Privacy Policy
Last updated: March 2026 · Vasty Rentals Ltd · Nairobi, Kenya
Formulated in compliance with the Kenya Data Protection Act, 2019 and the EU General Data Protection Regulation (GDPR) where applicable.
1. Introduction
Vasty Rentals Ltd, operating as Vasty Tenure ("we", "our", or "us"), is a property management and tenant verification platform serving landlords, property managers, and tenants across East Africa.
This Privacy Policy explains exactly what personal data we collect, why we collect it, how long we keep it, who we share it with, and the rights you have over your data. By registering on any Vasty Tenure platform you confirm that you have read and agreed to this policy.
2. Data We Collect
A. Account & Identity Data
- Full legal name, email address, phone number, password (hashed — never stored in plain text)
- Role (Tenant / Landlord / Property Manager)
- Profile picture (avatar) — optional
- Company or agency name — for landlords and property managers
- Date of birth — for tenants, used for KYC age verification
- Registration IP address and last login IP address
B. Identity Verification (KYC) Data
- Kenya National ID number and scanned copy
- Facial biometric data captured and processed by Didit Protocol (our third-party KYC provider)
- Liveness check result and face-match score (processed by Didit; Vasty does not store raw biometrics)
- KYC session ID and verification status
C. Property & Lease Data
- Property name, address, GPS coordinates, description, photos
- Unit details: number, type, rent amount, amenities
- Lease terms: start/end dates, rent amount, deposit, payment schedule
- Tenant application records
- Property ownership documents: Title Deed, Land Rates Clearance Certificate, Owner National ID
D. Financial & Payment Data
- Rent payment records: amount, date, method (M-Pesa / Paystack), status
- M-Pesa transaction IDs, phone numbers used for remittance, timestamps
- Paystack payment references and transaction metadata
- Arrears and outstanding balance records
- Landlord bank account details and Paystack subaccount codes (encrypted at rest)
- Mobile money provider and number (encrypted at rest)
E. Rental Certificate Data
- Certificate issue date, associated lease and property
- Payment receipt for certificate generation (Paystack)
- Certificate file stored on our servers
F. Technical & Usage Data
- Browser type, operating system, device type
- Session tokens and authentication cookies
- API request logs including timestamps and endpoints accessed
- Error logs and crash reports (via Sentry)
- Application performance metrics (anonymised)
3. Why We Collect It
| Data | Purpose | Legal Basis |
|---|---|---|
| Name, email, phone | Create and manage your account; send notifications | Contract performance |
| Password (hashed) | Authenticate your identity securely | Contract performance |
| National ID + biometrics | KYC verification to prevent fraud and build Trust Score | Consent + Legitimate interest |
| Payment records | Process rent, maintain ledger, generate receipts | Contract performance |
| Rental history | Build Vasty Trust Score; issue rental certificates | Consent |
| Property & lease data | Manage property portfolio and tenancy agreements | Contract performance |
| IP address & session logs | Security monitoring, fraud detection, legal compliance | Legitimate interest |
| Error & crash logs | Diagnose and fix platform issues | Legitimate interest |
| M-Pesa transaction data | Automated rent reconciliation | Contract performance + Consent |
| Bank/mobile money details | Disburse rent proceeds to landlords | Contract performance |
4. How Long We Store It
We retain personal data only for as long as necessary to fulfil the purpose it was collected for, or as required by Kenyan law (including the Kenya Revenue Authority's 7-year financial record requirement).
| Data Category | Retention Period |
|---|---|
| Account data (name, email, phone) | Duration of account + 2 years after deletion request |
| Financial & payment records | 7 years (Kenya Revenue Authority requirement) |
| KYC documents (ID copies) | 5 years after account closure |
| Biometric data (processed by Didit) | Not stored by Vasty — deleted by Didit per their policy after verification |
| Lease and tenancy records | 7 years after lease end date |
| Rental certificates | Indefinite (tenant may download at any time) |
| IP address & session logs | 90 days |
| Error and crash logs | 30 days |
| Property ownership documents | Duration of property listing + 2 years |
5. Who We Share It With
We do not sell your personal data to third parties. We share data only with the parties listed below, and only to the extent necessary:
- Identity verification (KYC). Receives National ID number and biometric data solely to perform verification. Does not retain data beyond its own retention policy.
