Privacy Policy

Last Updated: 30 May 2026

1. Introduction

Genesis Zimbabwe ("Company," "We," "Us," "Our") is committed to protecting the privacy and security of your personal and business data. This Privacy Policy explains how we collect, use, store, share, and protect information when you use our Services, including Genesis POS, Genesis Management App, Supplier Portal, Company Portal, and PrivateZenith AI (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Services.

We are registered and operate in Zimbabwe at Zimre Park, Ruwa, Goromonzi. This policy complies with the laws of the Republic of Zimbabwe, including the Cybersecurity and Data Protection Act [Chapter 12:07] and other applicable regulations.

This Privacy Policy applies to all users of our Services, including business owners, company administrators, staff members, customers whose data is processed through our platform, and suppliers who interact with our Supplier Portal. Each category of user has different data protection rights and obligations, and we have structured this policy to address the specific concerns of each group.

2. Information We Collect

2.1 Information Collected from Business Owners and Administrators

When you register a company account or act as an administrator, we collect:

Identity Data: Full name, government-issued identification number (where required for verification), and digital signature records.
Contact Data: Business email address, personal email address, phone number, and physical business address.
Company Registration Data: Company name, registration number, business type, industry sector, tax identification number, and VAT registration details.
Financial Data: Bank account details for payouts and billing, preferred currency settings, and payment transaction history with our platform.
Account Credentials: Username, hashed password, encrypted PIN code, security questions and answers, and multi-factor authentication tokens.
Business Configuration Data: Number of branches, branch locations, operating hours, tax rate configurations, receipt templates, and pricing strategies.

2.2 Information Collected from Staff Members

When staff accounts are created (by administrators or through self-registration), we collect:

Identity Data: Full name, employee ID or staff number (as assigned by the employer).
Contact Data: Email address and phone number.
Employment Data: Role, position, department, branch assignment, shift schedules, and manager assignments.
Performance Data: Sales performance metrics, transaction counts, average transaction values, return rates, and productivity statistics.
Attendance Data: Login times, shift start and end times, break periods (where recorded through the system), and location of login events.
Account Credentials: Username, hashed password, encrypted PIN code, and access permission levels.
Communication Data: Notes, messages, and internal communications made within the platform.

Staff members should be aware that their usage of the Services may be monitored by their employer. We act as a data processor for staff data, with the employer (business owner) acting as the data controller.

2.3 Information Collected from Customers

Through our Services, business owners may record and process data about their customers. This data is controlled by the business owner and processed by us on their behalf. It typically includes:

Identity Data: Customer name, and where provided, national identification numbers for loyalty or credit programs.
Contact Data: Phone numbers, email addresses, and physical addresses (where collected for delivery purposes).
Transaction Data: Purchase history, amounts spent, payment methods used, dates and times of purchases, items purchased, and return/refund history.
Loyalty Data: Loyalty points balances, reward redemptions, membership tiers, and referral activity.
Credit Data: Credit limits, payment terms, outstanding balances, and payment history (for business customers on credit arrangements).
Preferences: Product preferences, communication preferences, and opt-in consents for marketing.

We do not use customer data for our own purposes. Customer data is processed solely on behalf of the business owner who collected it. Customers should direct privacy inquiries to the relevant business whose services they use.

2.4 Information Collected from Suppliers

When suppliers interact with our Supplier Portal, we collect:

Business Identity Data: Company name, registration number, business type, and industry sector.
Contact Data: Supplier representative name, business email, phone number, and physical address.
Product Data: Product catalogs, pricing lists, stock availability, delivery timelines, and product descriptions.
Transaction Data: Purchase order history, invoices, payment records, delivery notes, and order fulfillment data.
Financial Data: Bank account details for payments, tax information, and payment terms.
Performance Data: Delivery reliability metrics, product quality ratings, response times, and order accuracy statistics.

