Skip to content
LeadAfrik

Legal

Privacy Policy

Last updated: 10 May 2026

Who we are

LeadAfrik Public Economics Hub (“LeadAfrik”, “we”) is a public-economics publication and education platform operated by Stephen Omukoko Okoth from Nairobi, Kenya. We are subject to the Kenya Data Protection Act, 2019 (DPA) and supervised by the Office of the Data Protection Commissioner (ODPC). For users in the EEA / UK, we observe the GDPR equivalent rights.

Contact for privacy matters: info@leadafrik.com.

What we collect

When you visit the site

  • Basic request data — IP address, user agent, referrer — collected by our hosting provider (Vercel) for security and abuse prevention
  • Anonymous analytics — page views, country, device class — via Vercel Analytics or Google Analytics if you have not opted out

When you create a learner account

  • Name, email address, and a hashed password (we never store passwords in plaintext)
  • The access code you redeem and its scope
  • Device fingerprint (user agent + IP at login) for the three-device-limit enforcement
  • Test attempts, scores, and certificates issued
  • Conversation transcripts with the AI tutor (used to deliver the service; not used for training)

When you submit an access or sales-leads form

  • Name, email, phone (optional), organisation, what you're trying to do, payment evidence you choose to share

Why we process it

  • To deliver the service you're paying for (legitimate interest / contract)
  • To issue and verify certificates (contract)
  • To enforce the access-code rules and prevent abuse (legitimate interest)
  • To send you transactional emails (codes, certificates, password resets) (contract)
  • To comply with our legal obligations (KRA tax records, ODPC compliance)

We do not sell your data, profile you for advertising, or share your data with third parties for marketing purposes.

Third parties that process data on our behalf

  • Vercel (USA) — hosting and analytics
  • Turso / libSQL (USA) — primary database
  • Google AI Studio / Gemini API (USA) — AI tutor responses; conversation content is sent to Google for processing only and is not used to train Google models per their API terms
  • SMTP provider — transactional email delivery

Cross-border data transfers from Kenya to these processors rely on the contractual safeguards required by section 48 of the DPA.

How long we keep your data

  • Learner accounts — until you delete them, or 24 months after your access code expires (whichever is sooner)
  • Test attempts and certificates — kept for as long as the certificate is verifiable (the public verification URL must continue to work)
  • AI tutor transcripts — purged after 12 months
  • Access requests + sales leads — kept for 24 months for tax and audit purposes, then deleted

Your rights under the Kenya DPA

  • Access — request a copy of what we hold about you
  • Correction — fix anything inaccurate
  • Erasure — delete your account and associated data (see /account when signed in, or email us)
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing for direct marketing
  • Complaint — lodge a complaint with the ODPC at odpc.go.ke

To exercise any of these, sign in to your account or email info@leadafrik.com. We respond within 14 days.

Cookies

We use a small number of cookies. A “necessary” cookie remembers your signed-in session (the JWT). Optional “analytics” cookies measure aggregate site usage. You can accept or decline the optional cookies via the banner shown on your first visit, and change your choice any time by clearing site data in your browser.

Security

Passwords are stored using the scrypt password-hashing function with per-user salt. Cookies are HTTP-only, secure-flagged, and SameSite=Lax. We use HTTPS throughout. Despite this, no system is perfectly secure — if you suspect a breach affecting your data, email info@leadafrik.com immediately.

Children

The service is intended for users aged 18 or older. If you are 13–17 you may use the service only with verifiable consent from a parent or guardian (DPA s.33). We do not knowingly process data of anyone under 13.

Changes

We may update this policy. Material changes will be announced on the site or by email.