Privacy Notice

1. Who we are

Leafy Keys is a security platform operated as a joint venture between GreenHeart Kilifi and a group of security-minded residents. GreenHeart Kilifi is the registered data controller for personal data processed via this app.

ODPC registration: [GreenHeart's registration number to be inserted].

Contact: [privacy contact email + postal address to be inserted].

2. What personal data we collect

When you register: your name, phone number, neighbourhood, and (optionally) plot number, home GPS location, profile photo, and a safe-code for SOS disarm. The safe-code is stored only as a one-way hash.

Emergency contacts: names and phone numbers of up to two people you nominate. You confirm at registration that those people have agreed to be contacted in an emergency.

When you submit a report: report type, severity, GPS at the time of the incident, free-text description, and any photos or voice notes you attach.

When you trigger SOS: your GPS at the time, an audio recording of up to 2 minutes (treated as biometric data and kept for the shortest practicable period), and your responses to the triage questions.

Operational metadata: account creation/sign-in timestamps, push notification subscriptions if you install the app, and rate-limit/security records (which may include your IP address briefly).

3. Why we collect it (lawful bases)

Performance of our service to you: providing emergency response, dispatching guards, communicating with you about incidents.

Legitimate interest: investigating incidents, training and supervising guards, improving the platform.

Legal obligation: where we are required to retain or disclose data under Kenyan law.

Consent: you may withdraw consent at any time by deleting your account in the Privacy Controls screen. Withdrawal does not affect the lawfulness of processing already carried out.

4. Who we share data with

Leafy Keys security guards, supervisors, and the GreenHeart control room — to dispatch a response to your report or SOS.

Sub-processors that store or transmit data on our behalf: Supabase (Ireland) for our database and storage; Vercel (US, global edge) for hosting; Africa's Talking (Kenya) for SMS; Twilio (US) for WhatsApp messaging where used; Resend (US) for transactional email where used.

Public emergency services (police, fire, medical) where reasonably necessary to respond to an incident you report.

We do NOT sell your data, share it for advertising, or use it to train AI models.

5. Where data is processed (cross-border transfers)

Some sub-processors store or process data outside Kenya. Where a sub-processor is in a country without adequacy under Section 49 of the Kenya Data Protection Act 2019, we rely on standard contractual clauses or equivalent safeguards.

Specifically: Supabase processes in EU (Ireland); Vercel processes globally including US; Africa's Talking processes in Kenya; Twilio and Resend process in the US.

6. How long we keep it

Voice recordings (SOS audio): 30 days.

Photos (incident, checkpoint): 180 days.

Reports and chat messages: 1 year after the incident.

SOS event records, guard shift logs, status logs: 1 year.

Guard location heartbeats: 30 days.

Your account: kept as long as you use the service. You can request immediate deletion at any time.

Some operational records (e.g. anonymised audit traces) may persist briefly past these windows for security purposes.

7. Your rights

Right to access: download a copy of your data via Privacy Controls in the app.

Right to erasure: delete your account via Privacy Controls in the app, or by writing to us.

Right to rectification: correct your details in your profile, or write to us.

Right to object / withdraw consent: write to us; some processing may be necessary for the safety service to function.

Right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC): https://www.odpc.go.ke

8. Security

We use phone OTP authentication (no passwords). Data is encrypted in transit (TLS) and at rest. Row-level security limits which records each user, guard, or supervisor can access. Service-role access is restricted to backend processes; the app is reviewed for security regularly.

9. Children

Leafy Keys is not designed for use by children under 13. If you believe a child has registered, please contact us so we can verify and act appropriately.

10. Updates

We may update this notice. Significant changes will be communicated in-app. The date at the top of this page reflects the most recent revision.