Privacy Policy

Effective Date: 10 April 2026 · Version 1.0

This policy complies with the Kenya Data Protection Act, 2019 (No. 24 of 2019).

1. Data Controller

CounselConnect ("we", "us", "our") is the data controller responsible for your personal data collected through the CounselConnect platform and related services.

Data Protection Officer (DPO)

Email: privacy@counselconnect.co.ke

Our registration with the Office of the Data Protection Commissioner (ODPC) is in process. This section will be updated with our registration number upon issuance.

2. Data We Collect

We collect the following categories of personal data:

2.1 Identity Data

Full name, LSK registration number, firm name, location, admission year, profile photograph, biography, headline, website URL, social media links (LinkedIn, Twitter/X, TikTok, YouTube), scheduling integration URL, and public profile slug.

2.2 Professional Data

Education history, work experience, professional skills, practice areas, services offered with rates, reputation score, job completion count, average ratings, review text, and contact vouches.

2.3 Contact Data

Email address, phone number (including M-Pesa registered number where applicable).

2.4 Financial & Transaction Data

Paystack payment tokens (we do not store credit/debit card numbers or M-Pesa PINs), M-Pesa transaction reference codes, billing history, subscription plan and status, ad wallet balance and transaction history, affiliate earnings and commission records, mentorship booking fees and payout records, event registration payments, fundraiser and condolence contribution records.

2.5 Content Data

All content you create or submit, including: text posts, articles, questions, answers, gig listings, condolence posts, fundraiser posts, polls (including your poll responses), event listings, milestone announcements, marketplace listings, mentorship posts, comments, direct messages, message attachments (images, documents), group posts, and channel posts.

2.6 Engagement Data

Reactions (like, celebrate, support, insightful, curious), shares, saves/bookmarks, profile views, post views, poll responses, skill endorsements given and received, contact vouches/ratings, job ratings and reviews, mentorship session ratings and reviews.

2.7 Usage & Technical Data

Pages visited, features used, IP address, device type and information, browser type and version, operating system, search queries, feed interactions, notification preferences, login timestamps, session duration.

2.8 Verification Data

LSK verification results received from the Law Society of Kenya API (advocate name, registration status, firm, location, photograph), KYC status (Unverified, Active, Inactive, Suspended).

2.9 Communication Data

Support tickets (content, priority, status), ticket attachments, internal support notes, customer service correspondence.

2.10 Tracking & Analytics Data

Cookies, advertising impression and click tracking data, affiliate link click data (IP address hash, user agent fingerprint, referring URL), referral attribution data, campaign parameters.

2.11 Community Data

Group memberships, group roles (owner, admin, moderator, member), channel follows, channel moderator status, channel bans.

2.12 Gazette & Fee Calculator Data

Gazette watchlist keywords, gazette hit notification records, gazette scan results, fee calculation parameters and history.

2.13 AI Chat & Case Briefs Data

We collect the following data in connection with our AI-powered services:

  • Chat queries and conversation history submitted to the AI Chat Service at chat.counselconnect.co.ke;
  • Search queries and case brief views on the Case Briefs Service at cases.counselconnect.co.ke;
  • Usage metrics (queries per month, features used) for subscription limit enforcement;
  • AI responses generated (for quality improvement and safety monitoring).

How We Use AI Data

  • To generate AI responses and case briefs;
  • To monitor and enforce subscription usage limits;
  • To improve AI accuracy and response quality through anonymised analytics;
  • AI queries are processed by third-party AI providers; no personally identifiable information is included in AI prompts.

Data Retention for AI Services

  • Conversation logs: retained for 90 days, then automatically deleted;
  • Search queries: retained for 30 days;
  • Usage counts: retained for the duration of your subscription.

