Privacy Policy

We wish to reiterate that HabariChat respects your privacy and are strongly committed to keeping secure any information we obtain from you or about you. This Privacy Policy describes our practices with respect to Personal Information we collect from or about you when you use our website, applications, and services (collectively, "Services"). Our use of that data is governed by our customer agreements covering access to and use of those offerings.

1. Personal Information We Collect

We collect personal information relating to you ("Personal Information") as follows:

Personal Information You Provide: We collect Personal Information if you create an account to use our Services or communicate with us as follows:

Account Information: When you create an account with us, we will collect information associated with your account, including your name, contact information, and authentication credentials.

User Content: When you use our Services, we collect Personal Information that is included in the input, file uploads, or feedback that you provide to our Services ("Content").

Communication Information: If you communicate with us, we collect your name, contact information, and the contents of any messages you send ("Communication Information").

Social Media Information: We have pages on social media sites like Instagram, Facebook, Medium, Twitter, YouTube and LinkedIn. When you interact with our social media pages, we will collect Personal Information that you elect to provide to us, such as your contact details (collectively, "Social Information"). In addition, the companies that host our social media pages may provide us with aggregate information and analytics about our social media activity.

Personal Information We Receive Automatically From Your Use of the Services: When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions ("Technical Information"):

Log Data: Information that your browser automatically sends when you use our Services. Log data includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interact with our website.

Usage Data: We may automatically collect information about your use of the Services, such as the types of content that you view or engage with, the features you use and the actions you take, as well as your time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, and your computer connection.

Device Information: Includes name of the device, operating system, device identifiers, and browser you are using. Information collected may depend on the type of device you use and its settings.

Cookies: We use cookies to operate and administer our Services, and improve your experience. A "cookie" is a piece of information sent to your browser by a website you visit. You can set your browser to accept all cookies, to reject all cookies, or to notify you whenever a cookie is offered so that you can decide each time whether to accept it. However, refusing a cookie may in some cases preclude you from using, or negatively affect the display or function of, a website or certain areas or features of a website.

Analytics: We may use a variety of online analytics products that use cookies to help us analyze how users use our Services and enhance your experience when you use the Services.

Third-Party Authentication: HabariChat respects the privacy and security of our users' data, including any information accessed through third-party OAuth providers such as Google, Microsoft, or other authentication services. We utilize third-party user data solely for the purpose of providing our services and enhancing the user experience. This may include accessing basic profile information to personalize the user experience and securely storing this data in accordance with industry standards. We do not share third-party user data with any external parties unless explicitly authorized by the user or required by law. Our privacy policy transparently outlines the specific ways in which we access, use, store, and potentially share third-party user data, ensuring clarity and accountability in our practices.

When you choose to sign in to HabariChat using your third-party account via OAuth, our application receives your email address, name, and profile picture from the authentication provider, as well as a unique identifier that allows you to log in. HabariChat uses this information to authenticate you and personalize your experience within the application. We securely store your unique identifier and email address to maintain your account and allow you to access your data across devices. HabariChat does not share your individual third-party user data with any external parties. We retain this data for as long as you maintain an active account with our service. If you wish to revoke HabariChat's access to your third-party account information, you may do so at any time through your respective account settings.

1.a. Facebook Page Integration

When you connect your Facebook Page to HabariChat, we access limited data from your Facebook account in order to deliver our messaging and customer support services. This access is granted through Facebook’s authorized login process and is subject to your explicit consent.

Permissions and Data Accessed:
Through the Facebook login process, HabariChat may request the following permissions:

pages_show_list: To identify the Facebook Pages you manage.
pages_messaging: To enable messaging functionality on your connected Page via HabariChat.

These permissions allow us to:

Display a list of Pages associated with your account.
Enable two-way communication between your Facebook Page and your customers using the HabariChat platform.

We do not access your personal Facebook profile data beyond what is necessary for Page authorization. HabariChat does not publish to your Pages, nor do we post or take any actions on your behalf without your explicit action or instruction.

