Data Privacy Policy
Last updated: January 2026
PublicMoodTracker ("we", "our", "us") is a political intelligence platform operated from Nairobi, Kenya. We are committed to processing your personal data lawfully, fairly, and transparently in accordance with the Kenya Data Protection Act 2019 (KDPA), the Data Protection (General) Regulations 2021, and applicable international standards including the EU General Data Protection Regulation (GDPR) where EEA residents are concerned.
1. Who We Are
PublicMoodTracker is registered as a Data Controller with the Office of the Data Protection Commissioner (ODPC), Kenya, under Registration Number ODPC/DC/2025/001 (placeholder). Our registered office is in Nairobi, Kenya. Questions about this policy may be directed to our Data Protection Officer at privacy@siasaiq.com.
2. Data We Collect and Why
2.1 Account & Identity Data
- Phone number — required to create an account and receive M-Pesa payment confirmations.
- Email address (optional) — used for report delivery and newsletter subscriptions.
- Name (optional) — personalises your dashboard and reports.
- County / location preference (optional) — filters county-level intelligence to your region.
2.2 Payment Data
- M-Pesa transaction reference (e.g., QJK87HGT) — verifies payment and grants access.
- M-Pesa receipt number, checkout request ID — for reconciliation and refunds.
- Amount and timestamp — audit trail for KRA compliance (7-year retention).
- We never store your M-Pesa PIN, bank account numbers, or card details.
2.3 Usage & Behavioural Data
- Pages visited, search queries entered, reports downloaded, and features used.
- Session duration, referral source, and navigation paths.
- Collected via server logs and privacy-respecting analytics (no third-party ad tracking).
2.4 Device & Technical Data
- IP address (truncated after processing), browser type and version, operating system.
- Used exclusively for security, fraud prevention, and debugging.
2.5 Communications Data
- Support emails or WhatsApp messages you send us.
- Newsletter subscription status and email open/click events.
2.6 What We Do NOT Collect
- Special category data: health, biometrics, religion, ethnicity, sexual orientation, political opinions (about you).
- Data from children under 18.
- Location data beyond the county you voluntarily provide.
3. Legal Bases for Processing
| Purpose | Legal Basis (KDPA / GDPR) |
|---|---|
| Delivering the subscription service you purchased | Contract performance (Art. 6(1)(b) GDPR / KDPA s.30(1)(b)) |
| Processing M-Pesa payments | Contract performance |
| Sending transaction receipts | Contract performance |
| Platform security and fraud prevention | Legitimate interests (KDPA s.30(1)(f)) |
| Anonymised usage analytics | Legitimate interests |
| Marketing emails and newsletters | Consent (withdrawable at any time) |
| Legal and regulatory compliance | Legal obligation (KDPA s.30(1)(c)) |
| KRA tax record retention | Legal obligation |
4. How We Use Your Data
- Authenticate your identity and maintain your account.
- Verify M-Pesa payments and grant platform access within 30 seconds of successful payment.
- Generate and deliver personalised political intelligence reports (PDF/PPTX).
- Send SMS/WhatsApp spike alerts if you subscribe to that service.
- Deliver the weekly intelligence briefing (email subscribers only).
- Detect abuse, scraping, and fraudulent payment attempts.
- Improve the platform through anonymised aggregate analysis.
- Comply with KRA VAT obligations and ODPC registration requirements.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data to any third party. We share data only in the following limited circumstances:
| Recipient | Purpose | Data Shared | Safeguards |
|---|---|---|---|
| Safaricom (M-Pesa / Daraja API) | Payment processing | Phone number, amount | Safaricom's own data protection framework; STK Push encryption |
| Cloud hosting provider | Infrastructure (servers, DB, backups) | All platform data at rest | Data stored within Kenya or EEA; encryption at rest (AES-256) |
| Email delivery service | Transaction emails, newsletter | Email address, name | Processor agreement; GDPR-compliant provider |
| Kenya Revenue Authority (KRA) | VAT and tax compliance | Transaction records | Statutory obligation |
| ODPC / Law enforcement | Regulatory or court order | As specified in order | We require a valid legal instrument before disclosure |
6. International Data Transfers
Our primary infrastructure is hosted in Kenya. When data is processed by EEA-based sub-processors (e.g., email delivery), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. We do not transfer personal data to countries lacking adequate protection unless appropriate safeguards under KDPA Section 48 are in place.
7. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (phone, email) | 3 years after account closure | KDPA compliance, dispute resolution |
| Payment transaction records | 7 years from transaction date | KRA VAT obligation |
| Support communications | 2 years after resolution | Quality assurance |
| Server access logs | 90 days | Security incident investigation |
| Anonymised analytics | Indefinite (no personal identifiers) | Product improvement |
| Newsletter subscription | Until unsubscribe + 30 days | Suppression list compliance |
8. Security Measures
We apply industry-standard technical and organisational measures to protect your data:
- Encryption in transit: TLS 1.3 on all API endpoints and web traffic.
- Encryption at rest: AES-256 for database storage and backups.
- Access control: Role-based access; admin actions are logged and audited.
- Password policy: Admin accounts require strong passwords and 2FA.
- Penetration testing: Annual external pen test; critical findings resolved within 30 days.
- Data minimisation: Phone numbers are masked in logs (e.g., +2547•••••456).
- Incident response: A documented breach response plan with ODPC notification within 72 hours.
9. Cookies and Tracking
Essential Cookies (cannot be disabled)
- session_token — keeps you logged in during a browser session.
- csrf_token — prevents cross-site request forgery attacks.
Optional Analytics Cookies (opt-in)
- Anonymised page-view counters to improve navigation and feature discoverability.
- No fingerprinting, cross-site tracking, or advertising cookies are used.
Manage cookie preferences in your browser settings or in the cookie banner on first visit.
10. Your Rights Under the KDPA
As a data subject under the Kenya Data Protection Act 2019, you have the following rights:
| Right | Description | KDPA Section |
|---|---|---|
| Right of access | Obtain a copy of all personal data we hold about you. | s.26 |
| Right to rectification | Correct any inaccurate or incomplete data. | s.27 |
| Right to erasure | Request deletion of your personal data ("right to be forgotten"). | s.38 |
| Right to object | Object to processing for marketing or profiling purposes. | s.35 |
| Right to portability | Receive your data in a machine-readable format (JSON/CSV). | s.39 |
| Right to restriction | Request that processing be limited while a dispute is resolved. | s.34 |
| Right to complain | Lodge a complaint with the ODPC at www.odpc.go.ke. | s.63 |
Exercise any right by emailing privacy@siasaiq.com. We will respond within 21 days as required by the KDPA.
11. Children's Privacy
PublicMoodTracker is not directed at children under 18. We do not knowingly collect personal data from minors. If we become aware that a child has provided personal data, we will delete it promptly. Contact privacy@siasaiq.com if you believe we hold a child's data.
12. Changes to This Policy
We review this policy at least annually. Material changes — those affecting how we use or share your data — will be communicated by email to registered users at least 14 days before taking effect, and by a notice banner on the platform. The "Last updated" date at the top reflects the most recent revision.
13. Contact Us
Data Protection Officer
PublicMoodTracker · Nairobi, Kenya
Email: privacy@siasaiq.com
Response time: within 2 business days