Privacy Policy

1. Introduction

Afribit Africa ("we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website www.afribit.africa and use our services. This policy complies with the Kenya Data Protection Act, 2019.

2. Information We Collect

2.1 Information You Provide

We collect information that you voluntarily provide to us:

• Merchant Registration: Business name, category, description, physical address, coordinates (latitude/longitude), phone number, email address, website, Lightning address, payment methods accepted, and contact person details
• Donations: Donor name and email (optional for named donations), donation amount and tier
• Verifier Applications: Name, email, phone number, address, and verification credentials
• Contact Forms: Name, email, and message content

2.2 Automatically Collected Information

• Usage Data: IP address, browser type, device information, pages visited, time spent on pages
• Geolocation Data: GPS coordinates when you use "Use My Location" feature (with your explicit permission)
• Cookies: Session cookies, preference cookies, analytics cookies

2.3 Third-Party Data

• OpenStreetMap: We contribute merchant location data to OpenStreetMap under the ODbL license
• BTCPay Server: Bitcoin payment transaction data (anonymous, no personal information stored)

3. How We Use Your Information

We use collected information for:

• Service Delivery: Processing merchant registrations, verifying submissions, displaying merchant locations on maps
• Donations: Creating Lightning invoices, sending payment receipts, recognizing donors (if chosen)
• Communication: Sending confirmation emails, verification updates, donation receipts, program updates
• OpenStreetMap Contribution: Publishing verified merchant data to OSM to improve global mapping data
• Analytics: Understanding website usage, improving user experience
• Security: Detecting fraud, preventing abuse, rate limiting

4. Data Sharing and Disclosure

4.1 Public Data

The following data is published publicly:

• Merchant Information: Business name, category, description, address, coordinates, payment methods, contact details (if provided) are displayed on our website and maps
• OpenStreetMap: Verified merchant data is published to OSM under ODbL license, becoming part of the global public database
• Named Donors: Names of donors who choose recognition are displayed on our website

4.2 Service Providers

We share data with trusted third-party providers:

• Email Service (Resend): To send transactional emails
• Database Hosting: Secure MySQL database for storing submissions
• Payment Processing (BTCPay Server): Self-hosted, no data shared with third parties
• Analytics: Anonymous usage statistics

4.3 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect rights, property, or safety.

5. Verifier Image Collection

Ground verifiers may capture photos during merchant verification visits:

• Purpose: Evidence of business operations, payment methods acceptance, location accuracy
• Storage: Images are uploaded to our secure server and linked to merchant submissions
• Usage: For admin review and verification purposes only; not published unless explicitly approved by merchant
• Retention: Stored for verification period, deleted after merchant approval/rejection or upon merchant request
• Consent: Merchants consent to verification photography during registration process

6. Data Security

We implement security measures including:

• HTTPS/TLS encryption for all data transmission
• Secure password hashing (bcrypt)
• Rate limiting to prevent abuse
• Input validation and sanitization
• Access controls and authentication for admin/verifier areas
• Regular security audits

However, no internet transmission is 100% secure. We cannot guarantee absolute security.

7. Data Retention

• Merchant Data: Retained indefinitely for map display purposes unless deletion is requested
• Submission Data: Pending submissions retained for 90 days, then archived
• Donation Data: Retained for tax and accounting purposes (7 years minimum)
• Verification Images: Deleted after 30 days of merchant approval/rejection
• Analytics Data: Aggregated, anonymous data retained indefinitely

8. Your Rights (Kenya Data Protection Act)

Under Kenya's Data Protection Act 2019, you have the right to:

• Access: Request copies of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (subject to legal obligations)
• Restriction: Request restriction of processing
• Object: Object to processing of your data
• Data Portability: Request transfer of your data
• Withdraw Consent: Withdraw consent at any time

To exercise your rights, contact us at info@afribit.africa

9. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect data from children. If you believe we have collected data from a child, contact us immediately.

10. International Data Transfers

Your data may be transferred to and stored on servers outside Kenya. We ensure appropriate safeguards are in place for such transfers, including encryption and secure protocols.

11. Changes to This Policy

We may update this Privacy Policy periodically. The "Last Updated" date at the top indicates the latest revision. Continued use of our services after changes constitutes acceptance.

12. Contact Us

For questions, concerns, or to exercise your rights:

13. Complaints

If you believe your data protection rights have been violated, you may file a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya: