Privacy Policy

Effective Date: October 26, 2025

1. Introduction

Codian Concepts ("Codian", "we", "us", or "our") operates codian.co.ke, a unified API platform for developers, businesses, and the Kenyan tech community, offering payment processing, messaging, government services integration, and community features (collectively, the "Platform"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information in compliance with the Kenyan Data Protection Act 2019 and other applicable laws.

We are committed to safeguarding your privacy and ensuring transparency in our data practices. This policy applies to all users, including developers creating applications, businesses processing payments, and community members participating in events or forums. By using the Platform, you consent to the practices described herein. If you do not agree, please do not use the Platform.

We may update this Privacy Policy periodically. We will notify you of material changes via email, Platform announcements, or by updating the effective date above. Continued use of the Platform constitutes acceptance of the updated policy. For inquiries, contact our support team as provided in our contact section.

Scope: This policy covers all personal data collected through codian.co.ke, its APIs, dashboard, community features, and related services.

2. Information We Collect

We collect various types of information to provide, improve, and secure our services. The categories of data include:

  • Personal Information: When you create an account, register an application, or participate in the community, we may collect your name, email address, phone number, and, for businesses, registration details (e.g., company name, registration number).
  • Know Your Customer (KYC) Data: For payment processing, high-volume API usage, or withdrawals, we may collect government-issued identification (e.g., national ID, passport), proof of address, business ownership documents, and details of beneficial owners to comply with Kenyan anti-money laundering (AML) and counter-terrorism financing (CTF) regulations.
  • Payment and Transaction Data: When you initiate payments (e.g., via M-Pesa, STK Push, PayBill), we collect transaction details such as amounts, transaction IDs, phone numbers, and account references. We do not store full payment card details unless required for processing and compliance.
  • Usage and Technical Data: We collect information about your interactions with the Platform, including IP addresses, device information (e.g., browser type, operating system), API request logs, and session data. This includes analytics data to monitor performance and usage patterns.
  • Community and Content Data: If you participate in the Codian Kenya Tech Community, we may collect profile information (e.g., username, interests), event registrations, and content you post (e.g., forum posts, comments).
  • Government Services Data: When accessing Kenyan government services through our integrated APIs, we may collect data required for submissions (e.g., permit applications, tax filings), which may include personal or business identifiers.
  • Cookies and Tracking Technologies: We use cookies and similar technologies for session management, authentication, and analytics. Essential cookies enable core functionality; non-essential cookies (e.g., for analytics) require your consent.

Voluntary Submission: Most data is provided directly by you during account creation, KYC verification, payment initiation, or community participation. Technical data is collected automatically during Platform use.

3. How We Use Your Information

We use your information to deliver, maintain, and enhance the Platform’s functionality and security, and to comply with legal obligations. Specific purposes include:

  • Service Delivery: To create and manage your account, authenticate API requests, process payments, facilitate government service submissions, and provide community features.
  • KYC and Compliance: To verify identities, prevent fraud, and comply with AML/CTF regulations and other legal requirements.
  • Platform Improvement: To analyze usage patterns, optimize API performance, troubleshoot issues, and enhance user experience.
  • Communication: To send transactional emails (e.g., payment confirmations, API key resets), respond to support inquiries, and, with your consent, send promotional materials about new features or community events.
  • Community Engagement: To display your profile or content in community forums, manage event registrations, and facilitate networking.
  • Security: To detect and prevent unauthorized access, fraud, or abuse of the Platform, including monitoring API usage and transaction integrity.
  • Legal Obligations: To comply with Kenyan laws (e.g., Data Protection Act 2019), respond to regulatory requests, and maintain audit trails for financial transactions.

No Data Sales: We do not sell your personal information to third parties for marketing purposes.

4. How We Share Your Information

We may share your information with authorized parties to provide services, comply with laws, or protect our rights, but only as necessary and with appropriate safeguards.

  • Service Providers: We share data with trusted third-party providers, such as payment processors (e.g., M-Pesa), cloud hosting services, and analytics providers, to facilitate transactions, store data, or monitor Platform performance. These providers are bound by contracts to protect your data.
  • Financial and Regulatory Partners: KYC and transaction data may be shared with financial institutions, payment gateways, or government agencies to process payments, verify identities, or comply with AML/CTF and tax regulations.
  • Community Features: Content you post in the Codian Kenya Tech Community (e.g., forum posts) may be publicly visible unless marked private. Profile information may be shared with other community members to facilitate networking.
  • Legal Compliance: We may disclose data to comply with court orders, subpoenas, or regulatory requests, or to protect our legal rights, property, or safety, or that of our users or the public.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to a successor entity, subject to equivalent privacy protections.

Data Transfers: Data may be processed in Kenya or other jurisdictions with adequate data protection laws. We ensure safeguards (e.g., standard contractual clauses) for any international transfers.

5. Data Storage and Security

We implement industry-standard security measures to protect your data, but no system is entirely secure. You share responsibility for securing your account and applications.

  • Storage: Data is stored on secure servers in Kenya or with trusted cloud providers compliant with Kenyan data protection laws. KYC and transaction data are retained for the duration required by law (e.g., 7 years for financial records) or until no longer needed for the purposes collected.
  • Security Measures: We use HTTPS encryption, secure authentication (e.g., OAuth), and encryption at rest for sensitive data (e.g., KYC, transaction details). We conduct regular security audits and maintain compliance with standards like PCI-DSS for payment processing.
  • Your Responsibilities: You must use strong passwords, enable two-factor authentication (2FA) where available, and secure API credentials (e.g., client_id, client_secret). Do not expose keys in client-side code or public repositories.
  • Data Breaches: In the event of a confirmed data breach, we will notify affected users within 72 hours, as required by the Kenyan Data Protection Act 2019, and take steps to mitigate harm.

Retention Policy: Inactive accounts may be deleted after a period specified in our policies, except where retention is required by law. Contact our support team to request data deletion.

6. Your Data Protection Rights

Under the Kenyan Data Protection Act 2019 and other applicable laws, you have rights regarding your personal data. These include:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Deletion: Request deletion of your data, subject to legal retention requirements (e.g., transaction records).
  • Right to Restrict Processing: Request that we limit how we use your data in certain circumstances.
  • Right to Data Portability: Request your data in a structured, machine-readable format where feasible.
  • Right to Object: Object to processing for marketing or other purposes, including automated profiling.
  • Right to Withdraw Consent: Withdraw consent for non-essential data processing (e.g., marketing emails) at any time.

To exercise these rights, contact our support team as provided in our contact section. We will respond within 30 days, as required by law. You may also lodge complaints with the Kenyan Office of the Data Protection Commissioner (ODPC) if you believe we have not addressed your concerns.

Verification: We may require identity verification before processing data requests to ensure security.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience, maintain sessions, and analyze Platform usage.

  • Essential Cookies: Necessary for core functionality, such as authentication and session management. These cannot be disabled.
  • Analytics Cookies: Used to collect aggregated data on user behavior (e.g., via Google Analytics) to improve the Platform. You may opt out via browser settings or our cookie consent tool.
  • Marketing Cookies: Used for personalized promotions, only with your explicit consent.
  • Managing Cookies: You can disable non-essential cookies through your browser settings or our cookie consent interface (if applicable). Note that disabling cookies may affect Platform functionality.

Cookie Policy: Details on specific cookies and their purposes are available in our cookie management section or upon request.

8. Children’s Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children without verifiable parental consent.

  • If we discover that a minor’s data has been collected without consent, we will delete it promptly, except where required by law.
  • Parents or guardians who believe their child’s data has been collected may contact our support team to request its removal.

Parental Consent: Any use by minors must be authorized by a parent or legal guardian, who assumes responsibility for compliance with these Terms.

9. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or Platform features. Material changes will be communicated at least 30 days in advance via email, Platform notifications, or by updating the effective date above.

Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy. If you disagree with the changes, you may close your account as described in our Terms of Service.

Review Process: We review this policy annually to ensure compliance and relevance.

10. Contact Us

For questions about this Privacy Policy, to exercise your data rights, or to report concerns, please contact our support or legal team as provided in our contact section.

  • Data Protection Officer: Available to address privacy-related inquiries.
  • Complaints: If unsatisfied with our response, you may contact the Kenyan Office of the Data Protection Commissioner (ODPC).

Physical Address: Codian Concepts, Nairobi, Kenya (full details available in our contact section).