Privacy Policy

Information We Collect

We collect various types of information to deliver, maintain, secure, and optimize our website and ICT services. This information is categorized as follows:

a) Personal Information

This is personally identifiable information that you voluntarily provide to us when you request a consultation, register an account, purchase services, subscribe to updates, or contact our support team. It includes:

• Identity & Contact Data: Full name, primary email address, business and personal telephone numbers, job title, and company or organization name.
• Financial & Transactional Data: Billing addresses, payment receipts, M-Pesa transaction reference identifiers, and payment status indicators. (Note: We do not process or store credit/debit card numbers on our servers; all card transactions are securely routed through PCI-DSS compliant third-party payment gateways).
• Communications & Feedback: Records of your correspondence, support ticket submissions, emails, and any feedback or inquiries you submit through our contact forms.

b) Technical & Usage Information

We automatically collect technical data when you browse our website or interact with our online services. This helps us ensure network security, diagnose server issues, and improve your user experience. It includes:

• Device & Connection Details: IP addresses, operating system version, browser type and version, device make and model, screen resolution, and preferred system language.
• Behavioral & Interaction Logs: Timestamps of visits, specific pages viewed, time spent on each page, clickstream navigation paths, referral source URLs, and search terms that led you to our site.
• Telemetry & Diagnostic Signals: Server request-response logs, page load times, runtime error logs, and system crash diagnostics used to monitor website health and mitigate security threats (e.g., DDoS attacks).
• Cookies & Local Storage: Identifier tokens, configuration files, and tracking pixels (such as Google Analytics cookies) to preserve session states, save user preferences, and analyze traffic patterns.

c) Service-Related Data

When delivering custom software, SaaS platforms, cloud hosting, IoT networks, GIS systems, or payment integrations (such as M-Pesa APIs), we process specific technical and operational datasets to ensure system functionality. This includes:

• Client Application Databases: Structured database records, system schemas, and user profile registries managed under cloud hosting or custom application support agreements.
• IoT & Telemetry Information: Device signal diagnostics, hardware status indicators, geographic coordinates, and active transmission logs emitted from client IoT systems.
• Spatial & GIS Datasets: Vector shapefiles, remote sensing imagery, geographical mapping assets, and spatial coordinate layers uploaded by clients for GIS visualization.
• API Payload Logs: Metadata regarding external service calls, response codes, and payment notification status indicators (such as M-Pesa STK transaction reference tokens) required for auditing integrations.
• Confidential Business Assets: Software source code repositories, system configurations, SSL certificates, and server access tokens managed under strict confidentiality agreements.

Our Role (Data Processor): For all service-related datasets, Eelam Innovations acts strictly as a Data Processor operating under the explicit instructions of our corporate clients (who act as the Data Controllers). We process this data solely to fulfill our contractual service level agreements (SLAs), and we never sell, share, or monetize any client-owned databases.

How We Use Your Information

We process your information under strict legal bases to ensure operational excellence, secure our digital infrastructure, and maintain regulatory compliance. We use your data for the following specific purposes:

• Service Delivery & Maintenance: Setting up client profiles, hosting cloud environments, maintaining stable IoT network connections, displaying custom GIS maps, delivering requested software features, and pushing automated system updates.
• Transaction Processing & Billing: Completing customer payments, generating corporate fiscal invoices, auditing transaction reference codes, and reconciling payment integrations (such as verifying M-Pesa API transaction logs).
• Customer Support & Communication: Responding to contact inquiries, resolving technical support tickets, sending critical security or service-interruption alerts, and notifying you of scheduled service maintenance.
• Security & Cybersecurity Defense: Monitoring server logs, analyzing traffic anomalies, detecting brute-force login attempts, protecting corporate databases from unauthorized intrusion, and mitigating DDoS or malware threats.
• Performance Optimization & Research: Aggregating anonymous technical metadata (like server response times, load latencies, and interaction maps) to speed up our website, streamline workflows, and optimize server resource utilization.
• Legal & Regulatory Compliance: Adhering to the Kenya Data Protection Act, 2019, maintaining accounting logs required by corporate tax authorities, enforcing our terms of service, and complying with international app store developer policies.

