Privacy Policy

Effective date: 24 May 2026 · Kenya Data Protection Act 2019 compliant

1. Introduction

Habova ("we", "us", or "our") is committed to protecting the privacy of everyone who uses our platform — property owners, managers, agents, caretakers, and tenants. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you hold under the Kenya Data Protection Act 2019 ("DPA 2019").

Please read this Policy carefully. By creating an account or continuing to use the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with how we handle personal data, please discontinue use of the Platform.

This Policy applies to the Habova web application, mobile-optimised site, APIs, and any related communications (email, SMS, push notifications) sent by or through the Platform.

2. Who We Are

Habova is a property management software company. Under the DPA 2019, Habova acts as a data controller for personal data relating to account holders (property owners, managers, and their staff) and as a data processor for personal data that account holders upload about their tenants and third parties.

Property owners and managers who use Habova to manage tenant data are themselves data controllers under the DPA 2019 and are independently responsible for having a lawful basis for processing tenant data and for providing tenants with required data protection notices.

To contact our Data Protection function, see Section 15.

3. Data We Collect

We collect personal data in the following ways:

Data you give us directly

  • Account data: name, email address, phone number, national ID or business registration number, company name, profile photo.
  • Property data: property addresses, unit details, photos, rental amounts, lease terms, and any documents you upload (lease agreements, inspection reports, ID copies).
  • Tenant data: name, contact details, ID number, employment and income details supplied on rental applications, emergency contacts, and any communications between tenants and property managers conducted through the Platform.
  • Payment data: M-Pesa phone numbers used for transactions, transaction references, invoice and payment amounts, timestamps. We do not store M-Pesa PINs or full card numbers.
  • Support data: the content of support tickets and communications you send to our team.

Data we collect automatically

  • Usage data: pages visited, features used, buttons clicked, session duration, and navigation paths within the Platform.
  • Device & connection data: IP address, browser type and version, operating system, screen resolution, and referring URL.
  • Audit logs: a timestamped record of all significant actions taken on your account (logins, data changes, payment events) for security and compliance purposes.

Data from third parties

  • Payment confirmation data from Safaricom (M-Pesa), including payment reference numbers and transaction status callbacks.
  • Delivery status reports from Africa's Talking and Twilio for SMS and email notifications we send on your behalf.

4. How We Use Your Data

We process personal data only where we have a lawful basis under the DPA 2019. The table below sets out our primary processing activities and their legal bases:

Purpose | Lawful Basis (DPA 2019)
Providing and operating the Platform, including account management, property management, and invoicing | Performance of contract
Processing rent payments and subscription billing | Performance of contract
Sending transactional communications (rent receipts, invoice reminders, lease notifications, maintenance updates) | Performance of contract
Authenticating users and maintaining account security (including 2FA) | Legitimate interest / legal obligation
Maintaining audit logs for security, fraud prevention, and compliance | Legitimate interest / legal obligation
Improving the Platform through aggregated analytics and usage patterns | Legitimate interest
Responding to support requests | Performance of contract / legitimate interest
Complying with legal obligations (e.g., KRA tax requirements, court orders) | Legal obligation
Sending product updates and service announcements to account holders | Legitimate interest (you may opt out at any time)

We do not use your personal data for automated decision-making that produces legal effects without human review. If we introduce such processing in future, we will update this Policy and notify you in advance.

5. Mobile Money & Payment Data

When tenants make payments via M-Pesa, Habova receives a payment confirmation from Safaricom containing a transaction reference, the amount, and a timestamp. We use this data solely to reconcile payments against invoices and to update ledger records.

What we do not store: We never receive, log, or store M-Pesa PINs. Full mobile wallet credentials remain exclusively between the user and Safaricom.

Tenant mobile numbers used for STK push payments are stored in our system as part of the tenant's profile (to enable future payments) and are treated with the same data protection standards as all other personal data. Tenants may update or remove their payment phone number from their account settings at any time.

Payment records — including the amount, date, reference, and payer identity — are retained as part of the property's financial audit trail for a minimum of seven (7) years in compliance with the Kenya Tax Procedures Act and accounting best practices.

6. Sharing & Disclosure

Habova does not sell, rent, or trade your personal data to third parties. We share data only in the following circumstances:

Within the Platform

Data about tenants is visible to the property owner or manager who manages their unit, to agents and administrators within the same Workspace, and to assigned caretakers or maintainers to the extent required to fulfil their role. Tenants can see their own invoices, lease, notices, and maintenance requests.

Service providers (data processors)

We share data with sub-processors who help us operate the Platform. All sub-processors are contractually bound to process data only on our instructions and to maintain appropriate security measures:

  • Safaricom (M-Pesa): payment processing
  • Africa's Talking / Twilio: SMS and email delivery
  • Cloud infrastructure provider: hosting and data storage
  • Analytics provider: aggregated, pseudonymised usage analytics

Legal obligations

We will disclose personal data where required by law, regulation, court order, or lawful request from a competent authority (such as the Kenya Revenue Authority or law enforcement). Where permitted, we will notify the affected user before making such disclosure.

