Meneja — Property Management

Section 01

Who We Are

Meneja is a property management platform operated by Meneja Billing (Business Registration No. BN-L3SMEDA9), a sole proprietorship registered in Kenya under the Business Registration Service Act, 2015.

In this policy, “Meneja”, “we”, “us”, and “our” refer to Meneja Billing. “Platform” refers to the Meneja web and mobile application and its associated APIs.

We are registered with the Office of the Data Protection Commissioner (ODPC) as a Data Controller under Section 18 of the Data Protection Act, 2019. Our processing activities fall within the category of property management, which is a mandatory registration sector under the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

Data Protection Contact

For all privacy-related queries, requests, and complaints: privacy@meneja.co.ke

Section 02

Scope of This Policy

This policy applies to all individuals who interact with the Meneja Platform, including:

Property owners and investors who list and manage estates
Property managers assigned to oversee estates on behalf of owners
Maintenance staff assigned to service and resolve work orders
Tenants who occupy units managed through the Platform
Visitors to our website who have not yet registered

This policy governs how we collect, use, store, share, and protect personal data, and explains your rights as a data subject under Kenyan law.

Section 03

What Personal Data We Collect

We collect only data that is adequate, relevant, and limited to what is necessary for the purposes described in this policy.

3.1 All Users (Registration)

Data	Purpose
Full name	Identity verification and display
Email address	Authentication, notifications, correspondence
Password (hashed)	Account security — never stored in plain text
Phone number	M-Pesa payment processing, SMS notifications
Role	Access control and dashboard routing

3.2 Tenants (Additional Data)

Data	Purpose
National ID number	Identity verification for lease agreements
Emergency contact name & phone	Safety and welfare purposes
Assigned unit and estate	Service delivery
Monthly rent amount	Payment processing and records
Lease agreement details	Contractual obligation (Growth plan and above)

3.3 Transaction Data

Data	Purpose
M-Pesa transaction reference	Payment verification and reconciliation
Payment amount & timestamp	Financial records and audit trail
STK push phone number	Initiating mobile money payment requests

Sensitive data: We do not collect sensitive personal data as defined under Section 2 of the Data Protection Act, 2019 (such as health data, biometrics, or ethnic origin) unless expressly required and consented to. National ID numbers are collected solely for identity verification during onboarding.

Section 04

Legal Basis for Processing

Under Section 30 of the Data Protection Act, 2019, we must identify a lawful basis before processing personal data. We rely on the following:

Legal Basis	Processing Activity
Performance of a Contract (S.30(b))	Creating and managing tenancy records, executing lease agreements, processing rent payments
Legal Obligation (S.30(c))	Retaining financial and transaction records for tax and regulatory purposes (KRA, CBK)
Legitimate Interests (S.30(e))	Platform security, fraud prevention, maintenance and complaint routing, notifications
Consent (S.30(a))	Optional marketing communications and service improvement surveys

Section 05

How We Use Your Personal Data

We use your data strictly for the purposes for which it was collected:

Registering and maintaining your account on the Platform
Matching tenants to units and estates
Processing rent payments via Safaricom M-Pesa (STK push and paybill)
Generating and storing digital lease agreements
Routing maintenance complaints to the appropriate staff or manager
Sending in-platform and email notifications relevant to your role
Producing financial records and payment histories
Monitoring platform security and investigating potential breaches
Complying with legal and regulatory obligations under Kenyan law

We do not use your personal data for profiling, automated decision-making with legal effect, or targeted advertising. We do not sell, rent, or trade your personal data to third parties for commercial purposes.

Section 06

Sharing Your Personal Data

We share personal data only where necessary and under appropriate safeguards:

Third Party	Purpose
Safaricom (M-Pesa / Daraja API)	Processing rent payments. Phone number and payment amount are transmitted to initiate STK push requests. Safaricom processes this under their own privacy framework.
Supabase Inc.	Cloud database hosting and authentication. All user and transaction data is stored in Supabase-managed infrastructure. A Data Processing Agreement is in place.
Vercel Inc.	Hosting and serving the Meneja web application. Server logs may contain IP addresses and request metadata. A Data Processing Agreement is in place.
Law Enforcement / Regulatory Bodies	Where required by law or a valid court order (Kenya Police Service, ODPC, KRA). We will notify you where legally permissible.

6.1 Cross-Border Transfers

Supabase and Vercel are entities established outside Kenya. Data transfers to these processors are carried out under Section 48 of the Data Protection Act, 2019:

Both processors are subject to contractual data protection obligations equivalent to Kenyan law standards
Data Processing Agreements are in place with both processors
Both processors implement industry-standard security measures including encryption at rest and in transit

Section 07

Data Retention

We retain personal data for no longer than is necessary for the purpose for which it was collected, subject to applicable legal obligations.