2.5 Information Collected Automatically

When you use our Services, we automatically collect:

Device Information: Device type, operating system, unique device identifiers, browser type and version, screen resolution, and IP address.
Usage Data: Pages visited, features used, time spent on each feature, clicks, navigation patterns, feature adoption rates, and interaction sequences.
Performance Data: App crash reports, error logs, load times, API response times, synchronization status, and offline queue statistics.
Location Data: Approximate location based on IP address (for regional settings, currency configuration, and tax compliance). We do not collect precise GPS location without explicit consent.
Offline Data: Records of transactions processed while offline, including timestamps, device identifiers, and synchronization events when connectivity is restored.
Network Data: Connection type (WiFi, mobile data), signal strength, bandwidth estimates, and network provider information for performance optimization.

2.6 Information from Third Parties

We may receive information about you from:

Payment Processors: EcoCash, PayNow, banks, and mobile money operators — transaction confirmation, payment status, and verification data. We do not receive or store full payment card numbers or banking credentials.
Business Partners: Your staff members who register accounts on your behalf, other businesses in our network that interact with your business (e.g., suppliers submitting catalogs), and referral partners.
Public Registries: Company registration databases and regulatory bodies for identity verification and compliance purposes, where permitted by law.

3. Legal Basis for Processing

We process your personal data only when we have a lawful basis to do so. The legal bases we rely on are:

3.1 Contractual Necessity

We process data that is necessary for the performance of a contract with you. This includes creating your account, providing the Services, processing transactions, synchronizing data, and offering customer support. Without this processing, we cannot deliver the Services you have requested.

3.2 Legal Obligation

We process data to comply with legal obligations applicable to us under Zimbabwean law, including tax record-keeping requirements (retaining financial records for a minimum of 6 years), responding to lawful requests from courts and regulatory authorities, complying with anti-money laundering regulations, and fulfilling reporting obligations to government agencies.

3.3 Legitimate Interests

We process data for our legitimate business interests, provided those interests do not override your fundamental rights and freedoms. These interests include analyzing and improving our Services, ensuring network and information security, preventing fraud and abuse, conducting business research and analytics with anonymized data, and marketing our Services to existing users (with opt-out rights).

3.4 Consent

Where we rely on your consent as the legal basis for processing, we will obtain your explicit consent before processing your data. This includes certain marketing communications, optional data collection features, and processing of sensitive data where applicable. You have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

3.5 Vital Interests

In rare circumstances, we may process personal data where necessary to protect the vital interests of an individual, such as in a medical emergency where data access is required to prevent serious harm.

4. How We Use Your Information

We use the information we collect for the following purposes:

To Provide and Maintain the Services: Processing transactions, synchronizing data across devices, generating reports, managing inventory, processing orders, and delivering AI-powered insights through PrivateZenith.
To Improve the Services: Analyzing usage patterns to enhance features, fix bugs, optimize performance, develop new functionality, and refine user interfaces based on real-world interaction data.
To Communicate With You: Sending service updates, billing information, technical notices, security alerts, support responses, onboarding guidance, and feature announcements.
To Ensure Security: Monitoring for fraudulent activity, unauthorized access attempts, service abuse, data exfiltration attempts, and anomalous usage patterns.
To Comply with Legal Obligations: Maintaining records as required by Zimbabwean law, responding to lawful requests from authorities, fulfilling tax reporting requirements, and complying with regulatory audits.
To Provide AI Insights (PrivateZenith): Analyzing your business data to generate actionable recommendations, sales forecasts, inventory alerts, performance metrics, anomaly detection, and trend analysis. AI processing is done on your data within our secure infrastructure. Your data is not used to train models for other customers.
To Enable Multi-Device Synchronization: Ensuring that data entered on one device is available on all your authorized devices in real time, including offline reconciliation when connectivity is restored.
To Generate Aggregated Analytics: Creating anonymized, aggregated statistics about platform usage, industry trends, and business performance patterns. These aggregates cannot identify individual businesses or individuals.
To Manage User Roles and Permissions: Enforcing access controls based on role-based permissions configured by administrators, ensuring staff only access data necessary for their roles.

