1. Who controls your data
EABD is operated by TECHenya Solutions in Nairobi, Kenya — the data controller for everything collected on the platform. Where data is processed on our behalf by suppliers, those suppliers act as data processors. Our Data Protection Officer can be reached at [email protected].
We comply with the Kenya Data Protection Act 2019, the Uganda Data Protection and Privacy Act 2019, the Tanzania Personal Data Protection Act 2022, the Rwanda Data Protection and Privacy Law 2021, and the South Sudan and Burundi equivalents where applicable to citizens of those countries using the platform.
2. What we collect
2.1 When you create an account
- Name and email address (required)
- Phone number (optional, required if you want SMS notifications)
- Country and approximate location (required for relevance ranking)
- A salted password hash (we never store passwords in plain text)
2.2 When you list a business
- Business name, description, addresses, registration numbers, VAT number, website, social profiles
- Photos, logos, videos, portfolio pieces you upload
- Decision-maker names and titles you publish on the listing (we treat decision-maker emails as private and never publish them)
- Verification documents (registration certificate, utility bill) — these are retained encrypted, only viewable by the verification team, and deleted within 90 days of verification
2.3 When you use the platform
- Search queries (so we can improve relevance — anonymised after 90 days)
- Listings you view, click, save, and contact (for analytics and recommendations)
- Reviews and messages you write
- Reports of suspicious activity you submit (we keep these confidential)
- Device and browser metadata, IP address, country (for security, fraud detection, and language defaults)
2.4 When you transact
- Plan and price you chose
- Transaction ID, last four digits of the payment instrument, gateway response code
- Receipt-related details required for accounting
- We never see your full card number or your M-Pesa PIN — the gateways handle that and only return us a confirmation token
2.5 Cookies and similar technologies
We use a minimum set of cookies: session cookies for login, a CSRF token for forms, and a cookie that remembers your country selection. We use Cloudflare Turnstile to block bots — Turnstile collects browser metadata in a privacy-preserving way without third-party tracking. We do not embed Google Analytics, Facebook Pixel, or any cross-site advertising network.
3. Why we collect it
Each piece of data is collected for a specific purpose with a defined legal basis:
- To run the service — account, listings, payments. Legal basis: performance of contract.
- To verify businesses — registration and address checks. Legal basis: legitimate interest (platform trust) + consent (you upload the documents knowing why).
- To prevent fraud and abuse — IP logging, rate limits, AI query audit. Legal basis: legitimate interest + legal obligation in some cases.
- To send transactional emails — order receipts, claim verifications, new-message alerts. Legal basis: performance of contract.
- To send marketing emails — only if you opt in. Legal basis: consent (you can withdraw at any time via the unsubscribe link).
- To comply with the law — tax records, court orders. Legal basis: legal obligation.
4. Who we share it with
We share data with the smallest set of suppliers that can do the job, contractually bound to use the data only as we direct:
- Payment processors — Safaricom M-Pesa, Pesapal, PayPal — when you transact
- Hosting and infrastructure — our managed hosting provider and Cloudflare for content delivery and bot protection
- AI providers — we send anonymised search prompts (no PII attached) to OpenAI for the AI search engine; OpenAI's data policy for API customers excludes the prompts from training
- Email delivery — transactional email is sent via a transactional provider; we do not share marketing lists with third parties
- Analytics — we run server-side analytics; no third-party JavaScript analytics
We do not sell user data. We do not share data with advertising networks. We do not allow third parties to install tracking on our pages.
5. International transfers
Some of our processors (OpenAI, Cloudflare, hosting) operate servers outside East Africa. Transfers happen under standard contractual clauses or equivalent safeguards. If you would rather we kept your data exclusively within Kenya, write to us — we can configure a region-restricted account on most paid plans.
6. How long we keep it
- Account data — for as long as your account exists, then 30 days for grace-deletion
- Listings you publish — until you delete them or archive them
- Verification documents — 90 days after a successful verification, then deleted
- Messages between you and other users — until you delete them or the conversation
- Payment records — 7 years (Kenyan tax law requirement)
- Audit logs of administrative actions — 180 days, then pruned by the daily retention sweep
- Analytics events — 90 days, then pruned
- AI search queries — 90 days, then anonymised
- Rate-limit and bot-detection records — 24 hours, then pruned
7. Your rights
Kenya DPA, Uganda DPPA, Tanzania DPA, Rwanda DPL, and other regional laws give you a set of rights over your personal data. EABD honours all of them regardless of which country you are in. Write to [email protected] with your request — we respond within the statutory deadline (30 days under Kenya DPA, similar elsewhere).
- Access — get a copy of everything we hold about you
- Rectification — fix anything that is wrong
- Erasure — delete it (we delete or anonymise within 30 days, with the legal-retention exceptions noted above)
- Restriction — pause our processing while a dispute is resolved
- Portability — get your data in a structured, machine-readable format
- Objection — tell us to stop using your data for a specific purpose
- Withdraw consent — for anything you previously opted into; the unsubscribe link is in every marketing email
8. Complaints
If we mishandle your data and you are not happy with our response, you can complain to the data protection authority in your country:
- Kenya — Office of the Data Protection Commissioner (ODPC), odpc.go.ke
- Uganda — Personal Data Protection Office (PDPO), pdpo.go.ug
- Tanzania — Personal Data Protection Commission
- Rwanda — National Cyber Security Authority (NCSA) Data Protection Office
9. Security
We protect your data with industry-standard controls: encryption in transit (TLS), encryption at rest for credentials and verification documents, role-based access for staff (we audit every administrative action), automated rate limiting and bot protection at the edge, and daily backups stored encrypted in a separate region. We disclose security breaches affecting your data to you within 72 hours of confirming the breach, and to the relevant data protection authority where required by law.
10. Children
EABD is not directed at children. We do not knowingly collect data from anyone under 18. If you become aware that a minor has created an account, write to us and we will delete it.
11. Changes to this policy
We may update this policy as the platform evolves and as the law changes. When we make material changes, we tell account holders by email at least 14 days before the changes take effect. The "last reviewed" date at the top of this page is the canonical signal of when the current version became effective.
12. Contact
For anything in this policy, or to exercise any of the rights described above, write to our Data Protection Officer at [email protected]. Every message goes to a human and is logged in our compliance system; you will receive an acknowledgement within one business day and a substantive response within 30 days.