Privacy Policy
Effective Date: 10 April 2026 · Version 1.0
This policy complies with the Kenya Data Protection Act, 2019 (No. 24 of 2019).
1. Data Controller
CounselConnect ("we", "us", "our") is the data controller responsible for your personal data collected through the CounselConnect platform and related services.
Data Protection Officer (DPO)
Email: privacy@counselconnect.co.ke
Our registration with the Office of the Data Protection Commissioner (ODPC) is in process. This section will be updated with our registration number upon issuance.
2. Data We Collect
We collect the following categories of personal data:
2.1 Identity Data
Full name, LSK registration number, firm name, location, admission year, profile photograph, biography, headline, website URL, social media links (LinkedIn, Twitter/X, TikTok, YouTube), scheduling integration URL, and public profile slug.
2.2 Professional Data
Education history, work experience, professional skills, practice areas, services offered with rates, reputation score, job completion count, average ratings, review text, and contact vouches.
2.3 Contact Data
Email address, phone number (including M-Pesa registered number where applicable).
2.4 Financial & Transaction Data
Paystack payment tokens (we do not store credit/debit card numbers or M-Pesa PINs), M-Pesa transaction reference codes, billing history, subscription plan and status, ad wallet balance and transaction history, affiliate earnings and commission records, mentorship booking fees and payout records, event registration payments, fundraiser and condolence contribution records.
2.5 Content Data
All content you create or submit, including: text posts, articles, questions, answers, gig listings, condolence posts, fundraiser posts, polls (including your poll responses), event listings, milestone announcements, marketplace listings, mentorship posts, comments, direct messages, message attachments (images, documents), group posts, and channel posts.
2.6 Engagement Data
Reactions (like, celebrate, support, insightful, curious), shares, saves/bookmarks, profile views, post views, poll responses, skill endorsements given and received, contact vouches/ratings, job ratings and reviews, mentorship session ratings and reviews.
2.7 Usage & Technical Data
Pages visited, features used, IP address, device type and information, browser type and version, operating system, search queries, feed interactions, notification preferences, login timestamps, session duration.
2.8 Verification Data
LSK verification results received from the Law Society of Kenya API (advocate name, registration status, firm, location, photograph), KYC status (Unverified, Active, Inactive, Suspended).
2.9 Communication Data
Support tickets (content, priority, status), ticket attachments, internal support notes, customer service correspondence.
2.10 Tracking & Analytics Data
Cookies, advertising impression and click tracking data, affiliate link click data (IP address hash, user agent fingerprint, referring URL), referral attribution data, campaign parameters.
2.11 Community Data
Group memberships, group roles (owner, admin, moderator, member), channel follows, channel moderator status, channel bans.
2.12 Gazette & Fee Calculator Data
Gazette watchlist keywords, gazette hit notification records, gazette scan results, fee calculation parameters and history.
2.13 AI Chat & Case Briefs Data
We collect the following data in connection with our AI-powered services:
- Chat queries and conversation history submitted to the AI Chat Service at chat.counselconnect.co.ke;
- Search queries and case brief views on the Case Briefs Service at cases.counselconnect.co.ke;
- Usage metrics (queries per month, features used) for subscription limit enforcement;
- AI responses generated (for quality improvement and safety monitoring).
How We Use AI Data
- To generate AI responses and case briefs;
- To monitor and enforce subscription usage limits;
- To improve AI accuracy and response quality through anonymised analytics;
- AI queries are processed by third-party AI providers; no personally identifiable information is included in AI prompts.
Data Retention for AI Services
- Conversation logs: retained for 90 days, then automatically deleted;
- Search queries: retained for 30 days;
- Usage counts: retained for the duration of your subscription.
3. Legal Basis for Processing
Under the Kenya Data Protection Act, 2019, we process your personal data on the following legal bases:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Account creation and management, payment processing, subscription management, service delivery (jobs, mentorship, events, marketplace), communications necessary for service provision. |
| Legitimate Interest | Platform improvement and analytics, fraud prevention and security, feed algorithm optimisation, content recommendations, enforcing our Terms of Service, internal reporting, ensuring network integrity. |
| Consent | Marketing communications, non-essential cookies and tracking, sharing data with third-party advertisers (aggregated), affiliate cookie placement, WhatsApp notifications. |
| Legal Obligation | Tax record retention, responding to court orders and legal process, regulatory reporting, compliance with the Data Protection Act 2019, anti-money laundering obligations. |
4. How We Use Your Data
We use your personal data for the following purposes:
- Service Provision: To operate the Platform, manage your account, process transactions, deliver features, and enable interactions between Members.
- Identity Verification: To verify advocate credentials through the LSK API and maintain KYC status.
- Payment Processing: To process subscription payments, mentorship fees, event registrations, ad wallet top-ups, affiliate payouts, and refunds through Paystack.
- Communication: To send you service-related notifications (email, SMS, WhatsApp, in-app), support correspondence, and account alerts.
- Content Delivery: To power the algorithmic feed, trending content, search results, connection suggestions, and content recommendations based on your interests, connections, and engagement.
- Gazette Monitoring: To scan gazette content against your watchlist keywords and deliver hit notifications.
- Fee Calculations: To compute indicative legal fee estimates based on the parameters you provide.
- Advertising: To serve targeted advertisements, track ad performance (impressions, clicks, conversions), and provide advertisers with aggregated analytics. We do not share your personal data directly with advertisers.
- Affiliate Tracking: To track referrals, attribute conversions, calculate commissions, and process affiliate payouts.
- Analytics & Improvement: To understand how the Platform is used, improve features, fix bugs, and develop new services.
- Fraud Prevention & Security: To detect, prevent, and investigate fraudulent activity, security threats, abuse, and violations of our Terms of Service.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
5. Data Sharing & Disclosure
We share your personal data with the following categories of recipients:
5.1 Other Members
Your profile information, posts, comments, and other Content are visible to other Members according to your privacy settings and the visibility level you choose (public, connections only, followers only, group, or channel).
5.2 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Paystack | Payment processing | Payment details, transaction amounts, email |
| Supabase | Database hosting & authentication | All account and content data |
| Upstash | Redis caching & rate limiting | User IDs, session data, cached content |
| Resend | Email delivery | Email address, notification content |
| Law Society of Kenya | Advocate verification | LSK registration number |
5.3 Advertisers
We provide advertisers with aggregated, anonymised analytics (impression counts, click rates, demographic breakdowns). We do not share your personal data directly with advertisers.
5.4 Affiliates
Affiliates receive limited referral data (referral status, conversion status) necessary for commission tracking. Affiliates do not receive your personal contact information.
5.5 Law Enforcement & Legal Process
We may disclose your personal data when required by law, regulation, legal process, or governmental request, including: court orders, subpoenas, regulatory investigations, and requests from the ODPC. We may also disclose data where we believe it is necessary to prevent fraud, protect the safety of any person, or enforce our Terms of Service.
5.6 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and the choices available to you.
5.7 With Your Consent
We may share your personal data with other third parties where you have given your express consent.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, as outlined below:
| Data Category | Retention Period |
|---|---|
| Active account data | Duration of active membership |
| Deleted account data | 90 days after account closure, then permanently deleted (except where legal holds apply) |
| Messages & conversations | Retained during active membership; deleted per conversation lifecycle and account closure |
| Financial & transaction records | 7 years (Kenya Income Tax Act compliance) |
| Messaging audit logs | 2 years |
| Support tickets | 3 years after resolution |
| Gazette data | Indefinite (public records) |
| Agreement acceptance records | Indefinite (legal compliance) |
| Advertising analytics | 2 years |
| Affiliate tracking data | Duration of affiliate relationship plus 1 year |
When personal data is no longer required, it is securely deleted or anonymised so that you can no longer be identified from it.