5. Automated Decision-Making

5.1 PrivateZenith AI Processing

Our PrivateZenith AI feature performs automated analysis and generates recommendations based on your business data. This includes:

Sales Forecasting: Predicting future sales volumes based on historical transaction data, seasonal patterns, and market trends. These forecasts help you make inventory and staffing decisions but are advisory in nature.
Inventory Optimization: Automated recommendations for stock replenishment, identification of slow-moving items, and suggestions for markdown or promotion of excess stock.
Anomaly Detection: Flagging unusual transactions, potential fraud indicators, or data inconsistencies that may require human review.
Performance Insights: Analyzing staff performance, customer purchasing patterns, and operational efficiency metrics to provide actionable business intelligence.
Pricing Recommendations: Suggesting optimal pricing strategies based on market analysis, demand patterns, and competitor monitoring where data is available.

5.2 Human Oversight

All automated decisions made by PrivateZenith AI are advisory. Significant business decisions (pricing changes, staff disciplinary actions, credit decisions, and major inventory orders) always require human approval. You may request human review of any automated recommendation by contacting our support team.

5.3 Right to Object

You have the right to object to automated decision-making that produces legal effects concerning you or similarly significantly affects you. To exercise this right, please contact us. Note that automated analysis is core to the PrivateZenith feature; opting out may affect the functionality available to you.

5.4 Algorithmic Transparency

We are committed to transparency in our use of AI. The algorithms used by PrivateZenith are designed to be interpretable, and we can explain the logic behind specific recommendations upon request. We regularly audit our AI systems for fairness, accuracy, and bias.

We do not sell, rent, or trade your personal or business information. We may share information in the following limited circumstances:

6.1 Service Providers

We may share information with trusted third-party service providers who perform services on our behalf, including:

Cloud hosting and infrastructure providers (who store data on our behalf under strict contractual data processing agreements).
Payment processing partners (limited to transaction verification and settlement data).
Email and notification delivery services.
Analytics providers (using anonymized, non-identifiable data).
Customer support platform providers.

All service providers are contractually bound to protect your data and may only use it for the specific services they perform for us. They are prohibited from using your data for their own purposes.

6.2 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal requests by public authorities (e.g., a court order, subpoena, or government agency request). We will notify you of such requests where legally permitted and will challenge overly broad or unlawful requests.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change and the new entity will be bound by this Privacy Policy. You will have the right to terminate your account and request data deletion if you do not wish to continue under the new entity.

6.4 With Your Consent

We may share your information for any other purpose with your explicit consent, which you may withdraw at any time.

6.5 What We Do NOT Share

We do not sell your data to advertisers or data brokers.
We do not share your customer data with third parties for their marketing purposes.
We do not share your sales or financial data with competitors.
We do not use your business data to train AI models for purposes other than improving your PrivateZenith AI experience.
We do not share personal data across different business accounts unless those businesses have an explicit relationship configured in the platform.

7. Third-Party Data Processors

We engage the following categories of third-party data processors who have access to personal data in connection with the Services. All processors are subject to contractual data processing agreements that require them to protect data to standards equivalent to this Privacy Policy:

7.1 Cloud Infrastructure Providers

We use cloud infrastructure services for data hosting, storage, computing, and content delivery. These providers maintain industry-standard physical and logical security controls, including SOC 2 or equivalent certifications. Data is stored in regions optimized for African business performance.

7.2 Payment Processors

Payment transactions are processed through licensed payment gateways and financial institutions including EcoCash, PayNow, and partner banks. These processors handle payment data directly and are PCI DSS compliant where applicable. We receive only transaction confirmation and status data from these processors.

7.3 Communication Services

We use third-party email service providers, SMS gateways, and push notification services to deliver service communications, alerts, and marketing messages (where consented). These providers process contact data solely for message delivery purposes.

7.4 Analytics and Monitoring Services

We use analytics platforms to understand usage patterns, application performance monitoring tools to detect and resolve technical issues, and error tracking services to identify and fix bugs. Data shared with these services is anonymized or pseudonymized where possible.

7.5 AI and Machine Learning Services

PrivateZenith AI processing is conducted using our own infrastructure and licensed AI frameworks. Where third-party AI services are used, they process data under strict data protection agreements that prohibit use of your data for training their models.