Use of Facebook Data:
Any data accessed through Facebook is used solely for the purpose of enabling you to respond to messages, track conversations, and manage interactions within your Facebook Page’s inbox through the HabariChat platform. We do not sell, share, or use this data for any other purpose.

Data Retention and Revocation:
We retain Facebook Page-related access data only for as long as your account is connected to HabariChat or until you revoke access. You may disconnect your Facebook Page at any time through your HabariChat account settings or directly via your Facebook account's Business Integrations settings.

Compliance with Facebook Platform Policies:
HabariChat complies with Meta’s Platform Terms and Developer Policies, including requirements around user transparency and data security. For more information about how Facebook handles your data, please review Meta’s Data Policy.

2. How We Use Personal Information

We may use Personal Information for the following purposes:

To provide, administer, maintain and/or analyze the Services
To improve our Services and conduct research
To communicate with you
To develop new programs and services
To prevent fraud, criminal activity, or misuses of our Services, and to protect the security of our IT systems, architecture, and networks
To carry out business transfers
To comply with legal obligations and legal process and to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or other third parties

Aggregated or De-Identified Information: We may aggregate or de-identify Personal Information so that it may no longer be used to identify you and use such information to analyze the effectiveness of our Services, to improve and add features to our Services, to conduct research and for other similar purposes.

3. Disclosure of Personal Information

In certain circumstances we may provide your Personal Information to third parties without further notice to you, unless required by the law:

Vendors and Service Providers: To assist us in meeting business operations needs and to perform certain services and functions, we may provide Personal Information to vendors and service providers, including providers of hosting services, cloud services, and other information technology services providers, email communication software, and web analytics services, among others. Pursuant to our instructions, these parties will access, process, or store Personal Information only in the course of performing their duties to us.

Business Transfers: If we are involved in strategic transactions, reorganization, bankruptcy, receivership, or transition of service to another provider (collectively, a "Transaction"), your Personal Information and other information may be disclosed in the diligence process with counterparties and others assisting with the Transaction and transferred to a successor or affiliate as part of that Transaction along with other assets.

Legal Requirements: We may share your Personal Information, including information about your interaction with our Services, with government authorities, industry peers, or other third parties (i) if required to do so by law or in the good faith belief that such action is necessary to comply with a legal obligation, (ii) to protect and defend our rights or property, (iii) if we determine, in our sole discretion, that there is a violation of our terms, policies, or the law; (iv) to detect or prevent fraud or other illegal activity; (v) to protect the safety, security, and integrity of our products, employees, or users, or the public, or (vi) to protect against legal liability.

4. Your Rights

As a user, you have a right to:

Access your Personal Information and information relating to how it is processed
Delete your Personal Information from our records
Rectify or update your Personal Information
Transfer your Personal Information to a third party (right to data portability)
Restrict how we process your Personal Information
Withdraw your consent at any time, where we rely on consent as the legal basis for processing
Object to how we process your Personal Information
Lodge a complaint with the relevant data protection authority

To the extent provided for by local law and subject to applicable exceptions, individuals may have the following privacy rights in relation to their Personal Information:

The right to know information about our processing of your Personal Information, including the specific pieces of Personal Information that we have collected from you
The right to request deletion of your Personal Information
The right to correct your Personal Information
The right to be free from discrimination relating to the exercise of any of your privacy rights

We don't "sell" Personal Information or "share" Personal Information for cross-contextual behavioral advertising (as those terms are defined under applicable local law). We also don't process sensitive Personal Information for the purposes of inferring characteristics about a consumer.

Exercising Your Rights: To the extent applicable under local law, you can exercise privacy rights described in this section by submitting a request to [email protected]

Verification: In order to protect your Personal Information from unauthorized access, change, or deletion, we may require you to verify your credentials before you can submit a request to know, correct, or delete Personal Information. If you do not have an account with us, or if we suspect fraudulent or malicious activity, we may ask you to provide additional Personal Information and proof of residency for verification. If we cannot verify your identity, we will not be able to honor your request.