7. Your Rights Under the Data Protection Act, 2019
As a data subject under the Kenya DPA 2019, you have the following rights:
| Right | Description |
|---|---|
| Right of Access | You may request a copy of the personal data we hold about you. |
| Right to Rectification | You may request correction of inaccurate or incomplete personal data. You can also update most information directly through your account settings. |
| Right to Erasure | You may request deletion of your personal data, subject to exceptions for legal obligations, defence of legal claims, and public interest. Also known as the "right to be forgotten". |
| Right to Restrict Processing | You may request that we limit how we process your personal data in certain circumstances. |
| Right to Data Portability | You may request your personal data in a structured, commonly used, machine-readable format, and have it transmitted to another data controller. |
| Right to Object | You may object to processing based on legitimate interests, including profiling and direct marketing. |
| Right to Withdraw Consent | Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal. |
| Right Not to Be Subject to Automated Decisions | You may request human review of decisions made solely through automated processing that significantly affect you. |
How to Exercise Your Rights
To exercise any of these rights:
- Email our Data Protection Officer at privacy@counselconnect.co.ke;
- Use the privacy settings in your account dashboard;
- Submit a support ticket through the Platform.
We will respond to your request within thirty (30) days. We may request additional information to verify your identity before processing your request. If we are unable to fulfil your request, we will explain the reasons.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Data stored in our databases is encrypted at rest.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis.
- Audit logging: Access to sensitive data is logged and monitored, including message deletion audit trails.
- Payment security: Payment processing is handled by Paystack, which is PCI-DSS compliant. We do not store credit card numbers or M-Pesa PINs.
- Rate limiting: API rate limiting to prevent abuse and brute-force attacks.
- Input validation: All user input is validated and sanitised to prevent injection attacks.
Data Breach Notification
In the event of a personal data breach that poses a real risk of harm to data subjects, we will:
- Notify the Office of the Data Protection Commissioner (ODPC) within seventy-two (72) hours of becoming aware of the breach, as required by the DPA 2019;
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
- Document the breach, its effects, and the remedial measures taken.
9. Cross-Border Data Transfers
Some of our service providers process data outside of Kenya. In accordance with Section 48-50 of the DPA 2019, we ensure that adequate safeguards are in place for all cross-border transfers, including:
- Verifying that the recipient country provides adequate data protection;
- Implementing standard contractual clauses or equivalent safeguards where the recipient country does not provide adequate protection;
- Ensuring that our service providers are contractually bound to process personal data only in accordance with our instructions and applicable data protection laws.
Our primary service providers and their data processing locations are disclosed in Section 5.2. You may contact our DPO for further details on the safeguards applied to specific transfers.
11. Children's Privacy
The Platform is not directed at, and is not intended for use by, anyone under the age of eighteen (18). We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such data promptly. If you believe that a child under 18 has provided us with personal data, please contact our DPO at privacy@counselconnect.co.ke.
12. Automated Decision-Making
We use automated processing in the following areas:
- Feed Algorithm: Your feed content is ordered by an algorithm that considers engagement signals, recency, your connections, topics you follow, and your past interactions. This does not produce legal effects but affects which content you see first.
- Ad Targeting: Advertisements are targeted based on your profile data, interests, location, and engagement patterns. You see ads that the algorithm determines are most relevant to you.
- Content Recommendations: Job, mentorship, connection, and content suggestions are generated by algorithms based on your profile and activity data.
- Fraud Detection: We use automated tools to detect suspicious activity, including unusual login patterns, payment anomalies, and platform abuse.
- Gazette Matching: Gazette hits are determined by automated keyword matching with confidence scoring.
You have the right to request human review of any automated decision that significantly affects you. Contact our DPO to exercise this right.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. For material changes, we will provide notice through the Platform, email, or other reasonable means at least thirty (30) days before the changes take effect.
We maintain versioned records of this policy. The "Effective Date" at the top indicates when the current version took effect. Previous versions are available upon request.
14. Contact & Complaints
Data Protection Officer
Email: privacy@counselconnect.co.ke
Subject line: "Data Protection Request"
Office of the Data Protection Commissioner (ODPC)
If you are not satisfied with our response to your data protection request, you have the right to lodge a complaint with the ODPC:
Office of the Data Protection Commissioner
Immaculate Conception Catholic Church, Norfolk Towers, 5th Floor
Kijabe Street, Nairobi
P.O. Box 2440-00100, Nairobi, Kenya
Email: complaints@odpc.go.ke
General Support
For non-privacy-related enquiries, please use the in-app support system or email support@counselconnect.co.ke.