Privacy Policy

For the purposes of the Data Protection Act, Tufariji is the data controller in respect of personal data processed through our platform.

Data Controller: Tufariji
Jurisdiction: Republic of Kenya
Primary users: Individuals and organizations located in or dealing with funerals in Kenya

If you have any questions or concerns about this Privacy Policy or how we handle your personal data, contact us at privacy@tufariji.co.ke.

We may designate a data protection contact or officer as our operations grow, and any such details will be added here and on our website.

This Privacy Policy applies to personal data that we collect and process when:

• You visit or interact with our website and public memorial pages.
• You create, edit, or administer a memorial or funeral page, including as a family coordinator or partner.
• You view a memorial page and submit content, such as condolences or stories, where enabled.
• You contact us via email, contact forms, or support channels.

This Privacy Policy does not apply to:

• Third-party websites, platforms, or services accessed through Tufariji, such as YouTube, Facebook Live, payment gateways, or Google Maps.
• Processing that our partners carry out independently of Tufariji in their own systems.

We process personal data in accordance with the principles and obligations set out in Kenyan data protection law, including:

• Lawfulness, fairness, and transparency: we process personal data only where there is a valid legal basis and in a transparent manner.
• Purpose limitation: we collect and process personal data only for specific, explicit, and legitimate purposes related to providing and improving the Service.
• Data minimization: we only collect personal data that is adequate, relevant, and limited to what is necessary for those purposes.
• Accuracy: we take reasonable steps to ensure personal data is accurate and kept up to date where necessary.
• Storage limitation: we retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
• Integrity and confidentiality: we use appropriate technical and organizational measures to secure personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Our primary legal bases for processing personal data are consent, performance of a contract, compliance with a legal obligation, and legitimate interests.

When you create an account, including as a family coordinator or partner, we may collect:

• Name
• Email address
• Authentication-related details, such as OAuth identifiers or magic-link token logs
• Basic account metadata, including account type and roles such as owner, admin, or contributor

We do not store your password where we use federated login or magic-link authentication.

For each memorial page, the creator or collaborators may provide:

• Full name of the deceased
• Dates of birth and death
• Biography or obituary text
• Photos of the deceased and related events
• Funeral program details and uploaded PDF
• Event information including date, time, venue name, address, and map links
• Hymn titles and, where added, lyrics
• Eulogies, tributes, stories, timeline milestones, optional scripture verses, or epitaphs

This content may include personal data of the deceased and living individuals, such as names and relationships of family members or authors of tributes. It is provided and managed by the page creator and collaborators.

If the memorial page owner enables interactive features such as a condolence wall or stories, visitors may submit:

• Name or chosen display name
• Email address, where configured
• Message content such as condolences, stories, or tributes
• Date and time of submission
• Moderation status and related activity, such as approved, rejected, or edited

For paid tiers or other monetized features, we collect limited payment-related data such as:

• Payment reference numbers or transaction IDs returned by payment providers
• Tier purchased and related billing metadata

We do not store your full payment instrument details, such as card numbers. These are processed by the relevant payment providers under their own privacy policies.

When you access or use the Service, we may automatically collect technical and usage data such as:

• IP address and general location derived from it
• Device type, operating system, and browser type
• Referring site or source
• Pages viewed, actions taken, and timestamps
• Basic performance and error logs

If you contact us for support, we may also collect your contact details, message content, attachments, and internal notes relating to your request.

We may share personal data in limited circumstances, including:

1. Within Tufariji: team members and contractors who need the data to perform their duties and who are subject to confidentiality obligations.
2. Service providers and processors: trusted providers supporting hosting, storage, email delivery, payments, analytics, and error monitoring.
3. Public memorial content: content published on a memorial page may be visible to visitors with the page link or QR code, subject to any access controls we provide.
4. Legal and regulatory requirements: where disclosure is reasonably necessary to comply with law, legal process, or requests from competent authorities.
5. Business transfers: where personal data is transferred as part of a merger, acquisition, reorganization, or sale of assets, subject to continued protection consistent with this policy.

We do not share personal data with third parties for their independent direct marketing purposes without your explicit consent.

Our platform is primarily focused on users and data subjects in Kenya. However, some service providers or infrastructure may be located outside Kenya.

Where personal data is transferred outside Kenya, we will ensure that such transfers comply with the Data Protection Act and Regulations through appropriate safeguards, contractual protections, or required consents.

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by law.

• Memorial page content: retained for the duration of the page's active life, after which the page may be taken offline. We may retain a backup or archived copy for a limited period to allow recovery or comply with legal obligations.
• Account data: retained for as long as your account is active and for a reasonable period thereafter where needed for legal, accounting, or fraud-prevention purposes.
• Technical logs: retained for a limited time necessary for security, troubleshooting, and analytics, after which they are anonymized or deleted.

Where the purpose for processing personal data has lapsed, we will erase, delete, anonymize, or pseudonymize the data in accordance with applicable law, subject to any legal retention requirements.

Under Kenyan data protection law, data subjects may have rights including:

• The right to be informed of the use to which your personal data is put
• The right to request access to personal data in our custody
• The right to object to the processing of all or part of your personal data, including withdrawal of consent where processing is based on consent
• The right to request correction or deletion of inaccurate, outdated, misleading, or unlawfully retained personal data
• The right to request portability or restriction of certain processing where applicable

You may exercise these rights by contacting privacy@tufariji.co.ke. We may need to verify your identity before responding to certain requests, and some rights may be subject to legal limitations.

Our Service is designed for use by adults or by organizations acting on behalf of families. However, memorial pages may include information about children, for example as relatives or in stories.

Where personal data relates to a child, consent should ordinarily be provided or authorized by a parent or legal guardian, and we expect memorial creators and partners to respect this requirement.

If you believe we have collected personal data about a child without proper consent or in a way that violates the law, contact us so that we can investigate and, where appropriate, delete or anonymize the data.

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

• Secure hosting and network configuration
• Access controls and authentication for administrative interfaces
• Encryption of data in transit and at rest where appropriate
• Regular software updates and security monitoring

While we work hard to protect personal data, no system can be guaranteed to be perfectly secure. Users should also take steps to protect their own accounts and devices.

Our Service may use cookies or similar technologies to:

• Maintain session state and authentication
• Remember user preferences or settings
• Collect basic analytics and performance data

Where required by law, we will seek consent for non-essential cookies. You can usually control cookies through your browser settings, but disabling certain cookies may limit functionality.

If you have concerns about how we handle your personal data, we encourage you to contact us first so that we can try to resolve the issue.

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner in Kenya. Learn more at odpc.go.ke.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or improvements to the Service.

When we make material changes, we will update the last updated date at the top of this document and may also provide additional notice, such as a prominent notice on our website or via email.

Your continued use of the Service after any changes take effect will constitute acceptance of the updated Privacy Policy.