5. Children

Our Service is not directed to children under the age of 18. HabariChat does not knowingly collect Personal Information from children under the age of 18. If you are under 18, you must have consent from your parent or guardian to use our Services.

Where HabariChat is used by educational institutions or other business customers to communicate with or about minors, such processing is subject to the enhanced protections for children's personal data under the Kenya Data Protection Act, 2019, and is governed by Section 11(c) of this Privacy Policy. In those contexts, the educational institution acts as the data controller and is responsible for obtaining and maintaining valid parental or guardian consent in accordance with applicable law.

6. Security and Retention

We implement commercially reasonable technical, administrative, and organizational measures to protect Personal Information both online and offline from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no Internet or email transmission is ever fully secure or error free. In particular, email sent to or from us may not be secure. Therefore, you should take special care in deciding what information you send to us via the Service or email. In addition, we are not responsible for circumvention of any privacy settings or security measures contained on the Service, or third-party websites.

We'll retain your Personal Information for only as long as we need in order to provide our Service to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Information will depend on a number of factors, such as the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure, our purpose for processing the information, and any legal requirements.

7. International Users

By using our Service, you understand and acknowledge that your Personal Information will be processed and stored in our facilities and servers and may be disclosed to our service providers and affiliates in other jurisdictions.

Legal Basis for Processing: Our legal bases for processing your Personal Information include:

Performance of a contract with you when we provide and maintain our Services. When we process Account Information, Content, and Technical Information solely to provide our Services to you, this information is necessary to be able to provide our Services. If you do not provide this information, we may not be able to provide our Services to you.
Our legitimate interests in protecting our Services from abuse, fraud, or security risks, or in developing, improving, or promoting our Services, including when we train our models. This may include the processing of Account Information, Content, Social Information, and Technical Information.
Your consent when we ask for your consent to process your Personal Information for a specific purpose that we communicate to you. You have the right to withdraw your consent at any time.
Compliance with our legal obligations when we use your Personal Information to comply with applicable law or when we protect our or our affiliates', users', or third parties' rights, safety, and property.

8. Changes to the Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post an updated version on this page, unless another type of notice is required by applicable law.

9. How to Contact Us

Please contact us at [email protected] if you have any questions or concerns not already addressed in this Privacy Policy.

10. Kenya Data Protection Act Compliance

HabariChat is subject to and complies with the Kenya Data Protection Act, 2019 (No. 24 of 2019) ("KDPA") and its subsidiary regulations, including the Data Protection (General) Regulations, 2021, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021. As a data controller and, where applicable, a data processor operating within the Republic of Kenya and processing the Personal Information of Kenyan data subjects, we are committed to processing your Personal Information lawfully, fairly, and transparently in full accordance with the KDPA's requirements.

Our Role Under the KDPA:
HabariChat acts as a data controller when we determine the purposes and means of processing your Personal Information in connection with our Services, for example when managing your account, communicating with you, or improving our platform. Where we process Personal Information on behalf of our business customers (for example, when a business uses HabariChat to communicate with its own end customers), we act as a data processor, operating solely under the lawful instructions of that business as the data controller. We maintain the registrations and internal records required of data controllers and data processors under the KDPA and its subsidiary regulations.

Lawful Basis for Processing Under the KDPA:
We process your Personal Information only where we have a valid and documented lawful basis to do so. Under the KDPA, the lawful bases on which we may rely include:

Consent: Where you have given your freely given, specific, informed, and unambiguous consent for us to process your Personal Information for a stated purpose. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Contractual necessity: Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract with us.
Legal obligation: Where we are required to process your Personal Information to comply with a legal or regulatory obligation imposed on us under Kenyan or other applicable law.
Legitimate interests: Where processing is necessary for our legitimate interests, or those of a third party (such as preventing fraud, maintaining network and information security, improving our Services, or conducting internal analytics), provided those interests are not overridden by your fundamental rights and freedoms as a data subject.
Vital interests: Where processing is necessary to protect your vital interests or those of another natural person.
Public interest: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Your Rights Under the KDPA:
In addition to the rights described in Section 4 of this Privacy Policy, the KDPA specifically guarantees Kenyan data subjects the following rights. These rights may be exercised at no charge by submitting a request to [email protected], and we will respond within the timelines prescribed by the KDPA and its subsidiary regulations.

