Privacy Policy

This policy explains how personal data is collected, used, stored, shared, and protected in connection with JamiiCore Cloud.

Effective date: 1 June 2025

Governed by the laws of Kenya

Issuer & Contact

Issued by: Nexus Forge Africa Limited
Address: 90 Degrees by Tsavo, Nairobi, Kenya
Governing law: Laws of Kenya

2.1 Legal Basis and Regulatory Framework

This Privacy Policy explains how Nexus Forge Africa Limited ("we", "us", "our"), as Data Controller or Data Processor under the Data Protection Act 2019 (Kenya), collects, uses, stores, shares, and protects personal data in connection with the JamiiCore Cloud platform. This Policy applies to all Users, Administrators, Members, and next-of-kin contacts whose data is processed through the Platform.

We process personal data in accordance with the following legal and regulatory framework:

  • The Data Protection Act 2019 (Kenya) - our primary regulatory framework.
  • The Computer Misuse and Cybercrimes Act 2018 (Kenya).
  • The Consumer Protection Act 2012 (Kenya).
  • Applicable guidelines issued by the Office of the Data Protection Commissioner (ODPC) of Kenya.

Our lawful bases for processing personal data include: (a) contractual necessity; (b) compliance with a legal obligation; (c) legitimate interests pursued by us or by Organizations; and (d) consent, where specifically obtained.

2.2 Data We Collect from Organizations and Administrators

We collect and process the following categories of data from Organizations and Administrators:

  • Account registration data: full name, organization name, email address, telephone number, and role.
  • Billing and payment data: transaction references, M-Pesa paybill records, and bank transfer confirmations.
  • Usage and activity logs: login timestamps, IP addresses, feature usage, and session duration.
  • Communications: emails, support requests, and correspondence with our team.

2.3 Member Data Processed on Behalf of Organizations

Organizations may upload and manage Member data through the Platform. This can include:

  • Personal identification: full name, ID number or passport number, date of birth, gender, and profile photograph.
  • Contact details: home address, email address, and primary phone number.
  • Membership information: class year, chapter, membership category, status, and membership number.
  • Financial records: dues paid, outstanding balances, payment transaction history, and receipts.
  • Next-of-kin details: name, relationship, and contact telephone number.

2.4 Technical and Automatically Collected Data

We also collect certain technical data automatically when the Platform is used:

  • Device information: device type, operating system, and browser type.
  • Network data: IP address and approximate geographic location derived from IP.
  • Platform interactions: pages visited, features used, and error logs.

2.5 How We Use Personal Data

We use personal data for the following purposes:

  • Providing, operating, maintaining, and improving the Platform.
  • Processing membership registrations, payments, and generating receipts.
  • Sending service-related communications including payment confirmations and maintenance notices.
  • Responding to support requests and enquiries.
  • Detecting, investigating, and preventing fraud, security breaches, and abuse.
  • Complying with legal obligations, including court orders and regulatory requirements.
  • Generating anonymized and aggregated analytics to improve Platform performance.

We will not use Member data for our own marketing purposes. Member data belongs to the Organization and is processed solely to provide the Platform service.

2.6 Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We may share personal data only in the following circumstances:

  • With authorized sub-processors who assist us in delivering the Platform.
  • With the Organization whose account the data belongs to, in accordance with their instructions.
  • Where required by Kenyan law, court order, or regulatory authority including the ODPC.
  • In connection with a merger, acquisition, or sale of all or substantially all of our assets, with prior notice to affected parties.

2.7 Sub-Processors

We engage the following categories of sub-processors to assist in delivering the Platform:

  • Cloud infrastructure and database services for hosting and storage.
  • M-Pesa / Safaricom for payment processing and STK push.
  • SMS gateway providers for bulk SMS notifications and OTP delivery.
  • Email delivery providers for transactional and notification emails.
  • Analytics and monitoring services for performance and error monitoring.

All sub-processors are bound by contractual data processing agreements that require them to implement appropriate security measures and to process data only as instructed.

2.8 Data Retention

We retain different categories of data for different periods:

  • Administrator account data is retained for the duration of the Organization's subscription and for seven (7) years thereafter for legal and tax compliance purposes.
  • Member data is retained for the duration of the Organization's subscription and deleted sixty (60) days after termination unless the Organization requests earlier deletion.
  • Payment transaction records are retained for seven (7) years in accordance with the Income Tax Act (Cap. 470) and VAT Act.
  • System logs are retained for twelve (12) months for security purposes.
  • Next-of-kin data is retained for the same period as the associated Member's data.

2.9 Data Subject Rights

Under the Data Protection Act 2019, individuals have the following rights:

  • Right of access: to request a copy of personal data we hold about you.
  • Right to rectification: to have inaccurate personal data corrected.
  • Right to erasure: to request deletion of personal data in certain circumstances.
  • Right to restriction: to restrict processing of your personal data.
  • Right to object: to object to processing based on legitimate interests.
  • Right to data portability: to receive your data in a structured, commonly used format.

To exercise any of these rights, contact our Data Protection Officer at privacy@nexusforgeafrica.com. We will respond within twenty-one (21) days. Members should direct such requests to their Organization's Administrator in the first instance, as the Organization is the Data Controller for Member data.

2.10 Cross-Border Data Transfers

Your data may be transferred to and stored on servers located outside Kenya as part of our cloud infrastructure. Where such transfers occur, we ensure adequate safeguards are in place in accordance with Section 25 of the Data Protection Act 2019, including data processing agreements that incorporate appropriate standard data protection clauses.

2.11 Data Security

We implement appropriate technical and organizational security measures including:

  • Row-level security (RLS) ensuring each Organization can only access its own data.
  • AES-256 encryption for data at rest.
  • TLS 1.3 encryption for all data in transit.
  • JWT-based authentication with short-lived tokens.
  • Multi-factor authentication for Administrator accounts.
  • Regular security audits and penetration testing.
  • Strict access controls limiting data access to authorized personnel only.

In the event of a personal data breach that poses a risk to individual rights and freedoms, we will notify the ODPC within seventy-two (72) hours and affected Organizations without undue delay, as required by the Data Protection Act 2019.

2.12 Children's Data

The Platform is designed for use by organizations managing adult members. Where an Organization manages records that may include individuals under the age of 18 (for example, school alumni who joined as minors), the Organization is responsible for ensuring appropriate consent is obtained from a parent or guardian. We will process such data only on the Organization's documented instructions.

2.13 Contact - Data Protection

Data Protection Officer: Nexus Forge Africa Limited | privacy@nexusforgeafrica.com | +254 715 676 878

You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at odpc.go.ke.
