Privacy Policy
Last updated: February 28, 2026
1. Introduction
Sakura Group ("we", "us", or "our") is a Tanzania-based Communications Platform as a Service (CPaaS) provider operating under the brand Sakura SMS. We are committed to protecting your privacy and handling your personal data responsibly.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, APIs, website, dashboard, and related services (collectively, the "Service"). It applies to all users of the Service, including developers, business account holders, and end users who receive messages sent through our platform.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this policy, please do not access or use the Service.
2. Information We Collect
2.1 Personal Data You Provide
When you create an account or use our Service, you may provide us with:
- Account information: Full name, email address, phone number, company name, and billing address.
- Payment information: Mobile money account details, bank account information, or other payment credentials required to process transactions.
- Identity verification: Government-issued ID, business registration documents, or other documents required for Sender ID registration and TCRA compliance.
- Communication preferences: Your preferred language, notification settings, and marketing opt-in choices.
2.2 Message Content
When you use our messaging APIs, we process the content of messages you send and receive through the platform. This may include text, media files, and metadata associated with each message. Message content is processed solely for the purpose of delivering your communications and is handled in accordance with Section 6 (Data Retention) of this policy.
2.3 Usage Data
We automatically collect information about how you interact with our Service, including:
- API usage: Request logs, response codes, message delivery status, and throughput metrics.
- Dashboard activity: Pages visited, features used, and actions taken within your account.
- Performance data: Latency measurements, error rates, and system health metrics.
2.4 Device and Technical Information
When you access our website or dashboard, we may collect:
- IP address and approximate geographic location
- Browser type, version, and language settings
- Operating system and device type
- Referring URL and pages visited
- Session duration and interaction patterns
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Delivery
- Processing and delivering messages across SMS, WhatsApp, and other channels
- Providing delivery receipts and status reports
- Managing your account, API keys, and Sender IDs
- Processing payments and maintaining billing records
3.2 Security and Fraud Prevention
- Detecting and preventing unauthorized access, spam, and abuse
- Monitoring for fraudulent activity and policy violations
- Enforcing our Terms of Service and Acceptable Use Policy
3.3 Analytics and Improvement
- Analyzing usage patterns to improve platform performance and reliability
- Developing new features and services based on aggregate usage data
- Generating anonymized, aggregate statistics about platform usage
3.4 Compliance
- Meeting obligations under the Tanzania Data Protection Act 2022
- Complying with TCRA regulations for telecommunications services
- Responding to lawful requests from government authorities
3.5 Communication
- Sending service-related notifications (maintenance windows, policy updates, security alerts)
- Providing technical support and responding to your inquiries
- Sending marketing communications where you have opted in
4. Data Sharing
We do not sell your personal data. We may share your information with the following categories of third parties only as necessary to provide and improve the Service:
4.1 Mobile Network Operators (MNOs)
To deliver SMS messages, we share recipient phone numbers and message content with Tanzanian MNOs including Vodacom, Tigo (MIC Tanzania), Airtel, and Halotel. This sharing is essential for message delivery and is governed by our interconnection agreements with each operator.
4.2 Payment Processors
We share billing information with payment service providers to process your transactions securely. This includes mobile money operators (M-Pesa, Tigo Pesa, Airtel Money) and bank payment gateways.
4.3 Legal Requirements
We may disclose your information when required to:
- Comply with applicable law, regulation, or legal process
- Respond to lawful requests from public authorities, including TCRA and law enforcement
- Protect the rights, property, or safety of Sakura Group, our users, or the public
- Enforce our Terms of Service
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
5. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.
- Account data: Retained for the duration of your account and for 12 months after account closure to support any outstanding obligations.
- Message content: Retained for 30 days after delivery for support and troubleshooting purposes, then permanently deleted.
- Message metadata: Delivery receipts, timestamps, and routing information are retained for 12 months for analytics and compliance.
- API logs: Retained for 90 days for debugging and security monitoring.
- Billing records: Retained for 7 years as required by Tanzanian tax regulations.
You may request deletion of your data at any time by contacting us at [email protected]. We will process deletion requests within 30 days, subject to any legal retention obligations.
6. Your Rights
Under the Tanzania Data Protection Act 2022 and, where applicable, the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request that we correct any inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data, subject to legal retention requirements.
- Right to data portability: You may request a copy of your data in a structured, commonly used, machine-readable format.
- Right to object: You may object to the processing of your personal data for direct marketing purposes.
- Right to restrict processing: You may request that we limit the processing of your data in certain circumstances.
- Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.
7. Tanzania Data Protection Act 2022
As a Tanzanian entity, Sakura Group is subject to the Personal Data Protection Act, 2022 (the "Act"). We are committed to full compliance with the Act and its implementing regulations.
Under the Act, we operate as both a data controller and a data processor:
- Data controller: For personal data of our account holders, we determine the purposes and means of processing.
- Data processor: For message content and recipient data provided by our customers, we process data on behalf of and under the instructions of our customers.
Our compliance measures include:
- Registering with the Personal Data Protection Commission as required by Part III of the Act
- Appointing a Data Protection Officer responsible for overseeing compliance
- Conducting Data Protection Impact Assessments for high-risk processing activities
- Implementing appropriate technical and organizational measures to protect personal data
- Maintaining records of all processing activities as required under Section 19 of the Act
- Reporting data breaches to the Commission and affected individuals within 72 hours
8. GDPR Compliance
For users located in the European Economic Area (EEA), the United Kingdom, or Switzerland, or where our customers use the Service to process personal data of individuals in those regions, we comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Legal Basis for Processing
We process personal data under the following legal bases:
- Contract performance: Processing necessary to provide the Service under our Terms of Service.
- Legitimate interests: Processing necessary for fraud prevention, security, and platform improvement, where such interests are not overridden by your rights.
- Legal obligation: Processing required to comply with applicable laws and regulations.
- Consent: Processing based on your explicit consent, such as marketing communications.
International Data Transfers
Our primary infrastructure is located in East Africa. Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.
Data Protection Officer
You may contact our Data Protection Officer regarding any GDPR-related inquiries at [email protected].
10. Security
We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256.
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. We use role-based access controls and multi-factor authentication.
- Monitoring: We continuously monitor our systems for security threats, unauthorized access attempts, and anomalous activity.
- Incident response: We maintain a documented incident response plan and will notify affected users and relevant authorities within 72 hours of discovering a data breach.
- Regular audits: We conduct periodic security assessments and vulnerability testing to identify and address potential risks.
While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to maintaining the highest practical standards.
11. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at [email protected] so that we can take appropriate action.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Send a notification to the email address associated with your account
- Display a prominent notice on our website or dashboard
We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: