1. Introduction
At Thayu Labs Ltd (“we,” “us,” “our”), we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, share, store, and protect your information when you use our mobile applications and related services, including but not limited to: Sentii, Thimo, Nyimbo Cia Ngai, Muse, Resonance, and any future applications we may publish (collectively, the “Services”).
This Privacy Policy is designed to comply with the Kenya Data Protection Act, 2019, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the U.S. Children’s Online Privacy Protection Act (COPPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), the UK Data Protection Act 2018, and the requirements of the Apple App Store and Google Play Store.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Full name, email address, phone number, username, and password when you register for an account.
- Profile Information: Profile photo, biography, preferences, and other information you choose to provide.
- Payment Information: Billing details and payment method information. For in-app purchases through Apple or Google, payment processing is handled by the respective store and we do not receive or store your full payment card details.
- User Content: Posts, comments, reviews, photos, videos, messages, and other content you create or share through our Services.
- Communications: Inquiries, feedback, support requests, and other messages you send to us.
2.2 Information Collected Automatically
- Device Information: Device type, operating system and version, device identifiers (e.g., IDFA, GAID, Android ID), hardware model, screen resolution, and language settings.
- Usage Data: Pages and screens viewed, features used, actions taken, session duration, timestamps, referring URLs, and interaction patterns.
- Log Data: IP address, browser type, access times, crash logs, error reports, and diagnostic data.
- Location Data: Approximate location derived from IP address. We do not collect precise GPS location unless you explicitly grant permission, which you may revoke at any time through your device settings.
- Cookies & Similar Technologies: Where our Services include web-based components, we may use cookies, pixels, and similar tracking technologies. See Section 7 for details.
2.3 Information from Third-Party Sources
- Social Login: If you sign in using a third-party service (e.g., Google, Apple, Facebook), we may receive your name, email address, and profile picture as permitted by that service.
- Analytics & Advertising Partners: We may receive aggregated or de-identified data from our analytics and advertising partners.
3. How We Use Your Information
We process your information for the following purposes and corresponding legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and operate the Services | Contractual necessity |
| Create and manage your account | Contractual necessity |
| Process payments and subscriptions | Contractual necessity |
| Communicate with you (alerts, updates, support) | Legitimate interest / Consent |
| Analyse usage patterns and improve our Services | Legitimate interest |
| Personalise your experience and content | Legitimate interest / Consent |
| Display advertisements | Consent / Legitimate interest |
| Detect fraud, prevent abuse, and ensure security | Legitimate interest / Legal obligation |
| Comply with legal obligations | Legal obligation |
| Enforce our Terms of Service | Legitimate interest |
4. Advertising
Some of our Services display advertisements provided by third-party ad networks. These networks may use device identifiers, usage data, and other information to serve personalised ads. Our advertising partners may include:
- Google AdMob
- Facebook Audience Network
- Other ad networks as disclosed within each app
Your Choices: You can opt out of personalised advertising by adjusting your device settings:
- iOS: Settings > Privacy & Security > Tracking > disable “Allow Apps to Request to Track.”
- Android: Settings > Google > Ads > Opt out of Ads Personalisation.
Where required by law (including under GDPR and Apple’s App Tracking Transparency framework), we will request your consent before enabling personalised advertising or cross-app tracking.
5. Data Sharing & Third-Party Services
We do not sell your personal information. We may share your data in the following limited circumstances:
- Service Providers: We share data with trusted third-party service providers who process it on our behalf, including:
  - Firebase (Google) — authentication, database, analytics, crash reporting, and cloud messaging
  - Payment processors (e.g., M-Pesa, Stripe) — transaction processing
  - Ad networks (e.g., Google AdMob) — advertising services
  - Analytics providers (e.g., Crashlytics, Mixpanel, Amplitude) — app performance and usage analytics
  - Cloud hosting providers — data storage and infrastructure
- Legal Compliance: We may disclose your information where required by law, regulation, legal process, or governmental request.
- Safety & Rights: We may disclose information to protect the rights, property, or safety of Thayu Labs Ltd, our users, or the public.
- Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.
All service providers are contractually obligated to protect your data and use it only for the purposes we specify.
6. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including countries that may not provide the same level of data protection. Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or other regions with data transfer restrictions, we implement appropriate safeguards, including:
- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Your explicit consent where required
Firebase and Google services may process data in data centres located globally. For more information on Google’s data processing practices, visit Google’s privacy policy.
7. Cookies & Tracking Technologies
Our mobile apps and any associated web services may use the following technologies:
- SDKs (Software Development Kits): Firebase SDK, analytics SDKs, and advertising SDKs embedded in our apps may collect device identifiers, usage data, and performance metrics.
- Cookies: Used in web-based portions of our Services for session management, preferences, and analytics.
- Pixels / Web Beacons: May be used in emails or web pages to track engagement.
You can manage cookie preferences through your browser settings and tracking preferences through your device settings (see Section 4).
8. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes described in this Privacy Policy and to comply with our legal obligations:
- Account data: Retained while your account is active. After deletion, personal data is purged within 30 days, except where retention is required by law.
