Data Protection
Privacy Policy
Effective Date: April 9, 2026 · Version 2.0
This Privacy Policy governs all personal data processed by Color Corporation Limited ("FarmSoko", "the company", "we", "our", "us"), a company incorporated in Kenya, in connection with the FarmSoko platform available at farmsoko.com and its associated mobile applications. It is issued in compliance with the Kenya Data Protection Act, 2019 (DPA), the Kenya Information and Communications Act, and the guidelines of the Office of the Data Protection Commissioner (ODPC).
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Section 2 of the DPA.
- "Processing" means any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, or erasure.
- "Data Subject" means a natural person whose personal data is processed — this includes Farmers, Buyers, Logistics Drivers, and visitors to the platform.
- "Sensitive Personal Data" means data revealing racial origin, health status, financial information, biometric data, or any other category listed under Section 25 of the DPA.
- "Data Controller" means Color Corporation Limited, which determines the purposes and means of processing your personal data.
2. Data We Collect
We collect only the minimum personal data necessary for each stated purpose (data minimisation principle).
2.1 Identity & Contact Data
- Full name and email address used to create and identify your account.
- Safaricom M-Pesa-registered phone number, used exclusively for STK Push payment initiations and B2C escrow disbursements via the Daraja API.
- National ID number or business registration number (where voluntarily provided or required for KYC thresholds — see Section 2.5).
2.2 Location Data
- GPS coordinates (Latitude/Longitude) for farms and delivery points, collected to facilitate logistics routing, distance calculations, and delivery zone matching.
- Location data is collected only with your explicit consent. You may revoke consent through account settings, which will disable location-dependent features such as the logistics matching engine.
- We do not collect continuous background location from mobile devices without a separate, prominent disclosure and opt-in.
2.3 Media & Documents
- Photographs of field scans, produce samples, and farm infrastructure uploaded to Cloudinary's Global CDN.
- PDF documents such as delivery notes, produce grading certificates, and contract summaries.
- Media metadata (file size, format, upload timestamp) is retained for audit integrity purposes.
2.4 Transactional & Financial Data
- M-Pesa transaction reference codes, Paystack payment IDs, escrow hold amounts, payout timestamps, and platform fee records.
- FarmSoko Wallet balances and transaction histories.
- We do not store full M-Pesa PINs, Paystack card numbers, or any raw payment credentials. All payment processing is handled server-to-server through tokenised APIs.
2.5 Know-Your-Customer (KYC) Data
- Where cumulative transaction volumes exceed thresholds prescribed under the Proceeds of Crime and Anti-Money Laundering Act (POCAMLA), we may request a copy of a government-issued ID, a KRA PIN, or business registration documents.
- KYC documents are encrypted at rest and accessed only by authorised compliance personnel. They are not used for marketing or profiling purposes.
- Failure to complete required KYC verification may result in temporary withdrawal limits or account suspension until verification is complete.
2.6 Technical & Usage Data
- IP addresses, browser type, device identifiers, operating system, and session duration logs, collected automatically via our hosting infrastructure.
- In-app navigation patterns and feature interaction events, collected using privacy-preserving analytics to improve platform performance and user experience. This data is aggregated and not linked to individual identities for analytics purposes.
- Error logs and crash reports containing anonymised device and state information.
2.7 Communications Data
- Messages sent within the Contract Chat Room are encrypted at rest using AES-256-GCM. FarmSoko personnel cannot read message content under normal circumstances.
- In the event of a formal dispute lodged through the platform, our Trust & Safety team may decrypt and review relevant chat messages solely for the purpose of dispute resolution. You consent to this limited review when you initiate or respond to a formal dispute.
- Support emails and in-app support tickets are retained for 24 months to maintain service continuity and training quality.
2.8 Data We Do NOT Collect
We do not knowingly collect data from children under the age of 18. We do not collect biometric data, health records, political opinions, religious beliefs, or racial/ethnic origin data. If you believe we have inadvertently collected such data, please contact support@farmsoko.com immediately.
3. Legal Basis for Processing
Under Section 30 of the DPA, we process your personal data only where a lawful basis exists:
- Contractual Necessity: Processing your name, phone number, location, and financial data is necessary to perform the contract between you and FarmSoko (account management, escrow processing, payout disbursement, logistics facilitation).
- Consent: Collection of GPS location data, marketing communications, and use of non-essential cookies is based on your freely given, specific, informed, and unambiguous consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal Obligation: KYC/AML data is processed to comply with POCAMLA and any directions from the Financial Reporting Centre (FRC).
- Legitimate Interests: Technical and usage data is processed for platform security, fraud prevention, and improving service quality, where these interests are not overridden by your fundamental rights.
4. How We Protect Your Data
- Encryption at Rest: All Contract Chat Room messages are encrypted using AES-256-GCM. Financial records and KYC documents are encrypted using AES-256 at the database level.
- Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 or higher. We enforce HTTP Strict Transport Security (HSTS) and do not permit unencrypted connections.
- Access Controls: Personal data is accessible only to FarmSoko employees and contractors who require it to perform their duties, bound by confidentiality obligations. Role-based access controls and audit logs are maintained.
- Infrastructure Security: Our servers are hosted with industry-standard cloud providers with SOC 2 Type II certifications. We conduct regular vulnerability assessments and penetration testing.
- Data Breach Response: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ODPC within 72 hours of becoming aware of the breach, and notify affected data subjects without undue delay, as required by Section 43 of the DPA.
