Draft — pending legal review

This is a placeholder Privacy Policy. It will be reviewed by a qualified attorney to ensure full compliance with Kenya's Data Protection Act 2019 and the GDPR before Sikivu launches publicly.

Legal

Privacy Policy

Last updated: March 2026  ·  Effective: upon public launch

1. Introduction

Sikivu ("we", "our", "us") is a mental wellness companion built for people in East Africa. We are committed to protecting your privacy and handling your personal data with care, transparency, and respect — especially given the sensitive nature of mental health information.

This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and your rights under Kenya's Data Protection Act 2019 (DPA 2019) and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Data Controller

The data controller for your personal data is Sikivu, operating at sikivu.app (previously available at sikivu.africa). For privacy-related enquiries, contact us at:

Privacy Officer

Sikivu · sikivu.app

Email: privacy@sikivu.app

3. Data We Collect

We collect the following categories of personal data:

Account data

  • ·Phone number (used for authentication via SMS OTP)
  • ·Display name (optional)
  • ·Country and timezone

Wellness data

  • ·Mood check-ins and journal entries
  • ·Emotional patterns and wellness scores derived from your entries
  • ·Conversation history with the Sikivu AI companion (Premium users)

Usage data

  • ·App features used, session duration, crash reports
  • ·Device type, operating system, app version

Payment data

  • ·Transaction references from Pesapal (web: M-Pesa, cards), RevenueCat (iOS App Store), or Google Play Billing (Android)
  • ·We do not store raw card numbers — payment processors handle this under their own PCI-DSS compliance

Communications

  • ·Messages you send us via the contact form
  • ·Waitlist enquiries — name, email, phone (optional), platform interest, marketing consent status, and opt-in date

4. Sensitive Personal Data

Mental health and wellness data constitutes sensitive personal data under both DPA 2019 (Section 45) and GDPR (Article 9). We process this data only on the basis of your explicit consent, which you give when you create an account and begin using the app.

You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing before withdrawal.

5. Legal Basis for Processing

Explicit consentWellness and mood data, AI companion conversations, biometric authentication (if enabled)
Contract performanceProcessing necessary to deliver the Sikivu service you signed up for, including authentication and core app features
Legitimate interestsImproving our service, detecting abuse, fraud prevention, security monitoring
Legal obligationComplying with court orders, law enforcement requests under Kenyan law, or mandatory reporting obligations
Vital interestsCrisis intervention — if we detect a risk to life, we may process data to connect you with emergency resources. Crisis escalation is always free and always available.
Consent (marketing)We send launch notifications and occasional pre-launch updates to waitlist subscribers who have explicitly opted in. You may withdraw this consent at any time via sikivu.app/email-preferences or by emailing privacy@sikivu.app.

6. How We Use Your Data

  • ·Authenticate you securely via SMS OTP (Africa's Talking)
  • ·Provide and personalise your wellness companion experience
  • ·Detect emotional patterns and surface insights in your dashboard
  • ·Power the AI companion's contextual memory (Premium users)
  • ·Send transactional communications (login OTPs, receipts, account alerts)
  • ·Process payments for Premium subscriptions
  • ·Detect and respond to crisis signals in your entries
  • ·Improve the app through aggregated, anonymised analytics
  • ·Comply with legal obligations
  • ·Send launch notifications and occasional pre-launch updates to waitlist subscribers who have given marketing consent (via Brevo — see Section 7)

7. Third-Party Processors

We share data with the following processors, strictly limited to what each requires to perform their function:

Supabase

Database, authentication, and backend infrastructure. Hosted on AWS (EU region or nearest). Data Processing Agreement in place.

Africa's Talking

SMS OTP delivery for authentication. Kenyan company. Only your phone number is shared, solely for OTP delivery.

Resend

Transactional email (login OTPs, receipts, account alerts, waitlist double opt-in confirmation emails). Name and email address shared only for these purposes.

Brevo (Sendinblue)

Email broadcast platform. Name and email address of waitlist subscribers are transferred to Brevo after double opt-in confirmation, solely to send launch notifications and occasional pre-launch updates. Brevo is GDPR-compliant and operates under a Data Processing Agreement. You can remove yourself from this list at any time via sikivu.app/email-preferences.

Pesapal

Web payment processing (M-Pesa, cards) for East African users. PCI-DSS compliant. Your phone number and transaction reference are shared to process payments.

RevenueCat

Mobile subscription management via Apple App Store (iOS) and Google Play Billing (Android). Only your anonymised app user ID is shared — no financial data passes through RevenueCat directly.

Anthropic (Claude API)

AI companion responses for Premium users. Conversation context is sent to generate responses. Anthropic's data processing terms apply. We do not use your data to train Anthropic's models.

We do not sell your personal data. We do not share wellness or mental health data with employers, insurers, governments, or any third party unless required by law.

8. Data Retention

Active account dataRetained while your account is active
Wellness and journal dataRetained while your account is active; permanently deleted within 30 days of account deletion
Payment recordsRetained for 7 years as required by Kenyan tax law
Anonymised analyticsMay be retained indefinitely — cannot be re-linked to you
Crisis-related recordsRetained for a minimum of 3 years in line with safe practice guidelines, unless you request earlier deletion

9. Your Rights

Under the DPA 2019 and GDPR, you have the following rights:

Right of accessRequest a copy of all personal data we hold about you
Right to rectificationCorrect inaccurate or incomplete personal data
Right to erasureRequest deletion of your personal data ("right to be forgotten")
Right to restrictionAsk us to pause processing while a dispute is resolved
Right to portabilityReceive your data in a machine-readable format to transfer to another service
Right to objectObject to processing based on legitimate interests
Right to withdraw consentWithdraw consent for sensitive data processing at any time via account settings or by deleting your account

To exercise any of these rights, contact privacy@sikivu.app. We will respond within 30 days. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya.

10. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • ·Encryption at rest and in transit (TLS 1.2+)
  • ·Row-level security on all database tables
  • ·Authentication via short-lived OTPs — no passwords stored
  • ·Access controls limiting staff access to personal data
  • ·Regular security reviews

In the event of a data breach affecting your rights and freedoms, we will notify you and the ODPC within 72 hours of becoming aware, as required by DPA 2019 and GDPR.

11. International Data Transfers

Our primary infrastructure is hosted within or near the East African region. Where data is transferred outside Kenya (for example, to processors operating in the EU or US), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms under DPA 2019 Section 48.

12. Children

Sikivu is intended for users aged 18 and over. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact privacy@sikivu.app and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you in the app and update the "Last updated" date above. Continued use of Sikivu after changes take effect constitutes acceptance of the updated policy.

14. Contact

Questions about this Privacy Policy? Email privacy@sikivu.app or use our contact form.