Data Category	Retention Period
Active user account data	Duration of account + 12 months after closure
Tenant records (profile, lease, unit)	Duration of tenancy + 7 years (Kenyan tax law)
M-Pesa transaction records	7 years from transaction date
Maintenance & complaint records	3 years from resolution
Security and audit logs	12 months
Consent records	Duration of relationship + 3 years
Deleted account data	Anonymised within 30 days, except where legal hold applies

Section 08

Your Rights as a Data Subject

Under Part IV of the Data Protection Act, 2019, you have the following rights in respect of your personal data held by Meneja:

Right	What It Means
Right to be Informed	Know what data we hold, why, and how it is used. This policy fulfils that obligation.
Right to Access	Request a copy of your personal data. We respond within 7 days, free of charge.
Right to Rectification	Request correction of inaccurate or incomplete data.
Right to Erasure	Request deletion where we no longer have a lawful basis. We respond within 14 days. Financial and lease records may be retained to comply with legal obligations.
Right to Object	Object to processing based on legitimate interests or for direct marketing.
Right to Data Portability	Request your data in a machine-readable format within 30 days.
Right to Withdraw Consent	Withdraw consent at any time without affecting prior processing.
Right re: Automated Decisions	We do not make automated decisions with legal effect. Any such processing would require explicit consent.

How to Exercise Your Rights

Submit a written request to privacy@meneja.co.ke. Include your full name and the email address associated with your account. We may verify your identity before processing the request.

If you are dissatisfied with our response, you have the right to lodge a complaint with the ODPC at www.odpc.go.ke or call 0207801800.

Section 09

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or destruction:

All data in transit is encrypted using TLS 1.2 or higher
All data at rest is encrypted in Supabase's managed infrastructure
Authentication uses Supabase Auth with hashed password storage
Row-Level Security (RLS) policies ensure each user only accesses data relevant to their role
No direct client-side database access is permitted — all queries go through server-side admin clients

Data Breach Notification

In the event of a personal data breach, we will:

Notify the ODPC within 72 hours of becoming aware, under Section 43 of the Data Protection Act, 2019
Notify affected data subjects in writing within a reasonable period, describing the nature of the breach and steps taken
Document all breaches in an internal breach register

Section 10

Changes to This Policy

We may update this policy from time to time. Where changes are material, we will notify you by email or via a prominent notice on the Platform at least 14 days before the changes take effect. The version number and effective date will always reflect the current version.

Continued use of the Platform after the effective date of an updated policy constitutes acceptance of the revised terms.

Questions about this policy?

Email us at privacy@meneja.co.ke or read our Cookie Policy and Terms & Conditions.

Section 01

Who We Are

In this policy, “Meneja”, “we”, “us”, and “our” refer to Meneja Billing. “Platform” refers to the Meneja web and mobile application and its associated APIs.

Data Protection Contact

For all privacy-related queries, requests, and complaints: privacy@meneja.co.ke

Section 02

Scope of This Policy

This policy applies to all individuals who interact with the Meneja Platform, including:

Property owners and investors who list and manage estates
Property managers assigned to oversee estates on behalf of owners
Maintenance staff assigned to service and resolve work orders
Tenants who occupy units managed through the Platform
Visitors to our website who have not yet registered

This policy governs how we collect, use, store, share, and protect personal data, and explains your rights as a data subject under Kenyan law.

Section 03

What Personal Data We Collect

We collect only data that is adequate, relevant, and limited to what is necessary for the purposes described in this policy.

3.1 All Users (Registration)

Data	Purpose
Full name	Identity verification and display
Email address	Authentication, notifications, correspondence
Password (hashed)	Account security — never stored in plain text
Phone number	M-Pesa payment processing, SMS notifications
Role	Access control and dashboard routing

3.2 Tenants (Additional Data)

Data	Purpose
National ID number	Identity verification for lease agreements
Emergency contact name & phone	Safety and welfare purposes
Assigned unit and estate	Service delivery
Monthly rent amount	Payment processing and records
Lease agreement details	Contractual obligation (Growth plan and above)

3.3 Transaction Data

Data	Purpose
M-Pesa transaction reference	Payment verification and reconciliation
Payment amount & timestamp	Financial records and audit trail
STK push phone number	Initiating mobile money payment requests

Section 04

Legal Basis for Processing

Under Section 30 of the Data Protection Act, 2019, we must identify a lawful basis before processing personal data. We rely on the following:

Legal Basis	Processing Activity
Performance of a Contract (S.30(b))	Creating and managing tenancy records, executing lease agreements, processing rent payments
Legal Obligation (S.30(c))	Retaining financial and transaction records for tax and regulatory purposes (KRA, CBK)
Legitimate Interests (S.30(e))	Platform security, fraud prevention, maintenance and complaint routing, notifications
Consent (S.30(a))	Optional marketing communications and service improvement surveys

Section 05

How We Use Your Personal Data

We use your data strictly for the purposes for which it was collected:

