Privacy at Yapa.
We hold information the way we hold trust — carefully, with intent, and only for as long as it serves the work. This policy is governed by the Kenya Data Protection Act, 2019.
01Who we are
Yapa is operated by Ony Group Ltd., a company registered in Nairobi, Kenya. We are the data controller for information collected through yapahub.com, the Yapa platform, and its surfaces — including, without limitation, Machant, Hapa Kule, and Kaya.
This policy applies across Ony Group Ltd., its subsidiaries, affiliates, related parties, and group companies who may process personal data in connection with Yapa. Where another Ony Group entity acts as a joint controller or processor, it does so under this policy and a written agreement aligned with the Kenya Data Protection Act, 2019 (the “DPA”) and the regulations made under it.
This policy describes what information we collect, how we use it, and the rights you have in relation to it. We have written it plainly because the relationship we want with you depends on you understanding it.
02What we collect
We collect personal data from the people who use Yapa and its surfaces — operators, account holders, visitors, and those who write to us. We collect only what we need to operate the platform, deliver the products you have asked for, and respond to the people who contact us. Where Ony Group affiliates participate in delivering a product, we may receive personal data from them, and they may receive it from us, under the safeguards described in this policy.
Information you give us
- Your name, email address, organization, and role — when you request access or write to us.
- The content of messages you send us through the contact form or by email.
- Account and transactional records once you use the platform — the details of commerce, experience, and wealth you choose to hold in Yapa.
Information we gather automatically
- Basic request logs: IP address, browser type, timestamps, pages visited. Kept for operational and security reasons.
- Anonymous, aggregate usage — so we understand which parts of the site people find useful. We do not use third-party advertising trackers.
03Why we collect it
Three reasons, no more:
- To provide the service — to run the platform you have chosen to use.
- To respond to you — when you write to us, we reply.
- To keep the system safe and functional — security, fraud prevention, and diagnostics.
04Legal basis
Under applicable data protection law (including the Kenya Data Protection Act, 2019 and regulations made under it), we rely on the following lawful bases:
- Contract — to provide the service you have asked us to provide.
- Legitimate interests — to operate, secure, and improve the platform, balanced against your rights.
- Consent — where you have given it, for example by writing to us.
- Legal obligation — where we are required to keep records by law.
06How long we keep it
As long as it serves the work, and no longer. In practice:
- Account and transactional data — for the life of your relationship with Yapa, plus the period required by law.
- Contact form messages — up to 24 months, unless we are in active conversation.
- Operational logs — up to 90 days, unless required for security investigation.
07Your rights
Depending on your jurisdiction, you have some or all of the following rights in relation to your personal data:
- Access — to know what we hold about you.
- Rectification — to correct inaccurate information.
- Erasure — to ask us to delete your data where appropriate.
- Portability — to receive your data in a structured format.
- Objection and restriction — to limit how we process your data.
- Withdrawal of consent — at any time, without affecting prior lawful processing.
To exercise any of these rights, or to lodge a concern, write to our Data Protection Officer at dpo@yapahub.com. We will respond within the timelines set by the DPA. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya.
08Security
We take security seriously because it is the precondition for trust. We use encryption in transit and at rest, role-based access controls, regular reviews, and a small team with narrow permissions. No system is perfect; we work to keep ours close to it.
09International transfers
Where we use service providers located outside Kenya, your information may be transferred across borders. Where required, we use standard contractual clauses and other appropriate safeguards to protect your data during transfer, in line with the Kenya Data Protection Act.
10Children
Yapa is not intended for people under 18. We do not knowingly collect personal information from children. If you believe a child has provided information to us, contact us and we will remove it.
11Changes to this policy
We may update this policy as the platform evolves. Material changes will be announced on this page and, where appropriate, by email. The effective date at the top of this document will always reflect the current version.
12How to reach us
For any question about this policy, any request related to your personal data, or any matter arising under the DPA — write to our Data Protection Officer:
Data Protection Officer
Ony Group Ltd. & affiliates
dpo@yapahub.com
The DPO is the primary contact for all privacy matters across Yapa, Ony Group, and its related entities. We read every message.
Questions are welcome.
Privacy is not a legal artifact to us. If something here is unclear, we would rather hear about it than leave it unread.