Legal Basis for Processing

In accordance with Section 30 of the Kenya Data Protection Act, 2019 and Article 6 of the General Data Protection Regulation (GDPR), we only process your personal data when we have a valid legal justification. We rely on the following legal bases:

• Consent: You have given us explicit, unambiguous consent to process your data for specific purposes (e.g., subscribing to technology newsletters, registering for webinars, submitting service consultation forms, or granting Android permissions within our mobile apps). You have the right to withdraw this consent at any time.
• Performance of a Contract: Processing is essential to fulfill our contractual commitments under service level agreements (SLAs), custom software licensing terms, and cloud hosting contracts, or to execute pre-contractual steps (such as drafting service proposals and quotes) at your request.
• Compliance with Legal Obligations: Processing is mandatory to comply with statutory and regulatory mandates under Kenyan and international laws (e.g., maintaining financial logs for audit and tax reporting under the Kenya Revenue Authority, keeping data logs for ODPC compliance, and assisting in law enforcement requests).
• Legitimate Business Interests: Processing is necessary to support our legitimate commercial interests, provided these do not override your fundamental rights and privacy protections. Our legitimate interests include securing our networks against cyber attacks, auditing M-Pesa integration payloads to guarantee transaction success, and analyzing anonymous website traffic to optimize our user interfaces.

Cookies & Tracking Technologies

We use cookies, web beacons, unique device identifiers, and similar tracking technologies to enhance your browsing experience, analyze our website performance, and maintain secure sessions. We categorize these technologies as follows:

• Essential Cookies (Strictly Necessary): These are required to operate our website and services. They enable secure user login, protect forms against CSRF (Cross-Site Request Forgery) attacks, balance server request loads, and maintain active sessions. The site cannot function correctly without these cookies, and they cannot be disabled.
• Functional & Preference Cookies: These allow us to remember configurations and preferences you select (such as dark mode styling, language selection, region settings, or custom GIS mapping layers) to deliver a personalized and seamless visual interface.
• Performance & Analytical Trackers: We utilize aggregated, anonymous analytics tools (such as Google Analytics and Google Tag Manager) to understand how visitors interact with our platform. These cookies track traffic sources, page load durations, bounce rates, and navigation paths, helping us diagnose technical issues and optimize server speeds.
• Third-Party Integrations: Some pages may feature embedded third-party services (such as YouTube videos, interactive Google Maps, or payment gateway widgets). These third parties may set cookies on your device to track your interaction with their embeds. We do not control these cookies, and we recommend reviewing their respective privacy policies.

Managing Your Cookie Preferences

Most modern web browsers automatically accept cookies by default, but you can configure your browser settings to reject, block, or delete cookies at any time. To manage your browser's cookie settings, please refer to the "Help" or "Settings" menu of your specific browser. Please note: restricting or disabling essential or functional cookies may cause visual styling degradation and prevent certain interactive components of our website from loading or functioning correctly.

Data Sharing & Disclosure

We do not sell, rent, or lease your personal information. We only share or disclose your data when necessary to deliver our services, fulfill contractual commitments, protect system security, or comply with statutory legal mandates. Your data is shared exclusively with the following categories of recipients:

• Cloud Infrastructure & Hosting Providers: We host our custom applications, SaaS platforms, and databases on secure cloud infrastructure environments managed by trusted enterprise service providers (such as DigitalOcean, AWS, or localized high-security data centers) under strict data protection terms.
• Transactional Communication Gateways: To deliver system alerts, account setup messages, multi-factor authentication codes, or scheduled billing invoices, we route contact details (e.g., email or telephone numbers) through secure SMS and email API providers.
• Payment Gateways & Financial Partners: For transaction billing and verification, transaction tokens and API request references are securely routed to Safaricom's M-Pesa API and partner financial gateways to verify and process payment transactions securely.
• Corporate Transactions: In the event of a merger, acquisition, asset sale, joint venture, or corporate restructuring, user datasets may be transferred as a business asset. Any acquiring entity will be legally bound to uphold the identical confidentiality guarantees stated in this Privacy Policy.
• Legal & Regulatory Mandatory Disclosures: We may disclose your personal data if required to do so under Kenyan or international laws, including to comply with a valid court order, a police subpoena, or mandatory audits under the Office of the Data Protection Commissioner (ODPC) or the Kenya Revenue Authority (KRA).