7.6 Backup and Disaster Recovery Providers

We maintain encrypted backups through third-party backup services to ensure data durability and business continuity. Backup data is encrypted at rest and in transit.

We maintain an up-to-date list of all sub-processors. To request a complete list of our third-party data processors, please contact us at support@genesispos.xyz. We will notify you of any changes to our sub-processors as required by applicable law.

8. Data Storage & Security

8.1 Data Storage

Your data is stored on secure cloud servers with redundancy across multiple geographic locations to ensure availability and durability.
Data is encrypted at rest using industry-standard encryption algorithms (AES-256).
Data transmitted between your devices and our servers is encrypted using TLS/SSL protocols (minimum TLS 1.2).
Offline data stored on local devices is encrypted using device-level encryption with platform-native security APIs.
Database backups are encrypted and stored in geographically separate facilities.

8.2 Security Measures

We implement the following security measures to protect your data:

Regular security assessments and penetration testing by independent third-party firms.
Access controls with role-based permissions for staff accounts at granular levels.
Two-factor authentication options for all administrative accounts.
Automatic session timeout after periods of inactivity.
Comprehensive audit logging of all sensitive operations, data access, permission changes, and configuration modifications.
Employee background checks and mandatory data protection training for all staff with access to personal data.
Strict vendor risk management program for all third-party service providers, including initial due diligence and periodic reassessments.
Incident response plan with defined escalation procedures, containment strategies, and communication protocols.
Rate limiting and brute force protection on authentication endpoints.
Web application firewall and DDoS protection.

8.3 Data Location

Your primary data is stored on servers located in regions that ensure optimal performance for African businesses. We maintain data processing agreements with our cloud providers that ensure your data is protected to standards required by Zimbabwean law. Data may be replicated to additional regions for disaster recovery purposes, always under equivalent or greater protection levels.

9. Data Retention

We retain your data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

Active Accounts: Data is retained for the duration of your account and for 90 days after account termination to allow for data export and transition.
Transaction Records: Sales and financial records are retained for a minimum of 6 years in accordance with Zimbabwean tax and record-keeping requirements under the Income Tax Act and related regulations.
Staff Records: Employment-related data is retained for the duration of a staff member's association with a business account and for 1 year thereafter, subject to employer retention policies.
Customer Records: Customer data processed on behalf of business owners is retained according to the business owner's retention policies. We will delete customer data upon the business owner's instruction or upon account termination.
Backup Data: Archived backups are retained for up to 90 days before secure deletion.
Analytics Data: Anonymized, aggregated analytics data may be retained indefinitely for service improvement and historical trend analysis purposes.
Communications: Support correspondence and communications are retained for 3 years from the date of the last communication.
Legal Hold: Data subject to legal proceedings, investigation, or regulatory inquiry may be retained until the matter is fully resolved and all appeal periods have expired.

After the retention period, data is securely deleted using industry-standard data sanitization methods or rendered permanently anonymous such that it cannot be linked back to an identifiable individual or business.

10. Your Rights

You have the following rights regarding your data under Zimbabwean data protection law:

Right to Access: You may request a copy of the data we hold about you or your business, including information about how we use it and who we share it with.
Right to Rectification: You may request correction of any inaccurate, incomplete, or outdated data we hold about you.
Right to Deletion (Right to be Forgotten): You may request deletion of your data, subject to legal retention requirements and legitimate business needs.
Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and have the right to transmit that data to another service provider.
Right to Restrict Processing: You may request that we limit how we use your data in certain circumstances, such as during a dispute about data accuracy.
Right to Object: You may object to certain data processing activities, including direct marketing and processing based on legitimate interests.
Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to Object to Automated Decisions: You may request human intervention in automated decision-making processes that significantly affect you.

To exercise any of these rights, contact us at support@genesispos.xyz or WhatsApp 0787592481 / 0781847609. We will respond to your request within 30 days as required by Zimbabwean law. There is no charge for exercising your rights, though we may charge a reasonable fee for repetitive, unfounded, or excessive requests.

