This Privacy Policy explains how TUFIXIT (“we,” “our,” or “us”) collects, uses, shares, and protects personal data when you use our website, mobile experiences, WhatsApp services, or any related APIs (the “Platform”).
We process personal data in line with the Kenya Data Protection Act, 2019 and the regulations issued under it. By using the Platform you acknowledge the practices described here. This policy should be read together with our Terms of Service.
1. Who we are
TuFixIt Limited is the data controller for personal data processed through the Platform. Our contact details are at the bottom of this page.
2. Personal data we collect
We collect the following categories of personal data:
- Account data: first name, last name, email address, Kenyan phone number, password (stored hashed with BCrypt), role (CLIENT / WORKER / ADMIN), referral code.
- Profile data (artisans): profile photo, skills, hourly rate, bio, years of experience, optional national ID number, certificate of good conduct, TVET certification, M-Pesa account number for payouts.
- Location data: service area name, GPS latitude/longitude (only when you grant browser permission or type it manually), and the customer’s job address.
- Job & transaction data: bookings, bids, agreed prices, M-Pesa transaction IDs, escrow records, ratings, reviews, dispute messages.
- Communication data: chat messages between customers and artisans, SMS and WhatsApp messages sent through the Platform, support tickets.
- Device & usage data: IP address, browser type, device identifier, pages viewed, links clicked, profile views, call/WhatsApp button clicks (used for analytics and ranking).
- Cookies & local storage: JWT token, session preferences (see section 7).
3. How we use your data
- Create and manage your account, log you in, and protect against fraud or abuse.
- Match customers with nearby, suitable artisans and rank search results.
- Process subscription payments via M-Pesa and verify transactions.
- Calculate the artisan Trust Score and vetting level (STANDARD / VERIFIED / PRO).
- Send transactional notifications (booking confirmations, OTPs, job updates) via SMS, WhatsApp, or email.
- Improve the Platform — debugging, analytics, A/B testing, and feature development.
- Comply with legal obligations, respond to lawful requests, and enforce our Terms.
4. Legal basis for processing
We rely on the following lawful bases set out in section 30 of the Data Protection Act, 2019:
- Performance of a contract — to deliver the marketplace service you signed up for.
- Consent — for optional features such as precise GPS location, marketing emails, and cookies that are not strictly necessary. You can withdraw consent at any time.
- Legitimate interests — to keep the Platform safe, prevent fraud, and improve search quality, balanced against your privacy rights.
- Legal obligation — when we are required to retain or disclose data under Kenyan law (e.g., tax, anti-money-laundering).
5. How we share your data
We share personal data only with parties who need it to deliver the service:
- Other users: when a customer contacts an artisan, the artisan sees the customer’s first name, phone number, location, and job description. When a customer views an artisan, the artisan’s public profile (name, photo, skills, ratings, location area) is visible. Reviews submitted are visible publicly with the reviewer’s first name only.
- Estate partners: if you book through an estate-branded short-code (e.g.,
FDH1), the estate manager receives the booking details to coordinate the job. - Payment providers: Safaricom M-Pesa (Daraja API) for payment initiation and verification.
- Communication providers: Africa’s Talking for SMS, Meta WhatsApp Business API for WhatsApp messages.
- Infrastructure providers: our cloud hosting provider, PostgreSQL database, Redis cache, and CDN. They process data on our instructions only.
- Authorities & legal: the police, the Office of the Data Protection Commissioner, the courts, or KRA, where required by law or to protect rights, property, and safety.
We never sell your personal data.
6. Location data
When you allow your browser to share precise location, we use it to (a) suggest your service area on the artisan onboarding flow, and (b) sort artisans by distance on the customer search results. You can revoke this permission in your browser settings at any time. Coarse location typed by you (e.g., “Westlands, Nairobi”) is stored on your profile so customers in your area can find you.
7. Cookies & local storage
We use only the cookies and browser storage that are strictly necessary to keep you logged in (a JWT token in localStorage) and to remember light UI preferences such as the last selected billing cycle. We do not use third-party advertising cookies. You can clear these at any time from your browser.
8. SMS & WhatsApp messaging
By signing up with a Kenyan phone number you agree to receive transactional SMS and WhatsApp messages relating to your account, bookings, payment confirmations, and security alerts. You may opt out of marketing messages at any time by replying STOP to any SMS we send, or by adjusting your preferences in Dashboard → Settings. Opting out of transactional messages may impair service delivery.
9. How long we keep your data
| Data type | Retention period |
|---|---|
| Active accounts | For as long as the account is open |
| Closed accounts | Up to 24 months (soft-deleted), then anonymised |
| Job records, reviews, M-Pesa transaction IDs | At least 7 years (Kenyan tax laws) |
| Server & security logs | Typically 90 days |
10. How we protect your data
- Passwords are stored as BCrypt hashes — never in plaintext.
- Authentication uses signed, short-lived JSON Web Tokens (JWT).
- All traffic between your device and our servers is encrypted with TLS (HTTPS).
- API endpoints have rate-limiting, input validation, and CORS protection.
- Internal access to personal data is restricted on a least-privilege basis.
No system is 100% secure. If we discover a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner within 72 hours and inform affected users without undue delay, as required by section 43 of the Data Protection Act, 2019.
11. Your rights
Under the Kenya Data Protection Act, 2019, you have the right to:
To exercise any right, email privacy@tufixit.com from the address registered on your account. We will respond within 30 days. You may also lodge a complaint with the ODPC.
12. Children’s data
The Platform is not directed to anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has shared data with us, please contact us so we can delete it.
13. International transfers
Our infrastructure providers may store backups in data centres outside Kenya. Where data leaves Kenya, we rely on the safeguards set out in section 48 of the Data Protection Act, 2019 — namely, transfers to jurisdictions with adequate protection or under standard contractual clauses with our processors.
14. Changes to this Policy
We may update this Policy as the Platform evolves. The “Last updated” date at the top of this page reflects the most recent version. Material changes will be notified via email, SMS, or an in-app banner before they take effect.
15. Contact us
Data-related enquiries:
See also our Terms of Service for the contractual terms that govern use of the Platform.