Right to be informed: You have the right to be informed, before or at the time of collection, that your Personal Information is being collected, the specific purposes for which it is being collected, the legal basis for processing, how long it will be retained, and whether it will be shared with or transferred to any third parties.
Right of access: You have the right to request confirmation of whether we hold your Personal Information, and to receive a copy of that information in an intelligible form. We will respond within the timelines prescribed by the KDPA, and we may charge a reasonable fee where requests are manifestly unfounded or excessive.
Right to rectification: You have the right to require us, without undue delay, to correct any Personal Information we hold about you that is inaccurate, misleading, incomplete, or out of date.
Right to erasure: You have the right to request the deletion or destruction of your Personal Information where it is no longer necessary for the purpose for which it was collected, where you have withdrawn your consent and there is no other lawful basis for continued processing, or where processing is otherwise unlawful under the KDPA.
Right to restriction of processing: You have the right to request that we restrict or suspend the processing of your Personal Information in certain defined circumstances, including where you contest the accuracy of the data, where processing is unlawful and you oppose erasure, or where we no longer need the data but you require it for the establishment or defence of a legal claim.
Right to data portability: Where processing is carried out by automated means and is based on your consent or on a contract, you have the right to receive your Personal Information in a structured, commonly used, and machine-readable format, and to have that information transmitted to another data controller where technically feasible.
Right to object: You have the right to object to the processing of your Personal Information at any time on grounds relating to your particular situation. Where Personal Information is processed for direct marketing purposes, you have an unconditional right to object and we will cease such processing immediately upon receipt of your objection.
Rights related to automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or significantly affects you, without appropriate human intervention, a clear explanation of the logic involved, and a meaningful opportunity to challenge the decision.

We will not discriminate against you for exercising any of the rights listed above. We may, however, need to verify your identity before processing a rights request, and we may decline requests that are manifestly unfounded, excessive, or that conflict with our obligations under applicable law.

Cross-Border Data Transfers:
The KDPA restricts the transfer of Personal Information outside Kenya to jurisdictions that do not provide a level of data protection that is at least equivalent to that afforded under the KDPA. Where we transfer your Personal Information to countries, territories, or international organisations outside Kenya (for example, to cloud infrastructure providers, analytics platforms, or other service providers), we take steps to ensure that such transfers comply with the KDPA. Safeguards we may rely on include: (i) a determination by the relevant Kenyan authority that the recipient jurisdiction provides an adequate level of protection; (ii) the use of standard contractual clauses or data transfer agreements incorporating appropriate technical and organisational protections; or (iii) where required, your explicit and informed consent to the specific transfer after being made aware of the possible risks. You may request details of the specific safeguards applicable to any international transfer of your Personal Information by contacting us at [email protected].

Data Protection Officer:
HabariChat has designated a Data Protection Officer ("DPO") responsible for overseeing our compliance with the KDPA and its subsidiary regulations, and for serving as the primary point of contact for data subjects and the Office of the Data Protection Commissioner on all matters relating to data protection. You may contact our DPO at [email protected] with the subject line "Attention: Data Protection Officer."

Sensitive Personal Data:
The KDPA affords heightened protection to certain categories of Personal Information classified as sensitive, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. HabariChat does not intentionally collect sensitive Personal Data from users of our general Services. Where any such data is processed in connection with a specific use case (for example, health-related information shared by a clinic using our platform), processing will be subject to explicit consent or another lawful basis permitted under the KDPA, and will be subject to enhanced security and access controls.