11. Data Subject Access Request Procedure

11.1 How to Make a Request

You may make a Data Subject Access Request (DSAR) or exercise any of your data protection rights by:

Emailing support@genesispos.xyz with the subject line "DSAR Request".
Sending a WhatsApp message to 0787592481 / 0781847609 with your request details.
Writing to us at our physical address: Zimre Park, Ruwa, Goromonzi, Zimbabwe.
Using the Data Request form available in your Company Portal account settings.

11.2 Information We May Require

To process your request, we may need to verify your identity. We may request:

A copy of your government-issued identification document.
Proof of address or business registration.
Additional information to confirm your relationship with our Services.
Specific details about the data or processing activity your request concerns.

11.3 Our Response Process

We will acknowledge receipt of your request within 48 hours.
We will respond substantively within 30 calendar days, as required by Zimbabwean law.
If your request is complex or you have made multiple requests, we may extend the response period by up to an additional 30 days, with notice.
We will provide the information in the format you request (electronic or paper), where reasonably possible.
If we cannot fulfill your request, we will explain the reasons and your options for challenging our decision.

11.4 Requests by Business Owners Regarding Staff or Customer Data

Business owners who are data controllers for their staff and customer data may request access to data processed on their behalf. We will facilitate such requests promptly. Data subjects (staff or customers) should first direct their requests to the business owner who collected their data. If the business owner is unable or unwilling to respond, we will assist data subjects directly where required by law.

12. Cookies & Tracking

12.1 What Are Cookies

Cookies are small text files that are placed on your device when you visit a website or use an application. They are widely used to make websites work efficiently and provide information to the website owners. We also use similar technologies such as local storage, session storage, and web beacons.

12.2 Types of Cookies We Use

Essential / Strictly Necessary Cookies: These cookies are required for the operation of our Services. They enable you to authenticate, navigate, and use core features. Without these cookies, the Services cannot function properly. They include session cookies that remember your login state and security cookies that help protect your account. These cannot be disabled.

Functional / Preference Cookies: These cookies remember choices you make to improve your experience, such as your preferred language, currency display settings, theme preferences, and saved dashboard layouts. They may also remember changes you have made to text size, fonts, and other customizable parts of the Services.

Analytics / Performance Cookies: These cookies help us understand how users interact with our platform — which pages are visited most often, which features are used, how users navigate, and where they encounter errors. Data collected is aggregated and anonymized. We use this information to improve performance, fix issues, and prioritize feature development. Analytics data is retained in anonymized form.

Session Cookies: These are temporary cookies that expire when you close your browser. They are used to maintain your session state and remember your actions during a single browsing session.

Persistent Cookies: These cookies remain on your device for a set period or until you manually delete them. They remember your preferences and settings across return visits.

Third-Party Cookies: We use minimal third-party cookies, primarily from our analytics and hosting providers. These are limited to what is strictly necessary for service provision. We do not allow third-party advertising cookies on our platform.

12.3 Cookie Duration

Session cookies: Expire when you close your browser.
Preference cookies: Persist for up to 12 months or until updated.
Authentication cookies: Persist for the duration of your login session, up to a maximum of 30 days for "remember me" functionality.
Analytics cookies: Persist for up to 24 months, after which data is anonymized.

12.4 Managing Cookies

You can control and manage cookies in several ways:

Browser Settings: Most browsers allow you to view, block, or delete cookies through their settings. Please note that blocking essential cookies may prevent the Services from functioning correctly.
Platform Settings: Where available, we provide cookie preference settings within our platform to allow you to opt in or out of non-essential cookies.
Do Not Track: Our Services currently do not respond to "Do Not Track" signals from browsers. We will update this policy if that changes.

12.5 Changes to Cookie Settings

If you change your cookie settings, some features of the Services may not function as intended. We recommend keeping essential cookies enabled to ensure full functionality of the platform.

