Legal

Privacy Policy

Effective: 27 September 2025  ·  Updated: 14 April 2026

Your privacy matters to us. This policy explains what data we collect, why we collect it, and how we protect it in plain language, in line with the Kenya Data Protection Act 2019.

1 What We Collect

Data Type Why We Need It
Name, Phone, EmailAccount creation and communication
National ID NumberIdentity verification to prevent fraud
Phone OTP CodesPasswordless login codes expire in 10 minutes
Property DocumentsListing verification and trust scoring
Transaction RecordsToken wallet management and M-Pesa withdrawals
Usage & Device DataPlatform improvement and fraud detection

2 How We Use Your Data

  • Authenticating your identity via OTP and securing your session with Sanctum bearer tokens
  • Verifying property listings and calculating trust scores
  • Processing token purchases and M-Pesa STK push withdrawals
  • Sending transactional notifications (OTP codes, listing approvals, token credits)
  • Detecting and preventing fraudulent activity across the platform

3 Data Sharing

We do not sell your personal data. We share information only in these limited circumstances:

  • M-Pesa / Safaricom: Phone number and amount for STK push transactions and account activation payments.
  • Email providers: Name and email for welcome and confirmation emails.
  • Law enforcement: When required by a valid Kenyan court order or statutory obligation.

4 Contact Reveal & Unlock

A seller's full phone number is only revealed to a user who explicitly spends DEPI tokens to unlock it. We log all unlock events. Sellers are notified when their contact is viewed, creating accountability on both sides of every transaction.

5 Data Retention

We retain your account data for as long as your account is active. OTP codes are automatically invalidated after 10 minutes and marked used after verification. If you request deletion, we remove your personal data within 30 days, except where retention is required by law (e.g., financial records for 7 years under KRA requirements).

6 Security

All passwords are hashed with bcrypt. Data in transit is encrypted via HTTPS/TLS. API authentication uses Laravel Sanctum bearer tokens with per-device session management. OTP codes are short-lived and single-use. We conduct regular security audits and notify users of any data breaches as required by the Kenya Data Protection Act 2019.

7 Your Rights

Under the Kenya Data Protection Act 2019, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data through your profile settings
  • Request deletion of your data (subject to legal retention requirements)
  • Withdraw consent for marketing communications at any time
  • Lodge a complaint with the Office of the Data Protection Commissioner

For privacy concerns or data requests, contact our Data Protection Officer: privacy@depi.co.ke