Legal

Privacy Policy

Effective date: 1 January 2025  ·  Last updated: March 2025  ·  Version 1.0

01

Who we are

HAPA ("we", "us", "our") is a live city discovery platform and a product of Cartlyf Technologies Limited, a technology company incorporated and operating in Kenya. Our registered address is Kitale, Kenya.

HAPA operates a mobile application and website (get-hapa.web.app) that connects people with venues and live events in their city. For the purposes of Kenya's Data Protection Act 2019 (DPA), Cartlyf Technologies Limited is the registered data controller for all Cartlyf products, including HAPA. Cartlyf holds active data protection certifications issued under the Kenya DPA, which apply to HAPA and all other products in the Cartlyf portfolio.

Cartlyf Technologies Limited is registered with Kenya's Office of the Data Protection Commissioner (ODPC) as a data controller and processor. This registration and its associated certifications cover all Cartlyf products, including HAPA.

02

What this policy covers

This Privacy Policy explains how HAPA collects, uses, stores, shares and protects your personal data when you:

  • Download and use the HAPA mobile application on iOS or Android
  • Visit our website at get-hapa.web.app or any associated domain
  • Register as a venue owner and use the Promote features of the app
  • Contact us for support or enquiries
  • Sign up to our mailing list or waitlist

This policy does not apply to third-party websites or services that may be linked from our platform. We encourage you to read the privacy policies of any external sites you visit.

03

Data we collect

We collect personal data in the following categories depending on how you use HAPA.

3.1 Data you give us directly

  • Phone number — collected when venue owners register and log in via OTP authentication. Required to create and access a venue owner account.
  • Email address — collected when you sign up to our waitlist, subscribe to updates, or make a payment. Also used for payment receipts from our payment processor.
  • Venue information — name, type, city/area, description and images that venue owners provide when setting up a venue profile.
  • Photos and videos ("vibes") — media content uploaded by venue owners through the app camera. This content is published on the platform and visible to all HAPA users.

3.2 Data we collect automatically

  • Location data — precise GPS coordinates collected when you grant location permission. Used to show venues near you and calculate travel times. We do not collect location data in the background when the app is closed.
  • Device information — device type, operating system version, app version, and unique device identifiers. Used for app performance and security.
  • Usage data — which screens you visit, how long you spend on them, which venues you view, posts you like, and features you use. Used to improve the app experience.
  • Anonymous authentication token — a randomly generated identifier assigned to explorers who browse without creating an account. This is not linked to your identity.

3.3 Data from third parties

  • Payment data — when you make a subscription or boost payment, our payment processor Paystack processes your payment details. We receive a transaction reference, payment status and the email you used. We do not receive or store your full card number or mobile money PIN.
  • Location place data — we use the Google Maps Platform API to provide venue search suggestions and directions. Location queries are processed according to Google's Privacy Policy.

04

How we use your data

We use your personal data only for the purposes described below. We do not sell your personal data to third parties. We do not use your data to serve you third-party advertisements.

  • To provide the HAPA service — showing you a live feed of nearby venues, enabling venue owners to post vibes, calculating distances and travel times, and providing venue search.
  • Account and authentication — verifying venue owner identity via OTP, maintaining your login session, and keeping your venue profile active.
  • Payments and billing — processing subscription payments and event boosts through Paystack, sending payment receipts, and managing your subscription status.
  • App performance and improvement — understanding how users navigate the app, identifying bugs and errors, and improving features based on usage patterns.
  • Safety and security — detecting and preventing fraud, unauthorised access, and misuse of the platform.
  • Communications — sending service-related notifications (e.g. subscription renewal reminders, payment confirmations). We only send marketing emails if you have opted in.
  • Legal compliance — meeting our obligations under applicable law, responding to lawful requests from authorities, and enforcing our Terms of Service.

We do not display third-party advertisements within the HAPA app or website. Our revenue comes from venue subscription plans and event boosts — not from advertising or selling your data.

05

Legal basis for processing

Under Kenya's DPA, we must have a lawful basis for processing your personal data. The bases we rely on are:

  • Contract — processing necessary to provide the service you have signed up for, including authentication, posting vibes, and managing subscriptions.
  • Consent — for location access (you grant this via your device's permission system), for marketing emails (you opt in explicitly), and for anonymous browsing.
  • Legitimate interests — for app analytics, security monitoring, and improving the service, where these interests are not overridden by your rights.
  • Legal obligation — where we are required to process data to comply with applicable law.

Where we rely on consent, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.

06

Who we share your data with

We share personal data only with the third parties described below. All third parties are required to handle your data securely and only for the purposes we specify.

