Data Protection

Data Protection

How BantuziLegal protects personal information under the Data Protection Act, No. 3 of 2021 of Zambia

Last reviewed: July 2026

Our Data Protection Principles

Aligned with the conditions for lawful processing under the Data Protection Act, No. 3 of 2021

Accountability

BantuziLegal takes responsibility for the personal information we process. We have appointed an Information Officer to oversee compliance with the Data Protection Act, No. 3 of 2021 of Zambia and related data-protection obligations.

Purpose Limitation

We collect personal information only for specific, explicitly defined, and lawful purposes. Data is never processed in a manner incompatible with the purpose for which it was originally collected.

Minimality

We collect only the personal information that is adequate, relevant, and not excessive for the purposes for which it is processed.

Security Safeguards

We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing.

Openness

We are transparent about the types of personal information we collect, the purposes for processing, and the categories of third parties with whom data may be shared.

Data Subject Rights

We respect the rights of data subjects to access, correct, and delete their personal information, and to object to processing where appropriate.

1. The Data Protection Act, No. 3 of 2021 of Zambia

The Data Protection Act, No. 3 of 2021 (the "Act") is Zambia's data-protection legislation. It governs the collection, processing, storage, and transfer of personal data, establishes the Office of the Data Protection Commissioner, and gives data subjects enforceable rights over their personal information. As a Zambian company serving Zambian legal practices, BantuziLegal treats the Act as the primary legal framework for everything we do with personal data.

Where your Firm enters personal data belonging to its own clients into the platform, your Firm is the data controller for that information and BantuziLegal acts as a data processor, processing it only on your instructions and only to provide the service.

2. Lawful Basis for Processing

We process personal information under one or more of the following lawful grounds recognised by the Act:

Contractual Necessity

Processing is necessary to perform our obligations under your subscription agreement — e.g., maintaining your account, providing platform access, processing payments, and delivering support.

Legitimate Interest

Processing is necessary for our legitimate business interests — e.g., improving platform security, analysing anonymised usage data, and preventing fraud — provided these interests do not override your rights.

Consent

Where you have given explicit consent — e.g., opting in to publish a testimonial or receiving marketing communications. You may withdraw consent at any time.

Legal Obligation

Processing is required to comply with applicable laws — e.g., retaining billing records for tax purposes or responding to valid legal process.

3. Categories of Personal Information

Identity Data

Full name, job title, professional role.

Contact Data

Email address, phone number, firm address.

Financial Data

Billing address, payment method details (processed by our payment gateway — we do not store full card numbers).

Technical Data

IP address, browser type, operating system, session identifiers.

Usage Data

Features accessed, pages visited, timestamps, referral source.

Practice Data

Client records, matter details, documents, time entries, and invoices entered by your Firm. This data may contain personal information of third parties (e.g., your clients). Your Firm is the controller of such data; BantuziLegal acts as a processor.

4. Technical & Organisational Safeguards

We implement the following measures to protect personal information:

Tenant Isolation

Every Firm receives a logically isolated database workspace. Queries are scoped by tenant identifier at the application layer, ensuring no cross-firm data leakage.

Encryption

All data in transit is encrypted using TLS 1.2 or higher. Sensitive fields at rest are encrypted where technically feasible.

Authentication & Access Control

Passwords are hashed using BCrypt. Authentication uses stateless JWT tokens with short expiry. Role-based access control (RBAC) restricts data access to authorised personnel only.

Audit Logging

All administrative and security-sensitive actions are recorded in an immutable audit log, including the user, action, timestamp, and affected resource.

Secure Development

Our development process includes code review, dependency scanning, and adherence to OWASP security guidelines.

5. Cross-Border Data Transfers

Your data may be processed in jurisdictions outside Zambia where our cloud-infrastructure providers maintain data centres. In all cases, we ensure that adequate protections are in place through contractual data-processing agreements that meet or exceed the cross-border transfer requirements of the Data Protection Act, No. 3 of 2021.

6. Data Subject Rights

Under the Data Protection Act, No. 3 of 2021 of Zambia, you have the right to:

Access

Request confirmation of whether we hold your personal information and obtain a copy of it.

Correction

Request that inaccurate, incomplete, or outdated personal information be corrected or updated.

Deletion

Request deletion of your personal information where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.

Objection

Object to the processing of your personal information on reasonable grounds.

Data Portability

Request an export of your data in a structured, commonly used format.

Complaint

Lodge a complaint with the Office of the Data Protection Commissioner of Zambia if you believe your rights have been violated.

To exercise any of these rights, contact our Information Officer at privacy@bantuzilegal.com. We will respond within 30 days.

7. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will: (a) notify the relevant data-protection authority within 72 hours of becoming aware of the breach; (b) notify affected data subjects without unreasonable delay; and (c) document the breach, its effects, and the remedial actions taken.

8. Retention Periods

We retain personal information only for as long as necessary to fulfil the purpose for which it was collected. Specific retention periods include: active account data (duration of subscription + 90 days); billing records (7 years, as required by tax law); audit logs (3 years); and anonymised analytics data (indefinitely, as it contains no personal information).

9. Information Officer

BantuziLegal has appointed an Information Officer responsible for ensuring compliance with the Data Protection Act, No. 3 of 2021 of Zambia and these commitments. The Information Officer can be reached at privacy@bantuzilegal.com.

10. Regional Alignment (POPIA)

Some of our users operate across Southern African jurisdictions. For their benefit, we voluntarily align our practices with South Africa's Protection of Personal Information Act, 2013 (POPIA), which shares its core principles with the Zambian Act. This alignment is supplementary: the Data Protection Act, No. 3 of 2021 of Zambia remains the primary framework governing our processing.

11. Updates to This Statement

We may update this Data Protection statement to reflect changes in our practices or legal requirements. Material changes will be communicated via email or in-app notification at least 14 days before they take effect.