Privacy Policy
Effective date: 2026-03-02
Last updated: 2026-03-02
1. Who We Are
1.1. Kizizi Gigs ("Kizizi," "we," "our," or "us") is a gig economy marketplace platform that connects people who need short-term gigs done ("gig posters") with skilled workers ("workers"). Our core workflow is Post, Match, Earn: users post gigs, get matched with skilled workers nearby, and transact payments through the platform.
1.2. We are the data controller responsible for your personal data under the Kenya Data Protection Act, 2019 ("DPA").
| Detail | Information |
|---|---|
| Company legal name | Kizizi Africa Ltd |
| Registered address | Nairobi, Kenya |
| Privacy contact email | privacy@kizizi.io |
1.3. For any privacy-related questions or to exercise your rights, contact us at the privacy email above.
2. What Personal Data We Collect and Why
We collect personal data in the following categories. For each, we explain what we collect, how we collect it, why, and our legal basis under Section 30 of the DPA.
2.1 Registration Data
When you sign up, we receive the following from your Google account:
| Data | Purpose | Legal basis |
|---|---|---|
| Email address | Account identification, communication (e.g., verification codes for phone changes) | Contract - necessary to create and maintain your account |
| Given name and family name | Display name on your profile | Contract |
| Profile picture URL | Display photo on your profile | Contract |
| Signup IP address | Fraud prevention and security | Legitimate interest - protecting the platform from abuse |
| Signup device information | Fraud prevention and debugging | Legitimate interest |
Source of data: Your Google account profile (via Google OAuth). We do not collect this data directly. It is provided by Google when you sign in.
2.2 Profile Data
After registration, you fill out a profile form in the app. You provide:
| Data | Purpose | Legal basis |
|---|---|---|
| Gender (male/female) | Profile display | Contract |
| Description (bio) | Profile display, helping gig posters evaluate workers | Contract |
| Phone number | Required for mobile money payouts and verification | Contract - necessary for payment processing |
| GPS location | Matching you with nearby gigs | Contract - core platform feature |
| Address (auto-generated from your GPS location) | Display approximate location on your profile | Contract |
| Skills | Matching you with relevant gigs | Contract |
| Photos (uploaded images) | Showing examples of your work | Contract |
| Availability toggle | Showing whether you are available for gigs | Contract |
| Max distance preference | Filtering gigs by distance | Contract |
Your phone number is encrypted at rest before storage. We never store your phone number in plain text (see Section 8 for details).
Your GPS location is used for proximity-based gig matching. You can update your location at any time in the app.
2.3 Login and Session Data
Each time you log in, we record:
| Data | Purpose | Legal basis |
|---|---|---|
| Login timestamp | Security monitoring, account activity tracking | Legitimate interest - fraud detection and security |
| Login IP address | Security monitoring, detecting unauthorized access | Legitimate interest |
| Login device information | Security monitoring, debugging | Legitimate interest |
2.4 Device Information
Your device sends information with each request to our servers. This includes:
| Data | Purpose |
|---|---|
| App version and build number | Ensuring compatibility |
| Platform and operating system version | Debugging, compatibility |
| Device model and manufacturer | Debugging |
| Locale and timezone | Localization |
Legal basis: Legitimate interest - maintaining platform stability, debugging issues, and ensuring security.
2.5 Payment Data
We use Paystack as our payment processor. We store the following payment-related data:
| Data | Purpose | Legal basis |
|---|---|---|
| Payment profile identifier | Linking your account to your Paystack payment profile | Contract |
| Mobile money provider | Identifying your payout method | Contract |
| Transaction records | Recording payments and payouts | Contract + Legal obligation (financial record-keeping) |
We never store your full mobile money account number. Only a masked version is kept for display purposes.
2.6 Content You Create
| Content | Data stored | Legal basis |
|---|---|---|
| Gig postings | Title, description, budget, location, address, category, attached images | Contract |
| Messages | Message text, sender, receiver, timestamps | Contract |
| Reviews | Comment text, rating, reviewer, reviewee, associated gig | Contract |
| File attachments | File name, file type, file size; the file itself is stored in cloud storage | Contract |
2.7 Affiliate Program Data
If you participate in our Affiliate Partner Program, we collect:
| Data | Purpose | Legal basis |
|---|---|---|
| Affiliate status and description | Managing your participation in the program | Contract |
| Referral codes | Tracking referrals attributed to you | Contract |
| Commission records | Calculating and paying commissions | Contract + Legal obligation (financial records) |
2.8 Push Notification Tokens
| Data | Purpose | Legal basis |
|---|---|---|
| Firebase Cloud Messaging (FCM) device token | Sending you push notifications about gigs, messages, and payments | Contract - necessary for real-time platform communication |
| Last-used timestamp | Managing active devices | Contract |
2.9 Install Attribution Data
When you first install the app from the Google Play Store, we capture install referrer data. This tells us if you installed the app via an affiliate referral link. We use this solely to attribute referrals to the correct affiliate partner.
Legal basis: Contract, necessary for the affiliate program.
3. How We Use Your Data
We use your personal data for the following purposes, all of which map to the data categories above:
3.1. Providing the platform service
Creating your account, displaying your profile, matching you with gigs
based on your location and skills, facilitating messaging between gig
posters and workers, and processing payments.
3.2. Payment processing
Initiating payments from gig posters, processing payouts to workers via
mobile money, recording transaction history, and calculating platform
service fees.
3.3. Communication
Sending you push notifications about new gig matches, messages, payment
updates, and platform announcements. Sending transactional emails (e.g.,
verification codes for phone number changes).
3.4. Security and fraud prevention
Recording login information and device details, verifying app integrity,
and detecting unauthorized access or abuse.
3.5. Platform stability and debugging
Using device information and error reports to identify and fix bugs,
maintain compatibility across devices, and improve app performance.
3.6. Analytics
Understanding how the platform is used to improve the service. Analytics data is collected automatically as a legitimate interest for improving the platform.
3.7. Crash reporting
Collecting crash diagnostics to maintain app stability. Crash data is
collected as a legitimate interest for platform stability.
3.8. Legal compliance
Retaining financial and transaction records as required by the Kenya
Income Tax Act (7-year retention period).
3.9. Affiliate program
Tracking referrals, calculating commissions, and processing affiliate
payouts.
4. Automated Decision-Making
4.1. We use automated gig matching as a core feature of the platform. When a gig is posted, our system automatically identifies suitable workers based on a number of factors.
4.2. This matching determines which gigs appear in your feed and which workers are shown to gig posters.
4.3. If you do not want your data used for automated matching, you cannot use the platform, as this is the core service we provide.
5. Cookies and Tracking Technologies
5.1 Mobile App
| Technology | What it does | Consent required? |
|---|---|---|
| Firebase Analytics | Collects usage data (screen views, sessions, device info) to help us understand how the app is used. | No - legitimate interest for improving the platform |
| Firebase Crashlytics | Collects crash reports and diagnostic data to maintain app stability. | No - legitimate interest for platform stability |
| On-device storage | Stores authentication tokens, profile data, and app state locally on your device in encrypted storage. This data does not leave your device. | No - necessary for the app to function |
6. Third-Party Services and Data Sharing
We share your data with the following third-party services. We do not sell your personal data to anyone.
6.1 Firebase / Google
| Service | Data shared | Purpose |
|---|---|---|
| Firebase Authentication | Email, name, profile picture | User authentication via Google Sign-In |
| Firebase Cloud Messaging (FCM) | Device token, notification content | Delivering push notifications to your device |
| Firebase Analytics | Device info, screen views, session data | Usage analytics (legitimate interest) |
| Firebase Crashlytics | Device info, crash traces, diagnostic data | Crash reporting and app stability |
Google's privacy policy: https://policies.google.com/privacy
6.2 Paystack
| Data shared | Purpose |
|---|---|
| Email, payment amounts, mobile money account details | Payment processing (collecting payments from gig posters and paying out workers) |
Paystack processes payments in KES (Kenyan Shillings). Paystack is our payment processor and they handle the actual processing of payments.
Paystack's privacy policy: https://paystack.com/privacy
6.3 Tigris
| Data shared | Purpose |
|---|---|
| Uploaded files (profile photos, gig images, message attachments) | Cloud file storage for user-uploaded files |
6.4 Sentry
| Data shared | Purpose |
|---|---|
| Error details, request context (including IP address) | Error tracking and monitoring for platform stability |
Sentry's privacy policy: https://sentry.io/privacy/
6.5 Resend
| Data shared | Purpose |
|---|---|
| Email address, email content (e.g., verification codes for phone number changes) | Transactional email delivery |
We use Resend only for transactional emails, not marketing.
6.6 Fly.io
| Data shared | Purpose |
|---|---|
| All data processed by our backend | Infrastructure hosting |
Fly.io is our hosting provider.
6.7 Google Fonts
| Data shared | Purpose |
|---|---|
| IP address (via HTTP request) | Loading fonts in the mobile app |
When the app loads fonts from Google's servers, your device's IP address is exposed to Google as part of the HTTP request.
6.8 Data Shared with Other Users
Certain data is visible to other users of the platform as part of the service:
| Data | Visible to |
|---|---|
| First name, profile photo, bio, gender, skills, availability, approximate location | Other platform users (via your profile) |
| Gig title, description, budget, location, category, attached images | All platform users (via gig listings) |
| Review comments and ratings | All platform users |
| Messages | Only the other participant in the conversation |
Your email address, phone number, IP addresses, device information, and exact GPS coordinates are not visible to other users.
7. International Data Transfers
7.1. Our platform infrastructure is hosted outside Kenya. Your personal data is transferred to and processed in the following locations:
| Service | Location | Transfer basis |
|---|---|---|
| Fly.io (hosting) | United States / Global | Contractual necessity + Data Processing Agreement |
| Tigris (file storage) | United States / Global | Contractual necessity + Data Processing Agreement |
| Firebase / Google (authentication, analytics, crashlytics, push notifications) | United States | Legitimate interest (analytics, crashlytics) + Contract (auth, messaging) + Data Processing Agreement |
| Paystack (payments) | Global | Contractual necessity + Data Processing Agreement |
| Sentry (error monitoring) | United States | Legitimate interest + Data Processing Agreement |
| Resend (email delivery) | United States | Contractual necessity + Data Processing Agreement |
7.2. For each transfer, we rely on one or more of the following safeguards under Sections 48–51 of the DPA:
- Contractual necessity - the transfer is necessary to perform the service you signed up for
- Legitimate interest - the transfer is necessary for our legitimate interests (e.g., analytics, error monitoring)
- Data Processing Agreements (DPAs) with each processor, incorporating appropriate safeguards
7.3. By using Kizizi, you acknowledge that your data will be transferred to and processed in the countries listed above. These countries may not have data protection laws equivalent to those in Kenya. The safeguards described above are designed to ensure your data is protected regardless of where it is processed.
8. Data Security
8.1. We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it, including:
- Encryption: Sensitive personal data such as phone numbers is encrypted at rest before being stored in our database.
- Account number protection: We never store your full mobile money account number.
- Secure authentication: We use industry-standard authentication mechanisms and verify app integrity to prevent unauthorized access.
- Access controls: Access to personal data is restricted to authorized personnel only.
- Logging safeguards: Sensitive data such as passwords and authentication tokens is excluded from application logs.
- On-device encryption: The mobile app stores sensitive data in encrypted storage on your device.
- Secure communications: All data transmitted between your device and our servers is encrypted in transit.
8.2. No system is perfectly secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. If we become aware of a data breach that poses a risk to your rights, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours and inform you without unreasonable delay, as required by Section 39 of the DPA and Section 31 of the Computer Misuse and Cybercrimes Act, 2018.
9. Data Retention
We retain your personal data for the following periods:
| Data category | Retention period | Reason |
|---|---|---|
| Account data (name, email, phone number, profile) | Duration of your account + 30 days after a deletion request is processed | Contractual necessity + processing period |
| GPS location data | Duration of your account | Core feature (gig matching); deleted on account deletion |
| Messages | Duration of your account + 1 year | Contract + dispute resolution |
| Payment and transaction records | 7 years from the date of the transaction | Legal obligation - Kenya Income Tax Act (financial record-keeping) |
| Affiliate commission records | 7 years | Legal obligation - financial records |
| Gig postings | Duration of your account + 2 years | Dispute resolution |
| Reviews | Duration of your account | Part of the service |
| Login and device logs | 12 months (rolling) | Legitimate interest - security and debugging |
| Firebase Crashlytics data | 90 days | Firebase's default retention period (controlled by Google) |
| Firebase Analytics data | Subject to Google's retention settings | Legitimate interest |
| Pending phone change records | 15 minutes | Automatically expires |
| Verification codes | 10 minutes | Automatically expires |
When your account is deleted, we will delete or anonymize your personal data within 30 days, except for data we are legally required to retain (financial/transaction records for 7 years).
10. Your Rights
Under the Kenya Data Protection Act, 2019 (Sections 26–31), you have the following rights:
10.1 Right to Access (Section 27)
You can request a copy of the personal data we hold about you. We will respond within 30 days.
How to exercise: Contact us at privacy@kizizi.io.
10.2 Right to Rectification (Section 28)
You can request correction of inaccurate personal data.
- Profile data (bio, gender, phone number, location, skills, availability): You can update these directly in the app via your profile settings.
- Name, email, and profile picture: These are sourced from your Google account. To change them, update your Google account and sign in again.
10.3 Right to Erasure (Section 29)
You can request deletion of your personal data. We will process your request within 30 days.
How to exercise: Contact us at privacy@kizizi.io to request account deletion.
Exceptions: We may retain certain data after deletion where required by law. Specifically, financial and transaction records for 7 years under the Kenya Income Tax Act.
10.4 Right to Object (Section 30)
You can object to processing based on legitimate interest. In particular:
- Analytics: You may object to analytics data collection by contacting us at the privacy email above.
10.5 Right to Data Portability (Section 27)
You can request a copy of your data in a commonly used, machine-readable format. We will respond within 30 days.
How to exercise: Contact us at privacy@kizizi.io.
10.6 Right to Withdraw Consent
If we introduce any processing activities that rely on your consent, we will clearly identify them and provide a way to withdraw consent at any time. Withdrawal of consent will not affect the legality of any processing carried out before you withdrew.
10.7 Right to Lodge a Complaint
If you are not satisfied with how we handle your data or your request, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC).
11. Whether Providing Data Is Required
11.1. Contractual requirement: To use the platform, you must provide registration data (via Google Sign-In), profile data (phone number, location, skills), and payment data. Without this data, we cannot create your account, match you with gigs, or process payments. If you do not provide this data, you cannot use the platform.
11.2. Collected automatically: Analytics data is collected automatically under our legitimate interest in improving the platform. You may object to this processing (see Section 10.4).
12. Children's Privacy
12.1. Kizizi is intended for users who are 18 years of age or older. We do not knowingly collect personal data from children under 18.
12.2. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data as promptly as possible.
12.3. If you believe a child under 18 is using our platform, please contact us at privacy@kizizi.io so we can take appropriate action.
13. Changes to This Policy
13.1. We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last updated" date at the top of this policy.
- For material changes, we will notify you before the changes take effect.
13.2. Your continued use of the platform after changes take effect constitutes acceptance of the updated policy. If you do not agree with the changes, you should stop using the platform and request account deletion.
14. Contact Information
For any questions about this Privacy Policy, to exercise your data rights, or to raise a privacy concern, contact us at:
| Detail | Information |
|---|---|
| Privacy contact email | privacy@kizizi.io |
| Company name | Kizizi Africa Ltd |
| Address | Nairobi, Kenya |
15. Legal Framework
This Privacy Policy is governed by the Data Protection Act, 2019 of Kenya and the Data Protection (General) Regulations, 2021. Where this policy references legal obligations, it refers to Kenyan law unless otherwise stated.