Third-Party Compliance Guarantee: Every third-party sub-processor or partner we engage is contractually bound under formal Data Processing Agreements (DPAs) and Non-Disclosure Agreements (NDAs). They are strictly prohibited from utilizing, sharing, or processing your personal data for any purpose other than executing the specific services we have outsourced to them, and they must maintain equivalent organizational and technical security measures.

Data Security

We are dedicated to safeguarding your personal and service-related data. We implement robust, enterprise-grade technical, physical, and organizational security measures to protect your information against unauthorized access, accidental loss, disclosure, alteration, or destruction. Our core security protocols include:

• Advanced Data Encryption: All data transmitted between your device and our servers is secured using industry-standard Transport Layer Security (TLS 1.3/SSL) encryption. Databases, client registries, and sensitive backups at rest are secured using AES-256 bit encryption standards.
• Identity & Access Governance: Internal access to server environments, client databases, and source code repositories is tightly restricted using Role-Based Access Controls (RBAC), Multi-Factor Authentication (MFA), and the Principle of Least Privilege (PoLP). Only authorized systems administrators can access sensitive environments under strict audit logs.
• Perimeter & Network Defense: We protect our cloud nodes using Web Application Firewalls (WAF), rate-limiting mechanisms to prevent brute-force attacks, and network monitoring tools to detect and deflect DDoS or intrusion attempts.
• IoT Telemetry & GIS Security: IoT sensor communication endpoints are isolated, authenticated using unique hardware tokens or SSL certificates, and routed through secure subnets to prevent coordinate spoofing or MITM (Man-in-the-Middle) attacks.
• Continuous Vulnerability Management: We perform automated package dependency audits, continuous integration vulnerability scans, and security reviews of our codebase to discover and patch software bugs proactively.

Data Breach Notification Protocol

While we strive to employ the highest security standards to protect your data, no transmission method over the internet or cloud environment is completely impregnable. In the highly unlikely event of a suspected or confirmed data breach that presents a risk to your privacy, we will immediately initiate our incident response protocols. In accordance with the Kenya Data Protection Act, 2019, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of breach confirmation, and we will promptly contact affected users directly to provide mitigation guidance.

Data Retention

We only retain your personal, technical, and service-related data for as long as necessary to fulfill the operational, technical, financial, or legal purposes for which it was collected. Our retention schedules are governed by the following criteria:

• Account & Identity Data: We maintain your active profile information for the entire duration of your registered client account. Following a formal account deletion request (pursuant to Section 11), all personal identity records are permanently purged or fully anonymized within 30 days, unless retention is legally required.
• Financial & Transactional Records: Invoices, billing statements, tax receipts, and payment transaction metadata (such as SAFARICOM M-Pesa STK callback tokens) are retained for a statutory period of seven (7) years to satisfy auditing, bookkeeping, and financial reporting compliance under the Kenya Revenue Authority (KRA).
• Technical & Telemetry Logs: Automated server connection logs, IP diagnostics, brute-force security analysis, and website performance telemetry are retained for a temporary period of 90 to 180 days before being automatically purged from our systems or aggregated into non-identifiable statistical charts.
• Client Service Databases (Data Processor): For datasets hosted or managed on behalf of corporate clients, we adhere strictly to the custom retention limits stated in our Service Level Agreements (SLAs). Upon contract termination or client request, all client-owned database nodes and shapefiles are securely deleted or exported back to the client within 30 days.

Secure Data Disposal and Deletion

Once the legal retention period for a dataset expires, we execute secure disposal protocols. Digital records are permanently deleted using secure database block-purging and cryptographic deletion methods to ensure they are completely unrecoverable, while any physical storage media containing sensitive data is degaussed or physically destroyed.

Your Rights (Kenyan & Global Laws)

We believe in giving you full control over your data. In accordance with the Kenya Data Protection Act, 2019, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), you are granted robust rights regarding your personal information. These rights are detailed below:

1. Rights Under the Kenya Data Protection Act (DPA), 2019

If you are a resident of Kenya, you possess the following statutory rights, which you can exercise free of charge:

• Right to Be Informed: The right to receive clear, transparent, and easily understandable information regarding how we collect, process, share, and secure your personal data.
• Right of Access: The right to request confirmation of whether we process your data, obtain details about our processing activities, and receive a complete electronic copy of all personal records we hold about you.
• Right to Rectification: The right to request that we correct, update, or complete any inaccurate, outdated, or incomplete personal data we hold without undue delay.
• Right to Erasure (Right to Be Forgotten): The right to demand the permanent deletion of your account and all associated personal data from our active systems and backups, subject to legal retention overrides (such as tax compliance).
• Right to Object or Restrict Processing: The right to object to the processing of your data on legitimate grounds, to restrict processing while its accuracy is contested, or to object to direct marketing communications.
• Right to Data Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format, and to have that data transferred directly to another data controller where technically feasible.
• Right to Lodge a Complaint: The right to lodge a formal complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya if you believe our data processing operations infringe upon your rights.

2. Rights of European Union Residents (GDPR Compliance)

If you reside in the European Union (EU) or European Economic Area (EEA), you enjoy additional protections under the GDPR:

• Right to Restrict Processing: The right to suspend our processing of your personal data under certain conditions, such as during dispute resolutions.
• Right to Object to Automated Profiling: The right not to be subject to a decision based solely on automated processing or profiling that produces legal or significant effects.
• Right to Withdraw Consent: The right to withdraw your consent to data processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to Lodge a Complaint with a Supervisory Authority: The right to file an official complaint with your local EU National Data Protection Authority.

3. Rights of California Residents (CCPA/CPRA Compliance)

If you are a resident of California, United States, you are entitled to the following privacy protections:

• Right to Know: The right to request disclosure of the specific categories of personal information we collect, the sources of collection, the business purpose for collecting, and the categories of third parties with whom we share it.
• Right to Delete: The right to request the deletion of personal information collected from you, subject to statutory exceptions.
• Right to Opt-Out of Sale or Sharing: The right to direct us not to "sell" or "share" your personal data. (Note: Eelam Innovations Limited does never sell, rent, trade, or share your data with third parties for marketing or commercial profit).
• Right to Non-Discrimination: The right to not receive discriminatory treatment, altered service levels, or price increases from us for exercising any of your CCPA privacy rights.

How to Exercise Your Rights

To exercise any of the rights listed above, including requesting account deletion or data portability, please submit a formal request to our Data Protection Officer at [email protected] with the subject line "Data Privacy Request".

Identity Verification: To safeguard your privacy and maintain system security, we may require you to provide proof of identity (such as verifying your registered email address or phone number) before processing your request. We will not disclose personal data to unverified requestors.

Response Timeline: We will respond to all verified requests free of charge within 30 days of receipt. If a request is highly complex or numerous, we may extend this period by an additional 30 days, and we will notify you of the extension and the reasons for it within the initial 30-day window.

Google API Services User Data

To enable advanced integrations (such as secure single sign-on via Google OAuth 2.0, automatic document backup to Google Drive, or synchronization of project events with Google Calendar), our applications may request permission to access your Google account data. Our use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including its strict Limited Use requirements.

Human Review Limitations: We strictly prohibit our staff, developers, or any other humans from reading your raw Google user data. Human access is only permitted under these narrow exceptions: (i) you provide explicit, granular permission to resolve a specific technical support ticket, (ii) it is absolutely necessary for security auditing purposes (such as detecting system abuse), or (iii) we are legally mandated to do so by a binding law enforcement directive.

Mobile Application Data & Device Permissions

This Privacy Policy governs your use of all mobile applications published by Eelam Innovations Limited (including our Android applications on the Google Play Store and iOS applications on the Apple App Store). We are fully committed to compliance with Google Play Developer Program Policies and Apple App Store Review Guidelines. Depending on the specific application and features you utilize, our mobile apps may request access to the following sensitive device permissions and data:

• Location Services (Fine & Coarse Location): We may request access to your device's precise (GPS) and approximate network coordinates. This data is utilized solely to power location-aware functionalities, such as rendering spatial GIS layers, tracing physical farm boundaries, logging surveying coordinates, and registering field events. We do not track location in the background unless a specific feature explicitly requires continuous background logging (such as offline boundary mapping), in which case we will prompt you for explicit, separate consent before activation. All location data is transmitted securely via TLS encryption and is never shared with third-party advertising networks.
• Camera & Photo Library Access: We may request permission to access your device camera and gallery. This is used exclusively to allow you to take and upload photos (such as adding farm asset pictures, capturing field-event evidence, logging inventory items, or updating your user profile photo) and scanning barcode/QR codes for item registration. The camera is only activated upon your active, physical tap in the application and is never accessed silently or in the background.
• Storage & Local Filesystem (Read/Write Access): We may request read and write permissions for your device's local storage. This is necessary to cache application assets (such as loading spatial map tiles offline in remote fields), saving local SQLite database state, and exporting downloaded data directly into CSV or PDF reports on your device filesystem.
• Device Telemetry & Crash Diagnostics: We may collect standard, non-sensitive system data (such as your device model, operating system version, carrier name, unique Android ID, and crash log reports powered by Firebase Crashlytics). This telemetry is utilized strictly for system debugging, crash resolution, and security audits to prevent service abuse.
• Push Notification Services: With your explicit consent, we may send you push notifications to deliver critical system reminders, database synchronization alerts, security warnings, or operational schedule notifications. You can opt-out of these notifications at any time through the application settings or your device's notification panel.

Controlling and Revoking Mobile Permissions

We operate under a policy of strict data minimization, only requesting the absolute minimum permissions required to execute the action you initiate. You maintain complete control over your mobile device permissions. You can grant, modify, or revoke permissions at any time by navigating to your device's system settings (typically under Settings > Apps > [App Name] > Permissions). Please note: revoking certain permissions will not disable the entire application, but will cause specific location-based, storage-dependent, or camera-driven features to become temporarily unavailable.

Account and Data Deletion

In accordance with Google Play's Data Safety policies and global data protection frameworks (such as the Kenya Data Protection Act, 2019 and the GDPR), we provide all registered users with clear, frictionless, and accessible pathways to permanently delete their accounts and all associated personal data. You do not need to reinstall the application to request account deletion.

Pathways to Request Account Deletion

You can initiate the permanent erasure of your account and related datasets through either of the following two mechanisms:

• In-App Automated Deletion (Instant): If you currently have the mobile application installed on your device, you can delete your account instantly by logging in, navigating to Settings > Account Settings > Delete Account (or Profile > Security Settings > Delete Account depending on the app), and confirming the final on-screen prompts. This instantly terminates your profile and begins the server purging sequence.
• Web-Based / Email Deletion Request (7 Days): If you have already uninstalled our application, or prefer not to use the in-app path, you can submit a deletion request directly via our public web support. Simply email our Data Protection team at [email protected] with the subject line "Account Deletion Request". Please provide your registered account username, email address, or phone number. We will verify your identity securely before initiating deletion.

Scope of Deletion: What Data is Erased

When you request account deletion, we undergo a complete cryptographic deletion and database purge. The following information is permanently erased or irreversibly anonymized from our active databases and servers:

• Identity & Profile Records: Your full name, username, email address, phone number, password hashes, profile picture, and account configuration settings.
• Device Telemetry & Tokens: Firebase push notification tokens, unique device identifiers, geolocational caching layers, and active session tokens.
• User-Generated Content: All custom data logs, operational records, and attachments uploaded directly by your account.

Exceptions: What Data is Retained

We do not retain your data after account deletion unless we are legally obligated to do so by applicable statutes. Specifically, financial transaction records, tax invoices, and Safaricom M-Pesa STK push logs must be preserved for a statutory period of seven (7) years to comply with auditing and tax accounting regulations under the Kenya Revenue Authority (KRA). Any such legally retained datasets are moved into an offline, highly encrypted, and strictly isolated archiving vault, isolated from any active operational processing, and will be automatically destroyed immediately upon the expiration of the statutory period.

