Legal
Privacy Policy
Last updated: 16 April 2026 · Version 1.0
1. Who we are
Election Edge Ltd (“we”, “us”) operates the VoteScores platform and related election integrity products. We are the data controller for the personal data described in this policy.
This policy complies with the Kenya Data Protection Act 2019 (DPA) and is supervised by the Office of the Data Protection Commissioner (ODPC).
2. What data we collect
| Data type | Purpose |
|---|---|
| Name, phone, email | Account creation and communication |
| Quiz responses | Candidate matching (processed locally where possible) |
| Device & IP data | Security, fraud prevention, rate limiting |
| Cookie preferences | Remembering your consent choices |
| Agent GPS coordinates | Field agent submission verification (agents only) |
3. Legal basis for processing
- Consent (DPA s.30(1)(a)) - quiz data, analytics, marketing
- Legitimate interest (DPA s.30(1)(f)) - security monitoring, fraud prevention
- Public interest (DPA s.30(1)(e)) - election transparency and citizen reporting
- Legal obligation (DPA s.30(1)(c)) - evidence preservation for election petitions
4. How we protect your data
- TLS 1.3 encryption for all data in transit
- AES-256 encryption at rest (via Supabase infrastructure)
- Multi-factor authentication required for privileged access
- Tamper-evident audit trail with hash chain verification
- Row-level security isolating campaign data
- Regular security audits and penetration testing
5. Data retention
| Data | Retention |
|---|---|
| Evidence records | 7 years (election petition statute) |
| Audit logs | 3 years (regulatory compliance) |
| Quiz responses | Election date + 90 days |
| User accounts | Until deletion or 2 years inactive |
| Session tokens | 24 hours |
6. Your rights
Under the Kenya DPA, you have the right to:
- Access your personal data (DPA s.26(a))
- Correct inaccurate data (DPA s.26(b))
- Delete your data (DPA s.26(c))
- Export your data in machine-readable format (DPA s.26(d))
- Object to processing (DPA s.26(e))
- Restrict processing (DPA s.26(f))
We respond to all requests within 30 days. Evidence data may be exempt from erasure under legal obligation basis.
7. Third-party sharing
We do not sell personal data. We share data only with:
- Supabase - database hosting (data processing agreement in place)
- IEBC / courts - evidence data when legally required for election petitions
- ODPC - breach notifications as required by law
8. Cookies
We use minimal cookies. See our Cookie Policy for full details. You can change your preferences at any time.
9. Data breach notification
In the event of a data breach affecting your personal data, we will notify the ODPC within 72 hours and inform affected individuals without undue delay, as required by the DPA.
10. Contact
For privacy inquiries or to exercise your rights, contact our Data Protection Officer:
Email: privacy@electionedge.co.ke
Address: Election Edge Ltd, Nairobi, Kenya
You also have the right to lodge a complaint with the Office of the Data Protection Commissioner.