Effective date: 1 January 2025 · Last updated: 30 June 2025 · Jurisdiction: Republic of Kenya
Reconrails Ltd ("we", "us", "our") operates reconrails.com and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our reconciliation platform. Please read this policy carefully.
1. Information We Collect
1.1 Information you provide directly
- Contact forms: First name, last name, email address, organisation, and message content when you submit an enquiry.
- Demo requests: Name, email, phone number, organisation type, daily transaction volume, payment rails used, and reconciliation challenges.
- Newsletter: Email address when you subscribe to our newsletter.
- Platform accounts: Login credentials (bcrypt-hashed), display name, and role assignment for platform users.
1.2 Information collected automatically
- IP address and approximate geolocation (country/city level)
- Browser type and version, operating system
- Pages visited, time on site, referral URL
- Server-side logs for security and abuse prevention
1.3 Transaction data (platform customers only)
If you are a paying customer, your organisation's transaction data is processed within our reconciliation engine. This data is isolated per tenant and never used for any purpose other than providing the reconciliation service. We do not access, analyse, or share your transaction data with third parties.
2. How We Use Your Information
- To respond to enquiries and schedule product demonstrations
- To send the Reconrails newsletter (only if you subscribed — unsubscribe any time)
- To provide, operate, and improve the Reconrails
- To detect, prevent, and investigate security incidents or abuse
- To comply with legal obligations under Kenyan law and applicable regulations
- To send transactional communications (service alerts, account notifications)
3. Legal Basis for Processing
We process your personal data under the following legal bases under the Kenya Data Protection Act (KDPA) 2019:
- Consent — for newsletter subscriptions and optional communications
- Contract — for processing data necessary to deliver the platform service
- Legitimate interest — for security, fraud prevention, and business operations
- Legal obligation — for regulatory reporting and audit requirements
4. Data Sharing and Disclosure
We do not sell your personal data. We may share information with:
- Service providers: Cloud infrastructure (encrypted at rest), email delivery, analytics — bound by data processing agreements
- Professional advisers: Lawyers, auditors, as required for legal and compliance purposes
- Law enforcement: Only when required by a valid court order or legal process under Kenyan or applicable law
- Business transfers: In the event of a merger or acquisition, personal data may be transferred — we will notify you
5. Data Retention
- Contact form submissions: 2 years
- Demo request records: 3 years
- Newsletter subscribers: Until unsubscribed + 1 year
- Platform transaction data: As required by your institution's regulatory obligations (typically 7 years)
- Security and access logs: 90 days
6. Data Security
We implement industry-standard safeguards including:
- AES-256 encryption at rest for all stored data
- TLS 1.3 for all data in transit
- Role-based access control (RBAC) limiting data access to authorised personnel
- Tamper-evident audit logging of all administrative actions
- Regular penetration testing and security audits
- SOC 2 Type II and ISO 27001 compliance programmes
7. Your Rights (Kenya Data Protection Act 2019)
You have the right to:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your personal data (subject to legal obligations)
- Restriction — limit how we process your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Withdraw consent — for processing based on consent (e.g., newsletter)
- Object — to processing based on legitimate interest
To exercise any right, email us at privacy@reconrails.com. We will respond within 30 days.
8. Cookies
Our marketing website uses minimal cookies: session cookies for form handling, and optionally analytics cookies if you consent. No cross-site tracking or advertising cookies are placed. You may disable cookies in your browser settings without affecting core website functionality.
9. Third-Party Links
Our website may contain links to third-party sites. This policy does not apply to those sites. We encourage you to review their privacy policies before providing personal information.
10. Children's Privacy
Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify registered users of material changes via email. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of our services after changes constitutes acceptance.
12. Contact Us
For privacy-related enquiries, to exercise your data rights, or to lodge a complaint:
- Email: privacy@reconrails.com
- Post: Reconrails Ltd, Data Protection Officer, Westlands Business Park, Nairobi, Kenya
- Regulator: Office of the Data Protection Commissioner, Kenya — odpc.go.ke