Registering and maintaining your account on the Platform
Matching tenants to units and estates
Processing rent payments via Safaricom M-Pesa (STK push and paybill)
Generating and storing digital lease agreements
Routing maintenance complaints to the appropriate staff or manager
Sending in-platform and email notifications relevant to your role
Producing financial records and payment histories
Monitoring platform security and investigating potential breaches
Complying with legal and regulatory obligations under Kenyan law

Section 06

Sharing Your Personal Data

We share personal data only where necessary and under appropriate safeguards:

Third Party	Purpose
Safaricom (M-Pesa / Daraja API)	Processing rent payments. Phone number and payment amount are transmitted to initiate STK push requests. Safaricom processes this under their own privacy framework.
Supabase Inc.	Cloud database hosting and authentication. All user and transaction data is stored in Supabase-managed infrastructure. A Data Processing Agreement is in place.
Vercel Inc.	Hosting and serving the Meneja web application. Server logs may contain IP addresses and request metadata. A Data Processing Agreement is in place.
Law Enforcement / Regulatory Bodies	Where required by law or a valid court order (Kenya Police Service, ODPC, KRA). We will notify you where legally permissible.

6.1 Cross-Border Transfers

Supabase and Vercel are entities established outside Kenya. Data transfers to these processors are carried out under Section 48 of the Data Protection Act, 2019:

Both processors are subject to contractual data protection obligations equivalent to Kenyan law standards
Data Processing Agreements are in place with both processors
Both processors implement industry-standard security measures including encryption at rest and in transit

Section 07

Data Retention

We retain personal data for no longer than is necessary for the purpose for which it was collected, subject to applicable legal obligations.

Data Category	Retention Period
Active user account data	Duration of account + 12 months after closure
Tenant records (profile, lease, unit)	Duration of tenancy + 7 years (Kenyan tax law)
M-Pesa transaction records	7 years from transaction date
Maintenance & complaint records	3 years from resolution
Security and audit logs	12 months
Consent records	Duration of relationship + 3 years
Deleted account data	Anonymised within 30 days, except where legal hold applies

Section 08

Your Rights as a Data Subject

Under Part IV of the Data Protection Act, 2019, you have the following rights in respect of your personal data held by Meneja:

Right	What It Means
Right to be Informed	Know what data we hold, why, and how it is used. This policy fulfils that obligation.
Right to Access	Request a copy of your personal data. We respond within 7 days, free of charge.
Right to Rectification	Request correction of inaccurate or incomplete data.
Right to Erasure	Request deletion where we no longer have a lawful basis. We respond within 14 days. Financial and lease records may be retained to comply with legal obligations.
Right to Object	Object to processing based on legitimate interests or for direct marketing.
Right to Data Portability	Request your data in a machine-readable format within 30 days.
Right to Withdraw Consent	Withdraw consent at any time without affecting prior processing.
Right re: Automated Decisions	We do not make automated decisions with legal effect. Any such processing would require explicit consent.

How to Exercise Your Rights

Submit a written request to privacy@meneja.co.ke. Include your full name and the email address associated with your account. We may verify your identity before processing the request.

If you are dissatisfied with our response, you have the right to lodge a complaint with the ODPC at www.odpc.go.ke or call 0207801800.

Section 09

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or destruction:

All data in transit is encrypted using TLS 1.2 or higher
All data at rest is encrypted in Supabase's managed infrastructure
Authentication uses Supabase Auth with hashed password storage
Row-Level Security (RLS) policies ensure each user only accesses data relevant to their role
No direct client-side database access is permitted — all queries go through server-side admin clients

Data Breach Notification

In the event of a personal data breach, we will:

Notify the ODPC within 72 hours of becoming aware, under Section 43 of the Data Protection Act, 2019
Notify affected data subjects in writing within a reasonable period, describing the nature of the breach and steps taken
Document all breaches in an internal breach register

Section 10

Changes to This Policy

Continued use of the Platform after the effective date of an updated policy constitutes acceptance of the revised terms.

Questions about this policy?

Email us at privacy@meneja.co.ke or read our Cookie Policy and Terms & Conditions.

How we handle your data

Who We Are

Scope of This Policy

What Personal Data We Collect

3.1 All Users (Registration)

3.2 Tenants (Additional Data)

3.3 Transaction Data

Legal Basis for Processing

How We Use Your Personal Data

Data Retention

Your Rights as a Data Subject

How to Exercise Your Rights

Data Security

Data Breach Notification

Changes to This Policy

How we handle your data

Who We Are

Scope of This Policy

What Personal Data We Collect

3.1 All Users (Registration)

3.2 Tenants (Additional Data)

3.3 Transaction Data

Legal Basis for Processing

How We Use Your Personal Data

Data Retention

Your Rights as a Data Subject

How to Exercise Your Rights

Data Security

Data Breach Notification

Changes to This Policy