Privacy Policy
1. Introduction
Jumuika ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website, mobile applications (iOS and Android), and related services (collectively, the "Platform").
This policy complies with the Kenya Data Protection Act, 2019 and the General Data Protection Regulation (GDPR) for users in the European Economic Area, and is designed to meet the requirements of the Apple App Store and Google Play Store.
2. Information We Collect
2.1 Information You Provide
- Account registration: Name, email address, phone number, profile photo
- Agent profiles: Business name, licence information, office address, professional bio, social media links, bank details for payouts
- Property listings: Property details, descriptions, photos, videos, documents, pricing
- Communications: Messages, inquiries, contact form submissions, lead notes
- Payment information: M-Pesa phone number, transaction records, bank transfer details
- User-generated content: Property reels, reviews, social media posts
- Verification data: Email verification codes, phone verification codes, two-factor authentication (TOTP) secrets
Mobile App Registration
When you register through our Android or iOS mobile application, we collect:
- Full name
- Email address
- Phone number
- Password (stored securely using bcrypt hashing with 12 rounds)
For Agent accounts, we additionally collect:
- Company/agency name
- Real estate license number
- Years of professional experience
- Professional biography
- Bank account information (for payment processing)
- Office address
Profile Information
- Profile photograph (captured via camera or selected from your device gallery)
- Budget preferences (minimum and maximum, for Customers)
- Preferred property locations
- Property type preferences
Property Inquiries
When you submit a property inquiry through the app, we collect:
- Your name, email address, and phone number
- Your message to the property agent
- The property you are inquiring about
This information is shared with the relevant property agent to facilitate your inquiry.
2.2 Information Collected Automatically
- Device information: Device type, operating system, unique device identifiers, Firebase Cloud Messaging (FCM) tokens for push notifications
- Usage data: Pages visited, properties viewed, search queries, search history, feature usage, session duration
- Location data: Approximate location from IP address; precise GPS location only when you explicitly use map or location features (with your permission)
- Log data: IP address, browser type, access times, referring URLs
Mobile App Data
When you use our mobile application, we automatically collect:
Device Information:
- A unique device identifier (UUID) generated during app installation for analytics purposes
- Device manufacturer and model (e.g., "Samsung Galaxy S21")
- Android device ID (Settings.Secure.ANDROID_ID)
- Operating system type and version
- Platform identifier ("android" or "ios")
Usage Data:
- Properties you view and when you view them (stored locally, up to 20 recent properties)
- Search queries you enter (stored locally, up to 10 recent searches)
- Properties you save to favorites
- Properties you add to comparison lists
- Your preferred listing type (sale or rent)
- Your preferred search location
- Theme preference (dark or light mode)
- Onboarding completion status
Push Notification Data:
- Firebase Cloud Messaging (FCM) token for delivering push notifications
- Notification preferences (enabled/disabled)
- Notification interaction data
Authentication Data:
- Access tokens and refresh tokens (stored in encrypted local storage)
- Token expiry information
- Login session data
2.3 Information from Third Parties
- Social authentication: When you sign in with Google, Facebook, or Apple, we receive your name, email, and profile picture (as permitted by your social account settings)
- Referral data: Referral source and click tracking when you arrive via an agent's referral link
3. How We Use Your Information
- Provide our services: Display property listings, process inquiries, manage leads, handle payments
- Account management: Create and maintain accounts, verify identity, process subscriptions
- Communications: Send property alerts, lead notifications, payment confirmations, and service updates via email, push notification, SMS (Africa's Talking), and WhatsApp
- Search and recommendations: Power property search (via Typesense), provide personalised recommendations, and show relevant content
- AI features: Generate property descriptions, power the Juma AI assistant, and provide content suggestions using DigitalOcean AI (Llama) and Anthropic (Claude)
- Image generation: Create AI-generated images for social media templates using Ideogram.ai
- Analytics and improvement: Understand usage patterns, improve platform features, and fix issues
- Safety and security: Detect fraud, prevent abuse, and protect our users
- Legal compliance: Comply with applicable laws and respond to legal requests
4. Third-Party Services & Data Sharing
We do not sell your personal information. We share data with the following service providers who process it on our behalf:
| Service | Purpose | Data Shared |
|---|---|---|
| Google Firebase (FCM) | Push notifications | FCM token, device information, notification delivery status |
| Firebase Analytics | App analytics | Device identifiers, usage patterns, session data |
| Google Sign-In | Social authentication | Google ID token, name, email address |
| Facebook Login (Meta) | Social authentication | Facebook access token, name, email address |
| Apple Sign-In | Social authentication | Authentication tokens |
| Africa's Talking | SMS notifications & verification | Phone number, message content |
| Meta WhatsApp Cloud API | WhatsApp communications | Phone number, message content |
| Safaricom M-Pesa (Daraja) | Payment processing | Phone number, amount, transaction reference |
| Typesense | Property search | Search queries, property and agent data for indexing |
| Bunny CDN / Bunny Stream | Media hosting and video streaming | Images, videos, documents. Servers located in the EU. |
| DigitalOcean AI | AI content generation | Property details for description generation |
| Anthropic (Claude) | AI-generated descriptions and recommendations | Property data, conversation messages |
| Ideogram.ai | AI image generation | Text prompts for image creation |
Each third-party service processes data according to its own privacy policy. We may also disclose information when required by law, to protect our rights, or to prevent fraud or safety issues.
