Legal

Privacy Policy

Last updated: 2026-05-06

1. Who we are

Ocality (“we”, “us”) connects home seekers in Kenya with verified estate agents. This policy explains what data we collect, why, and your rights under the Kenya Data Protection Act, 2019.

2. What we collect

From home seekers

  • Phone number (verified by SMS OTP), first and last name, optional email.
  • Property brief: areas of interest, intent (rent/buy), budget, bedrooms, urgency, optional notes.
  • Submission timestamps and the verification token issued at OTP success.

From agents

  • Display name, phone number (verified), preferred zones, FCM push token.
  • Token wallet balance and transaction history.
  • Lead acceptances, interactions logged on accepted leads, and ratings submitted.

3. How we use your information

  • To match home seekers with agents who cover the requested zones.
  • To send transactional SMS, push, and (where applicable) email notifications.
  • To enforce rate limits, detect abuse, and protect the integrity of the marketplace.
  • To compute pricing, run the agent token wallet, and prevent duplicate purchases.

4. For agents

Agents only see data necessary to evaluate and act on a lead. Before accepting a lead, agents see masked phone numbers, the lead area, property type, bedrooms, budget range, move-in urgency, the seeker’s name, and notes. The full phone number is unlocked only after the agent spends tokens to accept the lead, and we keep an audit trail of every accept and unlock.

FCM push tokens are stored solely to deliver agent-app notifications and are deleted on sign-out or account deletion. Token wallet records are retained as long as required by tax and accounting law.

5. Sharing with third parties

We do not sell your data. We share strictly on a need-to-know basis with:

  • Supabase (managed Postgres + auth) — primary data store.
  • An SMS provider for OTP delivery.
  • Sentry for error reporting (no PII payloads).
  • Vercel for hosting.

6. Your rights under Kenya DPA 2019

  • Right to access, rectify, or erase your data.
  • Right to object to processing or withdraw consent at any time.
  • Right to data portability for data you provided.
  • Right to lodge a complaint with the Office of the Data Protection Commissioner.

7. Retention

Lead briefs are retained while you remain matched. Verified accepted leads, token transactions, and ratings are kept for as long as required for service operation and legal compliance. You can request immediate deletion at any time.

8. Contact & deletion

To delete your data, visit /delete. For all other privacy queries, email us at privacy@ocality.app.