Privacy Policy
Last updated: June 2026 · Compliant with the Kenya Data Protection Act, 2019
Hekima AI Limited (“Hekima AI”, “we”, “our”) operates the learning platform at hekima-ai.org and the Hekima AI mobile app. We are committed to protecting the personal data of every learner, job seeker, and visitor who uses our services.
This policy explains what personal data we collect, why we collect it, how we use and share it, and what rights you have under the Kenya Data Protection Act, 2019 (the “Act”).
1. Who We Are (Data Controller)
Hekima AI Limited is the data controller responsible for your personal data. We are registered in Kenya and are subject to the Kenya Data Protection Act, 2019.
2. Information We Collect
Account information
- Email address and name
- Password (stored as a secure one-way hash — we never see your actual password)
- Google account details, if you sign in with Google (website only)
Learning activity
- Courses enrolled in, lessons completed, quiz attempts and scores
- Capstone project submissions
- Certificates issued (verified via hekima-ai.org/verify)
- Course feedback and ratings you submit voluntarily
AI tutor (Rafiki) conversations
Messages you send to Rafiki, our AI tutor, are processed in real time by the AI providers listed in Section 4. We do not permanently store the full text of your Rafiki conversations on our servers, but AI providers may retain message data in accordance with their own privacy policies.
Payment information
We record your subscription plan, the amount paid (in KES), and a transaction reference number. We never receive or store your M-Pesa PIN, card number, or bank details — those are handled exclusively by Pesapal, our payment processor.
Device and technical information (app users)
- Device type, operating system version, and app version
- Push notification token (for study reminders, if you grant permission)
Usage and analytics data
- Pages and features you visit or use, and when
- IP address and approximate location (country/region level)
- Last active date (used to send optional re-engagement nudges)
3. How We Use Your Information
| Purpose | Legal basis (Kenya DPA 2019) |
|---|---|
| Create and manage your account | Performance of contract |
| Deliver course content, track your progress, and issue certificates | Performance of contract |
| Power the Rafiki AI tutor | Performance of contract |
| Process payments and maintain financial records | Performance of contract; legal obligation |
| Send transactional emails (payment receipts, password resets, welcome messages) | Performance of contract |
| Send optional learning nudge emails (max 4 per year, easy opt-out) | Legitimate interest; consent |
| Improve our courses, platform, and AI tutor | Legitimate interest |
| Detect fraud and ensure security | Legitimate interest; legal obligation |
4. Sharing Your Data
We do not sell your personal data. We share it only as necessary to provide our services, with the following categories of third-party processors:
| Provider | Purpose | Location |
|---|---|---|
| Anthropic | Rafiki AI tutor (Claude) | USA |
| Google | Rafiki AI (Gemini); Google sign-in | USA |
| OpenAI | Rafiki AI (GPT-4o) | USA |
| xAI | Rafiki AI — current events queries (Grok) | USA |
| Pesapal | Payment processing (M-Pesa, card) | Kenya |
| Vercel | Web platform hosting | USA/EU |
| Amazon Web Services | Cloud infrastructure, payments backend | USA |
| Upstash | Database (account data, progress, analytics) | EU/USA |
| PostHog | Product analytics (pseudonymous) | EU |
| Resend | Transactional email delivery | EU |
| Expo (EAS) | Mobile app distribution and updates | USA |
We may also disclose your data if required by Kenyan law, a court order, or a lawful request by a public authority.
5. International Data Transfers
Several of our service providers are based outside Kenya (primarily in the USA and EU). Under the Kenya Data Protection Act 2019, we are required to ensure that any transfer of personal data outside Kenya is to a country that provides an adequate level of protection, or that appropriate safeguards are in place. We rely on the data processing agreements and standard contractual terms of each provider listed above to meet this requirement.
6. Your Rights Under the Kenya Data Protection Act 2019
As a data subject under Kenyan law, you have the following rights:
- Right to be informed — to know what data we hold about you and how we use it (this policy fulfils that right).
- Right of access — to request a copy of the personal data we hold about you.
- Right to rectification — to ask us to correct inaccurate or incomplete data.
- Right to erasure — to ask us to delete your personal data (subject to legal and contractual obligations).
- Right to restrict processing — to ask us to limit how we use your data in certain circumstances.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to object — to object to processing based on legitimate interest, including direct marketing.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at support@hekima-ai.org. We will respond within 21 days as required by the Act.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data (email, name, password hash) | Duration of account + 90 days after deletion request |
| Learning progress and certificates | Duration of account + 90 days |
| Payment records | 7 years (Kenya tax and financial record-keeping requirements) |
| Analytics and usage data | 13 months rolling (PostHog default) |
| Email unsubscribe preferences | Indefinitely (to honour your opt-out) |
8. Security
We apply appropriate technical and organisational measures to protect your personal data, including:
- HTTPS encryption for all data in transit
- Passwords stored as irreversible cryptographic hashes (bcrypt)
- Access controls limiting who within our team can access personal data
- Payment details handled exclusively by PCI-DSS-compliant Pesapal — we never see your card or M-Pesa PIN
No system is completely secure. If you discover a security vulnerability, please report it responsibly to support@hekima-ai.org.
9. Children and Young People
Our platform is intended for learners aged 16 and above. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at support@hekima-ai.org and we will delete it promptly.
10. Cookies and Analytics
We use essential cookies to keep you logged in and to protect against CSRF attacks. We also use PostHog, an analytics tool, to understand how the platform is used. PostHog data is pseudonymised (linked to a hashed identifier, not directly to your name or email). You can opt out of analytics tracking by contacting us.
11. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will notify you by email and by posting a notice on the platform at least 14 days before the changes take effect. Your continued use of Hekima AI after that date means you accept the updated policy.
12. Contact Us and How to Complain
For any privacy-related questions, to exercise your rights, or to raise a concern, contact us:
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya:
© 2026 Hekima AI Limited. This policy is governed by the laws of Kenya.