Overview

Ngumi Ltd ("Ngumi", "we", "our", or "us") operates the Ngumi mobile application and the website at ngumi.co.ke (collectively, the "Platform"). Ngumi is a Kenyan social commerce marketplace that enables buyers, individual traders, verified sellers, technicians, and mechanics to list products, communicate, and complete transactions securely using M-Pesa.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have under the Kenya Data Protection Act 2019 (KDPA) and other applicable law. By creating an account or using the Platform, you agree to the practices described in this policy.

We do not sell your personal data. We do not display advertisements. The Ngumi Platform is entirely free of third-party advertising networks.

Who We Are

Data Controller: Ngumi Ltd
Registered in: Nairobi, Kenya
Email: support@ngumi.co.ke
Website: https://ngumi.co.ke

Ngumi operates as a data controller under the Kenya Data Protection Act 2019 and complies with directions issued by the Office of the Data Protection Commissioner (ODPC).

Information We Collect

We collect information you provide directly, information generated by your use of the Platform, and limited information from third-party services you connect to Ngumi.

1. Account & Identity Information

• Full name and display name
• Email address (used for authentication and notifications)
• Phone number (required for M-Pesa payments and account security)
• Profile photo (optional, uploaded by you)
• County and area of residence (used to surface locally relevant listings)
• Short biography or business description (optional)
• Authentication provider (email/password or Google Sign-In)

2. Seller & Business Information

• Business name, cover photo, and business biography for verified seller accounts
• Government-issued ID (for Verified Seller identity verification — stored encrypted; see Section 6)
• Business public phone number and email (displayed on your seller profile if you choose to add them)
• Payout method details (M-Pesa number or bank account details, stored encrypted in a secure vault)
• Subscription tier selection and billing history
• Team member names, email addresses, and roles within your business workspace

3. Listings & Marketplace Activity

• Product listings: titles, descriptions, prices, images, condition, delivery options, and category
• Orders: items purchased, quantities, prices, payment method, delivery address, and order status
• Delivery areas configured by sellers
• Product engagement metrics: views, phone-view clicks, and times seen (displayed to sellers in their analytics dashboard)
• Saved (wishlisted) items and recently viewed products
• Offers and promotional posts linked to your products

4. Community & Social Activity

• Posts, comments, replies, questions, offer announcements, and other content you publish in community feeds
• Videos and images attached to community posts (transcoded and stored on our servers)
• Likes, follows, and reactions to other users' content
• "Needed" section requests you post and responses you send
• Product reviews and star ratings
• Private messages exchanged between buyers and sellers

5. Device & Technical Information

• Firebase Cloud Messaging (FCM) device token (for push notifications)
• Device type and Android OS version
• App version code (used to enforce minimum version requirements)
• IP address (logged transiently for security purposes)
• Crash logs and diagnostic reports (via Firebase Crashlytics)

6. Payment & Transaction Data

• M-Pesa phone number used to initiate payment
• M-Pesa Checkout Request ID and M-Pesa receipt number (received from Safaricom)
• Transaction amounts, payment status, payment intent, and timestamps
• Seller wallet balance, transaction history, and payout records
• Platform commission and transfer fee records

7. AI & Search Data

• Search queries and AI assistant chat messages (not retained beyond your session for logged-out users)
• Product description vector embeddings generated for AI-powered similarity and search features (mathematical representations, not readable text)

8. Game Centre Data

• High scores for in-app games (Tetris, Snake, 2048)
• Leaderboard entries you voluntarily submit (displayed publicly under your username)

How We Use Your Data

Providing & Operating the Platform

• Creating and managing your account and seller profile
• Displaying your listings to relevant buyers and operating the marketplace
• Processing orders, payments, and refunds via M-Pesa
• Facilitating delivery confirmation through our OTP handover system
• Managing your seller wallet and processing weekly payouts
• Enforcing subscription tier limits on listing counts, image uploads, and offer slots
• Operating the community feed, private messaging, team workspaces, and reviews
• Sending transactional notifications: order updates, delivery OTPs, payment confirmations, and team invitations

