Last Updated: March 2026

Privacy Policy

Sheba Credit is committed to protecting the privacy and security of your personal and financial data. This policy explains what data we collect, how we use it, and your rights — in compliance with NBE Directive CRB/02/2019 and Ethiopian data protection law.

Section 01

Who We Are

Sheba Credit PLC ("Sheba Credit," "we," "us," or "our") is a financial technology company incorporated in Ethiopia and headquartered in Addis Ababa. We operate a credit information, financial literacy, and open banking platform designed to expand financial access for Ethiopians.

This Privacy Policy applies to all products and services offered by Sheba Credit, including the Sheba Credit Score, Sheba Save, Sheba Agri, Sheba Education, the Open Banking Suite, and the CRaaS B2B API.

Regulatory framework: Sheba Credit processes personal and credit data in accordance with National Bank of Ethiopia Credit Reference Bureau Directive No. CRB/02/2019, the Banking Business Proclamation No. 592/2008, and applicable Ethiopian data protection legislation.

Section 02

Data We Collect

We collect the following categories of personal and financial data:

| Category | Examples | Source |
|---|---|---|
| Identity Data | Full name, date of birth, Fayda Digital ID number, national ID, passport, photograph | You, directly |
| Contact Data | Mobile phone number, email address, physical address | You, directly |
| Financial Data | Bank account details, loan history, repayment records, guarantor relationships, credit applications, outstanding balances | You; participating financial institutions; National Bank of Ethiopia Credit Reference System |
| Mobile Money Data | Telebirr transaction history, mobile wallet inflows and outflows, top-up patterns | You, with consent; Telebirr/Ethio Telecom with your consent |
| Agricultural Data | Cooperative membership, crop yield records, ECX market transactions, input purchase history, seasonal income patterns | You; agricultural cooperatives; ECX; with consent |
| Utility Payment Data | Electricity, water, and telecom payment history | You; EEPCO; AAWSA; with consent |
| Savings Behaviour Data | Deposit frequency, savings consistency, goal achievement, ROSCA/Iqub participation | You; participating MFIs and SACCOs with consent |
| Education Data | Financial literacy module completion, Education Points earned, quiz scores, language preference | You, through Sheba Education platform |
| Open Banking Data | Transaction history, account balances, income patterns — shared by you with consented financial institutions | You; participating banks with your explicit consent |
| Technical Data | Device type, IP address, app version, operating system, session data, crash reports | Automatically, when you use our platform |
| Enquiry Data | Records of which financial institutions have accessed your credit report and when | Generated internally when CRaaS queries are made |

We do not collect or store sensitive personal data such as biometric data, religious beliefs, ethnicity, or political affiliation, except where required by law for identity verification purposes.

Section 03

How We Use Your Data

We use the data we collect for the following purposes:

  • Credit scoring: To generate your Sheba Credit Score using our AI/ML models, incorporating alternative and traditional data sources;
  • Credit reporting: To compile and maintain your credit file and share it with participating financial institutions that query your report through our CRaaS API, solely for lending decision purposes;
  • Agricultural credit profiling: To assess the creditworthiness of farmers and agricultural workers through our Sheba Agri Graph Neural Network model;
  • Financial education: To track your progress through Sheba Education modules and award Education Points that contribute to your credit score;
  • Open banking: To aggregate and present your consented transactional data to you and, with your explicit permission, to participating financial institutions;
  • Identity verification: To verify your identity and prevent fraud, money laundering, and other financial crime;
  • Regulatory compliance: To fulfil our obligations under NBE Directive CRB/02/2019 and any other applicable Ethiopian law, including submitting required reports to the National Bank of Ethiopia;
  • Service improvement: To improve the accuracy of our scoring models, platform features, and user experience — using anonymised and aggregated data where possible;
  • Complaints and disputes: To investigate and resolve complaints about the accuracy of credit information.