- Transaction records: Retained for 7 years for financial and legal compliance.
- Communication logs: Retained for 90 days for quality assurance and dispute resolution.
- Usage and analytics data: Retained for 120 days for analytics and service improvement, then anonymised or deleted.
- Notification logs: Retained for 90 days.
- User Content: Removed within 30 days of account deletion or content removal, except where shared with third parties or required for legal purposes.
9. Data Security
We implement industry-standard technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, alteration, or destruction. These measures include encryption of data in transit (TLS/SSL) and at rest, access controls, regular security assessments, and secure development practices.
While we strive to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
10. Children’s Privacy
We take children’s privacy seriously and comply with the U.S. Children’s Online Privacy Protection Act (COPPA), the EU GDPR provisions regarding children’s data (Article 8), and the UK Age Appropriate Design Code.
- Under 13: We do not knowingly collect personal information from children under 13 without verifiable parental consent. If we learn that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly.
- Ages 13–17: Certain features may require parental consent. We limit data collection from minors to what is necessary to provide the Services.
- Parental Rights: Parents or guardians may contact us at thayulabs@gmail.com to: (a) review the personal information collected from their child; (b) request corrections; (c) request deletion; or (d) withdraw consent for further collection or use.
11. Your Rights Under the Kenya Data Protection Act, 2019
If you are a Kenyan resident, you have the following rights under the Data Protection Act, 2019:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data.
- Right to data portability — request your data in a structured, machine-readable format.
- Right to object — object to the processing of your data for certain purposes.
- Right to withdraw consent — withdraw consent for data processing at any time.
To exercise these rights, contact us at thayulabs@gmail.com. You may also lodge a complaint with the Office of the Data Protection Commissioner of Kenya at www.odpc.go.ke.
12. Your Rights Under the GDPR (EU/EEA/UK Users)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure / “right to be forgotten” (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object to processing (Article 21)
- Right not to be subject to automated decision-making (Article 22)
- Right to withdraw consent at any time (Article 7)
Legal Bases for Processing: We process your data based on: (a) your consent; (b) the performance of a contract with you; (c) our legitimate interests (e.g., fraud prevention, service improvement); or (d) compliance with legal obligations. See the table in Section 3 for specific legal bases per purpose.
EU Representative: As a small business, we are currently in the process of appointing an EU representative. In the meantime, please direct any inquiries to thayulabs@gmail.com.
Data Protection Officer: For data protection inquiries, please contact us at thayulabs@gmail.com.
You may lodge a complaint with your local supervisory authority. A list of EU Data Protection Authorities is available at edpb.europa.eu.
13. Your Rights Under the CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes of processing, and the categories of third parties with whom we share your data.
- Right to Delete: You may request the deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out: You have the right to opt out of the “sale” or “sharing” of your personal information. While we do not sell personal information for monetary consideration, certain data sharing with advertising partners may constitute a “sale” or “sharing” under CCPA. You may opt out by adjusting your device’s ad tracking settings or by contacting us.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
Categories of Personal Information Collected: Identifiers (name, email, phone, IP address, device IDs); internet or electronic network activity (usage data, browsing history within our apps); geolocation data (approximate); commercial information (purchase and subscription history); and inferences drawn from the above.
To exercise your rights, email us at thayulabs@gmail.com or use the in-app privacy settings where available. We will verify your identity before processing your request.
14. Users in Other Jurisdictions
Brazil (LGPD): If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados, including the right to access, correct, delete, and port your data. Contact us at thayulabs@gmail.com to exercise these rights.
Other Jurisdictions: We respect the privacy rights granted to you by the laws of your country of residence. If you have questions about your specific rights, please contact us.
15. Apple App Tracking Transparency (ATT)
On iOS 14.5 and later, we comply with Apple’s App Tracking Transparency framework. Before tracking your activity across apps and websites owned by other companies for advertising or sharing your data with data brokers, we will present the ATT prompt requesting your permission. You may change your preference at any time in Settings > Privacy & Security > Tracking.
If you opt out of tracking, we will not use your IDFA (Identifier for Advertisers) and will limit ad personalisation accordingly.
16. “Do Not Track” Signals
Some web browsers transmit “Do Not Track” (DNT) signals. At this time, there is no universally accepted standard for how to respond to DNT signals. However, where required by law (such as under the Global Privacy Control standard recognised by the CCPA), we will honour such signals as opt-out requests for the sale or sharing of personal information.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by posting the updated policy within our apps and, where practicable, by sending a notification at least 30 days before the changes take effect. The “Last Updated” date will be revised. Your continued use of the Services after the updated Privacy Policy takes effect constitutes your acceptance of the changes.
18. Contact Us
Thayu Labs Ltd
P.O. Box 6367–00100 GPO, Nairobi, Kenya
Email: thayulabs@gmail.com
For privacy-specific inquiries, please use the subject line “Privacy Inquiry” in your email.
For complaints under the Kenya Data Protection Act, you may contact the Office of the Data Protection Commissioner at www.odpc.go.ke.