Privacy Policy

Last Updated: March 3, 2026

1. Introduction

Goliath Financials ("we," "us," "our," or the "Company") is a financial data and analytics platform focused on the Lusaka Stock Exchange ("LuSE") and the Zambian securities market. We are committed to protecting your personal data and respecting your privacy in accordance with the Data Protection Act No. 3 of 2021 of the Republic of Zambia (the "Data Protection Act"), and other applicable data protection laws.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you access or use our website at www.goliathfinancials.com, our mobile applications, and any related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you should discontinue use of the Service immediately.

2. Data Controller

For the purposes of the Data Protection Act and this Privacy Policy, the data controller responsible for your personal data is:

Goliath Financials

Lusaka, Zambia

Email: privacy@goliathfinancials.com

3. Information We Collect

We collect information in several ways depending on how you interact with our Service.

3.1 Information You Provide Directly

When you register for an account, update your profile, subscribe to a plan, or contact us, you may provide us with:

  • Account Registration Data: First name, last name, email address, username, and password
  • Profile Information: Date of birth, phone number, profile picture, bio, and investment preferences
  • Payment Information: Payment method selected (Airtel Money, MTN MoMo, Bank Transfer, or Bank Deposit), transaction reference numbers, and billing cycle preference. We do not store your mobile money PINs or bank account credentials.
  • Portfolio Data: Ticker symbols, share quantities, buy prices, and transaction dates you enter into the portfolio tracker
  • Communications: Feedback submissions, support inquiries, and any other correspondence you send us
  • Preferences: Theme settings (light/dark mode), notification preferences, and display preferences

3.2 Information Collected Automatically

When you access or use the Service, we may automatically collect:

  • Device Information: IP address, browser type and version, operating system, device type, screen resolution, and unique device identifiers
  • Usage Data: Pages visited, features used, time spent on pages, click patterns, search queries, referring URLs, and navigation paths
  • Log Data: Server logs including access times, error logs, and API request data
  • Location Data: Approximate geographic location derived from your IP address (we do not collect precise GPS location)

3.3 Information from Third Parties

We may receive information from third-party services if you choose to sign in using a third-party authentication provider (such as Google). The information received depends on that provider's policies and your settings with them, but typically includes your name, email address, and profile picture.

4. Legal Basis for Processing

In accordance with the Data Protection Act and applicable data protection principles, we process your personal data on the following legal bases:

  • Performance of a Contract: Processing necessary to provide you with the Service, manage your account, process subscriptions, and deliver the features you have requested
  • Consent: Where you have given clear consent for us to process your personal data for specific purposes, such as sending marketing communications or enabling optional analytics
  • Legitimate Interests: Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, ensuring security, and conducting internal analytics, provided these interests are not overridden by your rights and freedoms
  • Legal Obligation: Processing necessary to comply with our legal obligations under Zambian law, including tax, regulatory, and law enforcement requirements

5. How We Use Your Information

We use the information we collect for the following purposes:

5.1 Service Delivery and Operations

  • To create, maintain, and secure your user account
  • To provide you with access to stock market data, company profiles, financial statements, and analytics
  • To enable portfolio tracking, including recording your trades and computing portfolio metrics
  • To process subscription payments and manage your billing cycle
  • To send transactional emails, including email verification, password resets, payment confirmations, and subscription status notifications
  • To deliver in-app notifications about your portfolio, market updates, and account activity

5.2 Service Improvement and Analytics

  • To understand how users interact with the Service and identify areas for improvement
  • To monitor and analyse usage trends, traffic patterns, and feature adoption
  • To conduct internal research and development to enhance platform functionality
  • To troubleshoot bugs, errors, and technical issues

5.3 Security and Fraud Prevention

  • To detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activity
  • To enforce our Terms of Service and protect the rights, property, and safety of our users and the public
  • To monitor for unauthorised access or misuse of the Service

5.4 Communications

  • To respond to your feedback, questions, and support requests
  • To send service-related announcements (e.g. maintenance windows, policy changes, new features)
  • To send marketing and promotional communications where you have opted in to receive them (you may opt out at any time)

5.5 Legal Compliance

  • To comply with applicable laws, regulations, and legal processes
  • To respond to lawful requests from public authorities, including law enforcement and regulatory agencies

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following limited circumstances:

6.1 Service Providers

We engage trusted third-party companies and individuals to perform services on our behalf, including but not limited to:

  • Email Delivery: We use Resend to send transactional and notification emails on our behalf
  • Hosting and Infrastructure: Our Service is hosted on cloud infrastructure providers that store and process data on our behalf
  • Analytics: We may use analytics providers to help us understand Service usage

These service providers are contractually obligated to use your personal data only as necessary to provide services to us and in accordance with this Privacy Policy.

6.2 Legal Requirements

We may disclose your personal data if required to do so by law, or if we believe in good faith that such disclosure is necessary to:

  • Comply with a legal obligation, court order, or lawful government request
  • Protect and defend the rights or property of Goliath Financials
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public

6.3 Business Transfers

In the event that Goliath Financials undergoes a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of its assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or use of your personal data, as well as any choices you may have regarding your data.

6.4 With Your Consent

We may share your personal information for purposes not described in this Privacy Policy with your explicit consent.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our Service, and to provide you with a personalised experience.

7.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for the Service to function, including authentication tokens, session management, and security cookies. These cannot be disabled.
  • Functional Cookies: Remember your preferences and settings, such as your chosen theme (light or dark mode), language, and display preferences
  • Analytics Cookies: Help us understand how visitors interact with the Service by collecting and reporting information anonymously, including page views, session duration, and feature usage

7.2 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all cookies or to indicate when a cookie is being set. However, disabling cookies may affect the functionality of the Service, particularly authentication and personalisation features.

8. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security). Passwords are hashed using industry-standard algorithms and are never stored in plain text.
  • Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls enforced across our systems
  • Infrastructure Security: Our hosting infrastructure employs firewalls, intrusion detection systems, and regular security patches
  • Regular Audits: We conduct periodic security reviews and vulnerability assessments to identify and address potential risks
  • Incident Response: We maintain an incident response plan to promptly address any data breach or security incident, including notification procedures as required by the Data Protection Act

While we employ commercially reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you use the Service at your own risk.

9. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

  • Account Data: Retained for the duration of your account. If you request account deletion, we will delete or anonymise your personal data within 30 days, except where we are legally required to retain it.
  • Transaction and Payment Records: Retained for a minimum period as required by applicable Zambian tax and financial regulations (typically 6 years)
  • Usage and Log Data: Retained for up to 12 months for analytics and security purposes, after which it is aggregated or deleted
  • Communications: Feedback and support correspondence is retained for up to 24 months unless deletion is requested

When personal data is no longer required, we will securely delete or anonymise it so that it can no longer be associated with you.

10. International Data Transfers

Goliath Financials is based in Zambia. However, our Service may utilise servers and service providers located in other countries. If your personal data is transferred outside of Zambia, we will ensure that appropriate safeguards are in place to protect your data in accordance with the Data Protection Act, including:

  • Ensuring the recipient country provides an adequate level of data protection
  • Using contractual clauses that require the recipient to protect your data to the standards required by Zambian law
  • Obtaining your explicit consent where required

11. Your Rights

Under the Data Protection Act and applicable data protection laws, you have the following rights regarding your personal data:

  • Right of Access: You have the right to request a copy of the personal data we hold about you, along with information about how it is being processed
  • Right to Rectification: You have the right to request correction of any inaccurate or incomplete personal data. You can update most of your information directly through your account settings.
  • Right to Erasure: You have the right to request deletion of your personal data where there is no compelling reason for its continued processing. This is subject to any legal obligations we may have to retain certain data.
  • Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data
  • Right to Data Portability: You have the right to request your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller
  • Right to Object: You have the right to object to the processing of your personal data where we are relying on legitimate interests as the legal basis, or where data is being processed for direct marketing purposes
  • Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the Zambia Data Protection Commissioner if you believe that your data protection rights have been violated

To exercise any of these rights, please contact us at privacy@goliathfinancials.com. We will respond to your request within 30 days. We may request additional information from you to verify your identity before processing your request.

12. Third-Party Links and Services

Our Service may contain links to third-party websites, services, or applications that are not operated by us. This includes links to company websites displayed on stock profile pages and external authentication providers.

We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We strongly encourage you to review the privacy policy of every site you visit. This Privacy Policy applies solely to information collected by our Service.

13. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under the age of 18. If you are a parent or guardian and you become aware that your child has provided us with personal data, please contact us at privacy@goliathfinancials.com.

If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information from our servers promptly.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Post a notice on our Service or send you an email notification if the changes are significant
  • Where required by law, obtain your consent before applying the changes

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any modifications indicates your acceptance of the updated policy. If you do not agree with the revised Privacy Policy, you should stop using the Service and may request deletion of your account.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Inquiries

Email: privacy@goliathfinancials.com

General Support

Email: support@goliathfinancials.com

Mailing Address

Goliath Financials
Lusaka, Zambia
