Partner Privacy Notice

This Partner Privacy Notice explains how Francton LLC, operating as Garisea (“Garisea,” “we,” “us”), handles personal data on the Garisea Partner dashboard at partner.garisea.com.

It is in addition to, not in place of, the customer-facing Privacy Policy at garisea.com. Where the two overlap on partner-account data, this Notice governs.

This Notice is written to comply with the Kenya Data Protection Act, 2019 and is aligned with the principles of the EU General Data Protection Regulation (GDPR) where applicable.

Francton LLC, operating as Garisea, is the data controller for:

• Your partner-account data (your name, email, phone, KRA PIN, business identification, login activity, billing history, dashboard preferences).
• Customer data (inquiries, messages, search history, account profile) collected by the platform. Garisea is the controller for this data; your organisation is a recipient of specific customer details (name, phone, email, the inquiry content) when a customer submits a lead to you through the platform.

For customer lead data that flows off-platform — when you call the customer, when the customer visits your premises, when you exchange WhatsApp messages from your own number, when a service or financing agreement is signed — your organisation is an independent data controller for that data under the Kenya Data Protection Act 2019, with your own data-protection responsibilities (lawful basis, retention, security, subject rights). See Partner Terms §21 for the boundary.

Our Data Protection contact is [email protected].

We collect personal data in three ways: data you give us directly, data we collect automatically when you use the dashboard, and data we receive from third parties.

3.1 Data you give us

• Account data — name, email, phone, password (stored as a salted bcrypt hash — we never see the plaintext).
• Partner organisation identity — business name, physical address, contact phone, contact email, social handles, operating hours, partner category (Finance, Insurance, Service Centre, Auto Parts, Detailing/Wraps/PPF, or Other).
• Verification documents — registration certificate (required); KRA PIN and identification document (optional). Document images are stored on our image hosting provider; metadata is in the primary database.
• Service or product information — descriptions, offers, coverage areas, and any other content you publish on your partner profile to describe your services to customers.
• Lead handling — your replies to customer inquiries, notes you write internally, follow-up notes, dispute submissions.
• Reviews you reply to — your public replies to customer reviews of your organisation.
• Payment requests— subscription, lead-pack, advertising-pack, and wallet top-up orders you initiate. Actual card numbers and M-Pesa PINs are captured by our payment service provider on their hosted checkout — Garisea never sees, stores, or processes them. We receive only the transaction outcome (success / failure / amount / reference) from the provider's signed webhook.
• Support tickets — anything you write to us at our partner support address or via the in-dashboard help centre.

3.2 Data collected automatically

• Device and browser — IP address, browser type and version, operating system, device model, screen size, language, timezone.
• Usage data — dashboard pages you visit, actions you take (publish, edit, archive, reply, dispute), session duration, feature engagement.
• Audit log of sensitive actions — account state changes (active / suspended / closed), profile status changes, data exports, deletions, settings changes affecting billing or contact channels. Retained for compliance and dispute reconstruction regardless of analytics consent.
• Crash and error data — when a dashboard request errors, we capture the stack trace, request context, and your user ID (so we can correlate, not so we can identify you to a third party). Handled by a third-party crash monitoring provider with PII fields scrubbed in transit.
• Cookies and local storage — session cookies, CSRF tokens, preference flags. Full inventory in our Cookie Policy.

3.3 Data from third parties

• Google Sign-In — if you sign in with Google, we receive your name, email, profile picture URL, and a Google account identifier. We do not receive your Google password.
• Apple Sign-In — if you sign in with Apple, we receive an Apple identifier (the sub claim) and, on first sign-in only, your email (or an Apple relay address if you chose “Hide my email”) and full name if you allowed sharing. We exchange the one-time authorization code for a refresh token so we can revoke your Apple session at account deletion (Apple guideline 5.1.1(v) requires this); the refresh token is encrypted at rest with AES-256-GCM.
• Payment service provider — payment outcome webhook (success / failure / amount / reference / your partner ID).

We use the data we collect to:

• Run the partner dashboard — authenticate you, keep your session, manage your profile, route customer leads to the right partner, surface analytics on your performance, send in-product notifications.
• Verify your organisation — review registration certificates, KRA PIN, and identification documents to approve your partner account and grant verification badges.
• Bill subscriptions and packs — relay orders to our payment service provider, credit your wallet on confirmation, auto-pause campaigns when the wallet falls below threshold, generate KRA-compliant invoices and receipts.
• Detect fraud, abuse, and policy violations — impersonation, ad-fraud, AUP violations, chargeback abuse, off-platform diversion.
• Send transactional communications — lead alerts, billing notices, status changes, dispute outcomes, verification updates, security notifications (password reset, login lockout, account closure confirmation).
• Send marketing communications, with consent — product newsletters, feature announcements, platform promotions. You can opt out anytime from Settings → Notifications without affecting transactional messages.
• Provide aggregate analytics — dashboard usage data feeds product analytics in aggregate. Where analytics identify your organisation specifically, that processing is gated on the cookie consent you set in this dashboard.
• Improve the platform — anonymized usage patterns feed product improvement (which features partners use, where they drop off, which surfaces convert).
• Comply with legal obligations — respond to lawful requests from Kenyan regulators, courts, or law enforcement; retain transaction records for the 7-year KRA statutory period; maintain audit logs.

