Privacy Policy
Last updated: May 26, 2026
Introduction
Singlbase Technologies Limited ("Company", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with the Data Protection Act, 2019 (No. 24 of 2019) of the Republic of Kenya and the Data Protection (General) Regulations, 2021.
The Company is registered as a Data Controller and Data Processor with the Office of the Data Protection Commissioner (ODPC). This policy should be read alongside our Terms of Service and Cookie Policy.
1. Data Roles: Controller and Processor
Under Kenyan law, responsibility for personal data depends on the nature of the relationship:
- Singlbase Technologies Limited as Data Controller: We act as Data Controller for the personal data of our direct Users (landlords, property managers, agents, and team members) collected during account registration, onboarding, and general use of the Service.
- Singlbase Technologies Limited as Data Processor: Where Users upload or manage personal data of Tenants or other third parties through the Service, the User acts as the Data Controller and we act as a Data Processor. We process such data only on the documented instructions of the User, subject to applicable law.
- Users are responsible for obtaining a valid lawful basis and, where required, explicit consent from Tenants before uploading their personal data to the Service.
2. Personal Data We Collect
2.1 Account and Registration Data (Users)
- Full name, email address, and phone number.
- Organization name, organization registration number, KRA PIN, and VAT number (for tax-compliant invoicing).
- Account preferences, language settings, and notification preferences.
- Support and correspondence records.
2.2 Tenant and Third-Party Data (Managed by Users)
Users may upload personal data about Tenants including names, phone numbers, email addresses, national ID numbers, lease terms, rent payment history, and maintenance request details. Users act as Data Controllers for this data. We process it only as instructed. Users must ensure a lawful basis exists for all such processing.
2.3 Billing and Payment Data (Subscription)
- Subscription details: Plan tier, billing interval (monthly/annual), price, billing period dates, subscription status, and any scheduled plan changes.
- Payment method tokens: A non-sensitive Paystack authorisation code, card brand, last 4 digits, and expiry month/year. We do not store, process, or transmit full card numbers, CVV codes, or PINs. Those values are entered directly into Paystack's PCI-DSS Level 1 certified iframe and never reach our servers.
- Tax identifiers: Organization legal name, KRA PIN, and VAT number (if applicable), used to generate KRA-compliant invoices.
- Transaction history: Date, amount, currency, payment channel (card/M-Pesa/bank), Paystack reference, status (success/failed/refunded), and gateway response.
- Billing contact: An optional separate email address for invoice and renewal notifications.
2.4 Tenant Payment Data
- M-Pesa (Daraja): Tenant phone numbers used to initiate STK push requests, M-Pesa transaction references, and payment status confirmations received from Safaricom. We do not have access to, store, or transmit M-Pesa PINs.
- NCBA Bank: Account identifiers and transaction data retrieved via NCBA API OAuth tokens for payment reconciliation. We do not store NCBA login credentials.
2.5 Automated and Usage Data
- Log data: IP addresses, browser type, device type, and access timestamps, used for security monitoring, fraud detection, and platform stability.
- Session data: Authentication tokens stored in cookies for session management (see our Cookie Policy).
- Feature usage patterns: Aggregated, non-personally-identifiable data used to improve the Service.
3. Lawful Basis for Processing
We process personal data under the following lawful bases as defined in Section 30 of the Data Protection Act, 2019:
| Processing Activity | Lawful Basis |
|---|---|
| Account registration and platform access | Contract performance |
| Processing subscription payments and renewals | Contract performance |
| Issuing KRA-compliant invoices and tax records | Legal obligation |
| Fraud detection and security monitoring | Legitimate interests |
| Anti-money laundering checks and reporting | Legal obligation |
| Sending transactional notifications (payment receipts, renewal alerts) | Contract performance / legitimate interests |
| Sending marketing communications | Consent (opt-in required) |
| Platform performance and feature improvement | Legitimate interests |
| Law enforcement cooperation and regulatory reporting | Legal obligation |
4. How We Use Your Data
- To provide, maintain, and improve the Service.
- To process subscription payments, manage renewals, issue refunds, and send billing notifications via Paystack.
- To initiate tenant rent collection via M-Pesa STK push or NCBA bank transfers.
- To issue tax invoices and meet our reporting obligations to the Kenya Revenue Authority (KRA).
- To detect, investigate, and prevent fraudulent transactions or unauthorised access.
