Legal

Privacy Policy

Effective date: 2 March 2026  •  Applies to: hamia.co.ke

Hamia is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and what rights you have under the Data Protection Act, 2019 (Act No. 24 of 2019) of Kenya and other applicable laws.

By using Hamia, you confirm that you have read and understood this Policy.

1. Who We Are

Hamia operates the property management and discovery platform available at hamia.co.ke. We are the data controller for personal data processed through this platform. We are based in Nairobi, Kenya.

For all data protection enquiries, contact us at privacy@hamia.co.ke.

2. Data We Collect

2.1 Account & Identity Data

  • Full legal name, email address, and phone number (Kenyan format)
  • Password (stored as a one-way cryptographic hash, never in plain text)
  • Profile photo (optional)
  • National ID number or passport number (encrypted at rest using AES-256; collected by landlords during tenant onboarding)
  • KRA PIN (encrypted at rest; optional, collected where required for tax compliance)
  • Google account identifier (if you register or sign in via Google OAuth)
  • Role on the platform: Owner, Agent, Caretaker, or Tenant
  • Account verification documents: National ID, KRA PIN certificate, business registration certificate, property ownership documents (for Owners and Agents)

2.2 Property & Tenancy Data

  • Property names, addresses, types, and GPS coordinates
  • Unit details: number, type, size, bedrooms, rent amount
  • Tenancy records: start date, end date, rent terms, lease agreements (digitally signed)
  • Deposit amounts and deposit deduction records
  • Move-in and move-out dates
  • Tenant reviews submitted by landlords at checkout (star ratings, no free text)

2.3 Financial & Payment Data

  • Invoice amounts, due dates, payment dates, and balances
  • Payment records: amounts, modes (M-Pesa, cash, bank), dates, and M-Pesa transaction codes
  • M-Pesa Paybill/Till numbers and payer phone numbers (from Safaricom callbacks)
  • Bank account details for remittances (encrypted at rest)
  • Expense records, quotations, budgets, and remittance records
  • Subscription payment records for Hamia platform fees

Hamia does not store M-Pesa PINs, card numbers, or any payment credentials belonging to you or your tenants.

2.4 Listing & Media Data

  • Property listing details: title, description, category, pricing, features
  • Photos and images uploaded for listings (stored on AWS S3; perceptual hashes generated to detect duplicate or stolen images)
  • Contact information shown on public listings

2.5 Communications Data

  • Email content of notifications and alerts sent through the platform
  • SMS messages sent via your configured SMS provider or Hamia's own SMS gateway
  • In-platform notification content and read status

2.6 Usage & Technical Data

  • IP address and device user agent (captured on each authenticated request for security and audit purposes)
  • Login timestamps, login success and failure events
  • Actions performed on the platform (audit log: what you did, when, and from where)
  • Session data (stored server-side; expires automatically)
  • Browser type and operating system (from user agent string)

3. How We Collect Your Data

3.1 Directly from you

When you register an account, complete your profile, add properties, onboard tenants, record payments, upload documents, or contact us.

3.2 Automatically

When you use the platform, our systems automatically record your IP address, browser details, and actions for security monitoring and audit compliance.

3.3 From third parties

  • Google: If you sign in via Google, we receive your name, email address, and Google account identifier. We do not receive your Google password.
  • Safaricom (M-Pesa): If you enable the M-Pesa integration, Safaricom's Daraja API sends us C2B payment callback data: transaction code, amount, payer phone number, account reference, and timestamp. This data belongs to transactions made to your Paybill or Till number.
  • Your SMS provider: If you configure an SMS integration (Africa's Talking, Twilio, Infobip, or custom), delivery status information may be received from that provider.
  • Landlords/Agents: Tenant identity information (ID number, name, phone, email) may be entered by a landlord or agent when onboarding a tenant to their property.

4. Lawful Basis for Processing

Under the Data Protection Act, 2019, we process your data on the following grounds:

Basis Examples
Contract performance Creating your account, managing your properties and tenancies, generating invoices and receipts, processing subscription payments
Consent Sharing your tenant rental profile with prospective landlords (opt-in only); processing sensitive personal data; marketing communications
Legal obligation Retaining financial records for 7 years (Income Tax Act, VAT Act); responding to lawful requests from regulators or courts
Legitimate interests Security monitoring, audit logging, fraud prevention, improving platform reliability, detecting duplicate or fraudulent property listings

