1. INTRODUCTION
1.1. Who We Are
KampusBites ("we," "us," or "our") creates a digital marketplace connecting university students ("Customers") with local food vendors ("Vendors") and delivery agents ("Riders"). We are committed to protecting your personal data and respecting your privacy.
1.2. Scope
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website kampusbites.co.ke, use our Progressive Web App (PWA), or use our Vendor/Rider portals.
1.3. Compliance
This policy is drafted in accordance with the Constitution of Kenya, 2010 and the Data Protection Act, 2019. We act as a Data Controller for the information you provide to us directly, and a Data Processor for certain transactional data.
2. THE DATA WE COLLECT
We collect different types of data depending on whether you are a Student, Vendor, or Rider.
2.1. Identity Data
- All Users: Full Name, Email Address, Phone Number.
- Students: University/Campus Name, Year of Study.
- Vendors: Business Name, Owner's Name.
- Riders: Full Legal Name.
2.2. Verification & KYC Data (Sensitive Personal Data)
To ensure safety and prevent fraud on campus, we collect specific documents for verification. We strictly protect this data.
- Riders: National ID Number, Copy of National ID (Front/Back), Student ID (Front/Back), and a real-time Profile Picture.
- Vendors: Business Permit/Registration (where applicable), National ID of the owner.
2.3. Financial Data
- M-Pesa Details: Phone numbers used for transactions.
- Transaction History: Details of orders, payments, and payouts.
Note: We do not store your M-Pesa PINs. All payment processing is handled by our regulated partners (e.g., IntaSend, Safaricom).
2.4. Geo-Location Data
- Riders: Real-time GPS location is collected while you are "Online" to enable order dispatch and live tracking for the customer.
- Students/Vendors: Location data is collected to pinpoint delivery addresses (Hostels, Admin Blocks) and Store locations.
2.5. Technical Data
Device type, IP address, browser type, and operating system used to access our PWA.
3. HOW WE USE YOUR DATA
We only process your data when we have a lawful basis to do so. We use your data to:
- Service Delivery: To process food orders, manage payments via M-Pesa, and coordinate deliveries.
- Verification: To verify that Riders are legitimate students and Vendors are real businesses, ensuring campus safety.
- Communication: To send you status updates (e.g., "Order Accepted," "Rider Arrived"), security alerts, and support messages.
- Payouts: To disburse earnings to Vendors and Riders via M-Pesa B2C.
- Improvement: To analyze usage trends (e.g., popular food categories) to improve the KampusBites experience.
- Legal Compliance: To comply with Kenyan tax laws and the Data Protection Act.
4. DATA SHARING AND DISCLOSURE
4.1. NO SELLING OF DATA
We do not sell, trade, or rent your personal identification information to others. Your data is yours.
4.2. Operational Sharing
We share necessary data to fulfill the service:
- With Vendors: The Vendor sees the Student's first name and specific order details to prepare the food.
- With Riders: The Rider sees the Student's first name, phone number, and delivery location (e.g., "Nyayo Hostel, Room 101") to complete the delivery.
- With Students: The Student sees the Rider's first name, profile picture, and real-time location during an active delivery.
4.3. Third-Party Service Providers
We share data with trusted partners who help us run the app, specifically:
- Payment Processors: (e.g., IntaSend, Safaricom) to process M-Pesa transactions.
- Cloud Hosting: (e.g., Google Firebase) to securely store our database.
4.4. Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., Kenyan Police or the ODPC).
5. DATA SECURITY
We take the security of your data seriously. We implement the following measures:
- Encryption: All data transmitted between your device and our servers is encrypted using SSL/TLS (HTTPS).
- Access Control: Only authorized administrative staff have access to sensitive verification documents.
- Secure Storage: ID images and sensitive documents are stored in secure, private cloud storage buckets with restricted access.
While we strive to use commercially acceptable means to protect your data, remember that no method of transmission over the internet is 100% secure.
6. DATA RETENTION
We will retain your personal data only for as long as is necessary for the purposes set out in this Privacy Policy.
- Active Accounts: We retain data while your account is active.
- Transaction Records: We retain financial transaction data for a minimum of seven (7) years as required by Kenyan Tax Laws.
- Deleted Accounts: If you request account deletion, we will remove your personal identifiers within 30 days, unless legal obligations require us to keep specific records.
7. YOUR RIGHTS
Under the Data Protection Act, 2019, you have the following rights:
- Right to be Informed: To know how your data is being used (this Policy).
- Right of Access: To request a copy of the data we hold about you.
- Right to Rectification: To ask us to correct false or misleading data (e.g., updating your phone number).
- Right to Erasure: To ask us to delete your personal data ("Right to be Forgotten"), subject to legal limitations.
- Right to Object: To opt-out of marketing communications.
To exercise any of these rights, please contact us at support@kampusbites.co.ke.
8. CHANGES TO THIS POLICY
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date." Significant changes will be communicated via App Notification or SMS.
9. CONTACT US
If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer at: