Privacy Policy
Effective Date: 14 May 2026 • SmartNet Kenya
Your privacy matters to us. This policy explains what data we collect, how we use it, and the choices you have. We do not sell your personal data.
Who We Are
SmartNet Kenya ("we", "us", "our") operates the SmartNet digital workforce readiness and referral platform. We are the data controller for personal data collected through the Platform.
This Privacy Policy applies to all users who register, browse, or interact with SmartNet, including visitors to the public website and registered members.
Data We Collect
Information You Provide Directly
| Category | Data Points | Purpose |
| --- | --- | --- |
| Identity | Full name | Account creation, personalisation |
| Contact | Email address, Kenyan mobile phone number (E.164 format) | Account verification, M-Pesa payment, notifications |
| Credentials | Password (stored as Argon2id/bcrypt hash — never in plain text) | Authentication |
| Referral | Referral code used at registration, referrer ID | Building referral tree, commission calculation |
| Learning | Quiz answers, assessment scores, course completion status | AI grading, progress tracking, withdrawal eligibility |
Information Collected Automatically
- Session data: Session tokens (stored as SHA-256 hashes) to maintain your login state.
- Login timestamps: Last login date, used to detect and apply account dormancy after 6 months of inactivity.
- HTTP headers: Standard server logs may record IP addresses and browser user-agent strings for security monitoring.
Information from Third Parties
- Safaricom M-Pesa: Payment confirmation status, M-Pesa receipt number, and transaction date — received after STK Push confirmation. We do not receive your M-Pesa PIN or mobile money account credentials.
Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract performance: Processing necessary to register your account, process your activation payment, and deliver course access.
- Legitimate interests: Fraud prevention, security monitoring, referral tree integrity, and platform improvement.
- Consent: Email notifications and weekly reports — you may opt out at any time in your notification preferences.
- Legal obligation: Retaining financial transaction records as required by Kenyan financial regulations.
Where we rely on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
How We Use Your Data
- Create and manage your account.
- Verify your email address and authenticate your sessions.
- Process your activation payment via Safaricom M-Pesa (STK Push).
- Place you correctly within the referral tree and calculate monthly commissions.
- Deliver and grade online courses using AI (OpenAI / Anthropic APIs) — your quiz answers may be sent to these providers as part of grading.
- Track your course completion milestones and calculate your withdrawal eligibility percentage.
- Send transactional notifications (payment confirmation, course completion, referral activity) by email and in-app.
- Detect dormant accounts and apply the dormancy policy described in our Terms of Service.
- Maintain security, detect fraud, and comply with legal obligations.
We do not use your personal data for advertising, behavioural profiling, or sale to third parties.
Third-Party Data Sharing
We share your data only where necessary. The following third parties may receive limited data:
| Third Party | Data Shared | Purpose |
| --- | --- | --- |
| Safaricom M-Pesa (payment) | Phone number, amount, account reference | Processing activation payment via M-Pesa STK Push |
| SendGrid (email service) | Email address, notification content | Delivering transactional emails (payment receipt, course completion) |
| OpenAI / Anthropic (AI grading) | Your quiz answers and the question content | AI-powered assessment grading |
Each third party is governed by its own privacy policy. We encourage you to review those policies.
Data Retention
- Active accounts: Retained for as long as your account is active.
- Dormant accounts: Retained in full — dormancy only affects payout eligibility, not data.
- Deleted accounts: Core account data is deleted within 30 days of a verified deletion request. Financial transaction records are retained for 7 years as required by Kenyan law.
- Email verification tokens: Deleted immediately upon verification.
- Session tokens: Invalidated on logout and replaced on next login.
Security Measures
We take data security seriously and implement the following controls:
- Passwords are hashed using Argon2id (or bcrypt fallback) — never stored in plain text.
- Session tokens are stored as SHA-256 hashes server-side; the plain token is never persisted.
- All M-Pesa API communication uses TLS 1.2+ with certificate verification enforced.
- M-Pesa callbacks are validated against Safaricom's IP allowlist before processing.
- HTTP security headers are applied on every response: X-Content-Type-Options, X-Frame-Options: DENY, Referrer-Policy.
- Database access uses prepared statements throughout — no raw SQL string interpolation.
- Directory listing is disabled on the web server.
Despite these measures, no system is 100% secure. If you suspect unauthorised access to your account, please contact us immediately.
Your Rights
Under the Kenya Data Protection Act (2019) and, where applicable, the EU General Data Protection Regulation (GDPR), you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate data.
- Right to erasure: Request deletion of your account and associated data (subject to legal retention requirements).
- Right to restrict processing: Ask us to pause processing of your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Withdraw notification consent at any time via your in-app notification preferences.
To exercise any of these rights, contact us at privacy@smartnet.co.ke. We will respond within 30 days.
Cookies & Local Storage
SmartNet uses server-side sessions only. A single session cookie is set in your browser to maintain your login state. This cookie:
- Is HTTP-only (not accessible by JavaScript).
- Is scoped to the SmartNet domain only.
- Expires when you close your browser (session lifetime).
- Uses the SameSite=Lax attribute to reduce CSRF risk.
We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
International Data Transfers
SmartNet is based in Kenya. When we use third-party services such as SendGrid (USA) or OpenAI/Anthropic (USA), your data may be transferred internationally. We rely on those providers' standard contractual clauses and compliance certifications to ensure adequate protection.
Your quiz answers sent to AI grading providers contain no sensitive personal information beyond what you choose to write in your assessment responses.
Changes to This Policy
We may update this Privacy Policy to reflect changes in law or our practices. We will notify active users via in-app notification at least 14 days before material changes take effect. The updated policy will always be available at this URL.
Contact & Complaints
For privacy enquiries, data requests, or complaints:
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) Kenya.