- Limitations: No security system is impenetrable. While we take commercially reasonable precautions, we cannot guarantee absolute security of data transmitted over the internet.
5. Third-Party Data Sharing
We share only the minimum data necessary with trusted third parties operating under binding data processing agreements consistent with the DPA.
- Safaricom (Daraja API): Phone numbers and transaction amounts are transmitted for STK Push initiation and B2C wallet disbursements. Safaricom's own privacy terms govern their use of this data.
- Paystack: Transactional data is shared for escrow holding and payment processing. Paystack is PCI-DSS compliant.
- Cloudinary: Farm media files and PDF documents are stored on Cloudinary's CDN under a data processing agreement that restricts use to storage and delivery only.
- Logistics Providers: Farmer and Buyer names, phone numbers, and delivery GPS coordinates are shared with third-party logistics partners strictly for fulfilling contracted deliveries.
- Legal & Regulatory Disclosure: We may disclose personal data to law enforcement authorities, courts, or regulatory bodies (including the ODPC and FRC) where required by law, court order, or to protect the rights, property, or safety of FarmSoko, our users, or the public.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent data protection commitments. We will notify you before such a transfer occurs.
- Aggregated Data: We may share anonymised, aggregated market insights (e.g., regional crop prices, seasonal demand trends) with agricultural research institutions and government agencies. This data cannot be used to identify individual users.
- No Sale of Data: FarmSoko does not sell, rent, or otherwise trade your personal data to third parties for their own commercial purposes.
6. Cookies & Tracking Technologies
- Essential Cookies: Required for authentication (session tokens), CSRF protection, and core platform functionality. These cannot be disabled without preventing platform access.
- Analytics Cookies: Used to understand aggregate usage patterns and improve the platform. These are only set with your explicit consent, which you can manage via the Cookie Preferences panel in your account settings.
- No Advertising Cookies: We do not use third-party advertising networks, tracking pixels, or cross-site behavioural profiling technologies.
7. Data Retention
We retain personal data only for as long as necessary for the purpose collected, or as required by law:
- Account & Identity Data: Retained for the lifetime of your account, plus 7 years after account closure to satisfy statutory record-keeping requirements under Kenyan tax and commercial law.
- Financial & Transaction Records: Retained for 7 years post-transaction in accordance with Kenya Revenue Authority requirements and POCAMLA obligations.
- KYC Documents: Retained for 5 years after the end of the customer relationship, as required by POCAMLA.
- Chat Messages: Retained for 2 years from the date of the contract's completion or termination, then permanently deleted. Messages related to an active or unresolved dispute are retained until the dispute is fully resolved.
- Location Data: Delivery GPS waypoints are retained for 90 days, then anonymised for aggregate logistics analysis.
- Server Logs: Retained for 90 days for security and debugging, then automatically purged.
- Deleted Accounts: Upon receiving a valid deletion request and subject to any legal holds, we will purge personal data within 30 days and provide written confirmation.
8. Cross-Border Data Transfers
Some of our third-party service providers (including Cloudinary and Paystack) may process or store data outside Kenya. Where such transfers occur, we ensure they are lawful under Section 49 of the DPA, relying on one of the following safeguards:
- The recipient country is deemed to have adequate data protection by the ODPC;
- Standard contractual clauses approved by the ODPC are in place; or
- The transfer is necessary for the performance of a contract to which you are a party.
9. Automated Decision-Making & Profiling
FarmSoko uses automated systems for fraud detection and transaction risk scoring. Where a fully automated decision produces a significant legal or similarly significant effect on you (such as account suspension or withdrawal restrictions), you have the right to request human review of that decision. Contact privacy@farmsoko.co.ke to exercise this right.
10. Your Data Subject Rights
Under Sections 26–34 of the Kenya Data Protection Act, 2019, you have the following rights:
- Right of Access (Section 26): Obtain a copy of the personal data we hold about you, free of charge, within 21 days of a verified request.
- Right to Rectification (Section 27): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Section 28): Request deletion of your personal data where there is no overriding legal basis for retention.
- Right to Restrict Processing (Section 29): Request that we limit processing of your data in certain circumstances (e.g., while accuracy is contested).
- Right to Data Portability (Section 30): Receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object (Section 31): Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to Withdraw Consent (Section 32): Withdraw consent at any time without detriment, where processing is based on consent. This does not affect the lawfulness of prior processing.
- Right to Lodge a Complaint: Lodge a complaint directly with the Office of the Data Protection Commissioner (ODPC) at info@odpc.go.ke if you believe we have violated your data rights.
To exercise any of these rights, contact our Data Protection Officer at privacy@farmsoko.co.ke with your full name, registered email address, and a description of your request. We will respond within 21 days. We may ask you to verify your identity before processing sensitive requests.
11. Children's Privacy
The FarmSoko platform is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. A parent or guardian who believes their child has provided us with personal data should contact privacy@farmsoko.co.ke, and we will delete such data promptly.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in law, our data practices, or platform features. Material changes will be communicated via in-app notification and email at least 14 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy. If you do not agree to the changes, you may close your account before the effective date.
13. Contact & Complaints
Data Protection Officer
Color Corporation Limited
Email: support@farmsoko.com
Postal Address: P.O. Box 62891, Nairobi, Kenya
If you are not satisfied with our response, you may escalate to the Office of the Data Protection Commissioner:
Website: www.odpc.go.ke · Email: info@odpc.go.ke