1. Scope & Roles
This Data Protection notice describes how Netpoa Limited (TIN / Company Registration No. 143-477-398), operator of the Sanya brand, complies with the Personal Data Protection Act, No. 11 of 2022 and any implementing regulations issued by the Personal Data Protection Commission (PDPC) of Tanzania.
Two distinct flows of personal data run through Sanya:
2. Data Protection Principles
Under PDPA s.5, personal data must be:
- Processed lawfully and fairly — with a valid legal basis (contract, consent, legitimate interest, legal obligation).
- Collected for specified, explicit, and legitimate purposes — not re-used for unrelated purposes without fresh consent.
- Adequate, relevant, and limited to what is necessary.
- Accurate and kept up to date.
- Retained only as long as necessary.
- Processed securely — protected against unauthorised access, loss, or destruction.
- Subject to data-subject rights — access, correction, deletion, objection.
Sanya is designed around these principles. We expect customers to operate by them too when they use Sanya to process other people's data.
3. Controller vs Processor — what this means
3.1 When you are the controller
If you upload your customer list into Sanya, you are the controller for that data. The PDPA places the following responsibilities on you:
- Having a valid lawful basis for collecting each piece of data (e.g. a contract with that customer, or their consent).
- Providing your customers/employees with a privacy notice when you collect their data — telling them you'll be using Sanya to manage it.
- Responding to data subject requests (access, correction, deletion) from your data subjects within 30 days.
- Notifying the PDPC and affected data subjects of any breach within 72 hours of becoming aware.
- If you process sensitive data (health, biometric, religious belief), having a stronger lawful basis (usually explicit consent).
3.2 When Sanya is your processor
As your processor, Sanya commits to:
- Processing personal data only on your instructions (typically: do what the app is designed to do — store invoices, calculate payroll, etc.).
- Keeping that data secure (see Section 5).
- Not engaging sub-processors without notice — current sub-processors listed in Section 11.
- Helping you respond to data-subject requests where reasonably possible.
- Notifying you within 72 hours if we discover any breach affecting your data.
- On termination, deleting or returning all personal data within 90 days (see Terms §5.4).
4. Your Obligations as a Sanya Customer
- Provide your own privacy notice to the people whose data you put into Sanya, clearly stating that you use Sanya as a processor (Sanya's own vendors are the sub-processors listed in Section 11).
- Have a lawful basis for each category of personal data you process. Contracts, consent, legal obligation, and legitimate interest are the main ones.
- Do not upload sensitive data (medical records, biometric IDs, religious data, sexual orientation) into ordinary Sanya fields. If you need to, contact us first and we'll discuss appropriate controls.
- Keep data accurate. Use Sanya's edit/correct features promptly when you receive correction requests.
- Don't share login credentials. Each user must have their own account so the audit log identifies the actual actor.
- Respond to your data subjects' requests within 30 days. Sanya provides export tools (CSV/JSON) to help.
- Tell us if you become aware of a breach involving your Sanya workspace.
5. Our Obligations & Security Measures
5.1 Technical
- TLS 1.2+ in transit on every connection.
- Encryption at rest via our hosting provider's storage encryption.
- Database-per-tenant isolation — your data and another customer's data live in separate MySQL databases, not just separate tables.
- Password hashing using Argon2 / bcrypt — Sanya cannot read user passwords.
- Two-factor authentication available to every user, required for super-admins.
- Daily off-site backups, encrypted, retained 30 days.
- Vulnerability patching on operating system, PHP, and dependencies within 7 days of security advisories.
- Rate limiting + honeypot + IP throttling on signup and login endpoints.
5.2 Organisational
- Internal access to customer data is logged and restricted to support cases the customer has explicitly opened.
- Confidentiality agreements with all staff and contractors.
- Privacy-by-design reviews for every new feature before release.
- Quarterly access-audit of who can read what.
6. Cross-Border Data Transfers
Our hosting provider's servers may be located in the European Union or East Africa. Where personal data leaves Tanzania, we rely on the following safeguards per PDPA s.36:
- The destination jurisdiction provides an adequate level of protection (EU GDPR exceeds PDPA standards).
- Contractual data-protection clauses bind the recipient.
- Encryption protects data while in transit and at rest abroad.
If you require Tanzania-only data residency, contact dpo@sanya.tz — we'll discuss what's feasible for your plan.
7. Data Breach Notification
If we discover a personal data breach affecting your workspace, we will:
- Notify you within 72 hours of discovery via your registered admin email, with:
  - Nature of the breach, including categories and approximate number of data subjects affected.
  - Likely consequences.
  - Measures taken or proposed to address it.
  - Contact point for further information.
- Cooperate with your investigation and PDPC notification (the PDPC notification is your responsibility as controller, but we'll provide everything you need).
- Publish a post-mortem within 30 days describing the root cause and remediation.
8. Data Subject Rights
If you are an individual whose data is being processed by a Sanya customer (e.g. you received an invoice from a Sanya user), you have the right to:
- Access your data — ask the controller (the Sanya customer, not Sanya itself) for a copy.
- Correct inaccurate data.
- Erase data ("right to be forgotten") subject to legal retention.
- Object to processing, particularly for direct marketing.
- Restrict processing while a dispute is investigated.
- Data portability — receive your data in a machine-readable format (CSV / JSON) so you can move it elsewhere. The controller produces this export with Sanya's in-app tools; you do not need a Sanya login to request it.
- Lodge a complaint with the PDPC.
Direct your request to the Sanya customer that holds your data. If they are unresponsive, escalate to dpo@sanya.tz and we'll facilitate.
9. Filing Complaints
If you believe Sanya has not complied with PDPA:
- Email dpo@sanya.tz with the details. We respond within 5 business days.
- If we cannot resolve the matter, escalate to the Personal Data Protection Commission (PDPC) of Tanzania.
10. Data Protection Officer (DPO)
Netpoa Limited (Sanya) has appointed a Data Protection Officer per PDPA s.18.
- Email: dpo@sanya.tz
- Post: Netpoa Limited (Sanya) — DPO, Kijitonyama, Dar es Salaam, Tanzania
- Response SLA: 5 business days for initial response; 30 days for resolution.
11. Sub-Processors
The categories of sub-processors who may process personal data on our behalf:
| Sub-processor type | Purpose | Region |
|---|---|---|
| Online payment partner | Mobile money + card + bank payment processing | Tanzania |
| SMS delivery partner | SMS gateway (reminders, OTPs, customer notifications) | Tanzania |
| Managed hosting provider | Server infrastructure, daily encrypted backups | EU / East Africa |
| Email delivery partner | Transactional email delivery | EU |
We will notify customers by email at least 14 days before adding a new sub-processor. If you object to a new sub-processor on data-protection grounds, contact us to discuss alternatives or terminate.
Asking which specific vendors we use today? The current vendor identity for each function is available on request — email dpo@sanya.tz. We disclose this in the signed Data Processing Agreement (DPA) for enterprise customers and on request for any data subject.
This page is informational and works alongside the Terms of Service and Privacy Policy. For an executable Data Processing Agreement, see our DPA template — fill in your company details, sign, and email to legal@sanya.tz. We countersign within 2 business days.