Privacy Policy

StampKE Solutions ("StampKE", "we", "us") is committed to protecting your personal data. This policy explains how we collect, use, disclose, and safeguard your information when you use our platform at stampke.co.ke, including Digital Business Cards, E-Signature, QR Reviews, Booking, and Client Capture tools. This policy complies with the Kenya Data Protection Act, 2019, the AU Malabo Convention, and follows GDPR standards where applicable.

1. Information We Collect

You Provide: Account info (name, email, phone, photo via Google OAuth), business card details, e-signature documents, booking info, reviews/feedback, lead capture data, and payment references via Paystack.

Automatically: Device/browser info, usage data, IP address, and essential authentication cookies.

Third Parties: Google OAuth profile data and Paystack transaction confirmations.

2. How We Use Your Information

• Service Delivery: Account management, digital card generation, e-signatures, bookings, client capture.
• Communications: Transactional emails for bookings, signature requests, lead notifications via Resend.
• Security: Fraud detection, abuse prevention, security monitoring.
• Analytics: Platform usage insights, card view metrics.
• Legal Compliance: Compliance with Kenyan and international law.

3. Legal Basis for Processing

Under the Kenya DPA 2019: Consent (account creation), Contractual Necessity (service delivery), Legitimate Interest (security, improvement), and Legal Obligation (regulatory requirements).

4. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share only with:

• Service Providers: Resend (email), Paystack (payments), Vercel (hosting), PostgreSQL (database) — under strict contracts.
• Public Card Visitors: Only the information you choose to display on your digital card.
• Legal Requirements: When compelled by court order or law enforcement.
• Business Transfers: In connection with mergers/acquisitions, with equivalent protections.

5. Data Security

• TLS/SSL encryption for all data transmission (HTTPS enforced).
• Passwords hashed with bcrypt (industry-standard).
• HTTP-only, Secure, SameSite cookies with session timeout.
• CSP, HSTS, X-Frame-Options security headers implemented.
• Role-based access controls and periodic security audits.
• Enterprise-grade hosting on Vercel with encrypted PostgreSQL databases.

6. Data Retention

Active account data is retained while your account is active. Inactive accounts: data retained up to 24 months then anonymised/deleted. Deletion requests honoured within 30 days. Some data may be retained for legal/tax obligations.

7. Your Rights (Kenya DPA 2019)

• Access: Request a copy of your personal data.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion (subject to legal obligations).
• Restrict Processing: Limit how we process your data.
• Data Portability: Receive data in machine-readable format.
• Object: Object to processing based on legitimate interest.
• Withdraw Consent: At any time without affecting prior processing.

Contact privacy@stampke.co.ke to exercise your rights. We respond within 30 days.

8. International Transfers

Data may be processed outside Kenya (US, EU) via our providers. We ensure safeguards including Standard Contractual Clauses and DPA cross-border requirements compliance.

9. Children's Privacy

StampKE is not for individuals under 18. We do not knowingly collect minors' data and will delete it immediately if discovered.

10. Changes & Contact

Material changes will be communicated via website notice or email. Questions or complaints: privacy@stampke.co.ke | StampKE Solutions, Longonot Road, 10th Floor Mercure Hotel, Nairobi, Kenya. You may also contact the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.