- Payment processing for rent collection and rental certificate fees. Receives payment card/M-Pesa details to process transactions.
- SMS delivery for OTP login codes and payment notifications. Receives phone number and message content.
- Error monitoring. May receive anonymised stack traces and limited technical metadata. No personal identifiers are intentionally transmitted.
A tenant's name, Trust Score, KYC verification status, and rental history summary are visible to landlords reviewing a tenancy application. Raw ID documents are never shared.
A landlord's name, contact details, and property ownership verification status are visible to their current tenants.
We may disclose data when required by a valid court order, subpoena, or regulatory directive under Kenyan law.
6. Data Security
We apply industry-standard security controls including:
- All data in transit encrypted via TLS 1.2+
- Passwords hashed using bcrypt with a unique salt per user
- Sensitive fields (bank account numbers, mobile money numbers) encrypted at rest using AES-256
- JWT access tokens with short expiry; refresh tokens rotated on use
- Role-based access control: landlords cannot access other landlords' data; tenants cannot access other tenants' data
- IP-based fraud scoring and account freeze mechanisms
- Regular dependency audits and security patching
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware, as required by the Kenya Data Protection Act.
7. The Vasty Trust Score
The Vasty Trust Score is a proprietary metric calculated from a tenant's verified payment history, lease completion records, and KYC status on the Vasty platform. It is not a credit score and is not reported to any credit bureau.
By registering as a Tenant, you explicitly consent to the aggregation of your rental payment and lease data into a Trust Score that may be viewed by landlords when you apply to rent a property. You may withdraw consent at any time by contacting us — doing so will remove your Trust Score from landlord-facing views but will not delete the underlying payment records (which are retained for financial compliance reasons).
Vasty does not use automated decision-making that produces legal effects or similarly significant effects solely on the basis of the Trust Score. Landlords make their own tenancy decisions.
8. Your Rights
Under the Kenya Data Protection Act, 2019, and where the GDPR applies, you have the following rights. To exercise any of them, email privacy@vasty.ke with the subject line matching the right you are exercising. We will respond within 30 days.
Right to Access
Request a copy of all personal data we hold about you. We will provide this in a structured, machine-readable format.
Right to Rectification
Request correction of inaccurate or incomplete data. You can also update most information directly in your account settings.
Right to Erasure ("Right to be Forgotten")
Request deletion of your personal data. We will delete what we can; some data (e.g. financial records) must be retained by law and will be flagged accordingly.
Right to Data Portability
Request your data in a portable format (JSON/CSV) so you can transfer it to another service.
Right to Restrict Processing
Ask us to pause processing of your data while a dispute or complaint is being resolved.
Right to Object
Object to processing based on legitimate interest (e.g. fraud detection logging). We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on your consent (e.g. Trust Score aggregation), you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
Right to Lodge a Complaint
If you believe your data rights have been violated, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at odpc.go.ke.
9. Cookies
We use the following cookies:
- access_token — JWT access token for authenticated API requests. Expires after 1 hour.
- refresh_token — Used to issue a new access token without re-login. Expires after 7 days.
- user_type — Stores your role (TENANT/LANDLORD) for client-side routing. Expires after 7 days.
- user_data — Stores a minimal user profile object for UI personalisation. Expires after 7 days.
- theme — Stores your dark/light mode preference. Persistent.
We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will notify you by email and display a prominent notice in the application at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy. The "Last updated" date at the top of this page will always reflect the most recent revision.
11. Contact & Data Protection Officer
For any privacy-related enquiries, data subject requests, or to reach our Data Protection Officer:
Vasty Rentals Ltd — Data Protection Officer
📧 privacy@vasty.ke
📍 Nairobi, Kenya
To escalate a complaint to the regulator: Office of the Data Protection Commissioner (ODPC) — odpc.go.ke