PRIVACY POLICY

This Privacy Policy explains how Capital Connect Africa ("CCA", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you access or use our Platform. By using the Platform, you consent to the practices described in this Policy. If you do not agree, you must not use the Platform.

1. INTRODUCTION

Capital Connect Africa is committed to protecting your privacy and ensuring the security of your Personal Data. This Privacy Policy is issued in compliance with the Kenya Data Protection Act, 2019, the African Union Malabo Convention, and other applicable data protection laws across the jurisdictions in which we operate.

This Policy applies to all users of the Platform, including MSMEs, Investors, brokers, agents, and visitors. It covers data collected through our website (www.capitalconnect.africa), mobile applications, APIs, Lara AI, and all related services.

2. DATA CONTROLLER

Capital Connect Africa is the Data Controller for all Personal Data processed through the Platform.

• Registered Address: Upper Hill, Nairobi, Kenya

• Email:

• Data Protection Officer: +254 715 501 703

3. INFORMATION WE COLLECT

We collect and process the following categories of Personal Data:

3.1 Information You Provide Directly

• Account Information: Full name, email address, phone number, username, password, profile photo, and login credentials.

• Identity Verification: Government-issued ID, passport details, KYB/KYC documentation, business registration certificates, and tax identification numbers.

• Business Profile Data: Company name, industry, years in operation, revenue, employee count, ownership structure, financial statements, pitch decks, business plans, and investment requirements.

• Investor Profile Data: Investment preferences, portfolio details, accredited investor status, risk appetite, and sector interests.

• Communications: Messages, emails, support tickets, and chat transcripts sent through the Platform or Lara AI.

• Payment Information: Billing address, transaction history, and payment confirmation details. We do not store full credit card numbers or mobile money PINs.

3.2 Information Collected Automatically

• Device Information: IP address, browser type, operating system, device model, and unique device identifiers.

• Usage Data: Pages visited, features used, time spent, clicks, search queries, and interaction patterns.

• Location Data: General geographic location derived from your IP address or GPS (with consent).

• Cookies and Tracking Technologies: See Section 11 (Cookies) below.

3.3 Information from Third Parties

• Identity verification services and credit reference bureaus (where applicable).

• Business registries and regulatory databases.

• Social media profiles (if you choose to link them).

• Service providers who assist with fraud prevention and security.

4. LEGAL BASIS FOR PROCESSING

We process your Personal Data based on one or more of the following legal grounds:

• Consent: Where you have given explicit, informed, and unambiguous consent (e.g., for marketing communications, data sharing with investors, AI processing).

• Contractual Necessity: Processing necessary to perform our contract with you (e.g., account creation, matching services, payment processing).

• Legal Obligation: Processing required to comply with applicable laws (e.g., tax, regulatory, or court orders).

• Legitimate Interests: Processing necessary for our legitimate business interests, provided your rights do not override those interests (e.g., fraud prevention, platform security, service improvement).

5. HOW WE USE YOUR INFORMATION

We use your Personal Data for the following purposes:

• To create, verify, and manage your account and profile.

• To match MSMEs with suitable investors and vice versa.

• To facilitate introductions, communications, and connections between users.

• To provide AI-powered services through Lara AI, including chatbot support and content recommendations.

• To process payments and manage subscriptions.

• To communicate with you about account updates, service changes, and promotional offers (where consented).

• To detect, prevent, and investigate fraud, security breaches, and other prohibited activities.

• To comply with legal obligations and respond to regulatory requests.

• To improve our Platform, develop new features, and conduct analytics.

• To enforce our Terms of Service and protect our rights and users.

6. DATA SHARING AND DISCLOSURE

We do not sell your Personal Data. We share your data only in the following circumstances:

6.1 Between Users (MSMEs and Investors)

When an MSME opts in to share their business profile with investors, we share the MSME's profile data (including business name, industry, financial summaries, and contact details) with pre-qualified investors on the Platform. Investors are contractually prohibited from using MSME data for any purpose other than evaluating the specific investment opportunity presented. MSMEs may withdraw consent at any time by contacting our Data Protection Officer.

6.2 Service Providers (Data Processors)

We engage trusted third-party service providers who process Personal Data on our behalf under written data processing agreements:

Service Provider

Purpose

Anthropic, PBC

AI Services (Lara AI, content generation, matching)

Amazon Web Services

Cloud hosting and infrastructure

Google Cloud Platform

Data storage and analytics

Microsoft Azure

Cloud services and authentication

M-Pesa / Mobile Money Providers

Payment processing

Email and Communication Services

Notifications and marketing

6.3 Legal and Regulatory Disclosure

We may disclose your Personal Data where required by law, court order, regulatory directive, or to protect our rights, property, or safety, or that of our users or the public.

6.4 Business Transfers

If CCA is involved in a merger, acquisition, corporate reorganization, or sale of assets, your Personal Data may be transferred as part of that transaction. We will notify you via email or prominent notice on the Platform before your data becomes subject to a different privacy policy.

7. AI PROCESSING AND LARA AI

Our Platform uses AI Services provided by Anthropic, PBC to power Lara AI and other intelligent features. The following applies to all AI processing:

• Your conversations with Lara AI and inputs to AI features may be transmitted to Anthropic's servers in the United States for processing.

• Anthropic does not use API data to train its AI models under our commercial agreement.

• API logs are retained for 7 days and then automatically deleted, unless Zero Data Retention has been activated.

• Sub-processors include Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

• AI-generated outputs (matching recommendations, chatbot responses, generated documents) are provided for informational purposes only and do not constitute investment advice from CCA.

• You must independently verify all AI-generated content before relying on it for business, investment, legal, or financial decisions.

8. DATA RETENTION

We retain your Personal Data for as long as necessary to fulfill the purposes for which it was collected, including:

• While your account is active and for 7 years thereafter for legal, tax, and regulatory compliance purposes.

• Until you withdraw consent (where processing is based on consent), after which we will delete your data within 30 days, unless legal obligations require retention.

• API processing logs: 7 days (Anthropic).

• Aggregated and anonymized data may be retained indefinitely for analytics and research purposes.

9. CROSS-BORDER DATA TRANSFERS

Capital Connect Africa operates across multiple African jurisdictions. Your Personal Data may be transferred to and processed in countries outside your country of residence, including Kenya, the United States, and the European Union.

We ensure that all cross-border transfers are protected by appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the relevant data protection authorities.

• Data Processing Addendums (DPAs) with all third-party processors.

• Adequacy decisions where applicable.

10. DATA SECURITY

We implement appropriate technical and organizational security measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest (AES-256).

• Multi-factor authentication (MFA) for account access.

• Regular security audits and vulnerability assessments.

• Access controls and role-based permissions for staff.

• Incident response and breach notification procedures.

While we take every reasonable precaution, no method of transmission over the internet or electronic storage is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

11. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to enhance your experience on our Platform. By continuing to use the Platform, you consent to our use of cookies as described below.

11.1 Types of Cookies We Use

11.2 Managing Cookies

You can manage or disable cookies through your browser settings. However, disabling essential cookies may prevent certain features of the Platform from functioning correctly. For more information, see our detailed Cookie Policy.

12. YOUR DATA PROTECTION RIGHTS

Depending on your jurisdiction, you may have the following rights regarding your Personal Data:

Right

Description

Access

Request a copy of the Personal Data we hold about you.

Correction

Request that we correct inaccurate or incomplete data.

Erasure ("Right to be Forgotten")

Request deletion of your Personal Data where there is no overriding legal basis for continued processing.

Restriction

Request that we restrict processing of your data in certain circumstances.

Data Portability

Receive your data in a structured, commonly used, machine-readable format.

Objection

Object to processing based on legitimate interests or direct marketing.

Withdraw Consent

Withdraw consent at any time where processing is based on consent.

Complain

Lodge a complaint with your local data protection authority.

12.1 Exercising Your Rights

To exercise any of these rights, contact our Data Protection Officer at or call +254 715 501 703. We will respond within 30 days of receiving your request. We may require identity verification before fulfilling your request.

13. MSME DATA CONSENT AND WITHDRAWAL

MSMEs must provide explicit, informed, and unambiguous consent before their business data is shared with potential investors on the Platform. This consent is collected during profile setup and can be reviewed in your account settings.

To withdraw consent:

• Navigate to Account Settings > Privacy > Data Sharing and toggle off investor sharing; or

• Email with the subject line "Withdraw Data Sharing Consent"; or

• Call +254 715 501 703.

Withdrawal will take effect within 7 business days. Your profile will no longer be visible to new investors, though existing connections and communications may remain accessible.

14. CHILDREN'S PRIVACY

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected data from a minor, we will take immediate steps to delete such information.

15. THIRD-PARTY LINKS

The Platform may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. Material changes will be notified to you via:

• Email to your registered address;

• Prominent notice on the Platform; or

• In-app notification.

Continued use of the Platform after changes constitutes acceptance of the updated Policy. We encourage you to review this Policy periodically.

17. PAN-AFRICAN COMPLIANCE

We are committed to complying with the data protection laws of every jurisdiction in which we operate, including:

• Kenya: Data Protection Act, 2019 (Regulated by the Office of the Data Protection Commissioner)

• Nigeria: Data Protection Act, 2023 (Regulated by the Nigeria Data Protection Commission)

• South Africa: Protection of Personal Information Act, 2013 (POPIA) (Regulated by the Information Regulator)

• Ghana: Data Protection Act, 2012 (Act 843)

• Rwanda: Law No. 058/2021 Relating to the Protection of Personal Data and Privacy

• Uganda: Data Protection and Privacy Act, 2019

• Ethiopia: Personal Data Protection Proclamation, 2024

• African Union: Convention on Cyber Security and Personal Data Protection (Malabo Convention)

• European Union: General Data Protection Regulation (GDPR) (EU) 2016/679, where applicable to EU-based users

18. CONTACT INFORMATION

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Department

Contact

Data Protection Officer

DPO Phone

+254 715 501 703

General Support

Phone

+254 792 724 103

Physical Address

Capital Connect Africa, Upper Hill, Nairobi, Kenya

BY CONTINUING TO USE THE PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY AND OUR DATA PRACTICES.