1. Introduction
RentFlow ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and safeguard information when you use our platform at rentflow.zidi.digital. We comply with the Kenya Data Protection Act 2019 ("the Act") and any regulations issued thereunder.
2. Data We Collect
We collect the following categories of personal data:
Account Information
Full name, email address, phone number, and password (stored as a secure hash — never in plain text).
Property & Lease Data
Property addresses, unit details, lease terms, rent amounts, and tenancy records entered by landlords.
Payment Data
Rent payment records, due dates, paid dates, and M-Pesa transaction reference numbers received from Safaricom's Daraja API. We do not store M-Pesa PINs or full card numbers.
Usage & Technical Data
IP addresses, browser type, pages visited, and session data used for security and platform improvement.
3. How We Use Your Data
- To provide and operate the RentFlow platform.
- To process rent payments via M-Pesa and record payment confirmations.
- To send transactional notifications (payment confirmations, reminders, maintenance updates).
- To improve platform features and fix technical issues.
- To comply with our legal obligations under Kenyan law.
- To detect and prevent fraud and unauthorized access.
4. M-Pesa Payment Data
When rent is paid via M-Pesa, Safaricom's Daraja API sends us a payment callback containing the transaction reference (MpesaReceiptNumber), amount, and phone number. We store this information to reconcile payments and provide receipts. We do not have access to your M-Pesa PIN or wallet balance. All M-Pesa transactions are governed by Safaricom's own terms and privacy policy.
5. Data Storage & Security
Your data is stored on Neon PostgreSQL, a serverless PostgreSQL cloud platform that encrypts data at rest using AES-256. Data in transit is protected by TLS/HTTPS. We implement role-based access control so landlords can only access their own properties and tenants, and tenants can only access their own lease and payment data. Passwords are never stored in plain text — they are hashed using bcrypt/argon2.
6. Data Sharing
We do not sell your personal data to third parties. We may share data in the following limited circumstances:
- Safaricom: Phone numbers and amounts are sent to Safaricom's M-Pesa API to process payments.
- Neon / Vercel: Infrastructure providers that host our database and application. They process data on our behalf and are bound by data processing agreements.
- Legal obligation: If required by Kenyan law, court order, or government authority.
7. Tenant Data & Landlord Access
When a landlord creates a lease for a tenant, the tenant's data (name, email, phone, payment records) is accessible to that landlord within the RentFlow platform. Tenants should be aware that their landlord can view their payment history and maintenance requests. RentFlow acts as a data processor on behalf of landlords, who are the data controllers for their tenants' information. Landlords are responsible for obtaining appropriate consent from tenants to process their data on the platform.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. After account deletion, we will delete your data within 90 days, except where we are required by law to retain records (e.g., financial records for the minimum period required by Kenyan tax law).
9. Your Rights Under the Kenya Data Protection Act 2019
Under the Act, you have the right to:
- Be informed about how your data is processed.
- Access a copy of the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Object to or restrict processing of your data.
- Request deletion of your data (right to erasure), subject to legal retention requirements.
- Request your data in a machine-readable format (data portability).
To exercise any of these rights, email us at support@rentflow.zidi.digital. We will respond within 30 days.
10. Cookies
We use session cookies to keep you logged in. We do not use advertising or third-party tracking cookies. Analytics data (page views, performance metrics) may be collected via Vercel Analytics in an aggregated, anonymised form.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes via email or an in-app notice. Continued use of the platform after notification constitutes acceptance of the updated policy.
12. Contact & Data Controller
For privacy inquiries, data subject requests, or complaints, contact our data protection point of contact at support@rentflow.zidi.digital. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya.