Data Protection Privacy Statement

We at ZB Financial Holdings (ZBFH) take our responsibilities under the Zimbabwe’s Cyber and Data Protection Act [Chapter 12:07] (“Data Protection Act”) seriously. We also recognise the importance of the personal data you have entrusted to us and are committed to keeping it private.

We care about protecting the personal information of our customers and visitors who use our website www.zb.co.zw (‘Site’), our products or services (collectively, our "Users").

This Policy governs the manner in which ZBFH collects, uses, shares, maintains, processes and discloses information collected from users (each, a "User", you). This policy applies to the Site and all products and services offered by ZBFH. In this policy, "we", "us" and "our" refers to ZBFH and ZBFH Corporate Group.

This policy covers personal information, including any information we collect, use and share from you, as described further below. This policy applies to all websites in the ZBFH corporate group, our products and services, and our mobile applications (collectively, the "Services"). This policy does not cover how our Users may use or share data that they collect using our services.

When you use any of our product or Service, your personal information will be collected, used, and shared consistent with the provisions of this policy as well as the agreements/contracts related to particular products and services offered by us.

1. INFORMATION WE COLLECT FROM YOU

1.1 Personal identification information

We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our site, register on the site, and in connection with other activities, services, features or resources we make available on our Site. Users may be asked for, as appropriate, name, email address, mailing address, phone number, etc. Users may, however, visit our Site anonymously. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can always refuse to supply personally identification information, except that it may prevent them from engaging in certain Site related activities. Any information submitted to us during a Support issue will only be made available to us.

1.2 Non-personal identification information

We may collect non-personal identification information about Users whenever they interact with our Site. Non-personal identification information may include the browser name, the type of computer and technical information about Users means of connection to our Site, such as the operating system and the Internet service provider's utilized and other similar information.

1.3 Web Server Logs

When you visit our Site, we may track information to administer the Site and analyze its usage. With each visit we may automatically collect the following information:

technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;

information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our Site (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number.

1.4 Web browser cookies

Our Site may use "cookies" to enhance User experience. User's web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. Cookies are small text files stored on your computer by your browser. They are used for many things, such as remembering whether you’ve visited the site before, so that you remain logged in – or to help us work out how many new website visitors we get each month. Cookies do not include Personal Information about you, they cannot harm your computer, and do not contain any viruses.

Certain cookies are essential to the proper function of our Site. You may choose to set your web browser to refuse cookies, or to alert you when cookies are being sent; you do this through your browser settings. If you do so, note that some parts of the Site may not function properly. If you turn cookies off, you will not have access to many features that make your experience more efficient and some of our services will not function properly. Blocking or deleting cookies from the Site may prevent you from using the Site. We do not track your personal activities when you’re not on our Site. We use analytics cookies to help us understand what content is most useful to our Users.

1.5 Our Business Products

We will collect your personal data in accordance with the Cyber and Data Protection Act. We will notify you of the purposes for which your personal data may be collected, used, disclosed and/or processed, as well as obtain your consent for the collection, use, disclosure and/or processing of your personal data for the intended purposes, unless an exception under the law permits us to collect and process your personal data without your consent.

1.6 Third Party Technologies

We use Google services (such as Analytics, Remarketing, Display). You can read about how Google uses data when you use our sites or apps here. We use Remarketing with Google Analytics to advertise online. Third-party vendors, including Google, may show our ads on sites across the Internet. We and third-party vendors, including Google, use first-party and third-party cookies together to inform, optimize, and serve ads based on a person’s past visits to our website. You are able to opt out from all this here.

We use Mailerlite (Email Alerts, Contact Management & Marketing) to stay in contact with others, including creating, sending, and managing emails and other information related to Subscribers. You can read about how Mailerlite uses data when you use our sites or apps here.

2. PURPOSES FOR COLLECTION, USE, DISCLOSURE AND PROCESSING OF PERSONAL DATA

The personal data which we collect from you may be collected, used, disclosed and/or processed for various purposes including providing our services to you and meeting our legal and regulatory obligations. Depending on the circumstances, for example, we may/will need to process your personal data for:

processing your enquiries and application for account opening as well as products and services;

providing you with products and/or services, the entry into and/or performance of any transactions with us, and the facilitation of any of the foregoing;

administering and/or managing your relationship and/or account(s) with us (including the outsourcing of any related functions to authorised service providers or third party vendors who provide operational services to us;

carrying out your instructions or responding to any enquiries by you;

carrying out due diligence or other screening activities (including background checks) in accordance with legal or regulatory obligations or risk management procedures (including but not limited to those designed to combat financial crime, “know-your customer”, anti-money laundering, counter-terrorist financing or anti-bribery), that may be required by law or that may have been put in place by us;

dealing in any matters relating to the products and/or services offered or provided by us under the agreement(s) between you and us (including the printing and mailing of correspondence, statements, invoices, confirmations, advices, information, reports or notices to you, which could involve disclosure of certain personal data to bring about delivery of the same as well as on the external cover of envelopes/mail packages);

facilitating your business asset transactions (which may extend to any mergers, acquisitions or asset sales);

the recovery of any and all amounts owed to us;

the process of reviewing and approving the account(s), and the conduct of initial and anticipatory credit checks and assessments, relevant checks, ongoing assessment and verification of ongoing credit worthiness and standing;

preventing, detecting and investigating crime, fraud, misconduct, any unlawful action or omission, whether relating to your application or any other matter relating to your account(s), and whether or not there is any suspicion of the aforementioned;

managing our infrastructure and business operations, and complying with policies and procedures that may be required by law, applicable regulation, guidelines or notices and/or that may have been put in place by us;

monitor and record telephone conversations, voice or video conferences and all electronic communications for record keeping, quality training and investigation purposes;

the purposes of communicating with you and record-keeping;

to publish your feedback at our internal and external events, feedback exercises and/or as part of our marketing and promotional activities;

sending you the relevant notifications and/or newsletters for our products or services you may have subscribed for;

processing and/or storing information related to your relationship with us;

complying with applicable law, regulations, guidelines and/or notices in administering and managing your relationship with us;

the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure, where necessary. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others;

the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice, where necessary. The legal basis for this processing is our legitimate interests, namely the proper protection of our business, products and services against risks;

the protection of our users and public at large. We use information to help improve the safety and reliability of our services. This includes detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm us, our users, or the public;

the purpose of analytics and measurement to understand how our services are used and for ensuring that our services are working as intended, such as tracking outages or troubleshooting issues that you report to us. And we also use your information to make improvements to our services;

any other purposes which we may notify you of at the time of obtaining your consent.

(collectively, the “Purposes”).

As the purposes for which we may/will collect, use, disclose or process your personal data depend on the circumstances at hand, such purpose may not appear above. However, we will notify you of such other purpose at the time of obtaining your consent, unless processing of your personal data without your consent is permitted by the Cyber and Data Protection Act or by applicable law.

In order to conduct our business operations more smoothly, we may also be disclosing the personal data you provide to us to our third party service providers, agents and/or our affiliates or related corporations, and/or other third parties, who may be sited in or outside of Zimbabwe, for one or more of the above-stated Purposes.

We will make reasonable efforts to ensure that your personal data is stored and processed in the accurate and complete form as provided by you for all Purposes. You must ensure that you update us of any changes in your personal data from time to time. We will not be responsible for relying on inaccurate or incomplete personal data arising from you not updating us of any changes in your personal data from time to time, in a timely manner.

3. SHARING YOUR PERSONAL INFORMATION

We will share your personal information as follows:

3.1 Authorized Users

All users authorized by you to have access to your account can view personal information stored in the account. We share information about authorized users only for legitimate purposes consistent with this policy, including servicing your account and marketing products and services to you.

3.2 Sharing within the ZBFH Corporate Group

We share personal information with other members of the ZBFH corporate group to allow our corporate affiliates to contact you with offers, services or products that may be of interest to you and to provide you with their products and services. Any such corporate affiliate may use your information only according to the terms of this policy.

3.3 Sharing with insurers and professional advisers

We may disclose your data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

3.4 Sharing with Partners

When we share personal information with certain third-party partners, including marketing and advertising partners, that information includes your name, email address and other information enabling partners to: (a) assist you in using our products and services, (b) contact you with offers, services or products that may be of interest to you, and (c) provide you with their products or services.

