Privacy Policy — RentPilot Kenya
Scope: This Privacy Policy describes how RentPilot Kenya (“RentPilot”, “we”, “us”, or “our”) collects, processes, stores, discloses and protects personal data when you use our website, progressive web app (PWA), mobile application, APIs, or related services (collectively, the “Platform”). It also explains your rights and choices and how to contact us.
1. Definitions
Personal data any information relating to an identified or identifiable individual. Processing any operation performed on personal data (collection, storage, use, disclosure, deletion). Controller RentPilot Kenya, which determines the purposes and means of processing. Processor third party acting on our instruction (e.g., hosting, analytics).
2. Data Controller & Contact
Controller: RentPilot Kenya Limited
Contact: rentpilotkenya@gmail.com
Postal address: Nairobi, Kenya (address on request)
3. Categories of Personal Data We Collect
We collect the following categories of data where necessary and lawful:
- Identity & contact data: name, email address, telephone number, organisation name, postal address.
- Account & profile data: username, password hashes, profile preferences, profile photo.
- Verification & onboarding data: ID numbers, company registration number, verification notes, recordings or notes of short screening calls.
- Transactional & payment data: M-Pesa phone number (payee/payor), transaction reference IDs, transaction timestamps, amounts (we do not store M-Pesa PINs).
- Property & tenancy data: property address, unit numbers, lease terms, tenant names, rent schedules.
- Device & usage data: IP address, device identifiers, browser user agent, geolocation data (if provided), session logs, error reports, analytics.
- Communications: support emails, chat logs, phone call metadata and notes where applicable.
4. Sources of Personal Data
We obtain personal data directly from you when you register, use the Platform, contact support, or provide information in onboarding calls. We may also collect data automatically (analytics) and from third parties such as payment providers (M-Pesa/Daraja API), identity verification providers, or public registers.
5. Purposes of Processing & Legal Bases
We process personal data for the following specific purposes and legal bases:
- Providing the Service (Contractual performance): registration, authentication, account management, payment processing, rent collection, issuing receipts and statements.
- Verification & Onboarding (Legitimate interest / Contract): screening users via short calls and verification checks to maintain trust and safety of the platform.
- Platform security (Legitimate interest): fraud prevention, monitoring, enforcement of terms, and abuse detection.
- Analytics & product improvement (Legitimate interest / Consent): aggregated analytics to improve the Platform; we use anonymised data where possible.
- Communications (Contract / Consent): service messages, notifications, emails or SMS about transactions, policy updates, or support requests.
- Legal & compliance (Legal obligation): retention and disclosure to meet tax, accounting, audit or regulator requests and to comply with law.
6. User Access, Verification & Approvals
Access to the Platform is restricted to approved, registered users only. Registration is subject to a verification and screening process that includes a short onboarding call with RentPilot staff. Users must provide accurate information and supporting documentation on request. We reserve the right to refuse or suspend accounts that fail verification, violate terms, or pose risk to the community.
7. Cookies, Sessions & Tracking
We use cookies and similar technologies only as necessary to operate the Platform securely and to provide core functionality:
- Session cookies: required to maintain authenticated sessions and secure access.
- Essential cookies: used for security and to store user preferences required for the service.
- Analytics cookies: optional and used to collect aggregated usage and performance metrics; these are pseudonymous.
No non-essential cookies are collected by default. You may control cookie settings through your browser or device; however disabling essential cookies may prevent access to the Platform.
8. Data Sharing & Third-Party Processors
We do not sell personal data. We share personal data only with:
- Payment processors: M-Pesa (Safaricom) for processing rent payments and transaction reconciliation.
- Cloud & hosting providers: infrastructure providers that host our Platform.
- Analytics & monitoring providers: for performance and reliability metrics.
- Legal & professional advisors: where disclosure is necessary to comply with law or respond to lawful requests.
All processors are required by contract to implement appropriate technical and organisational measures and act only on our instruction.
9. International Data Transfers
Where we transfer personal data outside Kenya (e.g., cloud providers, analytics), we ensure adequate safeguards are in place such as standard contractual clauses, binding corporate rules, or ensuring the destination country provides adequate protection. If you would like specific details of the safeguards used for a transfer, contact us at rentpilotkenya@gmail.com.
10. Data Retention & Retention Schedule
We retain personal data only as long as necessary for the purpose collected, to comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods:
| Data category | Retention period (typical) |
|---|---|
| Account & profile data | Retained while account active + 2 years after deletion |
| Transaction records (payments) | 7 years (to meet financial/tax regulations) |
| Verification records / onboarding call notes | 5 years |
| Analytics & logs (aggregated) | Up to 2 years (pseudonymised where possible) |
| Support communications | 3 years |
We securely dispose of or anonymise data once retention periods expire.
11. Security Measures
We apply technical and organisational security measures, including but not limited to:
- Transport Layer Security (HTTPS/TLS) for all data in transit;
- Encryption at rest for sensitive fields where applicable;
- Role-based access controls, least privilege and audit logging;
- Secure password storage (hashing + salt) and optional two-factor authentication where implemented;
- Regular vulnerability scans, patching and security reviews;
- Incident response plans and breach notification procedures.
If you suspect a security incident involving your data, notify us immediately at rentpilotkenya@gmail.com.
12. Data Subject Rights & How to Exercise Them
You have rights under Kenya's Data Protection Act and applicable global privacy laws, including:
- Access: request a copy of personal data we hold;
- Rectification: correct inaccurate or incomplete data;
- Erasure: request deletion where no legal reason to retain;
- Restriction: request limitation of processing;
- Portability: receive your data in a structured, machine-readable format;
- Objection: object to processing based on legitimate interests;
- Withdraw consent: where processing is consent-based.
To exercise any rights, contact us at rentpilotkenya@gmail.com. We will respond within the statutory timeframe (typically 30 days) or notify you if an extension is necessary.
13. Children & Minors
The Platform is intended for users aged 18 and above. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected information about a child, please contact us to request deletion.
14. Automated Decision-Making & Profiling
We may use automated systems to support verification, risk assessment, and fraud detection. These processes do not make final legal or similarly significant decisions without human review. If you would like information about the logic involved and the measures used to protect your rights, contact us.
15. Breach Notification
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify affected individuals and the relevant supervisory authority in accordance with applicable law as soon as practicable and with required information about the breach and mitigation steps.
16. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will post the revised policy with a revised “Last updated” date and, where appropriate, notify registered users by email or in-app messages.
17. Complaints & Supervisory Authority
If you are not satisfied with our response to a privacy request, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya or the relevant supervisory authority in your jurisdiction.
18. Contact Information
For privacy enquiries, data subject requests, or to request copies of the safeguards for international transfers, contact:
RentPilot Kenya
Email: rentpilotkenya@gmail.com
Website: www.rentpilotkenya.com
Phone: +254 710 897 101
Annex A — Technical & Organisational Measures (summary)
- Access control and authentication policies; periodic access reviews.
- Data encryption in transit (TLS) and encryption at rest for sensitive fields.
- Regular backups, disaster recovery plan and retention of backup logs.
- Penetration testing and vulnerability management program.
- Processor due diligence and contractual security obligations.
Annex B — Retention Summary
| Record type | Retention | Reason |
|---|---|---|
| Account data | Account active + 2 years | Service, support and fraud prevention |
| Payment transactions | 7 years | Financial regulation and audit |
| Verification records | 5 years | Compliance and dispute resolution |
| Support logs | 3 years | Customer support and quality |
| System logs (access, error) | 12–24 months | Security and incident investigation |