5. How We Use Your Data

  • Service delivery: To operate your account, manage properties and units, process tenancies, generate invoices, record payments, and produce financial reports.
  • Identity verification: To verify the identity of Owners and Agents before granting full platform access and before publishing property listings.
  • Billing & subscriptions: To manage your Hamia subscription, process platform payments via M-Pesa, and send billing notifications.
  • Communications: To send you notifications about your properties, tenancies, invoices, payments, and platform events via email and SMS.
  • M-Pesa reconciliation: To match incoming M-Pesa payments to tenant invoices within your property portfolio.
  • Tax compliance: To help you compute Rental Income Tax (MRI) and display monthly/annual tax summaries.
  • Tenant analytics: To provide tenants with a personal rental profile showing payment history, on-time rates, and tenancy records.
  • Security & fraud prevention: To detect unauthorised access, identify fraudulent listings, and maintain the integrity of the platform.
  • Legal compliance: To meet our obligations under Kenyan law, including responding to lawful regulatory or court orders.
  • Platform improvement: To understand how the platform is used and to improve features and performance (using aggregated, de-identified data).

6. Data Sharing & Third Parties

We do not sell your personal data. We share data only in the following circumstances:

6.1 Service providers (processors)

Provider Purpose Data transferred
Amazon Web Services (AWS) Cloud hosting and file storage (S3) Property photos, uploaded documents, audit archives
Google LLC OAuth sign-in (optional) Name and email address (only if you choose Google sign-in)
Safaricom (M-Pesa / Daraja) M-Pesa payment reconciliation (optional add-on) Your Daraja credentials (encrypted); M-Pesa callback data including payer phone and transaction codes
SMS providers (Africa's Talking, Twilio, Infobip, custom) SMS notifications (optional add-on, BYO credentials) Recipient phone number and SMS message content for notifications you trigger
Cloudflare Content delivery network (CDN) and DDoS protection IP addresses and HTTP request metadata
Meilisearch Property search indexing Public listing details (no personal data)

6.2 Within the platform (role-based access)

Certain data is shared between users on the platform based on their roles:

  • Owners and Agents can see tenancy, payment, and invoice data for their properties.
  • Caretakers can see payment and unit status data for units they manage.
  • Tenants can see their own invoices, lease documents, and payment history only.
  • Tenant profile data (rental track record) is shared with prospective landlords only with the tenant's explicit prior consent; see Section 7.

6.3 Legal disclosures

We may disclose your data where required by law, court order, or lawful request from a regulatory authority in Kenya, including the Kenya Revenue Authority, Office of the Data Protection Commissioner, and law enforcement agencies acting with proper authority.

6.4 Business transfers

If Hamia is involved in a merger, acquisition, or asset sale, your data may be transferred to the acquiring party. You will be notified in advance of any such transfer and your rights will be preserved.

7. Tenant Rental Profile Sharing

Hamia operates a consent-based tenant profile system. Your rental profile is divided into two layers:

Private layer (you only)

Full payment history with amounts, all lease documents, invoices, receipts, exact transaction dates, contact information, and ID/KRA PIN.

Shareable layer (only with your explicit consent)

  • On-time payment rate (e.g., "92% on-time across 12 tenancies")
  • Number of previous tenancies and average tenancy duration
  • Overall star rating (average of landlord reviews by category)
  • Whether any tenancy ended with unresolved disputes

Consent is off by default. You must actively enable it at Settings → Privacy → Data Sharing. You may turn it off at any time. Every consent change is logged with a timestamp. When consent is off, prospective landlords see only: "This tenant has not enabled profile sharing."

8. Data Retention

Data category Retention period Reason
Financial records (invoices, payments, receipts, remittances) 7 years Income Tax Act (Kenya), Tax Procedures Act
Audit logs (active / dashboard access) 2 months (live), then archived Performance; older logs moved to S3 archive
Audit log archives (S3) 7 years Compliance and dispute resolution
Account data (profile, settings) Until account deletion, then anonymised Service delivery; anonymisation preserves financial record integrity
Verification documents (ID, KRA PIN certificates) Duration of account + 3 years Regulatory compliance
Session data Until logout or session timeout Authentication
Lease agreements Duration of tenancy + 7 years Legal enforceability and dispute resolution

When we delete account data following a deletion request, we anonymise rather than erase where financial records must be preserved: your name becomes "Deleted User [XXXX]", your email and phone are cleared, and all identifying fields are removed. Financial figures are retained in their de-identified form only.

9. Security Measures

We implement the following technical and organisational measures to protect your data:

  • Encryption at rest: All sensitive personal data (ID numbers, KRA PINs, bank account details, M-Pesa credentials, SMS credentials) is encrypted using AES-256 encryption before storage.
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS). We enforce HTTPS across all platform endpoints.
  • Password hashing: Passwords are never stored in plain text. We use strong one-way cryptographic hashing (bcrypt).
  • Access controls: Every user role has strictly scoped access. Caretakers cannot see financial configurations. Tenants can only access their own data. Admin access requires multi-factor authentication (MFA).
  • Audit logging: Every significant action on the platform is logged with IP address, timestamp, user, and action details. Sensitive fields (passwords, credentials, ID numbers) are never written to logs.
  • Credential handling: M-Pesa Daraja credentials and SMS provider credentials are decrypted only at the moment of use and immediately discarded from memory. They never appear in logs, error messages, or API responses.
  • Verification document access: Identity verification documents are accessed via time-limited signed URLs (15-minute expiry); they are never publicly accessible.
  • Infrastructure: Our servers are hosted on AWS with appropriate network security controls. Cloudflare provides DDoS protection.

Despite these measures, no internet transmission is 100% secure. If you suspect a security incident involving your account, contact us immediately at privacy@hamia.co.ke.

10. Your Rights Under the Data Protection Act, 2019

As a data subject under Kenyan law, you have the following rights:

Right of Access (Section 26)

You may request a copy of all personal data we hold about you. Tenants can download their payment history, invoices, lease documents, and tenancy records directly from their dashboard as a ZIP or PDF export at any time. Others may submit a formal data access request to privacy@hamia.co.ke.

Right to Rectification (Section 27)

You may request correction of inaccurate personal data. Most profile information can be corrected directly in your account settings. For corrections to financial or identity records, contact us at privacy@hamia.co.ke. All correction requests are logged and reviewed.

Right to Erasure (Section 28)

You may request deletion of your account and personal data. We will anonymise your account within 30 days. Financial records required for tax compliance (7-year retention) will be de-identified but not erased. You cannot request erasure of financial records that form part of a landlord's legally required records.

Right to Data Portability (Section 30)

You may request your personal data in a structured, commonly used, machine-readable format (CSV or PDF). Tenant analytics dashboards include direct data export functionality.

Right to Object (Section 32)

You may object to processing of your personal data where we rely on legitimate interests as the lawful basis. We will assess your objection and cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Restriction of Processing (Section 31)

You may request that we restrict processing of your data in certain circumstances, such as while a correction request is being investigated.

Right to Withdraw Consent

Where we process your data based on consent (e.g., tenant profile sharing), you may withdraw that consent at any time from your privacy settings. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

How to exercise your rights: Most controls are available directly within your account settings. For formal requests, email privacy@hamia.co.ke from the email address registered on your account. We will respond within 21 days as required by the DPA 2019.

Complaints: If you are dissatisfied with how we handle your data or your rights request, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at www.odpc.go.ke.

11. Cookies & Session Data

Hamia uses the following cookies:

Cookie Purpose Type
hamia_session Maintains your login session Essential
XSRF-TOKEN Protects against cross-site request forgery attacks Essential (security)

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not track your browsing activity outside of hamia.co.ke.

Your browser can be configured to refuse cookies, but this will prevent you from logging in and using the platform.

12. International Data Transfers

Some of our service providers are based outside Kenya:

  • Amazon Web Services (AWS): Property photos and documents stored on S3 may be hosted in data centres outside Kenya. AWS maintains appropriate data protection standards and security certifications.
  • Google LLC: If you use Google Sign-In, your authentication is processed by Google's global infrastructure.
  • Cloudflare: Web traffic passes through Cloudflare's global network for CDN and security services.

These transfers are made under appropriate safeguards, including standard contractual clauses and the legitimate interests of providing you with a secure, reliable service. The core personal data in our platform database is hosted within AWS infrastructure with access controls in place.

13. Children's Data

Hamia is intended for adults aged 18 and above. We do not knowingly collect personal data from persons under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor's data has been submitted to us, contact us at privacy@hamia.co.ke.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by a prominent notice on the platform before the changes take effect. The "Effective date" at the top of this page will reflect the most recent update. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

15. Contact Us

For any privacy-related questions, data subject requests, or concerns, please contact us:

Hamia

Support: support@hamia.co.ke

General: info@hamia.co.ke

Phone: +254 769 526 067

Nairobi, Kenya

To lodge a complaint with the regulator: Office of the Data Protection Commissioner (ODPC), Nairobi, Kenya.