Est. 1952[MA1] 

PRIVACY POLICY

Sasini Mobile Application

Android (Google Play) | iOS (Apple App Store)

PREAMBLE & INTRODUCTION

Sasini PLC (“Sasini”, “we”, “our”, or “us”), a public listed company in Kenya established in 1952 and having its headquarters in Nairobi, is committed to protecting the privacy and personal data of every individual who uses the Sasini Mobile Application (“the App”). This Global Privacy Policy (“Policy”) governs the collection, use, storage, sharing, and deletion of personal data across all versions and features of the App, available on the Google Play Store (Android) and the Apple App Store (iOS).

This Policy is designed to comply with, and exceed the requirements of, the following regulatory frameworks:

• The Kenya Data Protection Act, 2019 (KDPA) and the Data Protection (General) Regulations, 2021
• Google Play Store Data Safety and Privacy Policy requirements
• Apple App Store App Privacy and Data Use requirements
• Any other applicable national or international data protection laws

By downloading, installing, registering for, or using the Sasini Mobile Application, you acknowledge that you have read, understood, and agree to the terms of this Privacy Policy. If you do not agree to any part of this Policy, you must discontinue use of the App immediately and may request deletion of your account and data as described in Section 9.

SECTION 1: IDENTITY OF THE DATA CONTROLLER

For the purposes of applicable data protection law, the data controller responsible for your personal data is:

Sasini PLC designates a Data Protection Officer (DPO) to oversee compliance with this Policy and applicable data protection legislation. Data protection queries, complaints, and subject access requests may be directed to the DPO at sasiniapp@sasini.co.ke with the subject line: “DATA PROTECTION REQUEST”.

SECTION 2: CATEGORIES OF PERSONAL DATA WE COLLECT

We collect the following categories of personal data depending on your user type and the features you use. We collect only what is necessary for the specific purpose described.

2.1 Identity & Registration Data

Collected from all users during registration and account creation:

• Full legal name
• Email address (primary account identifier and communication channel)
• Phone number
• Password (stored only as a salted cryptographic hash — never in plain text)
• Preferred language (English or Swahili)
• User type (Sasini Farmer or Guest/Buyer)
• Date of registration and account creation timestamp

2.2 Farmer-Specific Identity & Verification Data

Collected exclusively from users registering as Sasini Farmers. This data is required to validate the farmer’s identity against Sasini’s internal factory database:

• Sasini Farmer ID (official registration number issued by Sasini)
• National Identity Card (NIC) Number / National ID
• Unique Digital ID (UID) — generated and assigned by Sasini’s system upon verification
• Date of Birth (DOB)
• Gender
• Village of residence
• Buying Centre affiliation
• County of residence
• Sub-County of residence

2.3 Profile & Account Management Data

• Profile information maintained in ‘My Profile’ section
• Language preference settings
• App notification preferences
• Session identifiers and authentication tokens (time-limited, invalidated on logout or password change)

2.4 Agricultural & Transactional Data (Farmer Accounts Only)

The following data is generated by or associated with a farmer’s activity within the App, and is synchronized from Sasini’s systems:

• Produce delivery records: receipt numbers, delivery dates, produce weights (in kilograms), number of bags, delivery status (Pending / Approved), and unique digital receipt numbers
• Payment records: payment periods, total weight delivered per period, unit price per kilogram, gross earnings (‘Green Leaf Pay’), bank charges, deductions (fertilizer, farm inputs, tool credits from Agri Shop), and net income
• Farm input and Agri Shop order history: items ordered, quantities, unit prices in Kenyan Shillings (KES), and order status (Pending, Processing, Completed, Cancelled)
• Produce pickup requests: produce type, estimated weight, preferred collection date, pickup location, and request status (Requested / Accepted / Declined)
• Pest and disease reports: farm location, crop type affected (Tea, Coffee, Macadamia), pest type, severity level (Low, Medium, High, Extreme), symptom descriptions (up to 1,000 characters), and photographic evidence

