Privacy Policy

This Privacy Policy explains how Stimafy collects, uses, and protects personal data. It applies to landlords who sign in to use the Service and to tenants whose information landlords add to it. We comply with the Kenya Data Protection Act 2019 and the regulations of the Office of the Data Protection Commissioner (ODPC).

1. Who we are

Stimafy is a sub-meter billing tool for Kenyan landlords. For purposes of the Data Protection Act, our role depends on the data:

• For landlord data (your name, your email from Google sign-in, your account settings): we are the Data Controller.
• For tenant data (the names, phone numbers, and billing information landlords add): the landlord is the Data Controller, and we are the Data Processor acting on their behalf. See our Data Processing Agreement for the detailed terms.

2. What we collect

From landlords

• Name, email address, and profile picture (from Google Sign-In)
• A unique identifier issued by Amazon Cognito
• Properties, units, sub-meter numbers, KPLC account details, and monthly readings you enter
• Server logs (request times, IP address, browser type) for security and debugging

From tenants (entered by landlords)

• Name and contact details (phone number, optional email)
• Which unit they occupy and from when
• Their monthly meter readings, bill amounts, and payment status

3. How we use it

We use this data only to provide the Service, specifically to:

• Authenticate you when you sign in.
• Calculate per-tenant bills from the KPLC rate and meter readings you enter.
• Render WhatsApp invoice messages (which you then send from your own device — we do not send messages on your behalf).
• Show you a dashboard of cycle progress, outstanding bills, and collection rate.
• Investigate bugs and prevent abuse.

We do not sell your data, use it for advertising, train AI models on it, or share it with any party except the sub-processors listed below.

4. Where your data lives

All landlord and tenant data is stored in Amazon Web Services infrastructure in the Cape Town (af-south-1) region. This keeps the data within the African continent and provides low latency for Kenyan users. Specifically:

• Aurora PostgreSQL Serverless v2 stores the relational records (properties, units, tenants, readings, bills), encrypted at rest.
• Amazon Cognito stores authentication state (your email, Google profile, session tokens).
• The Stimafy web application is served from AWS Amplify Hosting in eu-west-1 (Ireland) because Amplify Hosting is not yet available in af-south-1. The application makes calls back to the Cape Town database over encrypted HTTPS.

5. Sub-processors

We rely on a small set of trusted vendors to operate Stimafy. Each is bound by their own data-protection commitments:

• Amazon Web Services (AWS) — hosting, database, authentication
• Google LLC — Sign-In identity provider only (the minimum profile data needed to recognise you on return visits)
• Anthropic PBC — Claude API for meter-photo digit extraction, when (and if) you enable the camera-capture feature. Photos are sent to Anthropic only at the moment of extraction; the response is the read digits, no image storage on Anthropic's side.
• GitHub Inc. — source-code hosting (no production data)
• PostHog Inc. — product analytics (page views, feature usage, session metadata). Hosted in the EU region. We use PostHog to understand how landlords navigate the app and to spot broken flows. We do not send tenant phone numbers, addresses or bill amounts to PostHog. IPs are captured by PostHog for fraud and rough geolocation only.

WhatsApp / Meta is not a Stimafy sub-processor. When you click “Send via WhatsApp”, the message is sent from your own WhatsApp account on your device. Whatever you send is subject to Meta's own terms.

6. How long we keep data

We keep your account and its data for as long as you use the Service. If you stop using Stimafy or request deletion, we remove your landlord record and all tenant records you entered within 30 days. Server logs are retained for up to 90 days for security and abuse-investigation purposes.

7. Your rights under the Data Protection Act 2019

You have the right to:

• Be informed about how your data is used (this page).
• Access the data we hold about you.
• Correct inaccurate data.
• Request deletion (also called the right to erasure).
• Object to certain types of processing.
• Receive your data in a portable format.
• Withdraw consent at any time.

To exercise any of these rights, email support@stimafy.online. We respond within 7 business days.

If you are a tenant whose data was added by your landlord and you want it changed or removed, contact your landlord first (they control the record). If they are unresponsive, contact us and we will help mediate.

8. Complaints

If you believe we have mishandled your data, please email us first so we can put it right. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.

9. Changes to this policy

Material changes will be announced by email. The “Last updated” date above always reflects the current version.

10. Contact

For any privacy-related question: support@stimafy.online