Privacy Policy
Kilifi Real Estate — Effective Date: March 12, 2026
Your privacy matters to us. This Privacy Policy explains how Kilifi Real Estate collects, uses, shares, and protects your personal information when you use our platform.
Table of Contents
- Introduction and Scope
- Information We Collect
- How We Use Your Information
- Legal Bases for Processing
- Data Sharing and Third Parties
- Payment Processor Data Handling
- Data Retention Policy
- Data Security Measures
- International Data Transfers
- Your Data Rights
- Cookie Policy
- Children's Privacy
- Marketing and Opt-Out
- Automated Decision-Making
- Changes to this Policy
- Contact Information
1. Introduction and Scope
This Privacy Policy ("Policy") describes how Kilifi Real Estate ("Company," "we," "us," or "our") collects, processes, uses, stores, and discloses personal information obtained through the Platform's website, web application, mobile application, APIs, and related services (collectively, the "Platform").
This Policy applies to: all registered Users (Property Owners, Agents, Tenants, Buyers, Guests, and Administrators); unregistered Visitors; and individuals whose information is submitted by other Users.
Regulatory Framework. We process personal data in compliance with the Data Protection Act, 2019 (Kenya), the Kenya Information and Communications Act (Cap. 411A), and where applicable, the EU General Data Protection Regulation (GDPR).
Data Controller. Kilifi Real Estate is the data controller of personal information collected through the Platform.
2. Information We Collect
We collect information you provide directly, information generated through Platform use, and information from third parties.
2.1 Personal Information
| Category | Examples |
|---|---|
| Identity Data | Full name, national ID, KRA PIN |
| Contact Data | Email, phone, physical address |
| Authentication Data | Password (hashed), tokens, OAuth IDs |
| Profile Data | Profile photo, bio, agent licence number |
| Financial Identity | Bank details, M-Pesa number, tokenised card info |
| Document Data | ID copies, title deeds, licences, lease agreements, payslips |
| Communication Data | Messages sent via the Platform |
2.2 Account Information
Name, email, phone, encrypted password, account role, profile photo, and activity timestamps.
2.3 Listing and Property Data
Property address, GPS coordinates, type, pricing, description, amenities, photos/videos, availability calendar, and listing status (Featured/Verified).
2.4 Transaction Data
Payment amounts, currency, dates, payment method, gateway references, booking records, rental applications, and sale inquiry details.
2.5 Device and Technical Data
IP address, device type, browser, OS, referral URLs, pages visited, session duration, and error/crash logs — collected automatically on access.
2.6 Information from Third Parties
Data from payment processors (fraud signals), Google OAuth (name, email, photo), and verification partners.
3. How We Use Your Information
3.1 Account Operations: Create and manage your Account, authenticate you, enable messaging, and power Services.
3.2 Transactions: Process payments, detect fraud, generate receipts, and comply with financial reporting obligations.
3.3 Verification and Safety: Verify Listings, moderate content, investigate Terms violations, and maintain audit logs.
3.4 Communication: Send transactional notifications, service alerts, security notices, and (where consented) marketing communications.
3.5 Analytics: Understand Platform usage, monitor performance, and develop new features.
3.6 Legal Compliance: Comply with applicable laws, enforce our Terms, and respond to lawful government requests.
3.7 Personalisation: Display property recommendations based on your browsing and search behaviour.
4. Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of a contract |
| Processing payments | Contract + Legal obligation |
| Transactional notifications | Contract + Legitimate interest |
| Fraud prevention and safety | Legitimate interest |
| Marketing communications | Consent or Legitimate interest |
| Analytics and performance | Legitimate interest |
| Compliance with laws / court orders | Legal obligation |
| Content moderation | Legitimate interest + Legal obligation |
5. Data Sharing and Third Parties
We do not sell your personal data.
5.1 Other Users. Listing details, owner/agent names, and contact info are visible to prospective Tenants, Buyers, and Guests as needed. In-platform messages are shared with the intended recipient only.
5.2 Service Providers. We engage third-party processors including:
| Category | Examples |
|---|---|
| Payment Processors | Safaricom M-Pesa (Daraja), Stripe |
| Cloud Infrastructure | AWS S3 |
| Email Services | SMTP / Amazon SES |
| Mapping Services | Google Maps API |
| Real-time Messaging | Pusher / WebSockets |
| Authentication | Google OAuth |
5.3 Legal Disclosures. We may disclose data to comply with legal obligations, court orders, or lawful government requests.
5.4 Business Transfers. In a merger or acquisition, data may transfer to the acquiring entity with prior notice to you.
6. Payment Processor Data Handling
6.1 M-Pesa. Processed via Safaricom Daraja API. We share your M-Pesa number and amount only. We never store your PIN. Safaricom's privacy policy applies.
6.2 Stripe. Card payments processed by Stripe (PCI-DSS compliant). We do not store full card numbers — only tokenised references. Stripe's privacy policy applies.
6.3 Bank Transfers. Bank references stored securely, accessible only to authorised personnel for reconciliation purposes.
6.4 Retention. All payment data is retained for 7 years as required by KRA regulations.
7. Data Retention Policy
| Data Category | Retention Period |
|---|---|
| Account data (active) | Duration of account + 5 years |
| Transaction and payment records | 7 years (KRA) |
| Property Listings | Active period + 3 years |
| Messages and communications | 3 years from last activity |
| Device / log data | 12 months rolling |
| Audit logs | 7 years |
| Dispute records | 7 years from resolution |
8. Data Security Measures
Our security measures include:
- HTTPS/TLS encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- Industry-standard password hashing (bcrypt)
- Payment tokenisation via PCI-DSS compliant processors
- Role-based access control (RBAC)
- CSRF protection, SQL injection prevention via ORM
- API rate limiting via Laravel Sanctum
- Regular security audits and penetration testing
Breach Notification. We will notify the Office of the Data Protection Commissioner of Kenya within 72 hours and affected Users without undue delay in the event of a reportable data breach.
9. International Data Transfers
Data may be processed outside Kenya by cloud and infrastructure providers (e.g., AWS, Stripe, Google). We implement appropriate safeguards including contractual clauses, recognised security certifications (PCI-DSS, ISO 27001), and GDPR Standard Contractual Clauses where applicable.
10. Your Data Rights
Under the Kenya Data Protection Act 2019, you have the following rights:
Right of Access
Request a copy of your personal data held by us. We respond within 21 days of a verified request.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your data where no legal basis for retention exists.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests, including direct marketing.
Right to Withdraw Consent
Withdraw consent at any time where processing is consent-based.
To exercise any right, email: privacy@kilifirealestate.co.ke
You may also lodge a complaint with the Office of the Data Protection Commissioner of Kenya.
11. Cookie Policy
Cookies are small text files placed on your device when you visit the Platform.
| Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Session, auth, CSRF protection | Session / 1 year |
| Functional | Preferences (language, filters) | 1 year |
| Performance / Analytics | Usage analytics and performance | 2 years |
| Marketing / Targeting | Property recommendations | 1 year |
You can manage cookies through your browser settings. Disabling strictly necessary cookies (e.g., session cookies) may impair login and transaction functionality.
12. Children's Privacy
The Platform is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors.
If you believe your child has provided data to us, contact privacy@kilifirealestate.co.ke and we will delete the information promptly.
13. Marketing Communications and Opt-Out
Where permitted by law or with your consent, we may send property recommendations, newsletters, and promotional content.
You may opt out at any time by:
- Clicking "Unsubscribe" in any marketing email;
- Updating notification preferences in Account Settings;
- Emailing privacy@kilifirealestate.co.ke.
Opting out does not affect transactional or security communications (e.g., booking confirmations, payment receipts).
14. Automated Decision-Making and Profiling
The Platform uses automated processes for search ranking, fraud detection, and property recommendations. These do not constitute fully automated decision-making with legal or similarly significant effects. Contact privacy@kilifirealestate.co.ke with any concerns.
15. Changes to this Privacy Policy
We may update this Policy from time to time. Material changes will be notified via email to your registered address, a prominent Platform notice, and an updated "Last Updated" date. Continued use after the effective date constitutes acceptance.
16. Contact Information
Data Protection Officer
Kilifi Real Estate
For data subject requests, email privacy@kilifirealestate.co.ke with subject: "Data Subject Request — [Your Full Name]"
Regulatory enquiries: Office of the Data Protection Commissioner — odpc.go.ke
Last updated: March 12, 2026 • © 2026 Kilifi Real Estate. All rights reserved.