Under the Kenya Data Protection Act 2019 and GDPR Article 6 (where applicable), our lawful basis for processing your personal data is:

• Contract performance — the bulk of dashboard processing flows from our Partner Terms (managing your profile, routing leads, billing, providing analytics you signed up for).
• Legitimate interests— fraud prevention, security monitoring, aggregate analytics, sub-processor relationships needed to run the platform. We balance these against your rights and limit data use to what's necessary.
• Consent — optional things like analytics + advertising cookies, marketing email subscriptions. Withdraw any time without affecting other processing.
• Legal obligation — KRA records retention, regulator requests, audit-trail keeping, breach notification.

We share your data only when needed to provide the service, with your consent, or when required by law.

6.1 With customers

Your organisation's public profile(business name, location, ratings, badges, contact channels you've enabled, operating hours, and service information) is visible on garisea.com and the customer mobile app. The personal email and password you use to sign in are never displayed.

6.2 With service providers

We use trusted third-party service providers to run the dashboard. Each is bound by a data-processing agreement that limits how they may use your data. The categories of providers we engage are:

• Payment processing— to charge subscriptions, packs, and wallet top-ups. Card and M-Pesa details are captured on the provider's hosted checkout; Garisea does not see, store, or process them.
• Email and SMS delivery — to send transactional email (lead alerts, billing notices, security alerts) and SMS one-time codes, and — with consent — marketing email.
• Cloud hosting and database — to run the dashboard, the API, and our primary database. Data is encrypted in transit and at rest.
• Content delivery and image / video hosting — to serve partner logos, profile images, KRA PIN images, and verification documents at scale.
• Push notifications — to deliver lead, billing, and message alerts to your browser or device.
• Crash and error monitoring — to capture scrubbed error reports so we can fix bugs.
• Aggregate dashboard analytics — gated on cookie consent; helps us understand which features get used.
• Bot mitigation and DDoS protection — to keep the dashboard safe from automated abuse.
• Background job scheduling — to run time-sensitive workflows like billing reminders and notification fan-out.
• AI-assisted features — limited use of large-language-model providers for lead suggestions and profile-description help. Content is sent under zero-data-retention agreements; no personal data beyond what you explicitly entered is included.

We periodically review our provider list and add or remove providers as the platform evolves. Material changes are reflected in this Notice and notified per §13.

We do not sell your personal data to anyone, and we do not share it with advertisers for retargeting outside Garisea.

6.3 With authorities

We may disclose your data when required by Kenyan law — for example, a lawful court order, a regulator's formal request, a criminal investigation by the Directorate of Criminal Investigations (DCI), or a binding KRA request. We'll notify you of the request unless legally prohibited from doing so.

6.4 Business transfers

If Garisea is sold, merged, or restructured, your personal data may be transferred to the acquiring entity under the same privacy commitments. We'll notify you by email at least 30 days before any such transfer where reasonably possible.

We keep your personal data only as long as we need it for the purposes described in this Notice, then delete or anonymize it.

• Active partner accounts — kept while the account is open.
• Closed accounts — profile and personal data are removed from active systems within 30 days of account closure. Anonymized aggregate analytics derivatives may be retained indefinitely (they no longer link back to you).
• Partner profile content — retained until you delete it or close the account. Deactivated profile content stays accessible internally for ~30 days to honour existing share-links, then moves to a hidden archive.
• Lead conversations — retained while your account is active. After account closure, removed within 30 days.
• Reviews left about you— generally remain live after account closure to inform other customers. The reviewer's display name is anonymized to “Former user” if they have themselves deleted their customer account.
• Invoices, receipts, payment records — retained for 7 years, as required by KRA records retention rules.
• Audit log (account state changes, moderation actions, data exports, deletions, sensitive settings changes) — retained for 7 years regardless of account state, for compliance and dispute reconstruction.
• Customer search history used to power partner insights — anonymized after 90 days. Anonymized aggregate data is retained indefinitely; we do not retain a customer-identifying link to old searches.
• Backups — automated database backups may retain your data for up to 30 days after deletion. Backups are access-restricted and used only for disaster recovery.

