Skip to main content

Privacy Policy

Last Updated: May 1, 2026 | Version 1.0

Table of Contents

  1. Introduction
  2. Data Controller
  3. Data We Collect
  4. How We Use Your Data
  5. Legal Basis for Processing
  6. Data Sharing and Disclosure
  7. Cookies and Tracking
  8. Data Retention
  9. Your Rights
  10. International Data Transfers
  11. Security Measures
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact Information

1. Introduction

Welcome to the Namibia Regulatory Sandbox platform ("Lancr," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform and services.

We are committed to protecting your privacy and complying with applicable data protection laws, including:

  • Namibian Data Protection Act (Act No. 10 of 2019)
  • European Union General Data Protection Regulation (GDPR)
  • South African Protection of Personal Information Act (POPIA)
  • Bank of Namibia Act and NAMFISA Act regulatory requirements

By using our platform, you consent to the collection and use of your information as described in this Privacy Policy.

2. Data Controller

The data controller responsible for your personal information is:

Namibia Regulatory Sandbox (Lancr)

Operated by: Bank of Namibia and NAMFISA

Address: 71 Robert Mugabe Avenue, Windhoek, Namibia

Email: legal@sandbox.lancr.org

Phone: +264 61 283 5111

Our Data Protection Officer can be reached at: dpo@sandbox.lancr.org

3. Data We Collect

3.1 Information You Provide Directly

We collect information that you provide when:

  • Creating an account (name, email, phone number, organization)
  • Submitting a sandbox application (business details, innovation description, KYC documents)
  • Using platform features (testing data, API logs, compliance reports)
  • Communicating with us (support requests, feedback, correspondence)
  • Participating in surveys or events

3.2 Information Collected Automatically

When you use our platform, we automatically collect:

  • Usage Data: Pages viewed, features used, time spent, click patterns
  • Technical Data: IP address, browser type, device information, operating system
  • Log Data: Access times, error logs, API requests
  • Location Data: General geographic location based on IP address

3.3 Information from Third Parties

We may receive information from:

  • Authentication providers (Google OAuth, GitHub)
  • Payment processors (for application fees)
  • Public business registries (for verification purposes)
  • Regulatory authorities (BON, NAMFISA)

3.4 Sensitive Personal Data

We may process certain sensitive personal data (special categories under GDPR/POPIA) necessary for regulatory compliance, including:

  • Identity documents (for KYC compliance)
  • Financial information (for licensing assessment)
  • Criminal background checks (for fit-and-proper assessments)

We only process this data with your explicit consent or where legally required by financial regulations.

4. How We Use Your Data

We use your personal information for the following purposes:

4.1 Platform Operations

  • Providing access to the regulatory sandbox environment
  • Processing and evaluating sandbox applications
  • Managing user accounts and authentication
  • Providing technical support and customer service

4.2 Regulatory Compliance

  • Conducting KYC and fit-and-proper assessments
  • Monitoring compliance with sandbox conditions
  • Reporting to regulatory authorities (BON, NAMFISA)
  • Detecting and preventing fraud, money laundering, and regulatory breaches

4.3 Platform Improvement

  • Analyzing usage patterns to improve user experience
  • Developing new features and services
  • Conducting research and statistical analysis
  • Training AI models for application triage and risk assessment

4.4 Communications

  • Sending service notifications and updates
  • Responding to inquiries and support requests
  • Providing regulatory guidance and case management
  • Marketing communications (with your consent)

6. Data Sharing and Disclosure

6.1 Regulatory Authorities

We share information with the Bank of Namibia and NAMFISA as required for regulatory oversight, compliance monitoring, and policy development.

6.2 Service Providers

We engage third-party service providers for:

  • Cloud hosting (AWS, Vercel, Supabase)
  • Analytics and monitoring (PostHog)
  • Email services (Resend)
  • Payment processing
  • Security and fraud prevention

All service providers are bound by data processing agreements and process data only according to our instructions.

6.3 Legal Requirements

We may disclose your information if required by law, court order, or government request.

6.4 Business Transfers

In the event of a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity with appropriate safeguards.

6.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience. For detailed information, please see our Cookie Policy.

7.1 Types of Cookies We Use

  • Necessary Cookies: Required for platform functionality (cannot be disabled)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how you use the platform
  • Marketing Cookies: Used for personalized content (requires consent)

You can manage your cookie preferences through our cookie banner or browser settings.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes outlined in this policy:

Data TypeRetention Period
Account informationAccount lifetime + 7 years
Sandbox application data10 years (regulatory requirement)
Transaction logs7 years (AML compliance)
Analytics data26 months
Marketing consentUntil consent withdrawn
Support communications3 years

After the retention period expires, we securely delete or anonymize your data.

9. Your Rights

Under GDPR, POPIA, and Namibian data protection laws, you have the following rights:

Right to Access

Request a copy of your personal data we hold about you

Right to Rectification

Correct inaccurate or incomplete personal data

Right to Erasure

Request deletion of your data (subject to legal retention requirements)

Right to Restrict Processing

Limit how we use your data in certain circumstances

Right to Data Portability

Receive your data in a structured, machine-readable format

Right to Object

Object to processing based on legitimate interests or for marketing purposes

Right to Withdraw Consent

Withdraw consent for processing at any time (where consent is the legal basis)

Right to Lodge a Complaint

File a complaint with the Namibian Information Regulator or relevant supervisory authority

To exercise any of these rights, contact us at privacy@sandbox.lancr.org. We will respond within 30 days.

10. International Data Transfers

Your data may be transferred to and processed in countries outside Namibia, including countries that may not have equivalent data protection laws.

When transferring data internationally, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules for intra-group transfers
  • Data processing agreements with third-party processors

For transfers to the United States, we ensure service providers comply with appropriate data protection frameworks.

11. Security Measures

We implement comprehensive technical and organizational measures to protect your data:

11.1 Technical Safeguards

  • End-to-end encryption for data in transit (TLS 1.3)
  • Encryption at rest for sensitive data (AES-256)
  • Regular security audits and penetration testing
  • Intrusion detection and prevention systems
  • Multi-factor authentication
  • Regular security updates and patch management

11.2 Organizational Safeguards

  • Access controls and role-based permissions
  • Employee training on data protection
  • Data processing agreements with third parties
  • Incident response and breach notification procedures
  • Regular compliance assessments

11.3 Data Breach Notification

In the event of a data breach, we will notify affected individuals and relevant supervisory authorities within 72 hours, as required by GDPR.

12. Children's Privacy

Our platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:

  • Notify you of material changes via email or platform notification
  • Update the "Last Updated" date at the top of this policy
  • Maintain a version history of policy changes
  • Request renewed consent where required by law

Your continued use of the platform after changes take effect constitutes acceptance of the updated policy.

14. Contact Information

For questions, concerns, or requests related to this Privacy Policy or your personal data:

Data Protection Officer

Email: dpo@sandbox.lancr.org

Phone: +264 61 283 5111

Privacy Inquiries

Email: privacy@sandbox.lancr.org

Legal Department

Email: legal@sandbox.lancr.org

Postal Address

Namibia Regulatory Sandbox

71 Robert Mugabe Avenue

Windhoek, Namibia

Supervisory Authority

Namibian Information Regulator

Website: www.informationregulator.na

Your Privacy Matters

We are committed to transparency and protecting your rights. If you have any questions or concerns about how we handle your data, please don't hesitate to contact us.

Questions about these legal documents? Contact our legal team at legal@sandbox.lancr.org