Policy Document

Privacy and Data Protection Policy

OurWorld Zanzibar, Zanzibar Digital Free Zone, 27 March 2026

01 Purpose and Scope

This Privacy and Data Protection Policy sets out the principles governing the collection, use, storage, disclosure, and protection of personal and transactional data by OurWorld Zanzibar ("OWZ"), Regulator of the Zanzibar Digital Free Zone ("ZDFZ" or the "Zone").

This Policy applies to all persons, natural or legal, interacting with the Zone Operating System ("Zone OS"), including Users, Digital Residents, Free Zone Companies and Free Zone Cooperatives, licensed service providers (including Digital Asset Service Providers), and any other person interacting with the Zone OS.

This Policy is intended to balance the protection of personal privacy and commercial confidentiality with the regulatory, supervisory, and law enforcement requirements applicable to the Zone.

02 Legal and Regulatory Basis

Data within the ZDFZ is processed in accordance with applicable laws of the United Republic of Tanzania and Zanzibar, including the Personal Data Protection Act, 2022 and related regulations, as well as with ZDFZ Regulations, Rules, and Circulars.

This Policy reflects internationally recognized data protection principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

03 Data Collected

OWZ may collect and process the following categories of data:

  1. Identity data, including names, identification documents, biometric or proof-of-life data.
  2. Corporate and beneficial ownership data, including governance and control information.
  3. Transactional data relating to activities conducted within the Zone.
  4. Technical data, including system access logs, device identifiers, and usage data.
  5. Compliance data, including due diligence records, risk assessments, and regulatory filings.
  6. Communications data, including correspondence with OWZ or licensed service providers.

Data collection shall be limited to what is necessary for the operation of the Zone, regulatory compliance, and prevention of unlawful activity.

04 Data Processing

Data is processed on one or more of the following bases:

  1. Regulatory necessity, including compliance with applicable laws and OWZ requirements.
  2. Contractual necessity, including participation in the ZDFZ and use of the Zone OS.
  3. Legitimate interests, including system security, fraud prevention, and risk management.
  4. Consent, where required under applicable rules or laws.

Registration as a User, Digital Resident, Zone Company or Zone Cooperative in the ZDFZ constitutes acknowledgment of and agreement to such processing, subject to this Policy.

05 Data Use and Purpose Limitation

Data collected within the ZDFZ shall be used for the following purposes:

  1. identity verification and onboarding;
  2. operation of the Zone and enforcement of contractual rights;
  3. compliance with anti-money laundering, combating the financing of terrorism and illegal organisations, and sanctions requirements;
  4. monitoring, detecting, and preventing fraud or unlawful activity; and
  5. regulatory supervision, investigation, and enforcement.

Data shall not be used for unrelated purposes without an appropriate legal basis.

06 Confidentiality and Access Controls

All data within the ZDFZ is subject to strict confidentiality and security controls, including the following:

  1. Access is restricted on a role-denominated basis to authorized personnel and systems.
  2. Sensitive data is segregated and protected using appropriate technical safeguards, including encryption where appropriate.
  3. Participants may access their own data, subject to system rules and regulatory requirements.

OWZ shall implement appropriate technical and organizational measures to prevent unauthorized access, disclosure, alteration, or loss of data.

07 Data Disclosure

Data may be disclosed by OWZ or licensed service providers:

  1. to OWZ in its regulatory and supervisory capacity;
  2. to competent authorities in the United Republic of Tanzania and Zanzibar pursuant to lawful process;
  3. in response to lawful requests relating to money laundering, financing of terrorism or illegal organisations, sanctions violations, fraud, or other criminal activity.

Such disclosure shall be limited to what is necessary and subject to applicable legal process and safeguards.

08 Data Retention

Data shall be retained for as long as necessary to fulfill regulatory, legal, and operational requirements.

Transaction and ownership records may be retained for extended periods or permanently where required for auditability and legal certainty.

Personal data shall not be retained longer than necessary, subject to regulatory requirements.

Retention periods shall be determined by OWZ and applicable law.

09 Digital Infrastructure and Auditability

The ZDFZ utilizes digital and distributed ledger technologies to enhance transparency and auditability.

The ZDFZ supports the use of pseudonymous digital identifiers within its systems; however, such identifiers are linked to verified identity information held by the Regulator or licensed service providers. This ensures that participants may transact using pseudonymous addresses or accounts within the Zone, while preserving the ability of the Regulator and competent authorities to identify individuals where required for regulatory, compliance, or law enforcement purposes.

Key records may be immutable and form part of a permanent audit trail.

Systems are designed to record transactional data without unnecessarily exposing personal identity information.

These mechanisms support both regulatory compliance and user privacy.

10 Participant Responsibilities

All participants in the ZDFZ shall:

  1. Provide accurate and complete information;
  2. Maintain the confidentiality of their credentials; and
  3. Comply with applicable data protection and confidentiality requirements.

Licensed service providers shall implement data protection measures consistent with this Policy and applicable regulations.

11 Data Subject Rights

Subject to applicable law and regulatory requirements, individuals may have rights relating to their personal data, including:

  1. The right to access and obtain a copy of personal data.
  2. The right to request correction of inaccurate data.
  3. The right to object to or restrict processing in certain circumstances.
  4. The right to request deletion where permissible under law.

These rights may be subject to limitations where necessary for regulatory compliance, security, or law enforcement purposes.

12 Data Breach Notification

OWZ and licensed entities shall implement procedures to detect, respond to, and mitigate data breaches. Material breaches shall be reported to OWZ and, where required, to relevant authorities. Affected individuals may be notified where appropriate, subject to legal and security considerations.

13 Amendments

OWZ may amend this Policy from time to time to reflect changes in law, regulation, or operational requirements.

14 Governing Law

This Policy shall be governed by the laws applicable to the ZDFZ, including relevant laws of Zanzibar and the United Republic of Tanzania, as supplemented by applicable ZDFZ Regulations and Rules.