13. Marketing Communications

13.1 Types of Marketing Communications

With your consent (or where a legitimate interest applies), we may send you:

Product Updates and Feature Announcements: Information about new features, improvements, and service enhancements relevant to your use of the platform.
Promotional Offers: Special pricing, discounts, and promotional campaigns for our Services.
Educational Content: Tips, guides, best practices, and industry insights to help you get the most out of our Services.
Event Invitations: Invitations to webinars, training sessions, user groups, and industry events.
Newsletters: Periodic newsletters with company news, industry trends, and product highlights.

13.2 Consent and Opt-Out

We will only send marketing communications to you where we have your consent or a legitimate interest (for existing customers receiving information about similar products or services). You can opt out of marketing communications at any time by:

Clicking the "unsubscribe" link in any marketing email.
Replying "STOP" to any SMS marketing message.
Updating your communication preferences in your account settings.
Contacting us at support@genesispos.xyz.

Opting out of marketing communications does not affect service-related communications, such as account notifications, security alerts, billing information, and support responses.

13.3 Third-Party Marketing

We do not share your personal data with third parties for their own marketing purposes without your explicit consent. We do not sell or rent your contact information to advertisers or marketing agencies.

13.4 Frequency

We aim to limit marketing communications to a reasonable frequency. Typically, promotional emails are sent no more than once per week. Product update communications are sent only when relevant changes occur.

14.1 Social Media Integration

Our Services may include social media features, such as links to our social media pages, social sharing buttons, and embedded social media feeds. These features are provided by third-party social media platforms including but not limited to Facebook, WhatsApp, Twitter/X, LinkedIn, and Instagram.

14.2 Data Collected by Social Media Platforms

When you interact with social media features on our platform, the social media provider may collect information about your interaction. This may include:

Your social media profile information (if you are logged into the social media platform).
The fact that you visited our website or used our Services.
Your IP address and browser information.
The specific content you interacted with (e.g., sharing a page, liking a post).

14.3 Our Relationship with Social Media Platforms

The data collected by social media platforms through their features is governed by the privacy policies of those platforms, not by this Privacy Policy. We encourage you to review the privacy policies of any social media platforms you interact with through our Services. We do not control and are not responsible for how social media platforms collect, use, or share your information.

14.4 WhatsApp Integration

Our Services may integrate with WhatsApp for customer support and communications. When you contact us via WhatsApp, your phone number, profile name, and message content will be processed by Meta (WhatsApp's parent company) according to WhatsApp's privacy policy. We only use WhatsApp for communication purposes and do not use your WhatsApp data for any other purpose.

14.5 Minimizing Data Sharing

To minimize data shared with social media platforms, we recommend logging out of social media accounts before interacting with social media features on our platform. You may also use browser extensions that block social media tracking.

15. Data Anonymization and Aggregation

15.1 Anonymization Process

We may anonymize personal data by removing or modifying identifying characteristics so that the data can no longer be attributed to a specific individual or business without the use of additional information. Anonymization techniques we use include:

Aggregation: Combining data from multiple sources into statistical summaries that do not identify individuals.
Pseudonymization: Replacing identifying fields (such as names and contact details) with artificial identifiers.
Data Masking: Redacting or obscuring specific data elements.
Generalization: Replacing precise values with broader categories (e.g., age range instead of exact age, city instead of street address).
Noise Addition: Introducing small statistical variations to prevent re-identification while preserving overall data utility.

15.2 Use of Anonymized Data

Once data has been irreversibly anonymized, it is no longer considered personal data and may be used for:

Service Improvement: Analyzing usage patterns across our entire user base to identify trends, improve features, and optimize performance.
Industry Benchmarking: Creating anonymized benchmarks and industry reports that help businesses understand how they compare to peers (e.g., average transaction values, inventory turnover rates, peak sales periods).
Business Intelligence: Generating market insights, economic trend analysis, and sector-specific reports that benefit the broader business community in Zimbabwe and Africa.
Research and Development: Conducting research to develop new features, improve AI models, and advance business management technology.
Public Reporting: Publishing anonymized statistics about platform adoption, economic activity, and business trends. These publications will never identify individual businesses or individuals.

