Data Protection
How BantuziLegal protects personal information under the Data Protection Act, No. 3 of 2021 of Zambia
Last reviewed: July 2026
Our Data Protection Principles
Aligned with the conditions for lawful processing under the Data Protection Act, No. 3 of 2021
Accountability
BantuziLegal takes responsibility for the personal information we process. We have appointed an Information Officer to oversee compliance with the Data Protection Act, No. 3 of 2021 of Zambia and related data-protection obligations.
Purpose Limitation
We collect personal information only for specific, explicitly defined, and lawful purposes. Data is never processed in a manner incompatible with the purpose for which it was originally collected.
Minimality
We collect only the personal information that is adequate, relevant, and not excessive for the purposes for which it is processed.
Security Safeguards
We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing.
Openness
We are transparent about the types of personal information we collect, the purposes for processing, and the categories of third parties with whom data may be shared.
Data Subject Rights
We respect the rights of data subjects to access, correct, and delete their personal information, and to object to processing where appropriate.
1. The Data Protection Act, No. 3 of 2021 of Zambia
The Data Protection Act, No. 3 of 2021 (the "Act") is Zambia's data-protection legislation. It governs the collection, processing, storage, and transfer of personal data, establishes the Office of the Data Protection Commissioner, and gives data subjects enforceable rights over their personal information. As a Zambian company serving Zambian legal practices, BantuziLegal treats the Act as the primary legal framework for everything we do with personal data.
Where your Firm enters personal data belonging to its own clients into the platform, your Firm is the data controller for that information and BantuziLegal acts as a data processor, processing it only on your instructions and only to provide the service.
2. Lawful Basis for Processing
We process personal information under one or more of the following lawful grounds recognised by the Act:
Contractual Necessity
Processing is necessary to perform our obligations under your subscription agreement — e.g., maintaining your account, providing platform access, processing payments, and delivering support.
Legitimate Interest
Processing is necessary for our legitimate business interests — e.g., improving platform security, analysing anonymised usage data, and preventing fraud — provided these interests do not override your rights.
Consent
Where you have given explicit consent — e.g., opting in to publish a testimonial or receiving marketing communications. You may withdraw consent at any time.
Legal Obligation
Processing is required to comply with applicable laws — e.g., retaining billing records for tax purposes or responding to valid legal process.
3. Categories of Personal Information
Identity Data
Full name, job title, professional role.
Contact Data
Email address, phone number, firm address.
Financial Data
Billing address, payment method details (processed by our payment gateway — we do not store full card numbers).
Technical Data
IP address, browser type, operating system, session identifiers.
Usage Data
Features accessed, pages visited, timestamps, referral source.
Practice Data
Client records, matter details, documents, time entries, and invoices entered by your Firm. This data may contain personal information of third parties (e.g., your clients). Your Firm is the controller of such data; BantuziLegal acts as a processor.
4. Technical & Organisational Safeguards
We implement the following measures to protect personal information:
Tenant Isolation
Every Firm receives a logically isolated database workspace. Queries are scoped by tenant identifier at the application layer, ensuring no cross-firm data leakage.
Encryption
All data in transit is encrypted using TLS 1.2 or higher. Sensitive fields at rest are encrypted where technically feasible.
Authentication & Access Control
Passwords are hashed using BCrypt. Authentication uses stateless JWT tokens with short expiry. Role-based access control (RBAC) restricts data access to authorised personnel only.
Audit Logging
All administrative and security-sensitive actions are recorded in an immutable audit log, including the user, action, timestamp, and affected resource.
Secure Development
Our development process includes code review, dependency scanning, and adherence to OWASP security guidelines.
5. Cross-Border Data Transfers
Your data may be processed in jurisdictions outside Zambia where our cloud-infrastructure providers maintain data centres. In all cases, we ensure that adequate protections are in place through contractual data-processing agreements that meet or exceed the cross-border transfer requirements of the Data Protection Act, No. 3 of 2021.
6. Data Subject Rights
Under the Data Protection Act, No. 3 of 2021 of Zambia, you have the right to:
Access
Request confirmation of whether we hold your personal information and obtain a copy of it.
Correction
Request that inaccurate, incomplete, or outdated personal information be corrected or updated.
Deletion
Request deletion of your personal information where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
Objection
Object to the processing of your personal information on reasonable grounds.
Data Portability
Request an export of your data in a structured, commonly used format.
Complaint
Lodge a complaint with the Office of the Data Protection Commissioner of Zambia if you believe your rights have been violated.
To exercise any of these rights, contact our Information Officer at privacy@bantuzilegal.com. We will respond within 30 days.
7. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will: (a) notify the relevant data-protection authority within 72 hours of becoming aware of the breach; (b) notify affected data subjects without unreasonable delay; and (c) document the breach, its effects, and the remedial actions taken.
8. Retention Periods
We retain personal information only for as long as necessary to fulfil the purpose for which it was collected. Specific retention periods include: active account data (duration of subscription + 90 days); billing records (7 years, as required by tax law); audit logs (3 years); and anonymised analytics data (indefinitely, as it contains no personal information).
9. Information Officer
BantuziLegal has appointed an Information Officer responsible for ensuring compliance with the Data Protection Act, No. 3 of 2021 of Zambia and these commitments. The Information Officer can be reached at privacy@bantuzilegal.com.
10. Regional Alignment (POPIA)
Some of our users operate across Southern African jurisdictions. For their benefit, we voluntarily align our practices with South Africa's Protection of Personal Information Act, 2013 (POPIA), which shares its core principles with the Zambian Act. This alignment is supplementary: the Data Protection Act, No. 3 of 2021 of Zambia remains the primary framework governing our processing.
11. Updates to This Statement
We may update this Data Protection statement to reflect changes in our practices or legal requirements. Material changes will be communicated via email or in-app notification at least 14 days before they take effect.
