control and Record Keeping

In compliance with Article 30 UK GDPR (records of processing activities) and the accountability principle (Article 5(2)), Tuma maintains version control logs for each iteration of this Privacy Policy. Each record includes:

  • version number (current v3.1);
  • effective date of publication;
  • summary of changes;
  • approval date by the Compliance Committee;
  • confirmation of review by the MLRO and Privacy Team.

Historic versions are archived securely for five years to demonstrate compliance and audit traceability.

11.4 Communication of Changes to Users

Tuma distinguishes between material and non-material updates:

  • Non-material updates (editorial, formatting, clarification) will take effect immediately upon posting to the website and app. We are not obliged to individually notify customers of such minor edits.
  • Material updates (affecting lawful bases, new categories of data, new purposes of processing, or transfers to new countries) will be announced through:
    • an in-app notification and/or website banner for at least 30 days following publication;
    • a concise summary of changes published alongside the new Policy.

Users are encouraged to review this Policy periodically to stay informed of how their data is handled.

(Legal reference: Articles 12, 13(3) UK GDPR – duty to inform data subjects of further processing; Recital 60 – changes to processing require renewed transparency.)

11.5 Accessibility and Language

  • The Privacy Policy is published publicly on both the Tuma website and within the Tuma mobile application, ensuring equal accessibility for all users, including those outside the UK.
  • A readable and legally-accurate English version is the controlling document. Translations may be provided for convenience but will not modify the legal interpretation of the English version.

(Compliance reference: Article 12(1) – information must be provided in a clear, concise, and easily accessible form.)

11.6 Stakeholder Communication and Training

Material policy changes trigger communication to:

  • Employees and contractors, who must confirm understanding through internal compliance acknowledgment tools;
  • Vendors and processors, through formal amendment notices to their Data-Processing Agreements (Article 28(3));
  • Regulators or auditors, if the change materially affects compliance posture or operational risk.

This ensures alignment with SYSC 6.3.8 R (senior-management responsibility for communication and training).

11.7 User Acceptance

By continuing to use the Tuma platform after a revised Privacy Policy becomes effective, you acknowledge that you have read and understood the updated version.

Where consent is the lawful basis for specific processing (e.g., marketing, cookies), we will request renewed consent if the update changes the nature of that processing.

11.8 Contact for Policy Updates

For clarification about past or upcoming Privacy Policy changes, users may contact the Tuma Privacy Team via privacy@tuma.com or the Compliance Team via support@tuma.com.

All correspondence is logged as part of Tuma’s accountability records under Article 24 UK GDPR.

11.9 Legal Effect and Jurisdiction

This Privacy Policy, including future updates, is governed by and construed in accordance with the laws of England and Wales.

Any disputes or proceedings arising from its interpretation or application shall fall under the exclusive jurisdiction of the courts of England and Wales.

12. Governance & Oversight

12.1 Accountability and Oversight Framework

Tuma maintains a comprehensive governance structure that integrates data-protection, anti-money-laundering (AML), and operational-risk controls. This framework implements the Accountability Principle under Articles 5(2) and 24 UK GDPR, requiring controllers to demonstrate ongoing compliance through documented policies, risk assessments, and training.

12.2 Roles and Responsibilities

  • Privacy Team: Oversees privacy-compliance implementation, responds to data-subject requests, and conducts periodic reviews.
  • Money Laundering Reporting Officer (MLRO): Identifies and reports suspicious activity to relevant authorities and ensures compliance with MLR 2017 and the Proceeds of Crime Act 2002.
  • Compliance Officer: Monitors adherence to FCA Handbook SYSC 6.3 (Systems and Controls), oversees vendor and outsourcing risk, and coordinates quarterly compliance reviews.
  • Senior Management: Receives periodic reports from Compliance and Privacy Teams, approves remediation plans, and ensures adequate resourcing.

12.3 Training and Awareness

All employees, contractors, and temporary staff must complete GDPR and AML/CTF training during onboarding and at least annually thereafter. Training modules include secure-data handling, recognising suspicious activity, incident reporting, and escalation procedures. Completion and comprehension are recorded in central training logs for FCA and ICO audit readiness.

12.4 Internal Controls and Auditing

  • Quarterly Access Reviews: Confirm that only authorised staff can access personal data.
  • Vendor Audits: Assess compliance of all processors with contractual security and confidentiality requirements (Article 28 UK GDPR; FCA SYSC 8).
  • Data Protection Impact Assessments (DPIAs): Conducted for new technologies or major process changes (Articles 35–36 UK GDPR).
  • Audit Logs: Maintained for a minimum of five years to evidence compliance for FCA or ICO audits.

12.5 Reporting and Continuous Improvement

The Privacy Team, MLRO, and Compliance Officer meet quarterly to review privacy and AML metrics, breach reports, and audit findings. Action items are documented and tracked to completion. Outcomes may include updating policies, modifying vendor controls, or enhancing technical safeguards.

12.6 Alignment with Regulatory Guidance

Tuma’s governance model aligns with:

  • FCA Handbook SYSC 3.2 and 6.3, emphasising effective systems, controls, and senior-management accountability.
  • ICO Accountability Framework, embedding privacy-by-design, transparency, and proactive risk management.
  • HM Treasury AML/CTF Guidance for financial institutions operating as Payment Service Providers.