You repaid your mobile loan. The balance is zero, the app shows no outstanding amount, and you thought that was the end of it. But here is what most borrowers do not realise: repaying a loan does not automatically delete the data that a loan app collected about you. Your M-Pesa history, contact list, location records, SMS data, and spending patterns may still be sitting on a lender's servers — potentially for years.

Kenya's Data Protection Act 2019 gives you the right to change that. This guide walks you through exactly how to exercise your right to data erasure after clearing a mobile loan.

What Data Do Loan Apps Actually Collect?

Before you can request deletion, it helps to understand what you may be asking them to delete. Depending on the permissions you granted when you installed the app, a loan provider may have collected:

  • Your full name, national ID number, and date of birth
  • Your phone number and M-Pesa transaction history
  • Your entire contact list (including names and numbers)
  • Your SMS records (some apps read SMS to verify M-Pesa transactions)
  • Your device location history
  • Your app usage patterns and browsing history (on some apps)
  • Photos or selfies used for identity verification
  • Your loan application history and repayment behaviour

Some of this data has a legitimate retention purpose — for example, keeping records of your repayment history may be required by financial regulation. But much of it — particularly your contacts, location, and SMS data — has no reason to remain stored after you have repaid and closed your account.

Your Rights Under the Data Protection Act 2019

Kenya's Data Protection Act gives you, as a data subject, a set of enforceable rights:

  • Right of access: You can request a copy of all personal data a company holds about you
  • Right to erasure: You can request that your data be deleted when it is no longer needed for the purpose it was collected, or when you withdraw your consent
  • Right to rectification: You can request correction of inaccurate data
  • Right to object: You can object to processing of your data for certain purposes, including marketing

The right to erasure — sometimes called the "right to be forgotten" — is the most relevant after repaying a loan. The company must respond to your request within 21 days. If they refuse, they must give reasons. If those reasons are unsatisfactory, you can escalate to the Office of the Data Protection Commissioner (ODPC).

Need cash fast? Apply on SwiftCash — borrow KES 1,000–40,000, disbursed to M-Pesa in under 2 minutes.

Step-by-Step: How to Request Data Deletion

Step 1: Find the lender's data protection contact

CBK-licensed lenders are required to have a Data Protection Officer (DPO). Look in the app's privacy policy or settings for a contact email or address labelled "Data Protection Officer" or "Privacy." If this is not visible in the app, check the company's website.

Step 2: Send a formal data erasure request

Write a clear, dated letter or email. You do not need a lawyer to do this — a short message works fine. Include:

  • Your full name as registered on the app
  • Your phone number used on the app
  • Your national ID number (for identity verification)
  • A clear statement that you are exercising your right to erasure under the Data Protection Act 2019
  • A request for confirmation that the deletion has been completed

Step 3: Revoke app permissions immediately

Before or alongside your deletion request, go to your phone's settings and revoke all permissions from the loan app. On Android:

  1. Settings → Apps → [App name] → Permissions
  2. Revoke Contacts, Location, SMS, Camera, and Storage

This prevents the app from collecting further data while your deletion request is being processed.

Step 4: Uninstall the app

Uninstalling does not delete data from the company's servers, but it prevents any further local data collection and removes the app from your device.

Step 5: Wait for confirmation

The company has 21 days to respond. Keep a record of when you sent your request. If you receive no response within 21 days, that is itself a violation of the Data Protection Act and grounds for complaint.

What If the Lender Refuses or Ignores You?

If a licensed lender refuses your deletion request without satisfactory reasons, or simply ignores you, your next step is a complaint to the Office of the Data Protection Commissioner.

The ODPC accepts complaints at odpc.go.ke. You can file online. Include your correspondence with the lender, the date of your request, and the (lack of) response you received. The ODPC has the power to investigate, compel compliance, and issue fines to non-compliant data controllers.

For CBK-licensed lenders, you can additionally raise the matter with the CBK's consumer protection division, which has oversight over the conduct of licensed digital credit providers.

What Lenders Are Legally Allowed to Keep

Not all your data can be deleted on request. Lenders have legitimate grounds to retain certain information:

  • Financial records: Loan agreements, repayment records, and transaction histories may need to be retained for 7 years under Kenya's tax and financial regulation requirements
  • CRB data: Positive repayment history submitted to credit bureaus remains in the CRB system for a set period — this is generally a benefit to you, not a harm
  • Anti-fraud records: Limited identity data may be retained to prevent the same person from defrauding the lender repeatedly

The key distinction is between data that has a legitimate, proportionate retention purpose and data — like your full contact list or location history — that has no ongoing justification once your loan is closed.

Choosing a Lender That Respects Your Data from the Start

The simplest way to protect your data is to start with a lender that does not over-collect it. A loan app that requests contact access, SMS access, and location as a condition of lending is one you will be fighting to delete data from later.

SwiftCash does not require contact list access. The lending decision is based on financial data, not on your personal relationships or browsing habits. When your loan is repaid, there is no sprawling personal dataset to worry about — just the transaction record required for legal compliance. That is the kind of lender relationship that respects your privacy both during and after borrowing.

A Note on Unlicensed Apps

If you borrowed from an app that is not CBK-licensed, the Data Protection Act still applies — the ODPC has jurisdiction over all data processors operating in Kenya regardless of their licence status. However, enforcement against unlicensed operators, especially those based abroad, is more difficult. Document your request carefully, report to the ODPC, and accept that full deletion may not be achievable from offshore servers. The most powerful protection in this case is not to use these apps in the first place.