Further, our partners are prohibited from using your contact information for any purpose beyond those set forth above without your consent. In the event we collect information from you in connection with an offer that is jointly presented by us and a partner, we will let you know who is collecting the information and whose privacy policy applies, as well as any options you may have regarding use of your information.

3.5 Sharing with third party service providers and vendors

Occasionally, we enter into contracts with carefully selected third parties so that they can assist us in servicing you (for example, providing you with customer service, fraud detection and deterrence or access to advertising assets and providing us with information technology and storage services) or to assist us in our own marketing and advertising activities (including providing us with analytic information and search engine optimization services). Our contracts with such third parties prohibit them from using any of your personal information for any purpose beyond the purpose for which it was shared.

If you purchase a product or service from a third party through one of our product or brands, we will pass your personal information to such third party in order for them to fulfill your order and provide you the relevant services.

We also share non-personal information with certain third parties, including the media, industry observers, marketing and advertising partners, vendors, customers, potential customers or partners.

We may use third party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys or serve us services as a telecom operator. We may share your information with these third parties for those limited purposes only and with your necessary consent under the law, if any.

3.6 Payment Service Providers

We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.

3.7 Compliance with Laws and Law Enforcement Requests

We may disclose your Information (including your Personal Information) to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, (b) to enforce our agreements, policies and terms of service, (c) to protect the security or integrity of our products and services, (d) to protect us, our customers or the public from harm or illegal activities, or (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.

However, nothing in this Policy is intended to limit any legal defenses or objections that you may have to a third party's, including a government's, request to disclose your information.

We also reserves the right to disclose personally identifiable information and/or non-personally-identifiable information that we believe, in good faith, is appropriate or necessary to enforce our Terms of Service, take precautions against liability, to investigate and defend itself against any third-party claims or allegations, to assist government enforcement agencies, to protect the security or integrity of our Services, and to protect the rights, property, or personal safety of ZBFH, our Users or other natural person.

3.8 Business Transfers

We may share or transfer your information (including your Personal Information) in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We will notify all users of our services by email and/or a prominent notice on our website of any such transfer.

4. THE DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

We will respect the confidentiality of the personal data you provide to us.

In that regard, we will not disclose your personal data to third parties without first obtaining your consent permitting us to do so. However, please note that we may disclose your personal data to third parties without first obtaining your consent in certain situations, including, without limitation, the following:

cases in which the disclosure is required or authorised based on the applicable laws and/or regulations;

cases in which the purpose of such disclosure is clearly in your interests, and if consent cannot be obtained in a timely way;

cases in which the disclosure is necessary to respond to an emergency that threatens the life, health or safety of yourself or another individual;

cases in which the disclosure is necessary for any investigation or proceedings;

cases in which the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written legal authorisation for such disclosure in accordance with applicable laws, certifying that the personal data is necessary for the purposes of the functions or duties of the officer;

cases in which the disclosure is to a public agency and such disclosure is necessary in the public interest; and/or

where such disclosure without your consent is permitted by the Cyber and Data Protection Act or by applicable law.

The instances listed above in the foregoing paragraph are not intended to be exhaustive. For more information on the exceptions, you are encouraged to peruse the Cyber and Data Protection Act.

Where we disclose your personal data in line with this policy to third parties with your consent, we will employ our best efforts to require such third parties to protect your personal data.

5. THIRD PARTY PERSONAL DATA

You represent, undertake and warrant to us that:

in respect of any personal data of any individuals whatsoever which you may, from time to time, disclose to us (“Third Party Personal Data”), you would have prior to disclosing such Third Party Personal Data to us obtained the appropriate consent from the individuals whose Third Party Personal Data are being disclosed, to:

permit you to disclose the individuals’ Third Party Personal Data to us for or in connection with the Purposes; and/or

permit us and our affiliates or related corporations (in Zimbabwe and/or elsewhere) to collect, use, disclose, share and/or process (through authorised service providers, relevant third parties or otherwise) the individuals’ Third Party Personal Data for or in connection with the Purposes;

any Third Party Personal Data that you disclose to us is accurate;

should you become aware that any such Third Party Personal Data has been updated and/or changed after such disclosure to us, you shall give us notice in writing as soon as reasonably practicable thereafter; and

should you become aware that any individual whose Third Party Personal Data you have disclosed to us has withdrawn his consent as referred to in sub-Clause (a) above, you shall give us notice in writing as soon as reasonably practicable thereafter. Without prejudice to our other rights under applicable law and/or the agreement(s) between you and us, upon our receipt of the said notification, we shall have the right to discontinue or not provide any products and/or services to and/or transactions with you that are linked to such Third Party Personal Data.

6. SECURITY

Once we have received your information, we will take appropriate technical and organizational security measures to safeguard your personal information against loss, theft and unauthorized use, access or modification.

In case of collection of financial account information, we protect its transmission through the use of Multi Factor Authentication.

7. STORAGE OF YOUR DATA

The data that we collect from you may be transferred to, and stored at, a destination outside Zimbabwe. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this policy.

All Personal Information you provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Information, we cannot guarantee the security of your data transmitted to our Site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

8. INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA

In order for us to provide the Services to you, your personal information will be transferred to, and stored at/processed in other countries. Your personal data is also processed by staff operating outside Zimbabwe, who work for us or for one of our suppliers. We will take all steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this policy. The data will be protected by appropriate safeguards, including the use of standard data protection clauses in contracts with employees, suppliers and third party partners.

We and our group companies have offices and facilities in Zimbabwe and Botswana.

9. THIRD PARTY WEBSITES

Users may find advertising or other content on our website that link to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties.

We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site.

In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website's own terms and policies.

10. UNAUTHORIZED ACCOUNTS

If an account or profile was created without your knowledge or authorization, please contact us via any of the following options https://www.zb.co.zw/holding/contact-us, and request immediate removal of the account or profile.

11. RETENTION OF PERSONAL INFORMATION

We retain your personal information to provide services to you and as otherwise necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Notwithstanding the other provisions of this Section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

We will also put in place measures such that your personal data in our possession or under our control is destroyed and/or anonymized as soon as it is reasonable to assume that:

the purpose for which that personal data was collected is no longer being served by the retention of such personal data; and

retention is no longer necessary for any other legal or business purposes.

12. OUR POLICY TOWARDS CHILDREN

Our Services are not directed to individuals under 18 years. We do not knowingly collect Personal Information from children under 18 years. If we become aware that a child under 18 has provided us with Personal Information, we will take steps to delete such information. If you become aware that a child has provided us with Personal Information, please contact our Data Protection Officer on amapako@zb.co.zw

We will, however, collect, use, disclose and process the personal data of a minor data subject, provided to us by an adult in the capacity of parent or legal guardian of the child.

13. YOUR RIGHTS

In this Section, we have summarized the rights that you or Users have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

Your principal rights under data protection law are:

  • the right to access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to object to processing;
  • the right to data portability;
  • the right to complain to a supervisory authority; and
  • the right to withdraw consent.

To the extent that the legal basis for our processing of your personal data is: Your consent; or that the processing is necessary for the performance of a contract to which you are party with us or with our partners to whom we are providing services as a processor or in order to take steps at your request prior to entering into a contract, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.

If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with the Data Protection Authority.

To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

14. COMPLAINTS OR INQUIRY

If you, at any time, have any queries on this policy or any other queries in relation to how we collect, use, disclose or process your personal data, please do not hesitate to contact our Data Protection Officer.

If you have any complaint or grievance about this policy; the collection, use, disclosure or processing of your personal information; or our compliance with the Cyber and Data Protection Act, please contact our Data Protection Officer.

15. Changes to this Privacy Policy

This Privacy Policy is effective as of December 2024 and will remain in effect except with respect to any changes in its provisions in the future, which will be posted on this page. We reserve the right to update or change our Privacy Policy at any time and you should check this Privacy Policy periodically. It is your responsibility to check this page from time to time to check for any change. Your continued use of the Site or Services after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.

16. Data Protection Officer

Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to our Data Protection Officer who can be contacted at amapako@zb.zo.zw

Updated September 2025