PREAMBLE
Epargix ("we", "the Provider", "the Platform") is committed to protecting the privacy and personal data of its users ("you", "the Member"). This policy explains how we collect, use, share and protect your data in the course of providing digital tontine and community savings management services accessible at https://www.epargix.com and its associated application.
It is drafted in compliance with:
- Cameroonian Law No. 2010/012 of 21 December 2010 on cybersecurity and the protection of personal data;
- CEMAC Regulation No. 04/18/CEMAC-UMAC-COBAC on payment services;
- applicable OHADA Uniform Acts;
- the Standard Contractual Clauses recognised internationally for transfers outside the CEMAC zone.
1. IDENTITY OF THE DATA CONTROLLER
1.1 Corporate name: Epargix SAS
1.2 Legal form: Société par Actions Simplifiée (SAS)
1.3 Registered office: Douala, Cameroon (exact address to be published)
1.4 Trade Register (RCCM): to be published
1.5 Taxpayer ID (NIU): to be published
1.6 Data Protection Officer (DPO): privacy@epargix.com
2. SCOPE
This policy applies to all data processed in the course of using Epargix services: account creation, account management, contributions, loans, welfare, group governance, and related communications.
3. DATA COLLECTED
We collect the following categories of data:
3.1 Identification data: first name, last name, date and place of birth, photograph, National ID number (CNI), Unique Taxpayer Number (NIU).
3.2 Contact details: email address, phone number(s), postal address.
3.3 Financial and transactional data: Mobile Money numbers, bank references (IBAN), contribution history, loans, guarantees, wallet (DDW) movements, Trust Score.
3.4 Behavioural data: payment punctuality, claim history, computed trust score (Trust Score 0–1000), participation in governance.
3.5 Technical data: IP address, device type, browser, operating system, connection logs, approximate geolocation (country/city).
3.6 KYC documents: uploaded supporting documents (scanned ID card, proof of address, proof of income where applicable).
3.7 Communications: messages exchanged with support, content of notifications, governance vote responses.
4. PURPOSES AND LEGAL BASES
Each processing activity rests on a specific legal basis:
- Account management and service performance. Basis: performance of the contract (accepted Terms of Service).
- Trust Score calculation and eligibility for in-platform services. Basis: performance of the contract; legitimate interest of the community.
- KYC / Anti-Money Laundering and Counter-Terrorism Financing compliance. Basis: legal obligation (CEMAC Regulation, Cameroonian Law 2003/004 on combating money laundering).
- Security, fraud detection, audit of operations. Basis: legitimate interest.
- Service notifications (reminders, alerts, confirmations). Basis: performance of the contract.
- Marketing communications and product news. Basis: explicit and revocable consent.
5. SUB-PROCESSORS AND RECIPIENTS
To deliver the service, we rely on the following sub-processors, bound by contract (Data Processing Agreement) and subject to equivalent confidentiality and security obligations:
- Supabase Inc. (United States): database hosting and authentication service.
- Vercel Inc. (United States): web application hosting and CDN.
- Resend / Postmark (United States): transactional email delivery.
- Twilio / local SMS operators: SMS and push notification delivery.
- Mobile Money operators (MTN MoMo, Orange Money, Wave, Express Union): execution of inbound and outbound payments.
- Partner banks: wire transfers and currency conversions where applicable.
No personal data is sold or shared for commercial purposes with third parties not listed above.
Within the Platform, your Trust Score and punctuality history may be viewed by the other Groups (Tenants) you belong to, in accordance with the principle of cross-group score portability accepted upon registration.
6. TRANSFERS OUTSIDE THE CEMAC ZONE
Certain data is transferred to the United States or the European Union (Supabase, Vercel, email/SMS providers). These transfers are governed by:
- the Standard Contractual Clauses adopted by the European Commission;
- our sub-processors' security certifications (SOC 2 Type II, ISO 27001 as applicable);
- the explicit protection commitments included in each Data Processing Agreement.
A copy of the applicable safeguards may be obtained on request from the DPO at privacy@epargix.com.
7. RETENTION PERIODS
- Active account data: for the entire duration of the contractual relationship.
- Financial data and transaction history: 10 years from the last transaction (OHADA / COBAC obligation).
- KYC documents (ID card, supporting documents): 5 years from account closure (CEMAC AML obligation).
- Connection logs and technical logs: 12 rolling months.
- Data used for marketing: until consent is withdrawn, and at most 3 years after the last active contact.
At the end of these periods, data is either irreversibly anonymised or permanently deleted.
8. YOUR RIGHTS
In accordance with Law 2010/012 and applicable international standards, you have the following rights:
- Right of access — obtain confirmation of processing and a copy of your data.
- Right of rectification — correct inaccurate or incomplete data.
- Right to erasure — request deletion, subject to legal archiving obligations (KYC/AML, OHADA).
- Right to portability — receive your data in a structured, machine-readable format (JSON or CSV).
- Right to object — refuse processing based on legitimate interest.
- Right to restriction — have a contested processing suspended pending verification.
- Right to withdraw consent at any time, without retroactive effect.
- Right to lodge a complaint with the competent supervisory authority (see section 13).
To exercise these rights, email privacy@epargix.com. We commit to responding within 30 calendar days. We may request proof of identity to verify that the request comes from you.
9. SECURITY MEASURES
We implement the following technical and organisational measures:
- TLS 1.2+ encryption for all client–server communications.
- At-rest encryption of the database (AES-256).
- Mandatory two-factor authentication (2FA) for administrator accounts.
- Strict data partitioning between Groups via PostgreSQL Row Level Security (RLS).
- Immutable audit trail for all financial operations.
- Daily encrypted backups with 30-day retention.
- Annual security reviews, vulnerability monitoring, incident response plan.
- Regular staff training on data confidentiality.
10. COOKIES AND TRACKING
Epargix uses only strictly necessary cookies for Platform operation:
- Supabase authentication cookie (lifespan: session).
- Language preference cookie (lifespan: 1 year).
- CSRF protection cookie (lifespan: session).
No advertising, profiling, or third-party tracking cookies are placed. No prior consent is required for these functional cookies, in line with the CNIL guidance and the applicable ePrivacy rules.
11. MINORS
The Platform is strictly reserved for adults (aged 18 or over). No data concerning minors is knowingly collected. If you suspect that a minor is using the Platform, please report it to privacy@epargix.com for immediate deletion.
12. CHANGES TO THIS POLICY
Any substantial change to this policy will be notified to you by email and in-app notification at least 30 days before it takes effect. Continued use of the Platform after that date constitutes acceptance of the new version. If you disagree, you may close your account free of charge, subject to settlement of your outstanding commitments.
13. CONTACT AND COMPLAINTS
Data Protection Officer: privacy@epargix.com
Postal address: Douala, Cameroon (exact address to be published)
Cameroonian supervisory authority: National Agency for Information and Communication Technologies (ANTIC). Website: https://www.antic.cm
Users residing in the European Union may also file complaints with the competent national authority of their country of residence.