Safety, Security & Fraud Prevention

• Verifying seller identity to reduce fraud and fake listings
• Detecting, investigating, and preventing scams, policy violations, and abuse
• Protecting the integrity of M-Pesa transactions
• Enforcing our Terms of Service and community guidelines

Improving the Platform

• Analysing usage patterns to fix bugs and improve product features
• Improving our AI shopping assistant using anonymised, aggregated data only
• Testing new features

Legal Compliance

• Complying with the KDPA, the Consumer Protection Act, and applicable tax obligations
• Responding to valid legal requests from competent Kenyan authorities
• Maintaining financial transaction records as required by regulation

Legal Basis for Processing (KDPA 2019)

• Contract performance: Processing necessary to provide marketplace services — account creation, order processing, payment handling, and seller dashboard operations.
• Legitimate interests: Fraud prevention, platform security, seller analytics, and service improvement — where our interests do not override your fundamental rights.
• Legal obligation: Maintaining transaction records for tax and regulatory compliance; responding to valid court orders or regulatory directions.
• Consent: Push notifications (configurable in app settings); optional device permissions (camera, photo library) revocable through Android device settings; voluntary submission of government ID for seller verification.

M-Pesa Payments & Financial Data

Ngumi integrates with Safaricom's M-Pesa API (Daraja) to process payments. When you make a payment:

• You receive an STK Push prompt directly from Safaricom. You enter your M-Pesa PIN directly with Safaricom — Ngumi never receives or stores your M-Pesa PIN.
• Safaricom sends a payment callback to Ngumi. We store the Checkout Request ID, receipt number, amount, and timestamp.
• For Cash-on-Delivery orders, a non-refundable buyer commitment fee (minimum KSh 50) is charged at checkout to confirm buyer intent. This is Ngumi's facilitation fee, not a deposit.
• For full-payment orders, Ngumi holds funds in a secure wallet until the buyer confirms receipt via OTP. The net amount (after platform commission) is then credited to the seller's Ngumi wallet.
• Payout method details are stored encrypted using Supabase Vault and are never stored or transmitted in plain text.
• Seller payouts are processed on a weekly basis (Fridays) subject to minimum balance requirements and the presence of a verified primary payout method.

Safaricom's handling of your M-Pesa account is governed by Safaricom's own Privacy Policy. Ngumi is not responsible for Safaricom's data practices.

Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share data only as follows:

With Other Users (as necessary for the marketplace)

• Your public profile name, profile photo, county, and bio are visible on your listings and seller profile.
• Your business name, cover photo, and public contact details are displayed on your shop page if you are a verified seller.
• Your community posts, product reviews, and comments are publicly visible within the Platform.
• Your delivery address is shared with the relevant seller solely for the purpose of order fulfilment.
• Team members within a shared business workspace can view that workspace's orders, products, messages, and analytics — not your personal account data.

With Service Providers

We engage trusted third-party processors under data processing agreements. They process data on our instructions only:

• Supabase Inc. — Database hosting, authentication, storage, and real-time infrastructure
• Cloudflare Inc. — Image and video delivery (Cloudflare R2 and CDN)
• Google Firebase — Push notifications (FCM), crash reporting (Crashlytics)
• Brevo (Sendinblue SAS) — Transactional email (order confirmations, team invitations, OTP emails)
• Safaricom PLC — M-Pesa payment processing
• Google LLC — Google Sign-In; Google Play Store distribution

For Legal Reasons

• We will disclose personal data if required by a valid court order, warrant, or directive from a competent Kenyan authority.
• We may disclose data to protect the rights, property, or safety of Ngumi, our users, or the public.

Business Transfers

• If Ngumi undergoes a merger, acquisition, or sale of assets, user data may be transferred. We will notify affected users before their data becomes subject to a different privacy policy.

Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account closure, subject to the exceptions below.
• Transaction records (orders, payments, payouts): Retained for 7 years from the transaction date to comply with Kenyan tax and financial regulations.
• Community posts and reviews: Deleted when you close your account, except where the content is part of a shared thread or a verified product review.
• Seller verification documents (government ID): Retained while your seller account is active and for up to 2 years after closure for fraud prevention, then permanently and securely deleted.
• Private messages: Retained while the conversation is active. You may request deletion of specific conversations.
• Crash logs and diagnostic data: Retained for up to 90 days then automatically deleted.
• FCM push tokens: Deleted when you sign out or uninstall the application.

Security

We implement technical and organisational security measures proportionate to the sensitivity of the data we hold:

• All data in transit between the Ngumi app and our servers is encrypted using TLS (HTTPS).
• Payout account details are encrypted at rest using Supabase Vault before database storage.
• Delivery OTPs are stored as encrypted secrets and decrypted only at the point of display to the buyer.
• Database access is restricted by role-based access controls and Row Level Security (RLS) policies enforced at the database level, ensuring users can only access their own data.
• M-Pesa API credentials are stored as encrypted environment variables in server-side Edge Functions and are never embedded in the mobile application binary.
• User passwords are never stored by Ngumi — authentication is managed by Supabase Auth using industry-standard secure hashing.
• We monitor for application errors using Firebase Crashlytics and address issues promptly.

No system can guarantee absolute security. If you suspect unauthorised access to your account, contact us immediately at support@ngumi.co.ke.

Your Rights Under the KDPA 2019

To exercise any of the rights below, email us at support@ngumi.co.ke with the subject "KDPA Data Request". We respond within 21 days as required by law.

Right of Access

You may request a copy of the personal data we hold about you, at no charge.

Right to Rectification

You may correct inaccurate data. Most account information can be updated directly in your Ngumi profile settings.

Right to Erasure

You may request deletion of your personal data where it is no longer necessary for the purposes collected, where you withdraw consent, or where processing is unlawful. Note: transaction records required by law cannot be deleted before the mandated retention period expires.

Right to Restriction of Processing

You may request that we restrict processing of your data while a dispute about accuracy or lawfulness is under review.

Right to Data Portability

You may request your personal data in a structured, machine-readable format (JSON or CSV) for export or transfer.

Right to Object

You may object to processing based on legitimate interests. We will cease such processing unless we demonstrate compelling grounds that override your rights.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time through in-app notification settings or your Android device's permission settings. Withdrawal does not affect lawfulness of prior processing.

Right to Lodge a Complaint

You may complain to the Office of the Data Protection Commissioner (ODPC):
www.odpc.go.ke  ·  P.O. Box 41079-00100, Nairobi, Kenya

Children's Privacy

The Ngumi Platform is not directed at persons under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered on our Platform, contact us at support@ngumi.co.ke and we will delete the account and associated data without delay.

Third-Party Services & Links

The Ngumi Platform may contain links to external websites. This Privacy Policy applies only to Ngumi. We are not responsible for the privacy practices of any linked third parties.

The Ngumi Android application includes the following third-party SDKs which may collect technical data per their own policies:

• Google Firebase (FCM, Crashlytics) — Firebase Privacy Policy
• Google Play Services
• Media3/ExoPlayer (video playback only — no data collection)

International Data Transfers

Ngumi is headquartered in Nairobi, Kenya. Some of our service providers (Supabase, Cloudflare, Google Firebase, Brevo) store or process data on servers outside Kenya, including in the United States and European Union. Where we transfer personal data internationally, we ensure appropriate safeguards are in place — including contractual obligations on service providers — consistent with the requirements of the KDPA 2019. By using Ngumi, you acknowledge these transfers as necessary for us to deliver the service.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via push notification and/or an in-app banner. The "Last Updated" date at the top of this page will reflect the most recent revision. Continued use of the Platform after the effective date of any update constitutes your acceptance of the revised terms. The current version is always available at ngumi.co.ke/privacy.html.

Contact Us

For questions, concerns, or to exercise your data rights:

• Email: support@ngumi.co.ke
• Website: ngumi.co.ke
• Company: Ngumi Ltd, Nairobi, Kenya

We aim to respond within 5 business days and to resolve all formal KDPA data subject requests within 21 days as required by law.