Hament is committed to safeguarding the confidentiality, integrity, and availability of every data point you share with us. This Privacy Policy explains how we collect, use, store, and protect personal information when you visit our websites, open an investment account, or interact with our team. We follow the Tanzania Personal Data Protection Act, the U.S. Gramm-Leach-Bliley Act, the Cayman Islands Data Protection Act, and—when applicable—the EU/UK GDPR, applying the highest standard that governs your jurisdiction.
We collect only the data we legitimately need to deliver regulated investment services, satisfy anti-money-laundering (AML) obligations, and improve your client experience. All data are encrypted in transit and at rest, housed in tier-one cloud environments certified to ISO 27001 and SOC 2 Type II, and accessible solely to authorised personnel under multi-factor authentication (MFA) and strict role-based permissions.
Identification & compliance data. This includes your name, date of birth, national ID or passport number, proof-of-address documents, tax-identification numbers, source-of-funds details, and any enhanced-due-diligence materials required under global AML/KYC regulations. We also store records of your client classification (Retail, Professional, Institutional) and risk-tolerance questionnaires.
Platform & transactional data. When you use our services we log device identifiers, IP addresses, browser settings, and activity on our website or app. We record every order, trade, and cash movement to meet legal reporting requirements and to offer real-time portfolio analytics. For optional services—such as marketing emails or research subscriptions—we retain your communication preferences and engagement metrics, which you may update or opt out of at any time.
We process your data first and foremost to deliver the services you request: opening and administering investment accounts, executing and settling trades, producing statements, and providing client support. Your identification details help us verify identity, comply with KYC/AML laws, assess suitability, manage risk, and meet regulatory-reporting duties in Tanzania, the United States, and the Cayman Islands. We also analyse aggregated, pseudonymised usage patterns to improve platform performance, detect fraud, and develop new features. Marketing messages (investment insights, event invitations) are sent only if you have opted in and may be tailored with basic engagement metrics; you can update preferences or opt out at any time. We never sell or rent personal data to third parties, and vendors acting on our behalf must contractually maintain equal or stronger privacy safeguards.
Retention periods are dictated by statutory, regulatory, and contractual requirements. Core client records—such as KYC documentation, transaction confirmations, account statements, and tax reports—are kept for at least seven (7) years after your account is closed, and up to ten (10) years where anti-money-laundering or securities laws impose longer mandates. Operational data—such as system audit logs, access records, and disaster-recovery backups—may be retained beyond those minimums in order to:
When retention obligations lapse, we either permanently delete the data or irreversibly anonymise it using NIST-approved destruction methods. If you request erasure and no law prevents it, we will remove your personal data from active systems within thirty (30) days and from encrypted backups during the next scheduled purge cycle.
You have the right to access the personal data we hold about you, to request corrections to inaccurate or incomplete information, and—subject to legal and regulatory constraints—to ask for deletion or restriction of processing. You can also object to certain uses of your data, withdraw consent for marketing at any time, and request a machine-readable copy of data you have provided to transfer to another service (data portability).
To exercise any of these rights, email hello@hamentgroup.com or submit a request through your secure client portal. We will acknowledge your request within five (5) business days and fulfil it within 30 days, unless a longer period is permitted under applicable law; if we must decline (e.g., where records are required for anti-money-laundering compliance) we will explain the reason and the regulatory basis for retention.
We safeguard your information through layered security: TLS 1.3 encryption on every data transfer, AES-256 at-rest encryption in ISO 27001/SOC 2 Type II-certified data centres, strict role-based access with mandatory MFA, continuous intrusion detection, and annual third-party penetration tests—all designed to keep your data confidential, integral, and available only to authorised personnel.