2.5 AI Assistant Interaction Data

When you use the Sasini AI Assistant (the Digital Agronomist), the following data is processed:

• Text messages and queries you type into the AI chat interface
• Images you upload for crop diagnostics (transmitted via encrypted Base64 encoding)
• AI conversation session IDs and chat history (stored only while your account is active; permanently deleted on request or upon account deletion)
• Vector search embeddings generated from your query text for knowledge retrieval (not linked to PII)

2.6 Device & Technical Data

Automatically collected when you use the App:

• Device type, manufacturer, and model
• Operating system version (Android or iOS)
• App version number
• IP address (used for security logging and fraud prevention)
• Firebase installation ID and Firebase Cloud Messaging (FCM) token (for push notifications)
• Crash logs and error reports (via Firebase Crashlytics)
• App performance metrics and diagnostics (via Firebase Performance Monitoring)
• Session start and end timestamps
• Network type (Wi-Fi / mobile data)

2.7 Location Data

Location data is collected only when you use the Weather & Alerts module and only with your explicit permission:

• High-accuracy GPS coordinates (latitude and longitude) to provide micro-climate weather data and farm-specific alerts
• Movement detection data — if you move between farm plots, the App refreshes weather data for your new location. This data is processed locally on your device and is not stored on our servers beyond the active session

2.8 Photographic & Media Data

• Photos captured or uploaded for pest and disease reports — transmitted securely to Sasini’s agronomy team for analysis
• Photos submitted with produce pickup requests — used to verify produce readiness
• Images uploaded to the AI Assistant for crop diagnostics — processed by the Vision Inference Engine and not stored permanently after the session

2.9 Feedback & Ratings Data

When you submit feedback through the App:

• Star ratings (1-5 scale)
• Net Promoter Score (NPS) rating (1-10 scale)
• ‘Success Tags’ qualitative selections
• Written review text

Feedback data submitted through the in-app Feedback module is anonymized before being aggregated for operational analysis.

2.10 Communications Data

• Emails and support queries sent to sasiniapp@sasini.co.ke
• In-app support tickets or help requests

2.11 Data We Do NOT Collect

SECTION 3: HOW WE USE YOUR PERSONAL DATA (PURPOSES & LEGAL BASIS)

We only use your personal data for the purposes described below. For each purpose, we identify the applicable legal basis under the Kenya Data Protection Act 2019 together with the applicable Kenyan Laws.

SECTION 4: DATA SHARING & THIRD-PARTY PROCESSORS

We do not sell, lease, or trade your personal data to any third party. We do not share your data with advertisers or marketing companies. We do not use your data for targeted advertising. Your personal data is only shared in the limited circumstances described below, and always under strict data processing legislation.

4.1 Internal Sharing — Sasini ERP Systems

Farmer data is synchronized with Sasini’s internal factory servers and database systems to support delivery tracking, payment processing, and agronomy services. This is an internal transfer within the Sasini organization and is necessary for the App to function.

4.2 Third-Party Service Providers (Data Processors)

We use the following trusted third-party service providers who process data on our behalf, under contractual obligation to comply with data protection law:

4.3 Legal Disclosures

We may disclose your personal data to regulatory authorities, law enforcement agencies, or courts if required by applicable law, including the Kenya Data Protection Act, court orders, or other legal processes. We will notify you of such disclosures where legally permitted to do so.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of Sasini PLC or its assets, your personal data may be transferred to the relevant successor entity. You will be notified of such a transfer and any material changes to this Privacy Policy.

SECTION 5: DATA SECURITY & TECHNICAL SAFEGUARDS

Sasini implements a comprehensive, multi-layered security architecture to protect your personal data against unauthorized access, disclosure, alteration, or destruction. The following technical and organizational measures are in place:

5.1 Encryption

• Transport Layer Security: All data transmitted between the App and our servers is encrypted using industry-standard TLS 1.3. The backend scans for valid SSL/TLS 1.3 certificates on every connection initiation before any data is allowed to load.
• Database Encryption: All data stored in our backend databases is encrypted at rest using AES-256 encryption.
• Password Security: Passwords are never stored in plain text. All passwords are converted using a salted cryptographic hashing algorithm (bcrypt or equivalent), creating a one-way hash that renders stolen data useless even in the event of a breach.
• Image Transmission: Images uploaded for AI diagnostics or pest reports are transmitted via secure Base64 encoding over the encrypted TLS channel.

5.2 Authentication & Access Controls

• Multi-Factor Authentication (MFA): All users are required to verify their email address via a time-limited verification link containing a unique token generated via a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) before account activation.
• Password Complexity Requirements: Passwords must contain at least one uppercase letter, one lowercase letter, one numeric digit, and one special character (@, #, $, *). Minimum length requirements are enforced.
• Brute-Force Protection: After consecutive failed login attempts, the account is immediately locked and a secure password reset link is dispatched to the user’s registered email address. The user has one attempt to set a new password before further restrictions apply.
• Session Management: Authentication tokens are time-limited and are automatically invalidated upon logout or password change.
• Role-Based Access Control (RBAC): The App enforces strict RBAC to ensure users can only access modules and data appropriate to their verified user role (Farmer or Guest/Buyer).

5.3 Input Validation & Injection Prevention

• SQL Injection Prevention: All user inputs are sanitized using parameterized queries before being processed by the backend database, stripping any executable code.
• Spam Prevention for Email Verification: A 60-second mandatory cooldown is enforced between email verification resend requests to prevent server spamming.
• Idempotency Keys: Duplicate form submissions (e.g., multiple taps on ‘Submit’ due to network lag) are handled via Idempotency Keys, ensuring only one request is processed.

5.4 Data Integrity & System Reliability

• Zero-Cache Strategy for Financial Data: The Deliveries and Payments modules perform a fresh API call on every load to ensure financial data accuracy, preventing stale or cached data from being displayed.
• Finite State Machine (FSM) for Orders and Pickups: Orders and pickup requests follow strictly controlled state transitions (e.g., Pending → Processing → Completed), preventing unauthorized modification of records once they reach a locked state.
• Backed Cart Persistence: Shopping cart data is serialized to prevent data loss during connectivity interruptions.
• 31-Day Query Constraint: Delivery data queries are limited to 31-day windows to prevent server timeouts and ensure performance integrity.

5.5 Incident Response

In the event of a personal data breach, Sasini will notify affected users and the relevant supervisory authority (the Office of the Data Protection Commissioner of Kenya, and other applicable regulators) within the timeframes required by law, and no later than 72 hours of becoming aware of the breach where required by GDPR.

SECTION 6: DATA RETENTION POLICY

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following table outlines our retention periods by data category[MA4] :

After the applicable retention period, personal data is securely and permanently deleted or anonymized so that it can no longer be linked to an individual. Data retained for legal compliance purposes is not accessible to users and is stored in a restricted, encrypted environment.

SECTION 7: YOUR DATA SUBJECT RIGHTS

Subject to applicable law, you have the following rights with respect to your personal data. You can exercise any of these rights by contacting us at sasiniapp@sasini.co.ke. We will respond to all valid requests within 30 days.

7.1 Right of Access

You have the right to request a copy of all personal data we hold about you, the purposes for which it is being processed, the categories of data held, and the recipients to whom it has been disclosed.

7.2 Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You may update your profile information directly within the App via Settings > My Profile.

7.3 Right to Erasure (Right to be Forgotten)

You have the right to request the deletion of your personal data. We will honor all valid erasure requests subject to legal retention requirements. See Section 9 for full details on account and data deletion procedures.

7.4 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while a dispute about data accuracy is being resolved.

7.5 Right to Data Portability

Where technically feasible, you have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV).

7.6 Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

7.7 Right to Withdraw Consent

Where processing is based on your consent (e.g., location data for weather features), you may withdraw your consent at any time through your device settings without affecting the lawfulness of prior processing.

