Privacy Policy

1. Who We Are

Qimani is a Kenyan real estate platform registered under Qimani Tech that connects property buyers, renters, and investors with verified agents, agencies, and developers. We operate at qimani.com. For the purposes of the Kenya Data Protection Act 2019 (DPA), Qimani Tech is the data controller responsible for the personal information collected through this platform. This Privacy Policy governs how we handle personal data across all features of our platform — including property search, agent listings, lead enquiries, subscription payments, and account management. By using our services, you acknowledge this policy. This policy should be read alongside our Terms of Service, which governs your use of the platform more broadly.

2. Legal Basis for Processing

We process your personal data on the following lawful bases under the Kenya Data Protection Act 2019:

• Contract performance — to create and manage your account, process payments, deliver subscription services, and fulfil obligations arising from your use of the platform.
• Legitimate interests — to detect fraud, improve platform security, send service-related communications, and operate our analytics systems, where these interests are not overridden by your rights.
• Consent — where you have explicitly agreed to receive marketing communications or optional notifications. You may withdraw consent at any time.
• Legal obligation — where processing is required to comply with Kenyan law, tax regulations, or lawful requests from authorities.

3. What Information We Collect

4. How We Use Your Information

We use the data we collect to run and improve Qimani. Specifically this includes:

• Creating and managing your account as a buyer, agent, agency, or developer.
• Displaying your listings to buyers and renters on the platform.
• Processing subscription payments and sending payment confirmations via email.
• Sending lead notifications to agents when a buyer submits an enquiry about their listing.
• Powering the analytics dashboard so agents can see views, calls, WhatsApp clicks, and saves on their listings.
• Sending subscription renewal reminders, expiry notices, and listing approval or rejection emails.
• Verifying agent identity by reviewing submitted National ID, KRA PIN certificate, and professional documents including EARB licences, business registration certificates, company certificates, and NCA registrations.
• Generating agent profile pages with a unique public URL slug based on their agency name.
• Personalising property recommendations and search results based on browsing behaviour.
• Calculating market analysis estimates including price trends and comparable property data shown on listing pages. This data is aggregated and does not identify individual users.
• Detecting and preventing fraudulent listings, fake accounts, or platform abuse, including detecting duplicate free trial accounts using phone number verification, National ID matching, and device fingerprinting to protect the integrity of our one-time free trial offer.
• Complying with applicable Kenyan laws and responding to lawful requests from authorities.

5. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances and only to the extent necessary:

• With agents when you submit an enquiry or click a contact button on their listing, so they can respond to your interest.
• With buyers when you are an agent and a buyer submits a lead through your listing — your name, agency, phone number, and WhatsApp are shared.
• With IntaSend (our payment processor) to process subscriptions, boosts, and add-on payments on your behalf.
• With our transactional email provider to deliver payment confirmations, lead notifications, and listing status emails.
• With our database and authentication provider which stores your account data securely under our instructions as a data processor.
• With our cloud storage provider to store and serve property listing images and verification documents.
• With our verified partner network — including software developers, photographers, mortgage advisors, lawyers, and valuers — only when you explicitly request a referral.
• With authorities or legal bodies where we are required to do so under Kenyan law.
• In the event of a business merger, acquisition, or asset transfer, your data may be transferred as part of that process. We will provide 30 days prior notice to registered users before any such transfer.

6. International Data Transfers

Some of our third-party service providers — including but not limited to IntaSend and Google — may store or process your data on servers located outside Kenya. Where this occurs we ensure that appropriate safeguards are in place, including contractual data processing agreements that require these providers to protect your data to a standard equivalent to or greater than the requirements of the Kenya Data Protection Act 2019. By using Qimani you consent to your data being processed in these jurisdictions where necessary to provide our services.

7. Subscription and Payment Data

Qimani uses IntaSend to process payments for agent subscriptions and add-ons. When you initiate a payment, an STK push is sent to your M-Pesa number or a card payment is processed. We store the IntaSend transaction reference and your chosen subscription plan in our database. We do not store your M-Pesa PIN, card details, or any sensitive financial credentials. Subscription data including your plan tier, start date, and expiry date is stored in your agent profile and is visible to you in your dashboard and to Qimani administrators.

8. Listing Draft Data

When an agent creates a listing before completing a subscription payment, the listing is saved as a draft. Draft listings are not visible to the public. Drafts that remain unpaid are automatically deleted after 7 days of inactivity. A warning email is sent 24 hours before deletion. Images attached to drafts are stored temporarily and are deleted alongside the draft listing during our automated cleanup process.

9. Cookies and Tracking

10. Your Rights Under the Kenya Data Protection Act 2019

As a data subject under the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:

• Right of access — to obtain a copy of the personal data we hold about you.
• Right to rectification — to have inaccurate or incomplete data corrected.
• Right to erasure — to request deletion of your personal data where there is no lawful basis for us to continue holding it.
• Right to restriction — to ask us to limit how we process your data in certain circumstances.
• Right to data portability — to receive a copy of your data in a structured, machine-readable format.
• Right to object — to processing based on legitimate interests, including profiling.
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

11. Data Security

We protect your data using industry-standard security practices including encrypted connections via HTTPS, Row Level Security on our database so agents can only access their own data, JWT-based authentication, and restricted access to the admin panel. Sensitive operations such as payment verification use server-side API calls with secret keys that are never exposed to the browser. We conduct periodic security reviews to assess and address vulnerabilities. While we take reasonable precautions, no internet-connected system is completely immune to risk and we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Office of the Data Protection Commissioner as required by law.

12. Data Retention

We keep your personal data for as long as your account is active or as required to provide our services. The following specific retention periods apply:

• Active account data — retained for the duration of your account.
• Draft listings — automatically deleted after 7 days of inactivity if no subscription payment is completed. A warning email is sent 24 hours before deletion.
• Lead enquiry data — retained for 12 months after account closure for dispute resolution purposes.
• Financial and payment records — retained for 7 years in line with Kenyan tax and accounting requirements.
• Verification documents (approved) — retained for the duration of your account, deleted within 30 days of account closure.
• Verification documents (rejected) — deleted within 30 days of rejection.
• Inactive accounts — accounts with no login or platform activity for 24 consecutive months may be flagged for deletion with 30 days prior email notice.

13. Children

Qimani is intended for individuals aged 18 and above. We do not knowingly collect data from minors. If we discover that a minor has provided us with personal data without parental consent, we will delete that data immediately. If you believe a person under 18 has registered on our platform, please contact us immediately at privacy@qimani.com and we will remove the account promptly.

14. Changes to This Policy

We may update this Privacy Policy as our platform grows and our practices evolve. When we make significant changes we will notify registered users by email at least 14 days before the new policy takes effect and update the date below. We encourage you to review this policy periodically. Continued use of the platform after changes are published constitutes acceptance of the revised policy.

15. Contact Us

For any privacy-related questions, requests, data subject rights enquiries, or concerns please reach out to us directly:

• Privacy enquiries: privacy@qimani.com
• General support: support@qimani.com
• Phone: +254 798 431 212
• Platform: qimani.com
• Data Protection Commissioner (Kenya): www.odpc.go.ke