Skip to main content
Zahara

Privacy Policy

Last updated: 28 March 2026

1. Who We Are

Zahara is operated from Nairobi, Kenya. We are the data controller responsible for your personal information.

Contact for data requests: privacy@gozahara.co

2. Data We Collect

  • Account data: name, email, phone number, date of birth
  • Profile data: education level, KCSE grades, German level, field of interest, personal story, career goals
  • Documents: uploaded files (certificates, letters), AI-generated documents
  • Payment data: M-Pesa phone number, transaction references (we do not store M-Pesa PINs)
  • Usage data: pages visited, features used, device type (via analytics cookies, with consent)

3. Why We Collect It

  • Service delivery: to generate personalised documents, match you with schools, and process payments
  • Service improvement: to understand how users interact with Zahara and improve features
  • Communication: to send receipts, document delivery emails, and service updates

We process your data under contractual necessity (service delivery) and legitimate interest (improvement). Analytics require your consent.

4. Where Your Data Lives

All personal data is stored in Supabase (EU Frankfurt, Germany). Your data never leaves the European Union. Our payment processor (IntaSend) operates under Kenyan data protection law.

5. Data Retention

We keep your data for as long as your account is active. When you request deletion, we soft-delete your account immediately and permanently erase all data after a 30-day grace period. This includes all profile data, generated documents, and uploaded files.

6. Your Rights

Under the Kenya Data Protection Act (KDPA) 2019 and the EU General Data Protection Regulation (GDPR), you have the right to:

  • Access your personal data
  • Correct inaccurate information
  • Delete your account and all associated data
  • Export your data in a portable format
  • Withdraw consent for analytics at any time
  • Object to processing based on legitimate interest

To exercise any of these rights, email privacy@gozahara.co or use the account settings page.

7. Data Sharing

We share data only with:

  • Supabase (EU Frankfurt) — database and file storage
  • Anthropic (Claude API) — AI document generation (prompts only, no stored PII)
  • IntaSend — M-Pesa payment processing
  • Resend — transactional email delivery

We do not sell, rent, or trade your personal data. User documents in the vault are private and never used for AI training or data enrichment.

8. Account Deletion

You can request account deletion from your account settings or by emailing us. Deletion cascades across all tables and storage with a 30-day grace period during which you can reactivate. After 30 days, all data is permanently erased.

9. Cookies

We use the following types of cookies:

  • Essential cookies: authentication session, CSRF protection. These are required and cannot be disabled.
  • Analytics cookies: PostHog (EU-hosted) for understanding usage patterns. Only loaded after you give consent.

You can manage your cookie preferences at any time using the cookie banner or your account settings.

10. Complaints

If you believe your data rights have been violated, you can lodge a complaint with:

  • Office of the Data Protection Commissioner (ODPC), Kenya — www.odpc.go.ke
  • Your local EU supervisory authority if you are based in the EU

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. The "last updated" date at the top reflects the most recent revision.