Privacy Policy

Last updated: 9 July 2026

This policy explains how Mafichoni Limited ("Mafichoni", "we", "us"), a company registered in Kenya, collects, uses, and protects personal data when you use mafichoni.co.ke and the services on it - our consultancy website, the Mafichoni Academy, the member portal, and the talent marketplace. We process personal data in accordance with the Kenya Data Protection Act, 2019 and its regulations.

1. Data we collect

We collect only what each feature needs to work:

  • Account data. When you create an account: your email address, password (stored only as a secure hash by our authentication provider), and any profile details you add (full name, phone number, organization). If you sign in with Google, we receive your name and email address from Google; we never see your Google password.
  • Forms you submit. Contact requests (name, email, phone, organization, and your message), newsletter subscriptions (email), and resource download requests (name and email).
  • Learning data. Your course enrollments, lesson completion, quiz attempts and scores, and certificates earned.
  • Payment records. When you buy a course we record the amount, currency, payment method, status, and a transaction reference. We never receive or store your card number, M-Pesa PIN, or bank credentials - payments are processed directly by Safaricom (M-Pesa) or Paystack (cards).
  • Talent marketplace profiles. If you choose to join as talent: your headline, bio, skills, sectors, rates, experience, education, languages, links (portfolio, LinkedIn, CV), and country. You control this content, and it is only shown publicly after you submit it and our team vets it.
  • Gig and engagement data. Gigs you post as a client and engagement records for consulting work we do with you.
  • AI assistant conversations. Messages you send to our website concierge chat and inputs you provide to the AI skills-gap diagnostic are logged so we can provide the service and review its quality.
  • Usage analytics (no cookies, no tracking). We run our own first-party page-view counter. It stores the page path, the referring page, and a short technical hash that rotates every day and cannot identify you or follow you across days. We use no third-party analytics, no advertising trackers, and no cross-site cookies.

2. Cookies

We use only essential cookies: the session cookies our authentication provider (Supabase) sets to keep you signed in. There are no advertising, analytics, or third-party tracking cookies on this site. If you never sign in, browsing the site sets no identifying cookies at all.

3. How we use your data

  • To provide the services you asked for - your account, courses you enroll in, certificates, gigs, and engagements.
  • To respond to contact requests and provide quotes or proposals.
  • To process and confirm payments and send receipts.
  • To send the newsletter you subscribed to (you can unsubscribe at any time - see section 8).
  • To operate the AI features you choose to use (see section 5).
  • To understand which pages are read, using the cookieless analytics described above.
  • To keep the platform secure, prevent abuse, and comply with legal obligations.

We do not sell personal data, and we do not share it with anyone for advertising.

4. Certificates are publicly verifiable by design

When you complete a course, we issue a certificate with a permanent verification link so employers can confirm it is genuine. That public page shows only the name you set on your profile at the time of issue, the course title, your score, and the issue date - never your email or other account data. The link uses an unguessable identifier; only people you share it with can find it.

5. AI features and automated processing

The concierge chat, the AI skills-gap diagnostic, and gig-to-talent matching are powered by Anthropic's Claude models. The text you submit to these features (and, for matching, the skills listed in gigs and vetted talent profiles) is sent to Anthropic's API to generate the response. AI outputs are suggestions to help you navigate our services - gig matches are recommendations reviewed by people, and no decision with legal or similarly significant effect on you is made solely by automation.

6. Who processes data on our behalf

We use a small set of service providers, each only for the purpose stated: Supabase (database and authentication), Vercel (website hosting), Safaricom (M-Pesa payments), Paystack (card payments), Resend (transactional email such as receipts), Anthropic (AI features), and Google (only if you choose Google sign-in). Some of these providers store data on servers outside Kenya; where that happens, transfers are made with appropriate safeguards consistent with the Data Protection Act, 2019.

7. How long we keep data

Account, learning, and marketplace data is kept while your account is active. Payment records are kept as required for tax and accounting law. Contact requests and AI conversation logs are kept only as long as needed to handle them and review service quality. You can ask us to delete your account and associated data at any time (see section 8); we may retain what the law requires us to keep.

8. Your rights

Under the Kenya Data Protection Act, 2019 you have the right to:

  • be told what personal data of yours we hold and access a copy of it;
  • have inaccurate data corrected;
  • have your data deleted (subject to legal retention duties);
  • object to or restrict processing, including withdrawing newsletter consent at any time;
  • lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya.

To exercise any of these rights - including unsubscribing from the newsletter or deleting your account - email info@mafichoni.co.ke or use the contact form. We respond within the timelines the Act requires.

9. Security

All traffic to the site is encrypted (HTTPS, enforced). Access to personal data in our database is restricted by row-level security so users and staff can only read what their role permits. Passwords are hashed by our authentication provider and are never visible to us. Payment credentials never touch our servers.

10. Children

Our services are directed at professionals and organizations and are not intended for children. We do not knowingly collect personal data from anyone under 18; if you believe a child has provided us data, contact us and we will delete it.

11. Changes to this policy

If we change this policy we will update the date at the top of this page, and for material changes affecting signed-in users we will provide notice on the site. The current version always lives at this address.

12. Contact

Mafichoni Limited, Nairobi, Kenya · info@mafichoni.co.ke · mafichoni.co.ke/contact