  • Supabase — our cloud database and authentication provider. Your data is stored on Supabase's infrastructure. Supabase is based in the United States and processes data in accordance with its data processing agreement and GDPR-compatible safeguards.
  • Paystack — our payment processor for subscriptions and boosts. Paystack processes payment transactions and is subject to PCI DSS compliance. Paystack is a Nigerian company operating across Africa with data processing infrastructure in Nigeria.
  • Google LLC — for the Google Maps Platform API used in venue search and directions. Location queries are processed by Google in accordance with its Privacy Policy.
  • Twilio / SMS provider — for delivering one-time passcodes to venue owners during login. Your phone number is passed to the SMS provider for the sole purpose of delivering the code.
  • Law enforcement and regulators — where we are required by law, court order, or lawful authority to disclose your data. We will notify you where legally permitted to do so.

We do not share your data with advertisers, data brokers, or any party for the purpose of targeted advertising.

07

Cross-border data transfers

HAPA stores data on infrastructure provided by Supabase, which may be located outside Kenya. Under the Kenya DPA, we are permitted to transfer personal data outside Kenya where the receiving country has adequate data protection measures in place.

Cartlyf Technologies Limited maintains records of the legal basis, safeguards and justification for each cross-border data transfer as required under the Kenya DPA and Cartlyf's ODPC registration. Our primary cloud infrastructure uses Supabase and operates under GDPR-equivalent contractual protections.

By using HAPA, you consent to your personal data being transferred to and processed in countries outside your country of residence, including the United States, subject to appropriate safeguards.

08

Data retention

We keep your personal data only for as long as necessary for the purposes set out in this policy or as required by law.

  • Venue owner accounts — retained for as long as the account is active. If you delete your account, we delete your personal data within 30 days, except where we are required by law to retain it.
  • Vibe posts (photos/videos) — active posts are available in the feed on the day they are posted. Posts are archived after expiry and can be deleted by the venue owner at any time from the dashboard.
  • Payment records — transaction records are retained for 7 years as required for financial and tax compliance under Kenyan law.
  • Location data — precise location data is used in real time and is not stored persistently beyond the session.
  • Analytics data — aggregated and anonymised usage data may be retained indefinitely for product improvement purposes.
  • Mailing list data — retained until you unsubscribe or request deletion.

09

Your rights

Under Kenya's DPA, you have the following rights regarding your personal data. To exercise any of these rights, contact us at hapaapp.official@gmail.com.

  • Right of access — you have the right to request a copy of the personal data we hold about you.
  • Right to rectification — you have the right to request that we correct inaccurate or incomplete data.
  • Right to erasure — you have the right to request that we delete your personal data, subject to certain legal exceptions.
  • Right to object — you have the right to object to processing of your personal data, in particular for direct marketing purposes.
  • Right to restrict processing — you have the right to request that we restrict how we use your data in certain circumstances.
  • Right to data portability — you have the right to receive your personal data in a structured, machine-readable format.
  • Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting prior processing.

We will respond to all requests within 21 days in accordance with Kenya's DPA requirements. For complex requests, we may extend this by a further 14 days and will notify you accordingly.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant regulator:

  • Kenya — Office of the Data Protection Commissioner (ODPC). Website: odpc.go.ke

10

Children's privacy

HAPA is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13 years of age. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at hapaapp.official@gmail.com and we will delete that data promptly. You may also contact Cartlyf Technologies Limited directly at hapapp.official@gmail.com.

Venue owners must be at least 18 years of age to register a venue profile and make payments on the platform.

11

Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction or alteration. These measures include:

  • Encrypted data transmission using HTTPS/TLS for all data in transit
  • Supabase Row-Level Security (RLS) policies to ensure users can only access their own data
  • OTP-based authentication for venue owner accounts — no passwords stored
  • Paystack PCI DSS-compliant payment processing — we never store card or mobile money credentials
  • Regular security reviews of our backend infrastructure

No method of transmission or storage is 100% secure. If you become aware of any security issue, please report it immediately to hapapp.official@gmail.com. We will investigate all credible reports promptly.

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the relevant data protection authority and affected users without undue delay and within the timeframes required by applicable law.

12

Cookies and tracking

Our website (get-hapa.web.app) uses minimal cookies necessary for the site to function. We use:

  • Essential cookies — required for the website to work correctly, including session management. These cannot be disabled.
  • Analytics cookies — we may use privacy-respecting analytics to understand how visitors use our website. We do not use Google Analytics in a way that tracks individual users across sites.

The HAPA mobile application does not use browser cookies. App-level authentication tokens are stored securely in your device's secure storage (Expo SecureStore) and are not accessible to other apps.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of our website.

13

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Notify venue owners via the app or email of any significant changes
  • Where required by law, seek your consent for material changes to how we process your data

We encourage you to review this policy periodically. Continued use of HAPA after the effective date of a revised policy constitutes your acceptance of the changes.

14

Contact us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your data, please contact us using the details below.

General privacy enquiries
Security issues
Registered address: Cartlyf Technologies Limited, Kitale, Kenya
Response time: We aim to respond within 5 business days. Legal requests within 21 days.