Irreversibility Notice: Once your account deletion request is processed and completed (which takes up to 7 business days for email-submitted requests), the action is absolute and permanent. Your account details, custom data logs, and cloud backups cannot be restored or recovered.

Third-Party Links & Services

This Privacy Policy applies exclusively to the digital platforms, software applications, and services owned and operated by Eelam Innovations Limited. For your convenience, our website, client portals, and mobile applications may contain hyperlinks to third-party websites, external plug-ins, API endpoints, or online services that are owned and governed by independent entities (such as corporate partners, research repositories, social networks, or payment gateways).

We do not own, monitor, or exercise control over the content, tracking technologies, security protocols, or privacy practices of these external sites. Clicking on any third-party link or enabling an external integration may permit those third parties to collect, share, or track personal data about you. We assume no responsibility or legal liability for the actions, privacy policies, or cookie usage of any third-party domains you access.

We strongly encourage you to review the privacy policy and terms of service of every external website or mobile application you visit before submitting any personal, financial, or sensitive information to them.

Children's Privacy

Eelam Innovations Limited operates professional platforms, enterprise software, and agricultural services that are strictly directed at and intended for use by adults (individuals aged 18 years and older). We do not design, market, or structure our applications to attract minors, nor do we knowingly solicit, collect, or process personal data from children.

Under the Kenya Data Protection Act, 2019, a child is defined as any individual under the age of 18. In other international jurisdictions, children's privacy acts (such as COPPA in the United States and the GDPR in the European Union) establish protective age thresholds of 13 and 16 years, respectively. We strictly adhere to these local and global protections.

If you are a parent or legal guardian and discover or suspect that your child has bypassed age restrictions to create an account, register on our platforms, or submit personal data (such as emails, phone numbers, or locations) without your supervision or consent, please notify us immediately at [email protected].

Upon receiving and verifying such notifications, we will take prompt, immediate action to deactivate the unauthorized account, permanently purge all associated data files, and erase all server records from our active databases and backup storage systems.

Changes to This Privacy Policy

We reserve the right to modify, amend, or update this Privacy Policy at any time in order to reflect changes in our operational procedures, technological frameworks, or to ensure strict compliance with evolving local and international legal standards (such as updates to the Kenya Data Protection Act, 2019, GDPR, or CCPA).

Notification of Policy Updates

When updates are made to this document, we will immediately revise the "Effective Date" prominently displayed at the very top of this page. For minor, non-material adjustments (such as cosmetic formatting, typo corrections, or stylistic cleanups), changes will take effect immediately upon posting.

For any material changes (updates that significantly alter how we collect, process, share, or secure your personal data, or amendments that modify your statutory rights), we will provide you with prominent notice prior to the change becoming effective. This notice will be delivered through one or more of the following channels:

• A clear, visible notification banner or alert displayed on our web platform dashboard.
• An in-app modal or notification alert presented within our mobile applications.
• A direct email notification sent to the email address registered with your active account.

We strongly encourage you to review this Privacy Policy periodically to stay fully informed of our data protection practices. Your continued use of our websites, web portals, software applications, or mobile apps after any modifications become effective will constitute your voluntary acknowledgment and acceptance of the updated Privacy Policy terms.

Contact & Support Information

We welcome your questions, feedback, and inquiries regarding this Privacy Policy, our data protection measures, or your statutory privacy rights. Eelam Innovations Limited has appointed a dedicated Data Protection Officer (DPO) to oversee our compliance and address any concerns you may raise.

For standard inquiries, our team commits to responding within 48 hours. For formal data subject requests or statutory complaints under the Kenya DPA, GDPR, or CCPA, we will process and respond within the statutory 30-day window.

Statutory Escalation Authorities

We are fully dedicated to working with you to achieve a fair and rapid resolution to any privacy or security concern you might have. However, if you are a resident of Kenya and believe that your inquiry or complaint has not been resolved satisfactorily, you hold the statutory right to escalate your complaint directly to the national regulatory authority:

Office of the Data Protection Commissioner (ODPC)
12th Floor, Britam Tower, Hospital Road, Upper Hill,
P.O. Box 30920-00100, Nairobi, Kenya
Website: https://www.odpc.go.ke
Email: [email protected]