We will never sell your data to advertisers; use it to make employment decisions or to discriminate on the basis of ethnicity, religion, gender, or political opinion; or use it for any purpose not listed in this policy without your express consent.

Section 05

Who We Share Your Data With

We share your data only in the circumstances described below. We do not sell your personal data.

  • Participating financial institutions: Banks, MFIs, and capital goods finance companies licensed by the NBE may access your credit report through the CRaaS API — solely for the purpose of making lending decisions or portfolio management reviews, as required by NBE Directive CRB/02/2019 Article 7.12. Institutions are contractually prohibited from using your data for any other purpose;
  • National Bank of Ethiopia: We are legally required to submit credit data to the NBE Credit Reference System and to comply with any regulatory reporting requirements under applicable directives;
  • Data processing partners: Cloud infrastructure providers (e.g., AWS Africa), cybersecurity providers, and software vendors who process data on our behalf under strict data processing agreements and who may not use your data for their own purposes;
  • Identity verification providers: Third-party services used to verify your identity against the Fayda Digital ID system or other national identity records;
  • Law enforcement and courts: Where we are legally compelled to disclose data by a court order, law enforcement authority, or as required by Ethiopian law.

In all cases of data sharing, we ensure that appropriate contractual, technical, and organisational safeguards are in place.

Section 06

Credit Reporting Obligations

As a credit reference platform, Sheba Credit has specific obligations under NBE Directive CRB/02/2019 regarding how your credit information is processed and reported:

  • Accuracy: We are committed to ensuring all credit information we hold is accurate. Where incorrect information has been submitted by a financial institution, we will correct it within 5 working days of the inaccuracy being detected or reported;
  • Completeness: Financial institutions are obligated to submit complete and timely information on all borrowers. We are not liable for inaccuracies arising from data submitted in error by financial institutions, but we will investigate and correct such errors promptly upon notification;
  • Confidentiality: Credit information submitted to Sheba Credit is held in strict confidence and is only accessible to authorised users in line with Article 7.13 of NBE Directive CRB/02/2019;
  • Enquiry records: Every time a financial institution queries your credit report, this is recorded. You can view who has accessed your report through the Sheba Credit app;
  • Defaulter reporting: If you are classified as a defaulter by a participating financial institution, this information will be included in your credit file in accordance with NBE directives and retained for the periods specified in Section 7 of this policy.

Section 07

How Long We Keep Your Data

We retain your data in accordance with mandatory periods under NBE Directive CRB/02/2019 and our legitimate business needs:

| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Positive credit information | Minimum 10 years from date of full loan settlement | NBE CRB/02/2019 Art. 6.1(a) |
| Negative credit information (defaulted loans) | Maximum 7 years from date of full settlement of defaulted loan | NBE CRB/02/2019 Art. 6.1(b) |
| Enquiry records | Minimum 5 years | Audit and compliance |
| Account information | Duration of account + 7 years | Legal obligation |
| Alternative data (mobile money, utility, etc.) | Duration of active account + 3 years | Contractual; legitimate interest |
| Education and literacy data | Duration of active account | Contractual |
| Technical and log data | 12 months | Security; fraud prevention |
| Complaint records | 7 years | Legal obligation |

At the end of the applicable retention period, data will be securely deleted or anonymised in a manner that prevents re-identification.

Section 08

Your Rights

You have the following rights regarding your personal and credit data held by Sheba Credit:

Right to Access

You have the right to access your credit information and a copy of all personal data Sheba Credit holds about you. Borrowers and guarantors may access their credit report free of charge once per 12-month period through the Sheba Credit app.

Right to Correct

If you believe your credit information is inaccurate, you have the right to request a correction. Sheba Credit will investigate and respond within 7 working days. Verified corrections will be made within 5 working days.

Right to Deletion

You may request deletion of data that is no longer required, subject to mandatory retention periods under NBE directives. Data required by law cannot be deleted before the mandatory retention period expires.

Right to Withdraw Consent

You may withdraw consent for alternative data processing at any time. Withdrawal does not affect data already submitted to the Credit Reference System or shared with financial institutions under NBE obligations.

Right to Explanation

You have the right to receive an explanation of the key factors that influenced your Sheba Credit Score, in plain language in Amharic or English, through the Sheba Credit app.

Right to Complain

If you are dissatisfied with how we handle your data, you have the right to complain to Sheba Credit directly and, if unresolved, to escalate to the National Bank of Ethiopia.

To exercise any of these rights, contact us at privacy@shebacredit.com or through the Sheba Credit app. We will respond within 7 working days.

Section 09

Data Security

Sheba Credit implements rigorous technical and organisational measures to protect your data against unauthorised access, loss, destruction, or disclosure. Our security framework includes:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256);
  • Access controls: Data access is restricted to authorised personnel on a strict need-to-know basis. Each financial institution accessing the CRaaS API is assigned unique credentials managed by a designated Security Administrator, in line with Article 7.10 of NBE Directive CRB/02/2019;
  • Audit logging: All system access, credit report queries, and data changes are logged and monitored for anomalies;
  • Security infrastructure: Our cloud infrastructure is hosted in compliant, ISO 27001-certified environments with multi-region redundancy;
  • Penetration testing: We conduct regular third-party security audits and penetration tests;
  • Data minimisation: We collect only the data necessary for the specific purposes described in this policy;
  • Incident response: We maintain a documented incident response plan. In the event of a data breach that affects your rights and freedoms, we will notify affected users and the relevant regulatory authority as required by Ethiopian law.

If you discover or suspect a security vulnerability in the Sheba Credit platform, please contact us immediately at security@shebacredit.com.

Section 10

Cookies & Analytics

The Sheba Credit website (shebacredit.com) uses cookies and similar technologies to improve your browsing experience and understand how our platform is used.

  • Essential cookies: Required for the website to function, including session management and security tokens. These cannot be disabled;
  • Analytics cookies: Used to understand page views, user journeys, and performance metrics. We use privacy-respecting analytics tools and do not share this data with advertising networks;
  • Preference cookies: Remember your language preference and display settings.

You may manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect your ability to use the core Sheba Credit platform.

The Sheba Credit mobile app does not use third-party advertising cookies or tracking SDKs.

Section 11

Children's Privacy

The Sheba Credit platform is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child has registered on our platform, please contact us at privacy@shebacredit.com and we will promptly delete the relevant data.

Section 12

Cross-Border Data Transfers

Your data is primarily processed and stored within Ethiopia. Where we use cloud infrastructure or third-party service providers that may process data outside Ethiopia, we ensure that appropriate safeguards are in place, including:

  • Data processing agreements that bind third parties to confidentiality and security obligations equivalent to those required by Ethiopian law;
  • Use of cloud regions that offer data residency options within or near Ethiopia where technically feasible;
  • Strict prohibition on third-party processors using your data for any purpose other than providing services to Sheba Credit.

Credit information subject to the NBE Directive CRB/02/2019 is not transferred outside Ethiopia without explicit regulatory approval.

Section 13

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, applicable law, or regulatory requirements from the National Bank of Ethiopia. Where changes are material, we will notify you through the Sheba Credit app and by email at least 14 days before the changes take effect.

The date of the most recent revision is shown at the top of this policy. Continued use of the platform after any revision constitutes your acceptance of the updated policy.

Section 14

Contact Us

For any privacy-related questions, data access requests, or complaints, please contact our Data Protection Officer:

  • Email: privacy@shebacredit.com
  • Security issues: security@shebacredit.com
  • Disputes: disputes@shebacredit.com
  • Address: Data Protection Officer, Sheba Credit PLC, Addis Ababa, Ethiopia
  • Website: shebacredit.com/contact

We aim to respond to all privacy enquiries within 7 working days. For complaints that remain unresolved, you may escalate to the National Bank of Ethiopia, Addis Ababa.

This Privacy Policy was last updated in March 2026.