Privacy Policy
Privacy Policy — gMA (goAML Reporter)
How the gMA mobile application collects, uses, and protects information.
1. Introduction
This Privacy Policy describes how gMA (also referred to as goAML Reporter) collects, uses, stores, and protects information when you use the mobile application. gMA is an offline-first application that helps authorised reporting entities prepare and submit Suspicious Transaction Reports (STR) and Cash Transaction Reports (CTR) to a goAML-compatible backend operated by the Financial Intelligence Unit of Tanzania (FIU Tanzania).
By installing or using gMA, you agree to the practices described in this policy. If you do not agree, please do not use the application.
2. Who Is Responsible for Your Data?
Data controller (for data processed through the goAML platform):
Financial Intelligence Unit of Tanzania (FIU Tanzania)
Website: https://www.fiu.go.tz
goAML service: https://goaml.fiu.go.tz
Application provider:
This mobile application is provided for use by institutions and persons authorised to file reports under applicable anti–money laundering and counter–terrorism financing (AML/CFT) laws in Tanzania.
For privacy enquiries relating to reports submitted through goAML, contact FIU Tanzania using the channels published on its official website.
3. Who Should Use This App?
gMA is intended for authorised reporters only — for example, compliance officers, designated reporting officers, and other staff of reporting entities who are permitted to file STRs and CTRs.
The app is not intended for use by the general public to report personal grievances, and it is not directed at children.
4. Information We Collect
4.1 Account and authentication information
When you sign in, the app collects:
- Username (stored locally on your device after login)
- Password (entered at login; not stored on the device)
- Access token and session cookie returned by the goAML server (stored locally to keep you signed in and to authorise API requests)
Authentication requests are sent over the internet to the configured goAML server (by default, FIU Tanzania’s production endpoint).
4.2 Report and compliance information you enter
To prepare STR and CTR filings, you may enter information about transactions and involved parties, including but not limited to:
- Transaction details (type, amount, currency, date, location, mode, status)
- Personal information about third parties (e.g. names, identification numbers, nationality, residence, occupation, gender)
- Entity information (e.g. business names, incorporation numbers, countries)
- Account information (e.g. account numbers, institution names, account holders)
- Goods and services details where applicable
- Suspicion reasons, indicators, source of funds, and purpose of transaction (depending on report type)
- Reference numbers and server workflow status returned after submission
This information is entered by you or your organisation as part of statutory or regulatory reporting obligations. It may relate to individuals who are not users of this app.
4.3 Attachments
You may optionally attach supporting documents to a report by:
- Selecting files from your device, or
- Capturing a photo with the device camera
Attachments are stored locally with your draft until submission. When you submit or sync a report, attachments may be included in the data package transmitted to the goAML server.
4.4 Message board content
If you use the in-app message board, the app may process:
- Message subjects and bodies you compose
- Attachments you send with messages
- Inbox, sent, archived, and broadcast messages retrieved from the server
- Read/archive/delete actions you perform on messages
4.5 App settings and preferences
The app stores limited preferences on your device, such as:
- Auto-sync on/off
- Language preference (e.g. English or Swahili)
- Reporting entity identifier (rentity_id) used for submissions
4.6 Technical information
When the app communicates with the goAML server, standard technical data is exchanged as part of normal HTTPS operations, such as:
- IP address and request metadata (handled by the server and your network provider)
- HTTP status codes and error messages (shown in the app to help you retry failed submissions)
- Network connectivity status (used locally to decide when to sync pending reports)
The app does not continuously track your GPS location. Any “location” field in a report is text you enter manually about where a transaction occurred.
5. How We Use Information
We use the information described above to:
- Authenticate you against the goAML platform
- Create, edit, review, and store draft and submitted reports on your device
- Generate goAML-compatible export files and upload them when you submit or sync
- Display report status, server references, validation outcomes, and audit timestamps
- Synchronise pending reports when network connectivity is available (if auto-sync is enabled or you trigger sync manually)
- Operate the message board features (send, receive, archive, mark read, download attachments)
- Apply your preferences (language, sync behaviour, entity configuration)
Report data is processed for AML/CFT compliance purposes and in connection with legal obligations applicable to reporting entities in Tanzania.
6. Where Data Is Stored
| Data | Primary storage |
|---|---|
| Draft and submitted reports | On your device (local database) |
| Attachments | On your device until submitted; server copy after successful upload |
| Login token, session cookie, username | On your device (app preferences) |
| Submitted reports and messages | goAML server operated by FIU Tanzania |
Offline-first behaviour: Reports are saved on your device first. If you are offline at submission time, reports remain on the device with a “pending sync” status until they can be uploaded.
Uninstalling the app removes locally stored reports, attachments, tokens, and settings from that device, unless your operating system retains backups (e.g. cloud device backup). Submitted data already received by the goAML server is retained according to FIU Tanzania’s policies and applicable law.
8. Device Permissions
gMA may request the following permissions:
| Permission | Purpose |
|---|---|
| Internet | Sign in, submit reports, sync data, and use the message board |
| Network state | Detect connectivity to trigger or defer sync |
| Camera | Capture photos to attach as supporting documents (only when you choose this option) |
| Storage / file access | Pick existing files as attachments and open downloaded documents (as supported by your platform) |
You can deny camera or file access; you will still be able to use most of the app, but you may not be able to add certain attachments without granting the relevant permission.
9. Data Retention
- On device: Drafts, pending reports, attachments, and session tokens persist until you delete them, sign out, uninstall the app, or clear app data.
- On server: Retention of submitted reports and messages is governed by FIU Tanzania and applicable Tanzanian law. Contact FIU Tanzania for server-side retention schedules and archival policies.
10. Security
We take reasonable measures to protect information, including:
- Transmitting data over encrypted HTTPS connections
- Storing reports locally in the app’s private storage area on your device
- Requiring authentication for server API access
No method of storage or transmission is completely secure. You are responsible for:
- Keeping your device physically secure
- Using a strong goAML password and not sharing your credentials
- Signing out on shared or unattended devices
- Reporting suspected unauthorised access to your institution and FIU Tanzania promptly
11. Your Rights and Choices
Depending on your role and applicable law, you may have rights regarding personal data, including rights to access, correct, or object to certain processing.
- In-app: You can sign out, delete local drafts, and uninstall the app to remove locally stored data.
- Server-held data: Requests relating to information already submitted to goAML should be directed to FIU Tanzania, subject to AML/CFT confidentiality rules and legal restrictions that may limit disclosure of suspicious transaction reporting data.
12. Personal Data About Third Parties
When you file a report, you may provide personal data about customers, account holders, or other individuals. Your organisation is responsible for ensuring that such reporting is lawful, necessary, and proportionate under applicable AML/CFT requirements and data protection obligations.
gMA provides tools to capture and transmit that information; it does not independently verify the accuracy of third-party data you enter.
13. Third-Party Services and Libraries
The app uses standard open-source libraries for local storage, networking, file handling, and user interface. These libraries operate on your device or communicate only with the goAML server endpoints you use. The app does not embed third-party advertising or behavioural tracking SDKs.
14. International Transfers
The default configuration targets FIU Tanzania’s goAML service in Tanzania. If your organisation configures a different server URL, data may be processed in the jurisdiction where that server operates. Your institution is responsible for any cross-border transfer implications of its deployment choices.
15. Changes to This Policy
We may update this Privacy Policy from time to time. The Effective date at the top will be revised when changes are published. Continued use of the app after an update constitutes acceptance of the revised policy, unless otherwise required by law.
16. Contact
For questions about this Privacy Policy or the gMA application:
- AML/CFT reporting and goAML platform: Financial Intelligence Unit of Tanzania — https://www.fiu.go.tz
- Technical support: Contact the Financial Intelligence Unit of Tanzania IT or compliance department.
This document is provided for transparency about how the gMA mobile application handles information. It does not replace your organisation’s internal privacy notices, reporting policies, or statutory obligations under Tanzanian AML/CFT and data protection law.
