Privacy Policy
Effective Date: February 9, 2026
Important: Family Roots is committed to protecting your privacy and ensuring you
have a positive experience on our platform. This Privacy Policy outlines how we collect, use,
disclose, and safeguard your information in compliance with the Kenya Data Protection Act (KDPA)
2019 and international data protection standards.
1. Introduction and Scope
Family Roots ("we," "our," or "us") is a genealogy platform that enables users to create, manage, and
share family trees. This Privacy Policy applies to all personal data processed through our website,
mobile applications, and related services.
We comply with the Kenya Data Protection Act (KDPA) 2019, the General Data Protection
Regulation (GDPR), and other applicable data protection laws. Our Data Protection Officer can be
contacted at dpo@familyroots.co.ke.
2. Data Controller and Processor Information
Data Controller
Generations Registry
Kenya
Email: privacy@familyroots.co.ke
Phone: +254 (0) XXX XXX XXX
Data Protection Officer
For data protection inquiries, contact our DPO at dpo@familyroots.co.ke
3. Personal Data We Collect
We collect personal data that you voluntarily provide and data collected automatically:
A. Information You Provide
- Account Registration: Name, email address, phone number, date of birth, and
password
- Profile Information: Profile picture, biographical details, location, and social
media links
- Family Tree Data: Names, dates of birth, death dates, relationships, photographs,
and biographical information about family members
- Documents: Family records, certificates, historical documents, and images you
upload
- Payment Information: Payment method details (processed through secure third-party
processors; we do not store credit card data)
- Communications: Messages, support inquiries, feedback, and correspondence with our
team
B. Information Collected Automatically
- Device Information: Device type, operating system, browser type, and device
identifiers
- Usage Data: IP address, pages visited, time spent, clicks, and interaction patterns
(via cookies and analytics)
- Location Data: General geographic location (country/region level, not precise GPS)
- Log Data: Server logs recording access times, URLs, and error messages
4. Legal Basis for Processing Data (KDPA Compliance)
Under the Kenya Data Protection Act, we process your personal data based on:
- Consent: You have explicitly consented to processing (e.g., account creation,
newsletter subscription)
- Contract: Processing is necessary to perform our services and terms of use
- Legal Obligation: We are required by law to process data (e.g., anti-money
laundering compliance)
- Vital Interests: Processing protects your vital interests or rights
- Legitimate Interest: We have a legitimate business interest that does not override
your rights
5. How We Use Your Data
We use your personal data for the following purposes:
- Creating and maintaining your account
- Providing and improving our genealogy services
- Processing token purchases and payments
- Sending transactional emails (account confirmations, password resets)
- Responding to support inquiries
- Personalizing your experience and content recommendations
- Conducting analytics and improving platform security
- Detecting and preventing fraud, abuse, and unauthorized access
- Complying with legal obligations and resolving disputes
- Marketing communications (only with your opt-in consent)
6. Data Sharing and Disclosure
We do not sell your personal data to third parties. However, we may share data with:
A. Service Providers
- Payment Processors: For secure transaction processing (e.g., M-Pesa integration)
- Cloud Hosting: Infrastructure providers for data storage and backup
- Analytics Services: To understand usage patterns and improve services
- Support Services: Customer service platforms for handling inquiries
B. Legal Requirements
We may disclose data when required by:
- Court orders or judicial proceedings
- Law enforcement agencies in Kenya or internationally
- Regulatory authorities and government bodies
- Prevention of fraud, security threats, or illegal activities
C. Business Transfers
If Family Roots undergoes a merger, acquisition, or asset sale, your data may be transferred as part of
the transaction. We will notify you of any such change.
7. Data Retention
We retain your personal data for as long as necessary to provide services and comply with legal
obligations:
- Active Accounts: Retained while your account is active
- Inactive Accounts: Retained for 12 months after last login, then securely deleted
- Payment Records: Retained for 7 years (as per financial regulations)
- Support Communications: Retained for 3 years
- Marketing Data: Retained until you unsubscribe
You may request deletion of your data at any time, subject to legal requirements.