We apply industry-standard safeguards to protect your data:

• Encryption in transit — all connections to the dashboard, the API, and our sub-processors use TLS 1.2 or higher.
• Encryption at rest — the production database encrypts data at rest. Sensitive secondary credentials (Apple Sign-In refresh tokens) are additionally encrypted with AES-256-GCM before storage.
• Passwords — never stored in plaintext. We use bcrypt with a per-password salt; even an engineer with full database access cannot see your password.
• Authentication — short-lived JWT access tokens (30 minutes) + refresh-token rotation. Stored on web in httpOnly cookies with the Secure and SameSite attributes.
• Account lockout — after 5 failed login attempts in 30 minutes, the account is temporarily locked. We notify you by email.
• Webhook signature verification — incoming webhooks (payment confirmations, email bounce reports, media upload notifications) verify HMAC signatures before being trusted.
• CSRF protection — state-changing dashboard requests carry a CSRF token that we verify server-side.
• Access controls — engineer access to production data is role-based, audited, and time-bounded. Customer support staff see only the minimum data needed to help you.
• Secret hygiene — secrets rotate on a 90-day cadence and immediately on suspected compromise. Automated pre-commit scans block accidental credential commits.

No system is 100% secure. If we ever detect a personal data breach affecting your account, we will notify you and the Office of the Data Protection Commissioner within 72 hours of becoming aware, as required by the Kenya Data Protection Act 2019.

Under the Kenya Data Protection Act 2019 (Sections 26–33) and GDPR Articles 15–21 where applicable, you have the following rights over your personal data:

• Right of access — request a copy of the data we hold about you. Email [email protected] and we'll provide a structured JSON archive covering profile, leads, invoices, and notification preferences.
• Right to correction — fix inaccurate data. Most fields are editable directly in Settings → Profile. For things you can't edit yourself (e.g. registered email change with verification), email [email protected].
• Right to erasure (“right to be forgotten”) — delete your account and personal data. Available in Settings → Danger Zone. Personal data is removed within 30 days. Tax-mandated transaction records and 7-year audit logs are retained as required by law.
• Right to data portability — receive your data in a structured, machine-readable format (the JSON export referenced above).
• Right to object — object to processing based on legitimate interests (e.g. marketing emails). Toggle off in Settings → Notifications or email [email protected].
• Right to withdraw consent— where we process based on consent (analytics cookies, advertising cookies, marketing email), you can withdraw at any time. Withdrawal doesn't affect processing that already happened.
• Right to restrict processing — ask us to pause processing while we investigate a complaint. Email [email protected].
• Right to lodge a complaint— if you believe we've mishandled your data, you can complain to the Office of the Data Protection Commissioner (Kenya).

We respond to rights requests within 30 days, as required by law. Our Data Protection contact is [email protected].

Garisea's primary infrastructure runs on cloud providers with servers primarily located in Europe and the United States. When we transfer your personal data outside Kenya, we rely on the recipient's certifications (e.g. EU-US Data Privacy Framework participants) or contractual safeguards equivalent to the Kenya Data Protection Act 2019. We never transfer data to a jurisdiction without comparable privacy protections.

The dashboard uses automated systems to rank your profile in discovery results, score lead intent (a Cold-to-Very-Hot indicator), auto-pause campaigns when your wallet falls below threshold, and filter clearly-fraudulent activity. None of these decisions have a significant legal or material effect on you in the sense of Section 35 of the Kenya Data Protection Act — they affect ranking, presentation, and automated platform hygiene rather than whether you can transact. If you believe an automated decision (e.g. a profile wrongly hidden, a lead wrongly flagged invalid) has materially harmed you, contact [email protected] and a human moderator will review the outcome.

When customer personal data (name, phone, email, inquiry content, and related details) is delivered to your organisation through a lead, you become an independent data controller for that data. Your duties — under the Kenya Data Protection Act 2019 and these Partner Terms — include: processing the data only for the specific inquiry it relates to (no marketing list addition, no resale, no third-party transfer); keeping the data secure (no sharing in unsecured WhatsApp groups beyond your staff, no spreadsheet of customer contacts on an unsecured device); deleting the data when no longer needed for the inquiry; responding to customer data-subject requests made to you directly within 30 days; and notifying Garisea promptly if you learn of a personal data breach affecting customer data you obtained through the platform. Finance and insurance partners must additionally comply with the financial- services and insurance regulations applicable to them in Kenya. See Partner Terms §12 and §21 for the full scope.

We may update this Notice from time to time as the platform evolves, as our sub-processor list changes, or as the law requires. Material changes will be communicated by email at least 14 days before they take effect, with an in-dashboard notice. The “Last updated” date at the top of this page reflects the most recent revision. Continuing to use the dashboard after an update means you accept the updated Notice.

For privacy questions, complaints, or to exercise your rights:

• Data Protection: [email protected]
• Partner support: [email protected]
• Trust & safety: [email protected]
• Operated by: Francton LLC, Nairobi, Kenya.

To complain to the Kenyan data-protection regulator: Office of the Data Protection Commissioner — www.odpc.go.ke.