This Privacy Policy explains how TumaText Limited (“TumaText,” “we,” “us,” “our”) collects, uses, discloses, and protects personal data in providing our bulk‑SMS platform and related services (the “Service”) to you (“you,” “your,” “Customer”) in Kenya. We are committed to complying with the Constitution of Kenya, the Data Protection Act, 2019, and all other applicable laws.
1. Key Legal Framework
- Constitution of Kenya (2010): Article 31 guarantees every person’s right to privacy, including the privacy of communications and private affairs.
- Data Protection Act, 2019 (No. 24 of 2019): Implements Article 31(c) & (d) and sets out principles, rights, and obligations for data controllers and processors.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
- Data Controller: TumaText, which determines the purposes and means of processing your data.
- Data Processor: Third parties (e.g., telecom operators, payment gateways) that process data on our behalf.
- Data Subject: You, the individual whose personal data is processed.
3. Data Protection Principles
We adhere to the fundamental principles in Section 25 of the Act:
- Lawfulness, Fairness & Transparency: We process data only on lawful grounds and in a manner you can understand.
- Purpose Limitation: We collect data for specified, explicit, and legitimate purposes.
- Data Minimisation: We only collect the minimum data necessary for our purposes.
- Accuracy: We keep your data accurate and up to date.
- Storage Limitation: We retain data no longer than necessary.
- Integrity & Confidentiality: We secure your data against unauthorized access or disclosure.
- Accountability: We implement measures to demonstrate compliance.
4. What We Collect & How
- Account Information
  - Data Items: Name, email address, phone number, organization
  - Source: You (when registering)
  - Purpose: Account creation, billing, and customer support
- Message Content & Logs
  - Data Items: SMS text, list of recipient numbers, timestamps
  - Source: You (when submitting messages)
  - Purpose: Delivering your messages, troubleshooting delivery issues
- Payment Details
  - Data Items: Transaction IDs, amounts paid, invoice records
  - Source: Our payment gateway partners
  - Purpose: Billing, financial reconciliation, auditing
- Usage & Analytics Data
  - Data Items: IP address, device type, feature usage logs
  - Source: Automated collection (cookies, server logs)
  - Purpose: Service performance monitoring, product improvement, security
- Marketing Preferences
  - Data Items: Opt‑in/opt‑out selections for newsletters and promotions
  - Source: You (preference settings)
  - Purpose: Managing your subscriptions and sending relevant communications
5. Legal Bases for Processing
- Consent: For marketing messages and where required by law.
- Contract Performance: To provide the Service, process payments, and manage your Account.
- Legal Obligations: To comply with laws, tax requirements, and lawful regulatory requests.
- Legitimate Interests: For fraud prevention, service security, and product development.
6. Disclosure & International Transfers
- We may share personal data with:
  - Service Providers: Telecom carriers, cloud hosts, payment processors—each bound by confidentiality and data‑protection agreements.
  - Regulatory Bodies & Law Enforcement: When required under the Information and Communications Act or by court order.
- Any transfer of personal data outside Kenya will follow the safeguards in Section 40 of the Data Protection Act (e.g., adequacy decisions, contractual clauses, or your consent).
7. Data Retention
- Account Data: Kept while your Account is active and for up to 7 years afterward for compliance.
- Message Logs: Retained for at least 6 months and up to 2 years for troubleshooting and legal obligations.
- Marketing Records: Kept until you withdraw consent or opt out.
8. Data Security
We use encryption, access controls, and regular security audits to protect your data against unauthorized access, loss, or alteration.
9. Your Rights under the Act
You have the right to:
- Access your personal data.
- Rectify inaccurate or incomplete data.
- Erase data that’s no longer necessary.
- Restrict processing in limited cases.
- Port your data in a structured, machine‑readable format.
- Object to processing (e.g., for direct marketing).
- Withdraw Consent at any time without affecting earlier processing.
To exercise these rights, contact our Data Protection Officer (below).
10. Contact & Complaints
Data Protection Officer
Email: [email protected]
If you believe we’ve mishandled your data, you may also complain to the Office of the Data Protection Commissioner at www.odpc.go.ke.
11. Changes to This Policy
We may revise this Policy to reflect legal updates or improvements to our practices. We’ll notify you by email or via our platform. Continued use after changes means you accept the new terms.
By using TumaText, you acknowledge that you’ve read and understood this Privacy Policy in accordance with Kenyan law.