Legal

Privacy Policy

Last updated: 1 May 2026 · Effective: 1 May 2026

Hodi Homes Limited ("we," "us," "our") is committed to protecting the privacy of all users of the Hodi Homes mobile application and website (the "Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your personal data, in compliance with the Kenya Data Protection Act, 2019 (the "DPA") and the regulations made thereunder by the Office of the Data Protection Commissioner (ODPC).

By using the Platform you consent to the practices described in this Policy. If you do not agree, please discontinue use of the Platform.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

2. Information We Collect

2.1 Information you provide directly

  • Account information: Phone number, full name, email address, profile photo, and chosen role (tenant/landlord).
  • Landlord verification documents: Government-issued ID (national ID or passport — front and back images) and a selfie photo submitted for identity verification.
  • Listing information: Property address, photos, description, pricing, and availability details entered by landlords.
  • Viewing bookings: Date, time, number of attendees, contact phone, and optional messages sent during booking.
  • Ratings & reviews: Star ratings, tags, and written comments submitted after viewings.
  • Support communications: Messages, emails, or form submissions sent to our support team.

2.2 Information collected automatically

  • Device information: Device type, operating system, app version, and unique device identifiers.
  • Usage data: Screens viewed, features used, search queries, and session duration.
  • Push notification token: A device token used to deliver push notifications. Stored in your profile; revocable via your device settings.
  • Crash and error logs: Anonymised diagnostic data used to identify and fix bugs.

2.3 Information from third parties

  • Safaricom / M-Pesa: Transaction reference numbers and payment status received from Safaricom's Daraja API when you make payments. We do not receive your M-Pesa PIN.
  • Identity verification provider: Verification outcome (approved/rejected) from our identity verification service provider. Raw ID document images are processed by the provider under their own privacy terms.

3. How We Use Your Information

We use your personal data for the following purposes, under the lawful bases indicated:

  • Account management (contractual necessity) — creating, maintaining, and securing your account.
  • Connecting tenants and landlords (contractual necessity) — displaying listings, facilitating viewing bookings, and enabling communication.
  • Payment processing (contractual necessity) — triggering and confirming M-Pesa transactions for mover bookings and service fees.
  • Identity verification (legal obligation / legitimate interest) — verifying landlord identities to protect tenants from fraud.
  • Platform safety (legitimate interest) — detecting and preventing fraud, abuse, and prohibited content.
  • Push notifications (consent) — sending viewing confirmations, status updates, and relevant alerts. You can withdraw consent via your device notification settings at any time.
  • Platform improvement (legitimate interest) — analysing usage patterns (in aggregate or pseudonymised form) to improve features and fix bugs.
  • Legal compliance (legal obligation) — complying with Kenyan law, responding to lawful requests from public authorities, and meeting tax obligations.

4. Information Sharing

We do not sell your personal data. We share it only as follows:

  • Between platform users: Tenants see landlord names, profile photos, verification badges, and phone numbers (after a viewing is confirmed). Landlords see tenant names and contact details for confirmed viewings.
  • Service providers: We share data with carefully selected third-party processors including our cloud database provider (Supabase), SMS OTP provider (Twilio), and identity verification provider. All processors are contractually required to process data only on our instructions and with adequate security measures.
  • Mover companies: When you book a move, we share your name, contact number, and move details with the selected moving company solely to fulfil the booking.
  • Legal requirements: We may disclose data if required by Kenyan law, court order, or a lawful request by a public authority (e.g., the ODPC, Kenya Revenue Authority, or law enforcement agencies).
  • Business transfers: In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred to the acquiring entity, subject to the same privacy protections.

5. Data Storage & Security

Your data is stored on Supabase's infrastructure, which is hosted in data centres operating in accordance with ISO 27001 standards. All data in transit is encrypted using TLS 1.2 or higher. Sensitive session tokens are stored on your device using encrypted secure storage (iOS Keychain / Android Keystore), not in plain AsyncStorage.

ID verification documents are stored in a private, access-controlled storage bucket. Access is limited to authorised verification reviewers on a need-to-know basis.

Despite these measures, no system is 100% secure. If we become aware of a data breach affecting your personal data, we will notify you and the ODPC as required by the DPA.

6. Data Retention

  • Account data: Retained while your account is active and for 3 years after deletion, to comply with legal and financial record-keeping obligations.
  • Verification documents: Retained for 5 years post-verification, as required by applicable Kenyan anti-fraud regulations.
  • Viewing records & ratings: Retained indefinitely in anonymised/aggregated form for platform integrity; individually identifiable records are retained for 2 years after the viewing date.
  • Payment records: Retained for 7 years as required by the Kenya Revenue Authority regulations.
  • Support communications: Retained for 2 years from the date of resolution.

7. Your Rights

Under the Kenya Data Protection Act, 2019, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your data, subject to our legal retention obligations.
  • Right to restrict processing — request that we limit how we use your data in certain circumstances.
  • Right to object — object to processing based on legitimate interests.
  • Right to data portability — request your data in a machine-readable format.
  • Right to withdraw consent — withdraw consent for processing where consent is the lawful basis (e.g., marketing communications, push notifications).

To exercise any of these rights, contact us at privacy@hodihomes.co.ke. We will respond within 21 days. If you are unsatisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.

8. Cookies & Tracking

The Hodi Homes mobile app does not use cookies. Our website (hodihomes.co.ke) uses only strictly necessary session cookies for navigation and does not use advertising or tracking cookies. We do not share browsing data with advertising networks.

We may use anonymised analytics on the website to understand traffic patterns (e.g., page views, referrer). No personally identifiable data is collected through this analytics tool.

9. Children's Privacy

The Platform is not directed at persons under 18 years of age. We do not knowingly collect personal data from children under 18. If you believe a child under 18 has registered on our Platform, please contact us at privacy@hodihomes.co.ke and we will take prompt action to remove the account.

10. Cross-Border Data Transfers

Some of our service providers (including Supabase and Twilio) may process your data outside Kenya. Where data is transferred internationally, we ensure adequate safeguards are in place as required by Section 48 of the DPA, including standard contractual clauses or transfers to jurisdictions with an adequate level of protection.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via push notification or email at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the Policy was last revised.

12. Contact & Data Protection Officer

For any privacy-related queries, data subject requests, or concerns, please contact: