Shambaboy Privacy Policy

2.1 Information from Workers

• Identity information: full name, national ID or passport number, date of birth, gender, contact details (phone number, email address).
• Work information: task completion records, skills demonstrated, performance ratings, attendance history, supervisor comments.
• Location information: GPS coordinates when submitting task verifications (to confirm you were at the farm).
• Photos: photos taken through the Shambaboy apps to verify tasks. Photos cannot be uploaded directly from your gallery.
• Device information: device model, operating system, unique device identifier (to prevent account sharing and fraud).

2.2 Information from Farm Owners and Supervisors

• Name, contact details, farm location, farm size, crop types.
• Operational data (task assignments, inventory, schedules).
• Payment information (for subscription billing).
• Comments and notes about workers and farm operations.

2.3 Information from Diaspora Users

• Login credentials (email, password).
• Location of access (to comply with cross-border data transfer laws).
• Relationship to farm (owner, investor, family member, estate administrators).

3.1 To Provide Our Core Services

• Task verification: recording and verifying farm activities through photos, GPS, and timestamps.
• Worker identity profiles: building portable work histories that workers can take to other farms.
• Farm management: helping farm owners track operations, assign tasks, and manage workers.
• Compliance records: creating audit trails for export standards (e.g., GLOBALG.A.P), financial institutions, and government requirements.

3.2 To Prevent Fraud and Ensure Platform Integrity

• Detecting false task submissions.
• Identifying unusual patterns or activities that may indicate fraud.
• Preventing account sharing.
• Verifying worker identity.

3.3 To Share with Institutional Partners (With Consent)

• The worker's supervisor and farm owner: enhances monitoring, evaluation, work records, task submissions, and performance data to verify worker performance and manage farm operations.
• Potential employers: when a worker applies for jobs at other farms.
• Banks and microfinance institutions: for credit assessment and agricultural lending.
• Insurance companies: for agricultural insurance verification.
• Export buyers: for compliance certification and verification.
• Government agencies: when required by law; e.g., court orders or legal processes, requests from government authorities, investigations by regulatory bodies.
• Carbon and climate partners: for agricultural carbon credit verification (e.g., Consuming Carbon).
• Service providers: cloud hosting providers (data stored in Kenya), SMS and email service providers (notifications), payment processors (subscription billing), security and fraud prevention services.

3.4 To Improve Our Services

• Analysing usage patterns (anonymised).
• Identifying best practices across farms.
• Improving fraud detection models.
• Enhancing user experience.

3.5 To Improve Communication

• Sending task notifications and reminders.
• Providing customer support.
• Notifying you of important changes to our services.
• Sending security alerts (e.g., unusual account activity).

Under Kenyan law, all service providers are contractually required to protect your data and use it only for specified purposes.

4.1 Technical Security Measures

• Encryption: all data transmitted between your device and our servers is encrypted using industry-standard TLS 1.3.
• Data storage: all personal data is stored on secure servers physically located in Kenya.
• Access controls: only authorised personnel can access your data, and all access is logged.
• Regular security audits: quarterly security assessments and regular data security upgrades.

4.2 Organisational Security Measures

• Staff training: employees receive data protection training on hiring and regular refreshers during employment.
• Confidentiality agreements: staff sign confidentiality agreements on hiring and renew them annually.
• Data Protection Officer (DPO): a dedicated DPO oversees data protection and compliance.
• Incident response mechanisms: procedures to respond to data breaches within 72 hours.

5.1 Your Data Stays in Kenya

• All personal data is stored on servers in Kenya.
• When you access your dashboard, you are viewing data through an encrypted connection.
• Data is not downloaded or stored on your device.

5.2 Legal Protections for Cross-Border (Diaspora) Access

We use Standard Contractual Clauses approved by data protection authorities to ensure your data remains protected when accessed from the European Union (EU), the United Kingdom (UK), the United States of America (USA), Canada, Australia, and other approved jurisdictions.

5.3 Diaspora User Responsibilities

• Use only Shambaboy's encrypted connections (do not screenshot or download personal data).
• Access only from secure devices (not public or shared computers).
• Comply with Kenyan data protection laws.

6.1 What AI Does

• Fraud detection: AI flags potentially fraudulent task submissions for human supervisor review.
• Image verification: AI checks if photos are authentic (not reused or manipulated).
• Pattern recognition: AI detects unusual patterns that may need investigation.

6.2 What AI Does NOT Do

IMPORTANT: AI does not make final decisions about employment (hiring, firing, promotions), compensation (wages, bonuses), or your legal rights and obligations (data access, deletion requests). All important decisions are made by human supervisors and farm owners.

6.3 User Rights Regarding AI

• Right to know: you will be notified if AI flags your submission.
• Right to human review: you can request human review for any AI flag.
• Right to explanation: we will explain in simple language why AI flagged your submission.
• Right to challenge: you can provide evidence if you believe AI made a mistake.
• Right to opt-out: you can choose to have all submissions manually reviewed (may take longer).

7.1 Right to Access

• In-app: tap "My Profile" or "My Data".
• Download: use the "Export My Data" button.
• Request: email support@shambaboy.com.
• SMS: text "ACCESS" to +254-722575426.
• Response time: within 48 hours electronically; 7 days for written requests.

7.2 Right to Data Portability

• Export complete work history in JSON, CSV, or PDF format.
• Transfer profile to competing platforms.
• Share credentials with potential employers.
• Export as many times as needed (free, unlimited).

7.3 Right to Rectification

• In-app: tap "Report Error" next to any data field.
• Email: support@shambaboy.com with details.
• Response: factual errors corrected within 48 hours.

7.4 Right to Erasure (Deletion)

• Marketing data: deleted immediately upon request.
• Core profile data: retained for 7 years to comply with the Kenya Employment Act and tax laws.
• After the retention period: personal identifiers removed and records anonymised.

7.5 Right to Object

• Marketing communications (unsubscribe anytime).
• Data sharing with specific institutional partners.
• AI processing of user submissions (opt for manual review).

7.6 Right to Withdraw Consent

• Biometric data processing.
• Data sharing with institutional partners.
• Marketing communications.

Note: withdrawing consent may affect your ability to use certain features.

7.7 Right to Lodge a Complaint

If you believe Shambaboy has violated your data protection rights, you can contact the Shambaboy Data Protection Officer at support@shambaboy.com, or file a complaint with Kenya's Office of the Data Protection Commissioner (ODPC):

• Email: datacommissioner@odpc.go.ke
• Website: www.odpc.go.ke
• Phone: +254-20-2675580