15.3 Guarantees

We are committed to ensuring that anonymized data cannot be re-identified. We implement technical and organizational measures to prevent re-identification, including:

Ensuring minimum group sizes in aggregated reports to prevent inference of individual data.
Regularly reviewing anonymization techniques against current best practices and re-identification risks.
Contractually prohibiting recipients of anonymized data from attempting to re-identify individuals.
Destroying original identifiers once anonymization is complete.

16. Children's Privacy

Our Services are intended for business use and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal information, we will take steps to delete such information promptly and terminate any associated accounts. If you believe a child has provided us with personal data, please contact us immediately at support@genesispos.xyz.

17. International Data Transfers

Your data may be transferred to and processed in countries other than Zimbabwe where our service providers operate, including countries in Africa, Europe, and other regions. When we transfer your data internationally, we ensure appropriate safeguards are in place, including:

Standard contractual clauses approved for data protection, binding the data recipient to the same level of data protection.
Data processing agreements that require the recipient to protect data to standards equivalent to or greater than those required by Zimbabwean law.
Technical and organizational security measures that meet or exceed industry standards, including encryption in transit and at rest.
Assessment of the data protection framework in the recipient country to ensure adequacy.

By using our Services, you consent to the transfer of your data to countries that may have different data protection laws than your country of residence, provided that we have implemented appropriate safeguards as described above.

If you wish to know more about the specific safeguards applied to your data during international transfer, please contact us.

18. Data Breach Notification

In the event of a data breach that affects your personal or business data, we will:

Notify you within 72 hours of becoming aware of the breach.
Provide a description of the nature of the breach, including where possible, the categories and approximate number of data subjects and records affected.
Inform you of the categories of data likely affected (e.g., contact information, financial data, transactional data).
Describe the likely consequences of the breach for data subjects.
Detail the measures we have taken or propose to take to address the breach and mitigate its possible adverse effects.
Provide contact information for our Data Protection Officer for further information.

Notifications will be sent to the primary email address associated with your account. We will also report breaches to the relevant data protection authority (such as the Postal and Telecommunications Regulatory Authority of Zimbabwe / Data Protection Authority) as required by the Cybersecurity and Data Protection Act [Chapter 12:07] and other applicable laws.

19. Specific Zimbabwean Data Protection Law Compliance

19.1 Applicable Legislation

This Privacy Policy is designed to comply with the following Zimbabwean laws and regulations:

Cybersecurity and Data Protection Act [Chapter 12:07]: The primary data protection legislation in Zimbabwe, which governs the collection, use, storage, and processing of personal data by data controllers and data processors. This Act establishes the Data Protection Authority and sets out the rights of data subjects.
Constitution of Zimbabwe Amendment (No. 20) Act, 2013: Section 57 of the Constitution protects the right to privacy, which forms the constitutional foundation for data protection in Zimbabwe.
Electronic Transactions and Electronic Commerce Act [Chapter 12:30]: Governs electronic transactions, digital signatures, and the admissibility of electronic records.
Banking Act [Chapter 24:20]: Governs the handling of financial data and transaction records by financial service providers and their partners.
Income Tax Act [Chapter 23:06]: Sets record-keeping requirements for financial and transactional data, including the 6-year retention period.

19.2 Data Protection Authority

The Data Protection Authority established under the Cybersecurity and Data Protection Act oversees compliance with data protection laws in Zimbabwe. We cooperate fully with the Authority and respond promptly to any inquiries or directions from the Authority regarding our data processing activities.

19.3 Data Controller and Processor Roles

Under Zimbabwean law, we act as a data controller for the personal data we collect directly from you (e.g., your account registration information, billing data, and support correspondence). We act as a data processor for the business data you entrust to us, including your customer data, staff data, and supplier data. As a data processor, we process data only on your documented instructions and have implemented technical and organizational measures to fulfill our obligations under the Cybersecurity and Data Protection Act.

19.4 Registration and Compliance

We are registered as a data processor in Zimbabwe and maintain records of our data processing activities as required by the Cybersecurity and Data Protection Act. Our data protection compliance program includes:

Regular data protection impact assessments for new processing activities.
Data protection by design and default for all new features and Services.
Records of processing activities (ROPA) maintained and updated regularly.
Annual internal data protection audits.
Designated Data Protection Officer with responsibility for compliance oversight.

