1. Who We Are
Laitigo Systems Limited ("we", "us", "KURA360") is a technology company incorporated in Kenya. We are the Data Controller for all personal data processed through the KURA360 platform.
Company: Laitigo Systems Limited
Registered address: P.O. Box 00100, Nairobi, Kenya
Data Controller contact: privacy@kura360.com
Platform: kura360.com
2. What Data We Collect
We collect only the data necessary to provide KURA360 services. The categories of personal data we process are:
Account data
Name, email address, and Google OAuth profile information when you sign in with Google.
Campaign data
Electoral position sought, county/constituency, party affiliation, and financial records including donations received and campaign expenditures.
Field agent data
Agent name, national ID (for identity verification), phone number, and GPS location during active check-ins.
Evidence files
Photos and videos uploaded as campaign evidence, including embedded metadata (EXIF). All files are SHA-256 hashed at upload.
Payment data
Subscription payments are processed by Paystack. We receive confirmation of payment but do not store card numbers, MPesa PINs, or other payment credentials.
Usage data
IP address, browser type, pages visited, and interaction events collected to maintain security and improve the platform.
3. Why We Process It
We process your personal data only where we have a lawful basis to do so:
| Legal Basis | Processing Activity |
|---|---|
| Contractual necessity | Creating and managing your account, providing campaign management features, processing subscriptions. |
| Legitimate interests | Platform security, fraud prevention, abuse detection, and service improvement. |
| Legal obligation | Retaining financial records for ECFA/IEBC compliance (7-year requirement). |
| Consent | Sending marketing emails and optional analytics. You may withdraw consent at any time. |
4. Data Sharing
We do not sell your personal data. We share data only with the following sub-processors and under the circumstances described:
Payment processing for subscriptions. Processes payment data under their own privacy policy.
Infrastructure and hosting provider. Stores all application data on servers in EU-West-1 (Ireland) under a Data Processing Agreement.
Transactional email delivery. Receives recipient email addresses and email content.
OAuth authentication. When you sign in with Google, we receive your Google profile data as authorised by you.
We may share campaign financial data when legally required by the Independent Electoral and Boundaries Commission or other regulatory authorities.
5. Data Retention
We retain data only as long as necessary for the purpose it was collected, or as required by law. The following retention periods apply:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | 3 years after deletion | Dispute resolution |
| Campaign financial records | 7 years | ECFA legal requirement |
| Field agent records | 2 years after campaign close | Operational necessity |
| Evidence files | 5 years | IEBC compliance |
| Audit logs | 7 years | ECFA / regulatory obligation |
6. Your Rights
You have the following rights regarding your personal data. To exercise any of them, use our data rights request form or email privacy@kura360.com. We will respond within 30 days.
Right of access
Request a copy of the personal data we hold about you.
Right of rectification
Request correction of inaccurate or incomplete data.
Right of erasure
Request deletion of your data where there is no legal obligation to retain it.
Right to restriction
Request that we limit how we use your data in certain circumstances.
Right to portability
Receive your data in a structured, machine-readable format.
Right to object
Object to processing based on legitimate interests or for direct marketing.
7. EU / Diaspora Users (GDPR)
If you are located in the European Union or EEA, you have the same rights listed above, plus the right to lodge a complaint with your local data protection supervisory authority.
8. Kenya DPA 2019 Compliance
KURA360 operates in full compliance with the Kenya Data Protection Act 2019 (KDPA) and the Data Protection (General) Regulations 2021.
ODPC Registration
Laitigo Systems Limited is registered with the Office of the Data Protection Commissioner (ODPC) as a data processor and data controller as required under the KDPA.
Data Localisation
Primary application data is stored in Supabase's EU-West-1 (Ireland) region. Cross-border data transfers are conducted in compliance with KDPA s.48 and applicable adequacy determinations.
Data Subject Rights
All data subject rights under KDPA ss.26–34 are honoured within the 30-day statutory deadline. Submit a request via our rights request form.
9. Security
We implement industry-standard technical and organisational measures to protect your data:
Evidence hashing
All uploaded evidence is SHA-256 hashed at upload to provide a cryptographic chain of custody.
Encryption at rest
All data stored in Supabase is encrypted at rest using AES-256.
Encryption in transit
All connections are encrypted via TLS 1.3.
Access control
Role-based access control (RBAC) enforced at both the application layer and database level (Supabase RLS).
Audit logging
All material actions on financial data and agent records are written to an immutable audit log.
Automated compliance
Automated daily compliance checks detect retention violations, rights-request delays, and data minimisation gaps.
10. Contact & Complaints
For any privacy questions, data rights requests, or to report a concern:
Exercise Your Data Rights
Submit a formal access, erasure, correction, portability, or objection request using our automated rights request form.