4. How We Use Your Data

We use your personal data for the following purposes:

  • Service Provision: To operate the Platform, manage your account, process transactions, deliver features, and enable interactions between Members.
  • Identity Verification: To verify advocate credentials through the LSK API and maintain KYC status.
  • Payment Processing: To process subscription payments, mentorship fees, event registrations, ad wallet top-ups, affiliate payouts, and refunds through Paystack.
  • Communication: To send you service-related notifications (email, SMS, WhatsApp, in-app), support correspondence, and account alerts.
  • Content Delivery: To power the algorithmic feed, trending content, search results, connection suggestions, and content recommendations based on your interests, connections, and engagement.
  • Gazette Monitoring: To scan gazette content against your watchlist keywords and deliver hit notifications.
  • Fee Calculations: To compute indicative legal fee estimates based on the parameters you provide.
  • Advertising: To serve targeted advertisements, track ad performance (impressions, clicks, conversions), and provide advertisers with aggregated analytics. We do not share your personal data directly with advertisers.
  • Affiliate Tracking: To track referrals, attribute conversions, calculate commissions, and process affiliate payouts.
  • Analytics & Improvement: To understand how the Platform is used, improve features, fix bugs, and develop new services.
  • Fraud Prevention & Security: To detect, prevent, and investigate fraudulent activity, security threats, abuse, and violations of our Terms of Service.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

5. Data Sharing & Disclosure

We share your personal data with the following categories of recipients:

5.1 Other Members

Your profile information, posts, comments, and other Content are visible to other Members according to your privacy settings and the visibility level you choose (public, connections only, followers only, group, or channel).

5.2 Service Providers

ProviderPurposeData Shared
PaystackPayment processingPayment details, transaction amounts, email
SupabaseDatabase hosting & authenticationAll account and content data
UpstashRedis caching & rate limitingUser IDs, session data, cached content
ResendEmail deliveryEmail address, notification content
Law Society of KenyaAdvocate verificationLSK registration number

5.3 Advertisers

We provide advertisers with aggregated, anonymised analytics (impression counts, click rates, demographic breakdowns). We do not share your personal data directly with advertisers.

5.4 Affiliates

Affiliates receive limited referral data (referral status, conversion status) necessary for commission tracking. Affiliates do not receive your personal contact information.

5.5 Law Enforcement & Legal Process

We may disclose your personal data when required by law, regulation, legal process, or governmental request, including: court orders, subpoenas, regulatory investigations, and requests from the ODPC. We may also disclose data where we believe it is necessary to prevent fraud, protect the safety of any person, or enforce our Terms of Service.

5.6 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and the choices available to you.

5.7 With Your Consent

We may share your personal data with other third parties where you have given your express consent.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, as outlined below:

Data CategoryRetention Period
Active account dataDuration of active membership
Deleted account data90 days after account closure, then permanently deleted (except where legal holds apply)
Messages & conversationsRetained during active membership; deleted per conversation lifecycle and account closure
Financial & transaction records7 years (Kenya Income Tax Act compliance)
Messaging audit logs2 years
Support tickets3 years after resolution
Gazette dataIndefinite (public records)
Agreement acceptance recordsIndefinite (legal compliance)
Advertising analytics2 years
Affiliate tracking dataDuration of affiliate relationship plus 1 year

When personal data is no longer required, it is securely deleted or anonymised so that you can no longer be identified from it.

7. Your Rights Under the Data Protection Act, 2019

As a data subject under the Kenya DPA 2019, you have the following rights:

RightDescription
Right of AccessYou may request a copy of the personal data we hold about you.
Right to RectificationYou may request correction of inaccurate or incomplete personal data. You can also update most information directly through your account settings.
Right to ErasureYou may request deletion of your personal data, subject to exceptions for legal obligations, defence of legal claims, and public interest. Also known as the "right to be forgotten".
Right to Restrict ProcessingYou may request that we limit how we process your personal data in certain circumstances.
Right to Data PortabilityYou may request your personal data in a structured, commonly used, machine-readable format, and have it transmitted to another data controller.
Right to ObjectYou may object to processing based on legitimate interests, including profiling and direct marketing.
Right to Withdraw ConsentWhere processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right Not to Be Subject to Automated DecisionsYou may request human review of decisions made solely through automated processing that significantly affect you.

How to Exercise Your Rights

To exercise any of these rights:

  • Email our Data Protection Officer at privacy@counselconnect.co.ke;
  • Use the privacy settings in your account dashboard;
  • Submit a support ticket through the Platform.

We will respond to your request within thirty (30) days. We may request additional information to verify your identity before processing your request. If we are unable to fulfil your request, we will explain the reasons.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
  • Encryption at rest: Data stored in our databases is encrypted at rest.
  • Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis.
  • Audit logging: Access to sensitive data is logged and monitored, including message deletion audit trails.
  • Payment security: Payment processing is handled by Paystack, which is PCI-DSS compliant. We do not store credit card numbers or M-Pesa PINs.
  • Rate limiting: API rate limiting to prevent abuse and brute-force attacks.
  • Input validation: All user input is validated and sanitised to prevent injection attacks.

Data Breach Notification

In the event of a personal data breach that poses a real risk of harm to data subjects, we will:

  • Notify the Office of the Data Protection Commissioner (ODPC) within seventy-two (72) hours of becoming aware of the breach, as required by the DPA 2019;
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
  • Document the breach, its effects, and the remedial measures taken.

9. Cross-Border Data Transfers

Some of our service providers process data outside of Kenya. In accordance with Section 48-50 of the DPA 2019, we ensure that adequate safeguards are in place for all cross-border transfers, including:

  • Verifying that the recipient country provides adequate data protection;
  • Implementing standard contractual clauses or equivalent safeguards where the recipient country does not provide adequate protection;
  • Ensuring that our service providers are contractually bound to process personal data only in accordance with our instructions and applicable data protection laws.

Our primary service providers and their data processing locations are disclosed in Section 5.2. You may contact our DPO for further details on the safeguards applied to specific transfers.

10. Cookies & Tracking Technologies

We use cookies and similar tracking technologies as follows:

TypePurposeConsent Required
Essential / Session CookiesAuthentication, session management, security. Required for the Platform to function.No (strictly necessary)
Preference CookiesRemembering your settings, language, theme (dark/light mode).No (functionality)
Analytics CookiesUnderstanding how the Platform is used, page views, feature usage, performance monitoring.Yes
Advertising CookiesAd targeting, impression tracking, click tracking, frequency capping, conversion measurement.Yes
Affiliate Tracking CookiesTracking referrals from affiliate links, attributing conversions. Includes IP address hash and user agent fingerprint.Yes

Managing Cookies

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Platform. For consent-based cookies, you may withdraw consent at any time through your account privacy settings.

11. Children's Privacy

The Platform is not directed at, and is not intended for use by, anyone under the age of eighteen (18). We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe that a child under 18 has provided us with personal data, please contact our DPO at privacy@counselconnect.co.ke.

12. Automated Decision-Making

We use automated processing in the following areas:

  • Feed Algorithm: Your feed content is ordered by an algorithm that considers engagement signals, recency, your connections, topics you follow, and your past interactions. This does not produce legal effects but affects which content you see first.
  • Ad Targeting: Advertisements are targeted based on your profile data, interests, location, and engagement patterns. You see ads that the algorithm determines are most relevant to you.
  • Content Recommendations: Job, mentorship, connection, and content suggestions are generated by algorithms based on your profile and activity data.
  • Fraud Detection: We use automated tools to detect suspicious activity, including unusual login patterns, payment anomalies, and platform abuse.
  • Gazette Matching: Gazette hits are determined by automated keyword matching with confidence scoring.

You have the right to request human review of any automated decision that significantly affects you. Contact our DPO to exercise this right.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. For material changes, we will provide notice through the Platform, email, or other reasonable means at least thirty (30) days before the changes take effect.

We maintain versioned records of this policy. The "Effective Date" at the top indicates when the current version took effect. Previous versions are available upon request.

14. Contact & Complaints

Data Protection Officer

Email: privacy@counselconnect.co.ke

Subject line: "Data Protection Request"

Office of the Data Protection Commissioner (ODPC)

If you are not satisfied with our response to your data protection request, you have the right to lodge a complaint with the ODPC:

Office of the Data Protection Commissioner

Immaculate Conception Catholic Church, Norfolk Towers, 5th Floor

Kijabe Street, Nairobi

P.O. Box 2440-00100, Nairobi, Kenya

Email: complaints@odpc.go.ke

General Support

For non-privacy-related enquiries, please use the in-app support system or email support@counselconnect.co.ke.

Related Policies