1. Data We Collect
For Landlords & Property Managers:
- Legal Name, National ID/Passport Number, KRA PIN
- Business Registration Certificate (if applicable)
- Email address and phone number
- Payout Credentials: M-PESA phone number, Paybill number + account reference, Till number, or Bank account details
- Property addresses and unit details
- Transaction history and disbursement records
- Recipient Tokens: Auto-generated gateway references from our payment partners (stored encrypted)
For Tenants:
- Legal Name, National ID/Passport Number
- Phone number and email address
- Assigned property address and unit number
- Payment history: M-PESA transaction codes, amounts, timestamps
- Security Deposit Records: Deposit amount, date paid, escrow holding period, ledger tracking hashes, refund status, and any authorized deduction documentation
- Move-in/Move-out Documentation: Property condition photos/videos, inventory checklists, and inspection reports uploaded during tenancy start and end
- Communication with landlord/caretaker via platform
2. How We Collect Data
- Directly from you: When you register, update your profile, add properties, or configure payout settings
- Automatically via M-PESA webhooks: Transaction receipts, payment confirmations, and disbursement status
- From payment partners: Safaricom (Daraja API) and Paystack provide transaction verification data
3. Legal Basis for Processing (Kenya Data Protection Act, 2019)
- Performance of a Contract: We process your data to facilitate rent collection, deposit escrow, and disbursement as agreed
- Legitimate Interests: To prevent payment fraud, verify identities, resolve deposit disputes, and reconcile financial records
- Legal Obligation: To comply with anti-money laundering (AML) laws and financial record-keeping requirements
- Consent: For marketing communications (you may opt out anytime)
4. How We Use Your Data
- Process rent payments and disbursements to your designated payout method
- Hold and manage security deposits in escrow trust
- Process deposit refunds and authorized deductions
- Verify your identity before processing disbursements (KYC verification)
- Generate recipient tokens for automated payouts
- Send payment receipts, rent reminders, and disbursement confirmations
- Investigate and resolve payment and deposit disputes
- Comply with regulatory audits and law enforcement requests
- Improve our platform through analytics (anonymized data)
5. Data Sharing & Third Parties
Dominium does NOT sell your personal data to third parties. We share data only with essential service providers:
- Safaricom (M-PESA Daraja API): To process payments, verify transactions, and initiate disbursements. Shared data: phone numbers, amounts, transaction references.
- Paystack (or future licensed PSP partner): To route automated disbursements to landlords. Shared data: payout credentials (bank accounts, phone numbers, Paybill/Till details).
- Cloud Hosting Provider: Secure data storage (encrypted at rest).
- Email/SMS Providers: To send notifications and receipts. Shared data: email address, phone number, transaction summaries.
- Legal & Regulatory Authorities: Only when required by law or to investigate fraud.
Deposit Escrow Data: Security deposit records are held in a segregated trust database with enhanced encryption. Even Dominium support staff cannot access deposit transaction logs without 2FA authorization and a documented audit trail.
6. Data Storage & Retention
- Encryption: All sensitive data (payout credentials, IDs, KRA PINs, deposit records) is encrypted at rest using AES-256.
- Transmission Security: All data in transit uses TLS 1.3 encryption.
- Retention Periods:
  - Active account data: Retained indefinitely while your account is active
  - Transaction records (rent payments): 7 years (required by Kenyan tax law)
  - Security Deposit Data: Retained for 7 years after tenancy ends (required for dispute resolution and audit compliance). Escrow routing tokens and ledger hashes are encrypted continuously.
  - Payment logs & webhook responses: 90 days for dispute resolution
  - Deleted account data: Anonymized after 30 days; transaction and deposit records retained for 7 years
7. Your Rights Under Kenya Data Protection Act, 2019
- Right to Access: Request a copy of all personal data we hold about you (including deposit history)
- Right to Rectification: Correct inaccurate or incomplete data via your dashboard
- Right to Erasure ("Right to be Forgotten"): Request account deletion (provided all financial obligations and deposit disputes are settled)
- Right to Restrict Processing: Temporarily limit how we use your data
- Right to Data Portability: Export your data in a machine-readable format (CSV/JSON)
- Right to Object: Opt out of marketing communications or specific processing activities
To exercise any of these rights, email privacy@dominium.co.ke or use the "Request Data" feature in your dashboard.
8. Data Security Measures
- All passwords hashed using bcrypt (cost factor 10+)
- Database encrypted at rest (AES-256)
- API keys and secrets stored in environment variables, never in code
- Regular security audits and penetration testing
- Automated backups (daily) stored encrypted off-site
- Access logs maintained for all sensitive operations
- Two-factor authentication (2FA) available for admin accounts and deposit access
- Deposit data segregation: Escrow records stored in a physically separate database shard with enhanced access controls
9. Children's Privacy
Dominium does not knowingly collect data from persons under 18 years of age. If you believe a minor has provided us with personal data, contact us immediately to delete it.
10. International Data Transfers
All data is stored on servers located in Kenya. We do not transfer your personal data outside Kenya except:
- When required by our cloud infrastructure provider (which maintains data residency in Kenya)
- With your explicit consent
11. Breach Notification
In the event of a data breach affecting your personal information (including deposit records), we will notify you and the Office of the Data Protection Commissioner (ODPC) within 72 hours of detection, as required by Kenyan law.
12. Updates to This Privacy Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email and require your acceptance before continued use of the platform. The "Last Updated" date at the top indicates when changes were made.
13. Contact Information
Data Protection Officer (DPO): dpo@dominium.co.ke
Privacy Inquiries: privacy@dominium.co.ke
Deposit Disputes: disputes@dominium.co.ke
Office of the Data Protection Commissioner (ODPC): www.odpc.go.ke