Every time you download a loan app and tap "Allow," you make a decision about your personal data. In Kenya, where mobile lending has grown into a multi-billion-shilling industry, that decision matters more than many borrowers realise. Stories of loan apps accessing contact lists and calling borrowers' relatives, employers, and even deceased family members to demand repayment became so common that the government was forced to intervene.

Today, Kenya has a legal framework — the Data Protection Act of 2019 and the CBK Digital Credit Provider licensing regime — that governs what data lenders can access. But knowing your rights is only useful if you understand them. This article explains exactly what personal data mobile lenders in Kenya can legitimately access, what they are prohibited from doing, and how to spot apps that are overstepping the boundary.

Platforms like SwiftCash operate within Kenya's data protection framework, collecting only what is necessary to provide credit services. Here is how to tell the difference between a privacy-respecting lender and one that treats your data as a product.

What Data Do Mobile Lenders Legitimately Need?

To assess your creditworthiness and process a loan, a digital lender needs a specific and limited set of information. Here is what is genuinely necessary:

Identity Verification Data

  • Your national ID number
  • Your full name (as on the ID)
  • Your date of birth
  • Potentially a photo of your ID document
  • Sometimes a selfie for biometric matching

This information is needed to confirm you are who you say you are and to check your identity against credit bureau and regulatory databases.

Contact Information

  • Your mobile phone number (the same as your M-Pesa number)
  • Optionally, an email address for communication

Note: your mobile number is the loan disbursement and repayment channel, so it is clearly necessary. However, the lender does not need access to your full contact list to obtain this information — you provide it directly when registering.

M-Pesa Transaction History

Many mobile lenders request permission to access your M-Pesa statement via API or USSD authorisation. This allows them to see your recent transaction history — how much you regularly receive, how much you spend, and how you manage your money. This is a legitimate input into credit assessment.

Importantly, this should be a read-only, time-limited access — not an ongoing tap into your financial data. Read the lender's terms to understand exactly what data they retrieve, how far back they look, and how long they store it.

Device Information

Many apps collect basic device information — phone model, operating system version, and sometimes a device identifier. This is used for fraud detection (identifying unusual patterns like a single device being used for multiple identities) and for app functionality purposes. It is generally a low-risk data collection.

Need quick cash? Apply on SwiftCash — get up to KES 40,000 in your M-Pesa in minutes.

What Data Lenders Are NOT Allowed to Collect (Without Justification)

Kenya's Data Protection Act establishes the principle of data minimisation: organisations must collect only the personal data that is necessary for the specific purpose for which it is being collected. Applied to lending, this means:

Your Contact List

Access to your full phone contact list is not necessary for credit assessment. A lender does not need to know the names and phone numbers of your friends, family, and colleagues in order to decide whether to lend you KES 10,000. The only legitimate reason a lender might request an "emergency contact" is to have an alternative way to reach you — and even then, they need only one contact, not your entire address book.

Apps that request full access to your contacts — and especially those that say they will contact your friends and family if you default — are operating in violation of the Data Protection Act. This practice is explicitly prohibited.

Your Photos and Videos

Access to your camera roll or media library is not necessary for lending. The only image-related permission a lender legitimately needs is camera access for the selfie/ID verification process — and this should be a single, in-app capture, not ongoing access to your photo library.

Call Logs and SMS Content

Some apps historically accessed call logs and SMS history as proxies for social stability. While this data can be predictive, it is highly personal and goes well beyond what is needed for standard credit assessment. Under the Data Protection Act, collecting this data requires explicit, informed consent and a clear justification.

Location Data (Continuous)

A one-time location check at registration might be used to confirm you are based in Kenya. But continuous, background location tracking is not justified for a lending app. If an app requests "always on" location access, that is a red flag.

Understanding App Permissions: What to Check Before Installing

Before installing any loan app, review the permissions it requests in the Google Play Store (under "App Permissions" on the app's listing page). Here is how to interpret common permissions:

  • Camera: Expected for ID verification selfies — acceptable
  • Phone/Call logs: Not necessary for lending — proceed with caution
  • Contacts: Not necessary — significant red flag
  • Storage/Media: Only needed if the app requires document upload — evaluate carefully
  • Location: Limited/one-time is acceptable; "always" is not
  • SMS: Some lenders use this to read OTP messages automatically — this is common and generally acceptable, but should be limited to OTP reading, not full SMS access

Your Rights Under the Data Protection Act

Kenya's Data Protection Act gives you specific rights over your personal data:

  • Right to access: You can request a copy of all the personal data a lender holds about you
  • Right to correction: You can ask for inaccurate data to be corrected
  • Right to deletion: After you repay your loan and have no ongoing relationship with a lender, you can request that your personal data be deleted (subject to any legal retention requirements)
  • Right to object: You can object to certain uses of your data, including direct marketing
  • Right to complain: If a lender violates your data rights, you can report them to the Office of the Data Protection Commissioner (ODPC)

The ODPC has the power to investigate complaints, impose fines, and order lenders to change their data practices. It is a real enforcement body, not just a complaints box.

How to Delete Your Data After Repaying

Once you have repaid your loan and have no further relationship with a lender, you have the right to request data deletion. Most legitimate lenders have a process for this, typically available in the app settings or via customer service. Some data — such as transaction records — may be retained for regulatory purposes even after you close your account, but the lender should explain what they retain and for how long.

If you find that a lender is unable or unwilling to delete your data after a reasonable request, this is a reportable violation under the Data Protection Act.

Choosing a Privacy-Respecting Lender

The clearest signal of a privacy-respecting lender is a published, readable privacy policy that explains specifically what data is collected, why it is collected, how long it is retained, and what your rights are. Vague privacy policies full of broad disclaimers are a warning sign.

SwiftCash is committed to collecting only the data necessary to provide our lending service and treating all customer information with full respect for Kenya's Data Protection Act. We disburse loans of KES 1,000 to KES 40,000 to your M-Pesa in under two minutes — no unnecessary data collection, no contact shaming, and no hidden charges. Apply on SwiftCash with confidence that your privacy is protected every step of the way.