5. Data Storage & Security
Your data is stored on servers hosted by DigitalOcean with data centres in various locations. Media files are stored on Bunny CDN (EU region). We implement industry-standard security measures including:
- Encryption in transit (HTTPS/TLS)
- Password hashing (bcrypt with 12 rounds)
- Two-factor authentication (TOTP) for agent accounts
- Rate limiting on authentication and API endpoints
- Sanctum token-based authentication for mobile API access
- HMAC signature verification for payment webhooks
Mobile App Security Measures
Our mobile application implements the following security measures:
- Encrypted Token Storage: Authentication tokens (access and refresh tokens) are stored using Android's Encrypted SharedPreferences (androidx.security.crypto), which uses AES-256 encryption.
- HTTPS/TLS: All communication between the app and our servers uses HTTPS encryption in transit.
- Token Refresh: Access tokens are proactively refreshed before expiry (with a 5-minute buffer) to maintain secure sessions.
- Automatic Session Termination: If token refresh fails, the app automatically logs the user out to prevent unauthorized access.
- DNS-over-HTTPS: The app uses DNS-over-HTTPS for enhanced network privacy.
- Two-Factor Authentication: Agent accounts can enable two-factor authentication (TOTP) for an additional layer of security.
- Local Data Privacy: Data stored locally on your device (favorites, search history, preferences) is stored in Android DataStore, which is accessible only to the Jumuika app and is encrypted on devices running Android 7.0 and above.
- Phone Verification: Phone numbers can be verified using SMS codes for added account security.
6. Data Retention
- Account data: Retained while your account is active. After deletion, personal data is purged within 30 days.
- Transaction records: Retained for 7 years for financial and legal compliance.
- Communication logs: Retained for 90 days for quality and dispute resolution.
- Search history: Retained for 120 days for analytics and personalisation.
- Property listings: Removed within 30 days of account deletion or listing removal.
- Notification logs: Retained for 90 days.
Mobile App Local Data Retention
Data stored locally on your device:
- Search history: Retained until manually cleared by you or app data is cleared. Maximum of 10 recent searches stored.
- Recently viewed properties: Retained until manually cleared. Maximum of 20 recent properties stored with timestamps.
- Favorites: Retained until you remove them or delete the app.
- Comparison list: Retained until you clear it. Maximum of 4 properties.
- Preferences (theme, listing type, location): Retained until changed or app is uninstalled.
- Device ID: Retained for the lifetime of the app installation. A new ID is generated if the app is reinstalled.
- FCM token: Retained until the app is uninstalled or you opt out of notifications.
- Authentication tokens: Retained until you log out or tokens expire (access tokens have a limited lifespan; refresh tokens expire after 30 days).
You can clear all locally stored data at any time by clearing the app's data through your device's Settings > Apps > Jumuika > Clear Data.
7. Your Rights (Kenya Data Protection Act 2019)
Under the Kenya Data Protection Act, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate or incomplete data
- Erasure: Request deletion of your personal data (see our Account & Data Deletion page)
- Data portability: Request your data in a structured, machine-readable format (available via the "Export Data" feature in your account settings)
- Object: Object to processing of your data for certain purposes
- Withdraw consent: Withdraw consent for data processing at any time
To exercise these rights, contact our Data Protection Officer at dpo@jumuika.co.ke. We will respond within 30 days.
You may also lodge a complaint with the Office of the Data Protection Commissioner of Kenya at www.odpc.go.ke.
8. Children's Privacy
Jumuika is a real estate platform intended exclusively for users aged 18 years and older. Real estate transactions in Kenya require adult legal capacity.
We do not knowingly collect, solicit, or process personal information from anyone under the age of 18. If you are under 18, please do not attempt to register for an account or send any personal information to us.
If we learn that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to delete that information as quickly as possible. If you believe we might have any information from or about a child under 18, please contact us at dpo@jumuika.co.ke.
Parents and guardians who believe their child has provided personal data to Jumuika may contact our Data Protection Officer to request access to, correction of, or deletion of such data.
9. Mobile App Permissions
Our mobile application requests the following permissions on your device. Each permission is optional unless noted, and you can manage permissions at any time through your device's Settings.
9.1 Internet Access (Required)
- Permission: android.permission.INTERNET
- Purpose: Required for all core app functionality including loading property listings, displaying property images and videos, user authentication, submitting property inquiries, and receiving push notifications.
- Data transmitted: All data described in this policy is transmitted over encrypted HTTPS connections.
- This permission is automatically granted and cannot be individually toggled.
9.2 Camera Access (Optional)
- Permission: android.permission.CAMERA
- Purpose: Allows you to take photographs directly within the app for setting or updating your profile picture/avatar and capturing property photographs (for Agents listing properties).
- When requested: Only when you tap the camera option to take a new photo. The app does not access your camera in the background.
- Data collected: Photos you capture are uploaded to our servers for display on your profile or property listing. Photos are stored on Bunny CDN servers.
- You can deny this permission and instead select existing photos from your device's gallery using the system photo picker, which does not require camera permission.
- To revoke: Settings > Apps > Jumuika > Permissions > Camera > Deny
9.3 Notifications (Optional, Android 13+)
- Permission: android.permission.POST_NOTIFICATIONS
- Purpose: Allows us to send you push notifications about new property inquiries and lead responses, property updates and price changes, account activity and security alerts, payment and transaction confirmations, and promotional offers and new listings matching your preferences.
- When requested: During initial app setup or when you first interact with notification settings.
- Data collected: Your Firebase Cloud Messaging (FCM) token is sent to our servers to enable notification delivery. We also track notification delivery status and whether notifications are enabled.
- You can disable notifications at any time without affecting other app functionality.
- To revoke: Settings > Apps > Jumuika > Permissions > Notifications > Deny, or within the app: Profile > Settings > Notification Preferences
9.4 Photo/Media Access
- We use the Android system Photo Picker to allow you to select photos from your device gallery without requiring broad access to your photo library.
- The Photo Picker only gives our app access to the specific photos you select, not your entire gallery.
- No separate permission is required for the Photo Picker on Android 11 and above.
10. International Data Transfers
Your personal data may be transferred to and processed in countries other than Kenya. These transfers occur when we use third-party services whose servers are located internationally:
- Google services (Firebase, Analytics, Sign-In): Data may be processed on Google servers in the United States or other countries where Google operates.
- Facebook/Meta (Facebook Login): Data may be processed on Meta servers in the United States or other countries.
- Bunny CDN: Media content is delivered through servers located in the European Union.
- Anthropic (Claude AI): AI processing may occur on servers in the United States.
We ensure that such transfers comply with the Kenya Data Protection Act 2019 by:
- Implementing appropriate contractual safeguards with our service providers
- Ensuring that recipient countries provide adequate levels of data protection
- Obtaining your explicit consent for cross-border transfers where required
- Using encryption for data in transit and at rest
For users in the European Economic Area (EEA), we comply with GDPR requirements for international data transfers by relying on Standard Contractual Clauses (SCCs) and adequacy decisions where available.
By using our mobile application and accepting this Privacy Policy, you consent to the transfer of your personal data to countries outside Kenya as described above.
11. Additional Rights for Users in the European Economic Area (EEA)
If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):
Legal Basis for Processing
- Contract performance: Processing your account data, property inquiries, and lead management (Article 6(1)(b))
- Legitimate interests: Analytics, app performance monitoring, fraud prevention (Article 6(1)(f))
- Consent: Push notifications, marketing communications, Firebase Analytics tracking (Article 6(1)(a))
Your GDPR Rights
- Right of access (Article 15): Request a copy of all personal data we hold about you
- Right to rectification (Article 16): Request correction of inaccurate data
- Right to erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
- Right to restrict processing (Article 18): Request that we limit how we use your data
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format
- Right to object (Article 21): Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent at any time for consent-based processing, without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, contact our Data Protection Officer at dpo@jumuika.co.ke. We will respond to your request within 30 days.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- The Office of the Data Protection Commissioner, Kenya (https://www.odpc.go.ke)
- Your local EU supervisory authority
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email, push notification, or in-app notice at least 30 days before they take effect. The "Last Updated" date at the top reflects the most recent revision.
13. Contact Us
For privacy-related questions or requests:
- Data Protection Officer: dpo@jumuika.co.ke
- General Support: support@jumuika.co.ke
- General inquiries: hello@jumuika.co.ke
- Address: Westlands, Nairobi, Kenya
- Kenya ODPC: https://www.odpc.go.ke