Business transfers

If Habova is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Platform before your data becomes subject to a materially different privacy policy.

7. Data Retention

We retain personal data only as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law.

  • Active account data is retained for as long as the account is active.
  • Post-cancellation: account data is retained for 90 days to allow data export, then permanently deleted — except for records we are legally required to keep.
  • Financial records (invoices, payment transactions, lease records) are retained for a minimum of 7 years in compliance with the Tax Procedures Act.
  • Audit logs are retained for 3 years from the date of the recorded event.
  • Support correspondence is retained for 2 years from resolution.

When data is no longer required, it is securely deleted or anonymised so that it can no longer be linked to any individual.

8. Security Measures

Habova takes security seriously. We implement technical and organisational measures appropriate to the risk of processing your personal data, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of sensitive data at rest using AES-256
  • Role-based access controls ensuring staff can access only data necessary for their function
  • Two-Factor Authentication (2FA) available and strongly recommended for all accounts
  • Regular security reviews and vulnerability assessments
  • Audit logging of all privileged access and significant data changes
  • Incident response procedures in compliance with DPA 2019 breach notification requirements

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours and will inform affected users without undue delay.

No system is completely secure. You are responsible for maintaining the confidentiality of your account credentials and for notifying us promptly of any suspected unauthorised access.

9. Your Rights Under the DPA 2019

The Kenya Data Protection Act 2019 grants you the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@habova.com. We will respond within 21 days.

Right of Access

You may request a copy of the personal data we hold about you and information about how we process it.

Right to Rectification

If any personal data we hold about you is inaccurate or incomplete, you may request that we correct or complete it.

Right to Erasure

In certain circumstances you may request that we delete your personal data. Note that some data must be retained for legal compliance purposes.

Right to Object

You may object to processing of your personal data where we rely on legitimate interest as our lawful basis, including direct marketing.

Right to Restrict Processing

In certain circumstances you may request that we suspend processing of your data while a dispute or review is in progress.

Right to Data Portability

You may request a copy of your data in a structured, commonly used, machine-readable format (CSV or JSON).

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at odpc.go.ke.

10. Cookies & Tracking Technologies

Habova uses cookies and similar technologies to operate the Platform, remember your preferences, and understand how the Platform is used. We categorise these as follows:

  • Essential cookies: Required for authentication, session management, and security (e.g., CSRF protection). These cannot be disabled without breaking the Platform.
  • Functional cookies: Remember your preferences such as theme (light/dark mode) and language settings.
  • Analytics cookies: Collect aggregated, pseudonymised data about how the Platform is used to help us improve it. You may opt out via your account settings or browser settings.

We do not use advertising cookies or sell cookie data to third parties. We do not use third-party tracking pixels from social networks or advertisers on the authenticated portions of the Platform.

11. Third-Party Services

The Platform integrates with third-party services to deliver core functionality. Each service operates under its own privacy policy:

  • Safaricom / M-Pesa: mobile payment processing. Governed by Safaricom's privacy policy and M-Pesa terms.
  • Africa's Talking: SMS and email delivery. Governed by Africa's Talking's privacy policy.
  • Twilio: fallback SMS channel. Governed by Twilio's privacy policy.

Links to external websites or services appearing in the Platform are provided for convenience. Habova is not responsible for the privacy practices of third-party sites and recommends you review their policies before sharing personal data with them.

12. Children's Privacy

The Habova Platform is not directed at or intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us at privacy@habova.com and we will delete it promptly.

13. International Data Transfers

Habova stores and processes data primarily within Kenya and the East Africa region. Where sub-processors operate in other jurisdictions — for example, Twilio's infrastructure — data may be transferred outside Kenya.

We ensure that any international transfers comply with the DPA 2019's requirements for cross-border data transfers, including through appropriate contractual safeguards (standard contractual clauses or equivalent mechanisms). A list of jurisdictions to which we transfer data is available upon request.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our services, or the way we handle data. When material changes are made, we will:

  • Update the effective date at the top of this page;
  • Send an email notification to the primary contact on your account; and
  • Display a notice on the Platform for at least 14 days.

We encourage you to review this Policy periodically. Continued use of the Platform after the effective date of an updated Policy constitutes acceptance of the changes.

15. Contact & Complaints

For any questions, requests to exercise your rights, or concerns about this Privacy Policy, please contact our data protection function:

Privacy enquiries: privacy@habova.com

General support: support@habova.com

If you are not satisfied with our response, you may submit a complaint to the Office of the Data Protection Commissioner of Kenya:

Office of the Data Protection Commissioner

Nairobi, Kenya

Website: odpc.go.ke