Privacy Policy

Version 1.0 · Effective date: January 2025 · Data Controller: Mkandarasi (ProqureAI)

1. Data Controller

Mkandarasi ("we", "us", "our") operates as a Data Controller and Processor registered under the Office of the Data Protection Commissioner (ODPC), Kenya, in accordance with the Kenya Data Protection Act, 2019.

2. Personal Data We Collect

Account data: Name, email address, account type (supplier / procuring entity), password (hashed)
Company data: Company name, registration number, address, contact details, documents uploaded for verification
Procurement activity: Tender responses, quotations, proposals, RFI responses, award records
Payment data: Payment reference numbers, subscription tier, billing cycle (card numbers are never stored)
Usage data: IP addresses, browser information, access logs for security and platform improvement

3. Legal Basis for Processing

Contract performance: Processing necessary to provide the platform services you subscribed to
Consent: Marketing communications, optional analytics (you may withdraw at any time)
Legal obligation: Retaining audit records as required by procurement regulations and Kenyan law
Legitimate interest: Platform security, fraud prevention, service improvement

4. How We Use Your Data

To create and manage your account
To match suppliers with procurement opportunities
To process payments and manage subscriptions
To send transactional notifications (new tenders, awards, PO issuance)
To comply with legal and regulatory requirements
With your consent: marketing emails and newsletters

5. Data Sharing

We share your data only as necessary:

With Procuring Entities: When you respond to a tender, your company details are shared with the relevant PE
With Suppliers: When a PE issues a PO or award, the supplier receives the relevant procurement details
Payment processors: Pesapal, M-Pesa, Airtel Money — for payment processing only
Hosting providers: Cloud infrastructure providers under data processing agreements
We do not sell personal data to third parties

6. Data Retention

Active accounts: Retained while your account is active and for 7 years after closure for legal audit purposes
Deleted accounts: Anonymised within 30 days of a confirmed deletion request; anonymised audit records retained
Payment records: Retained for 7 years per Kenyan tax regulations

7. Your Rights Under the Kenya Data Protection Act, 2019

You have the right to:

Access — Request a copy of all personal data we hold about you
Rectification — Correct inaccurate personal data via your profile settings
Erasure — Request deletion of your account and personal data
Data portability — Download your data in machine-readable JSON format
Withdraw consent — Withdraw optional consents (marketing, analytics) at any time
Object — Object to processing based on legitimate interest
Lodge a complaint — File a complaint with the ODPC at www.odpc.go.ke

To exercise your rights: Consent Settings · Download Data · Delete Account

8. Security

We implement industry-standard security measures including HTTPS encryption, bcrypt password hashing, two-factor authentication, and regular security audits. Data is hosted on servers within compliant data centres.

9. Cookies

We use essential session cookies required for platform functionality. No third-party advertising cookies are used.

10. Changes to This Policy

We will notify registered users of material changes to this policy via email at least 14 days before they take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

11. Contact

For data protection enquiries: [email protected]
For ODPC complaints: Office of the Data Protection Commissioner, P.O. Box 30517–00100, Nairobi, Kenya