Privacy Policy

1. Introduction

CRB Checker Kenya ("we", "us", "our") operates crbchecker.co.ke. We are committed to protecting your personal data in accordance with the Kenya Data Protection Act 2019 and the regulations issued by the Office of the Data Protection Commissioner (ODPC).

This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights as a data subject.

2. Data We Collect

When you use our service, we may collect the following categories of personal data:

• Identity data: Full name, national ID number
• Contact data: Email address, mobile phone number
• Payment data: M-Pesa transaction reference numbers (we do not store card numbers or M-Pesa PINs)
• Usage data: IP address, browser type, pages visited, timestamps
• Session data: Encrypted session identifiers stored in browser cookies
• Credit report data: CRB report content retrieved on your behalf from licensed Credit Reference Bureaus

3. How We Use Your Data

We use your personal data solely for the following purposes:

• To create and manage your account
• To process M-Pesa payments and verify transactions
• To retrieve your CRB credit report from authorised bureaus
• To deliver your credit report securely through your dashboard
• To send account-related communications (no marketing emails without consent)
• To maintain security logs and prevent fraud
• To comply with legal obligations under Kenyan law

4. Legal Basis for Processing

Under the Data Protection Act 2019, our legal bases for processing your data are:

• Contractual necessity: Processing is required to deliver the service you have requested
• Consent: Where you have given explicit consent (e.g. marketing communications)
• Legal obligation: Where we are required by law to retain or disclose data
• Legitimate interests: Fraud prevention, site security, and service improvement

5. Data Sharing

We do not sell your personal data. We may share data with:

• Licensed Credit Reference Bureaus (TransUnion Kenya, Metropol Corporation, CreditInfo Kenya) — solely to retrieve your credit report
• Safaricom M-Pesa API — for STK Push payment processing
• Hosting providers — under data processing agreements
• Law enforcement or regulators — when legally compelled

6. Data Retention

We retain your personal data only as long as necessary:

• Account data: For the duration of your account plus 12 months after deletion request
• Credit report data: Accessible for 30 days after purchase, then automatically purged
• Payment records: Retained for 7 years for tax and audit compliance
• Security logs: Retained for 90 days

7. Your Rights

Under the Data Protection Act 2019, you have the right to:

• Access your personal data held by us
• Correct inaccurate personal data
• Request deletion of your data ("right to be forgotten")
• Object to or restrict certain processing
• Data portability — receive your data in a structured, machine-readable format
• Lodge a complaint with the Office of the Data Protection Commissioner (ODPC)

To exercise any of these rights, contact us at: support@crbcheck.com

8. Cookies

We use strictly necessary cookies for:

• Session management (keeping you logged in)
• Remembering your theme preference (dark/light mode)

We also use Google Analytics and Google Ads cookies for measuring website performance. You can opt out via Google's opt-out tool.

9. Security

We implement industry-standard security measures including HTTPS encryption, hashed password storage (bcrypt), atomic file writes, and rate-limited authentication. See our Security page for full details.