7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the relevant supervisory authority:

• Kenya: Office of the Data Protection Commissioner (ODPC) — www.odpc.go.ke

7.9 Deactivation vs. Deletion

You have two distinct options for managing your account:

• Account Deactivation: Temporarily pauses your account. Your data is retained and your account can be restored by contacting Sasini support. Navigate to: Settings > Deactivate Account.
• Account Deletion: A permanent, irreversible action that purges all personal data from our active systems. See Section 9 for the full deletion procedure.

SECTION 8: CHILDREN’S PRIVACY

If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete that data from our systems without delay. If you believe a minor has provided us with personal data, please contact us immediately at sasiniapp@sasini.co.ke.

SECTION 9: ACCOUNT DELETION & DATA DELETION POLICY

Sasini provides users with full control over their personal data, including the right to request permanent deletion of their account and all associated personal data. This section documents our deletion procedures in full compliance with Google Play Store Data Safety requirements and Apple App Store privacy requirements.

9.1 In-App Account Deletion

Users can request full and permanent deletion of their account and all associated personal data directly within the App:

• Navigation Path: Settings > Delete Account
• Effect: Initiates an immediate, permanent, and irreversible deletion of the user account and all associated personal data stored in our active systems
• Confirmation: Users will be prompted to confirm the deletion with a warning that the action cannot be undone
• Processing Time: Account deletion is processed immediately upon confirmation. All personal data is removed from our active databases as per our data retention policy.

9.2 Web / Support-Based Deletion Request

Users may also request account or data deletion outside the App using the following channels:

• Email: sasiniapp@sasini.co.ke (subject line: “ACCOUNT DELETION REQUEST”)
• Help Centre: Contact details provided in the Help & Support section of the App

To process your request efficiently, please include your account identifier (registered email address) in your request. We will acknowledge your request within 5 business days and confirm completion of deletion within 30 days.

9.3 Data Deleted Upon Full Account Deletion

When a full account deletion request is processed, the following data is permanently and irreversibly deleted from all active systems with no recovery period:

• User profile information (name, email, phone, gender, DOB, location details)
• Account credentials and identifiers
• Farmer-specific registration data (Farmer ID, National ID reference, UID, Buying Centre, village, county, sub-county)
• App usage history and session data
• Stored preferences and language settings
• AI chat history and all conversation session data
• Agricultural and transactional records from active systems (delivery records, payment summaries, order history accessible within the App)
• Pest and disease reports
• Produce pickup request history
• Notification history
• Feedback submissions
• Device tokens and FCM registration data

9.4 Partial Data Deletion — AI Chat History

In addition to full account deletion, users may delete specific data items without closing their account:

• AI Chat Deletion: Users may delete individual AI chat conversations at any time within the AI Assistant module. Deleted AI chats are permanently and irreversibly removed from our systems and cannot be restored.
• This feature gives users granular control and ownership over their AI interaction data while retaining full access to all other App features and account information.

9.5 Data Retained After Account Deletion (Legal Retention)

Some data may be temporarily retained after account deletion for legally required purposes. This data is not accessible to users, is stored in a restricted encrypted environment, and is automatically and permanently deleted after the retention period expires:

9.6 Deletion Summary

SECTION 10: COOKIES, TRACKING TECHNOLOGIES & ANALYTICS

The Sasini Mobile Application does not use browser cookies. However, the following technologies are used within the App for the purposes described:

• Firebase Analytics SDK: Collects anonymized app usage data (screen views, feature interactions) for internal product improvement. No cross-app or cross-site tracking is performed.
• Firebase Crashlytics SDK: Captures crash reports and error logs to diagnose and fix technical issues. Data is linked to a Firebase installation ID, not to personal identifiers.
• Firebase Performance Monitoring: Tracks app load times and network request performance metrics to optimize the user experience.
• Firebase Cloud Messaging (FCM) Token: A device-specific token used exclusively to deliver push notifications. This token is not used for advertising or third-party tracking.

We do not use third-party advertising SDKs, cross-app tracking technologies, or any form of behavioral profiling for commercial purposes.

SECTION 11: INTERNATIONAL DATA TRANSFERS

Some of the third-party service providers we use (such as Google Firebase and Google Weather API) may process data in countries outside Kenya. Where such transfers occur, we ensure that appropriate safeguards are in place:

Data processed by Google services (Firebase, Google Weather API) is subject to Google’s data processing terms and privacy policies, available at policies.google.com.

SECTION 12: PUSH NOTIFICATIONS

The Sasini App uses Firebase Cloud Messaging (FCM) to deliver push notifications to your device. Push notifications are sent for the following events:

• New delivery records approved by the factory
• Payment processing and payment period updates
• Farm input and Agri Shop order status changes
• Produce pickup request status updates (Accepted or Declined)
• Broadcasts and announcements from the Company
• Pest and disease alerts affecting your region

You may manage push notification preferences through your device operating system settings at any time (Settings > Notifications > Sasini). Disabling push notifications will not affect your ability to use the App or access your data.

SECTION 13: DEVICE PERMISSIONS REQUESTED BY THE APP

SECTION 14: GOOGLE PLAY DATA SAFETY DECLARATIONS

In accordance with Google Play’s Data Safety section requirements, the following summarizes the data practices for the Sasini Mobile App:

SECTION 15: APPLE APP STORE PRIVACY NUTRITION LABEL DECLARATIONS

In accordance with Apple’s App Store privacy requirements, the following outlines our ‘Privacy Nutrition Label’ disclosures:

15.1 Data Used to Track You

NONE. The Sasini App does not use any data to track users across apps or websites owned by other companies for advertising or data broker purposes.

15.2 Data Linked to You

The following data categories are collected and linked to your identity:

• Contact Info: Name, email address, phone number
• Identifiers: User ID, Farmer ID, device ID
• Financial Info: Payment records and ledger data (read-only display)
• Location: Precise location (GPS) — only when you use the Weather feature and only with your permission
• User Content: Photos uploaded for pest reports, produce pickups, and AI diagnostics; AI chat messages
• Diagnostics: Crash logs and performance data

15.3 Data Not Linked to You

• Anonymized, aggregated feedback and app analytics data

15.4 Data Not Collected

• Health & Fitness data
• Browsing or search history
• Sensitive personal data (biometrics, political, religious, racial data)
• Contacts list
• Calendars or reminders

SECTION 16: CHANGES TO THIS PRIVACY POLICY

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our data practices, applicable law, or the App’s features. When we make material changes, we will:

• Update the ‘Last Reviewed’ date at the top of this document
• Notify users via a push notification and/or in-app banner at the time of their next login
• In the case of significant changes affecting your rights, we will provide 30 days’ advance notice before the changes take effect

Your continued use of the App after the effective date of any revised Privacy Policy constitutes your acceptance of the changes. If you do not agree to the revised Policy, you may delete your account as described in Section 9.

SECTION 17: CONTACT US — DATA PROTECTION ENQUIRIES

For all privacy-related queries, data subject access requests, complaints, or to exercise any of your rights as described in this Policy, please contact us using the following details:

For complaints about data protection compliance, you may also contact the Office of the Data Protection Commissioner of Kenya (ODPC) at www.odpc.go.ke.

SECTION 18: GOVERNING LAW & JURISDICTION

This Privacy Policy is governed by and construed in accordance with the laws of Kenya, in particular the Kenya Data Protection Act, 2019, and the Data Protection (General) Regulations, 2021. Any disputes arising in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of Kenya, without prejudice to the rights of users in other jurisdictions to bring claims before their local supervisory authorities.

SECTION 19: DEFINITIONS & GLOSSARY

SASINI PLC

Global Privacy Policy — Sasini Mobile Application

Version 1.0 | Effective 27 April 2026

For questions: sasiniapp@sasini.co.ke | www.sasini.co.ke | +254-020-3342166

 [MA1]Insert our logo

 [MA2]To confirm, cross reference with policy

 [VM3]There is the google play and Apple privacy policies

 [MA4]Align with internal policy

COOKIE POLICY

SASINI PLC COOKIE POLICY

1. Introduction

Welcome to Sasini PLC (“we,” “our,” or “us”). This Cookie Policy explains how we use cookies and similar tracking technologies on our website www.sasini.co.ke

By using our website, you agree to the use of cookies as described in this policy. You can manage your cookie preferences at any time.

2. What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us enhance your browsing experience, analyze traffic, and personalize content and advertisements.

Cookies can be:

• Session Cookies – Temporary and deleted when you close your browser.
• Persistent Cookies – Stored on your device until they expire, or you delete them.
• First-Party Cookies – Set by our website.
• Third-Party Cookies – Set by external services (e.g., social media platforms , related websites).

3. Types of Cookies We Use
4. a) Essential Cookies (Strictly Necessary)

These cookies are required for our website to function properly. They do not require user consent.

Examples:

• stocking items in your shopping cart
• Enabling secure logins
• Payment processing

1. b) Performance & Analytics Cookies

These cookies help us analyze website traffic, identify usage patterns, and improve website performance.

Examples:

• Google Analytics – Tracks website visitors

How to Opt-Out? You can disable analytics cookies via our cookie settings or your browser.

1. c) Functional Cookies

These cookies allow us to remember your preferences for a personalized experience.

Examples:

• Saving your language & currency preferences
• Remembering your login details

1. d) Marketing & Advertising Cookies

These cookies track user behavior to show relevant ads and improve our marketing campaigns.

How to Opt-Out? You can disable advertising cookies via our cookie settings or your browser.

4. How to Manage Your Cookie Preferences?

We grant you control over cookies. To adjust your settings, please use the cookie banner that appears when you visit our site

Change settings in your browser:

• Google Chrome: Settings > Privacy and Security > Cookies
• Mozilla Firefox: Preferences > Privacy & Security
• Safari: Preferences > Privacy
• Microsoft Edge: Settings > Site Permissions > Cookies

For more information on controlling cookies, visit our cookie setting page

5. Third-Party Cookies & Services

• We use third-party services that may place cookies on your device. These include:
  Google Analytics (Privacy Policy)
• Social Media platform like Facebook Ads (Privacy Policy)
• Payment Processors (MPESA)

These third parties have their own cookie policies, and we recommend you review them.

6. Changes to This Policy

We may update this Cookie Policy from time to time. Please review this page periodically for changes.

7. Contact Us

If you have any questions about our Cookie Policy, please contact us:

• Email: info@sasini.co.ke
• Website: sasini.co.ke

8. Commitment to Kenyan Law

We are committed to upholding the principles of the  Constitution and Kenyan laws . By ensuring that your personal data, including information collected through cookies, is processed lawfully, fairly, and transparently.

We are governed by the following principles:

• Lawfulness, fairness, and transparency: We provide clear and accessible information about our cookie usage, ensuring you understand how your data is processed.
• Purpose limitation, the cookies are used solely for specified, explicit, and legitimate purposes as detailed in this policy.
• Data minimization, we collect only the cookie data necessary to achieve the stated purposes.
• Accuracy, endeavor to take reasonable steps to ensure the accuracy of cookie data.
• Storage limitation, cookie data is retained only for the period necessary to fulfill the purposes for which it was collected, or as required by law.
• Integrity and confidentiality, we implement appropriate technical and organizational measures to protect cookie data against unauthorized access, use, or disclosure. As comprehensively outline in our ICT policy .
• Accountability, we retain and maintain records of our processing activities

Data Subject Rights as stipulated under the Data Protection Act, 2019

As a data subject under the Act, you have the following rights:

• The right to be informed of the use of your personal data.
• The right to access your personal data.
• The right to rectify inaccurate personal data.
• The right to erase personal data (where applicable).
• The right to object to the processing of personal data.
• The right to withdraw consent.
• The right to complain to the Office of the Data Protection Commissioner.

Contact Information:

For questions or concerns regarding this cookie policy or your rights under the Data Protection Act, 2019, please contact our Data Protection Officer at : info@sasini.co.ke.

Updates to this Policy:

We may update this cookie policy periodically to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website