- To comply with applicable Kenyan laws, including the Data Protection Act 2019, POCAMLA, the Computer Misuse and Cybercrimes Act 2018, and CBK regulations.
- To respond to support requests and improve customer experience.
- Marketing: We send marketing communications only with your explicit prior consent. You may opt out at any time by clicking "Unsubscribe" in any marketing email or by contacting us at legal@singlbase.com. Transactional notifications (payment confirmations, renewal reminders, invoice receipts, failure alerts) are essential to the Service and cannot be opted out of while you have an active paid subscription.
6. Security and Breach Notification
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These include:
- AES-256 encryption for data at rest.
- TLS 1.3 encryption for all data in transit.
- Role-based access controls (RBAC) and row-level security (RLS) in our database.
- Multi-factor authentication options for all user accounts.
- Regular security reviews and access audits.
- PCI-DSS compliant payment processing via Paystack (card data never transits our servers).
Data Breach Notification: In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, we will:
- Notify the ODPC within 72 hours of becoming aware of the breach, in accordance with Section 43 of the Data Protection Act, 2019.
- Notify affected data subjects without undue delay where the breach is likely to result in high risk to their rights.
- Maintain a record of all data breaches, including those not reported to the ODPC, for internal audit purposes.
7. Data Retention
We retain personal data only for as long as necessary for the stated purpose or as required by law. The following schedule applies:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account and profile data | Duration of account + 30 days | Final data export window |
| Organization data (properties, tenants, leases) | Duration of account + 30 days | Final data export window |
| Billing invoices and tax records | 7 years from date of issue | KRA record-keeping requirement (Income Tax Act) |
| Transaction history (payments) | 7 years | KRA and POCAMLA obligations |
| Saved payment method tokens | Active subscription + 30 days post-cancellation | Deactivated with Paystack on expiry |
| Security and access logs | 90 days | Fraud detection and incident response |
| Support correspondence | 3 years | Service quality and dispute resolution |
Upon expiry of the applicable retention period, data is securely deleted, anonymised, or pseudonymised. Where anonymisation is used, the resulting data is no longer personal data and is not subject to the Data Protection Act, 2019.
8. Your Rights Under the Data Protection Act, 2019
As a data subject, you have the following rights under Sections 26 to 38 of the Data Protection Act, 2019. To exercise any right, contact us at legal@singlbase.com with your name, account email, and a description of your request. We will acknowledge your request within 5 organization days.
| Right | What It Means | Response Time |
|---|---|---|
| Right to access | Obtain a copy of your personal data and information about how it is processed. | 30 days |
| Right to rectification | Request correction of inaccurate or incomplete data. | 14 days |
| Right to erasure | Request deletion of your data where it is no longer necessary or where consent is withdrawn, subject to legal retention obligations. | 14 days |
| Right to data portability | Receive your data in a structured, machine-readable format (CSV or JSON) for transfer to another service. | 30 days |
| Right to restrict processing | Request that we limit how we use your data while a dispute is resolved. | 14 days |
| Right to object | Object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds. | 14 days |
| Right to withdraw consent | Withdraw any consent given for processing at any time. Withdrawal does not affect lawfulness of prior processing. | Immediate |
| Right against automated decision-making | Not be subject to decisions based solely on automated processing (including profiling) that significantly affect you. We do not make such decisions without human review. | 14 days |
We will respond to all verified requests free of charge. Where requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse, providing written reasons.
9. Children's Data
The Service is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at legal@singlbase.com and we will delete it promptly.
10. Direct Marketing
We will not use your personal data for direct marketing without your prior explicit consent, as required by Section 37 of the Data Protection Act, 2019. Every marketing communication we send will include a clearly visible unsubscribe link. You may also opt out at any time by contacting us at legal@singlbase.com.
Transactional communications (payment receipts, subscription renewal reminders, invoice notifications, security alerts) are not marketing communications and are sent on the basis of contract performance.
11. Complaints and Contact
To exercise your rights, report a privacy concern, or raise a data protection complaint, please contact us:
- Privacy and Legal: legal@singlbase.com
- General Support: legal@singlbase.com
- Postal Address: Singlbase Technologies Limited, Nairobi, Kenya
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):
- Website: www.odpc.go.ke
- Breach reporting: odpc.go.ke/report-a-data-breach
- Registration portal: dataportal.odpc.go.ke
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable law, or new features. When we make material changes we will update the "Last updated" date, notify registered Account Owners by email at least 14 days before the changes take effect, and display a notice within the Service. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.