Legal · Privacy · Effective 01 June 2026

Data policy.

How MIHZI Ltd collects, processes, protects, and returns personal data, across the models we build, the platforms we run, and the engagements we deliver for banks, insurers, and telecoms. Written to be read, not just filed.

ControllerMIHZI Ltd
JurisdictionRwanda
LawLaw N° 058/2021
Contactinfo@mihzi.com
§ 01 · Scope

Who this covers, and who it doesn't.

This policy applies to personal data MIHZI Ltd ("MIHZI", "we") handles when we provide decision-intelligence services (models, SDKs, APIs, and analyst consoles) and when we operate the secure data platform underneath them.

It covers data about our clients' end-customers that we process on a client's behalf, data about our own business contacts, and data from visitors to our systems. It does not govern how our clients independently use the outputs we deliver to them. That sits under their own policies and our contract.

§ 02 · Our two roles

We wear two hats, and we're registered for both.

Under Rwanda's data-protection law, the same organisation can act as a data controller (deciding why and how data is processed) and a data processor (processing on instruction from another controller). MIHZI is registered in both capacities, and we tell you which hat we're wearing for any given dataset.

Registered
Data Controller
Issued by NCSA · Rwanda
Year 2026
Registered
Data Processor
Issued by NCSA · Rwanda
Year 2026
  • As processor, when we run models or pipelines over a client's customer data, the client is the controller. We act only on documented instructions, under a Data Processing Agreement (DPA).
  • As controller, for our own business operations: prospect and client contacts, recruitment, billing, and security telemetry from our own systems.
§ 03 · What we process

The categories of data we touch.

We are data-minimal by design: we process only what a given purpose requires, and we pseudonymise at ingest wherever a model doesn't need identity.

  • Behavioural & interaction data: session signals, device and channel metadata, timing and navigation patterns (the inputs behind TIA trust scores).
  • Transactional & operational data: payments, claims, account, and usage records supplied by clients for risk, fraud, and segmentation work.
  • Identity data: names and identifiers, only where a use case genuinely requires re-identification, and gated behind contractual review.
  • Business-contact data: names, work emails, and roles of people at client and prospect organisations.

We do not seek out special-category data (health, biometrics, beliefs) unless a specific, lawful, contracted use case requires it, with additional safeguards.

§ 04 · Purposes & legal basis

Why we process, and on what footing.

Service delivery
Running models, agents, and consoles for a client. Basis: performance of contract (processor, on the client's lawful basis).
Model development
Building and validating models on pseudonymised data. Basis: legitimate interests / contract, with anonymisation where feasible.
Fraud & security
Detecting anomalies and protecting systems. Basis: legitimate interests and legal obligation.
Business operations
Contact, billing, recruitment. Basis: contract, legitimate interests, or consent as applicable.
§ 05 · Retention

We keep data for as long as the work needs it, then return or destroy it.

Processor data is retained for the term of the engagement and the period set in the DPA, after which it is returned or securely destroyed on the client's instruction. Controller data we hold only while there is a lawful purpose, then delete on a scheduled cycle. Security and audit logs are kept for a defined window to support investigations and attestations.

§ 06 · Security

The controls are encoded in the system, not the policy doc.

Encryption in transit (TLS 1.3) and at rest (AES-256), role-based access with attribute scopes, tamper-evident audit logging, and in-country residency where regulation requires it. The full stance, and how we handle incidents, lives on our posture page.

§ 07 · Sub-processors

Who else touches the data.

Where we use sub-processors (cloud hosting, infrastructure), they are bound by contract to equivalent obligations, disclosed to clients, and subject to change-notice and objection rights under the DPA. A current sub-processor list is available to clients on request.

§ 08 · International transfers

In-country where it matters.

Our default topology keeps workloads on a regional cloud footprint, and we deploy in-country where a client's regulation requires data residency. Any cross-border transfer is made only with an appropriate lawful transfer mechanism in place.

§ 09 · Your rights

Access, correction, erasure, objection.

Data subjects have rights to access, rectify, erase, restrict, and object to processing of their personal data, and to lodge a complaint with the supervisory authority. Where we act as processor, we route requests to the relevant client-controller and support them in responding. Where we are controller, contact us directly at info@mihzi.com.

§ 10 · Changes & contact

When this changes, and how to reach us.

We update this policy as our services and the law evolve; material changes are dated at the top and, for clients, notified under contract. Questions, requests, or concerns go to our Data Protection contact:

  • Email: info@mihzi.com
  • Post: MIHZI Ltd, Kigali, Rwanda
  • Supervisory authority: National Cyber Security Authority (NCSA), Rwanda

This policy is published in English and Kinyarwanda. If the two versions differ, the English version prevails.