19.5 Cross-Border Data Transfers

In accordance with the Cybersecurity and Data Protection Act, we ensure that any transfer of personal data outside Zimbabwe is subject to appropriate safeguards that are substantially similar to the protections provided under Zimbabwean law. We do not transfer data to countries that do not have adequate data protection laws without implementing appropriate safeguards.

20. Complaints Procedure

20.1 How to Lodge a Complaint

If you believe that we have breached your data protection rights or failed to comply with our obligations under this Privacy Policy or applicable law, you may lodge a complaint using the following process:

Step 1 — Internal Resolution: Contact our Data Protection Officer directly at support@genesispos.xyz with the subject line "DATA PROTECTION COMPLAINT". Provide a detailed description of your concern, including dates, the specific data or processing activity involved, and how you believe your rights have been affected.

Step 2 — Acknowledgment: We will acknowledge receipt of your complaint within 48 hours and provide you with a reference number and contact details for the person handling your complaint.

Step 3 — Investigation: We will investigate your complaint thoroughly, which may involve reviewing relevant records, interviewing staff involved, and consulting with our legal advisors. We may request additional information from you during this process.

Step 4 — Response: We will provide a substantive written response to your complaint within 30 days of receipt. Our response will include the outcome of our investigation, any actions we have taken or propose to take, and the reasons for our decision.

Step 5 — Escalation: If you are not satisfied with our response, or if we have not responded within the 30-day period, you have the right to escalate your complaint to the Data Protection Authority established under the Cybersecurity and Data Protection Act. We will provide you with the relevant contact details for the Authority upon request.

20.2 Escalation to Regulatory Authority

You have the right to lodge a complaint with the Data Protection Authority at any time, regardless of whether you have followed our internal complaint procedure. The contact details for the Data Protection Authority can be obtained from the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) or through official government channels.

20.3 Judicial Remedy

You also have the right to seek judicial remedy through the courts of Zimbabwe if you believe your data protection rights have been violated, including the right to claim compensation for damages suffered as a result of a breach of the Cybersecurity and Data Protection Act.

20.4 No Penalty for Complaints

We will not penalize you or treat you less favorably for making a complaint in good faith about our data handling practices. We value feedback that helps us improve our data protection practices.

21. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or industry standards. We will notify you of material changes through:

Email to the registered email address associated with your account.
A prominent notice on our website and Company Portal.
An in-app notification banner.
A notification in the admin dashboard.

Changes will take effect 30 days after notification, except where changes are required to address legal, regulatory, or security issues, in which case they may take effect immediately. Your continued use of the Services after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you may terminate your account before the effective date.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. The "Last Updated" date at the top of this page indicates when the policy was last revised. We will maintain an archived version of previous policies for reference.

22. Contact Information

22.1 Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy, ensuring compliance with the Cybersecurity and Data Protection Act, and serving as the point of contact for data subjects and the Data Protection Authority. Our DPO can be contacted directly:

DPO Email: dpo@genesispos.xyz
DPO Phone / WhatsApp: 0787592481 / 0781847609
DPO Address: Attn: Data Protection Officer, Zimre Park, Ruwa, Goromonzi, Zimbabwe

22.2 General Privacy Inquiries

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:

Phone / WhatsApp: 0787592481 / 0781847609
Email: support@genesispos.xyz
Address: Zimre Park, Ruwa, Goromonzi, Zimbabwe
Website: genesiszimbabwe.com
Company Portal: Accessible through your account dashboard for in-platform privacy requests.

We will acknowledge receipt of your privacy-related request within 48 hours and respond substantively within 30 days as required by Zimbabwean law.

22.3 Availability

Our DPO and support team are available during normal business hours (Zimbabwe time, CAT, UTC+2). Urgent privacy matters, including data breach notifications, should be flagged with "URGENT" in the subject line for priority handling.

      📦 Your Trust Matters: We are committed to protecting the data that powers your business. If you ever have concerns about how your information is handled, please reach out to us directly. We are here to help.
    