Data Retention Under the KDPA:
Consistent with our obligations under the KDPA, we retain your Personal Information only for as long as is necessary to fulfil the purpose for which it was collected, or for such longer period as may be required or permitted under applicable Kenyan law or other legal obligations. Once Personal Information is no longer required for any lawful purpose, we will securely delete, destroy, or anonymise it in a manner that prevents reconstruction or re-identification. Where immediate deletion is not possible (for example, because data is temporarily held in encrypted backup archives), we will isolate it from further active processing until secure deletion can be completed.

Supervisory Authority (Office of the Data Protection Commissioner):
The KDPA established the Office of the Data Protection Commissioner (ODPC) as the independent supervisory authority responsible for regulating the processing of Personal Information in Kenya, registering data controllers and data processors, investigating complaints, and enforcing data subjects' rights. If you are a Kenyan data subject and believe that HabariChat has processed your Personal Information in a manner inconsistent with the KDPA, you have the right to lodge a complaint with the ODPC. We encourage you to contact us first at [email protected] so that we may work to resolve your concern directly and promptly; however, this does not affect your right to approach the ODPC at any time without prior notice to us. The ODPC may be reached at:

Website: www.odpc.go.ke
Email: [email protected]
Address: Office of the Data Protection Commissioner, P.O. Box 30084-00100, Nairobi, Kenya

11. Regulated Industry Data Processing

HabariChat's platform is used by businesses operating in regulated industries in Kenya. The following describes how we handle data in those specific contexts. In all cases, the business customer remains the data controller and HabariChat acts solely as a data processor under their instructions. The business customer is responsible for ensuring their use of HabariChat complies with all sector-specific regulations applicable to them.

(a) Financial Services — Banks, SACCOs, Microfinance Institutions & Insurance

When a financial institution uses HabariChat to communicate with its customers:

We process customer communication data (message content, timestamps, and contact identifiers) solely for the purpose of routing and facilitating that communication on behalf of the financial institution.
We maintain a complete, timestamped audit log of all conversations, which the financial institution may access at any time for CBK, SASRA, IRA, or other regulatory audit and reporting purposes.
We do not store, access, or process actual financial transaction data, account balances, loan disbursement records, or any data that constitutes a regulated financial record under Kenyan financial law. Only communication metadata and message content are processed.
All communication data processed through the platform is encrypted in transit via the WhatsApp Business API and secured at rest within our infrastructure using industry-standard encryption controls.

(b) Healthcare — Hospitals, Clinics & Pharmacies

When a healthcare facility uses HabariChat to communicate with patients:

We process patient communication data (appointment requests, FAQ responses, and reminder notifications) solely for communication facilitation on behalf of the healthcare provider.
We do not store, access, or process clinical records, diagnoses, prescription details, laboratory results, or any data classified as health data under the Kenya Health Act, 2017. HabariChat is a communication tool, not a clinical records system.
Patient communication data is treated as sensitive personal data under the Kenya Data Protection Act, 2019 and is processed only under an explicit and documented lawful basis. Access within the HabariChat platform is restricted to staff members expressly authorised by the healthcare institution.
Patients interacting with a healthcare provider's HabariChat-powered system may request access to, or deletion of, their communication records at any time by contacting the healthcare provider directly as the data controller, or by contacting us at [email protected].

(c) Educational Institutions — Schools, Colleges & Universities

When an educational institution uses HabariChat to communicate with parents, guardians, or students:

Where communications involve data relating to minors (persons under 18 years of age), we apply the enhanced safeguards required for children's personal data under the Kenya Data Protection Act, 2019. The institution, as data controller, is responsible for ensuring valid parental or guardian consent is obtained before processing any data relating to a minor through our platform.
We do not access, store, or process academic records, examination results, student disciplinary records, or any data held by the institution under the authority of the Ministry of Education, the Kenya National Examinations Council (KNEC), or any other educational regulatory body.
We do not use communication data involving minors for any purpose other than delivering the agreed communication services to the institution. Such data is not used for AI model training, profiling, or any commercial purpose.
Parents or guardians wishing to exercise data subject rights (including access, rectification, or erasure) in respect of communications involving their child should contact the educational institution as the data controller in the first instance.

Last updated: 30/05/2026