8. Data Subject Rights (KDPA Rights)
Under the Kenya Data Protection Act, you have the following rights:
A. Right to Access
You can request a copy of all personal data we hold about you. Submit requests to
dpo@familyroots.co.ke.
B. Right to Rectification
You can correct inaccurate or incomplete personal data. Update your profile or contact us for assistance.
C. Right to Erasure
You can request deletion of your personal data, subject to legal retention requirements. We will process
deletion requests within 30 days.
D. Right to Data Portability
You can request your data in a machine-readable format and transfer it to another service. We will
provide data exports within 15 business days.
E. Right to Object
You can object to processing of your data for marketing, analytics, or other purposes (except where
necessary for contractual or legal obligations).
F. Right to Restrict Processing
You can request that we limit how we use your data pending verification of the accuracy or legality of processing.
G. Right to Lodge a Complaint
You have the right to lodge a complaint with the Office of the Data Protection Commissioner
(ODPC) in Kenya if you believe your rights have been violated.
9. Data Security
We implement comprehensive security measures to protect your personal data:
- Encryption: SSL/TLS encryption for data in transit; AES-256 encryption for data at
rest
- Access Controls: Role-based access, password protection, and multi-factor
authentication
- Regular Audits: Security assessments, penetration testing, and vulnerability
scanning
- Employee Training: GDPR and KDPA compliance training for all staff
- Incident Response: Procedures for data breach detection and notification
- Backup Systems: Regular backups with secure recovery protocols
Important: No method of transmission is 100% secure. While we strive to protect your
data, we cannot guarantee absolute security.
10. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience:
A. Essential Cookies
Required for account functionality, authentication, and security.
B. Analytics Cookies
Track usage patterns and platform performance (Google Analytics, Mixpanel).
C. Marketing Cookies
Used for retargeting and personalized advertising (only with consent).
You can control cookies through your browser settings. Disabling cookies may limit some features.
11. Children's Privacy
Family Roots is not intended for children under 13. We do not knowingly collect data from children. If we
discover data from a child, we will delete it immediately. Parents/guardians concerned about data
collection should contact us at privacy@familyroots.co.ke.
12. International Data Transfers
We primarily store data in Kenya. However, we may transfer data internationally to service providers in
the EU, US, or other countries. All transfers comply with the KDPA and include appropriate safeguards
such as:
- Standard Contractual Clauses (SCCs)
- Binding Corporate Rules
- Adequacy decisions
13. Third-Party Links
Our platform may contain links to third-party websites. We are not responsible for their privacy
practices. Review their privacy policies before sharing personal information.
14. Data Breach Notification
In the event of a data breach affecting your personal data, we will:
- Notify you within 72 hours (as per KDPA requirements)
- Inform the Office of the Data Protection Commissioner
- Describe the nature of the breach and its likely impact
- Provide contact information and recommended protective measures
15. Changes to Privacy Policy
We may update this Privacy Policy periodically. Changes will be posted on this page with an updated
"Effective Date." Significant changes will be communicated via email. Continued use of the platform
constitutes acceptance of the updated policy.
16. Contact Us
For privacy-related inquiries, requests, or complaints, contact us:
Response times:
- General Inquiries: 5-7 business days
- Data Subject Requests: 15-30 calendar days (as per KDPA)
- Urgent Issues: 24-48 hours
17. Regulatory Compliance
This Privacy Policy ensures compliance with:
- Kenya Data Protection Act (KDPA) 2019
- General Data Protection Regulation (GDPR) - EU users
- Kenya Consumer Protection Act 2012
- Electronic Communications and Transactions Act (ECTA) 2021
Last Updated: February 9, 2026
For the most current version of this Privacy Policy, visit
https://www.app.familyroots.co.ke/privacy-policy