Privacy Policy
Introduction
This Privacy Policy (“Policy”) explains how Sabasi (“we”, “us”, or “our”) collects, uses, maintains, and discloses your personal information when you use:
- The Sabasi v2 mobile app (“App”),
- The Sabasi website and any related subdomains,
- Any other online services provided by Sabasi.
Sabasi offers a data collection platform designed for organizations, individuals, and researchers to manage and conduct surveys efficiently. This Policy applies to both guests and registered users of the Sabasi platform (“Users”, “You”, “you”). Through the Sabasi App, users can collect various types of data, including personal data, from survey participants. The personal data collected through surveys is processed on behalf of the organization or individual creating the survey (“Survey Owners”). Therefore, Sabasi acts as a data processor for the information collected from survey participants and a data controller for the information we collect from registered users.
By using the Sabasi platform, you agree to the collection and use of your information in accordance with this Policy. If you do not agree with any part of this Policy, please do not use our services.
This Policy may be updated periodically. You are advised to review this Privacy Policy regularly for any changes. If changes are made, we will notify you by updating the “Effective Date” at the top of this page and, if necessary, through a prominent notice within the App or by email. Your continued use of the Sabasi platform after changes are posted constitutes your acceptance of those changes.
1. Information We Collect, How We Collect It, and Data Retention
When you engage with our services, we collect your personal information, which is information that identifies (whether directly or indirectly) a particular individual. Except as otherwise indicated, the personal information we collect is necessary to carry out the requested action. If you do not provide us with your personal information, we would not be able to perform the requested service.
a) Register for an Account
When you register for an account, we will collect your identifiers, such as:
- Name
- Email address
- Phone number
- Organization name (if applicable)
- Country of residence
We use this information to create your account, allow access to the Sabasi platform, and communicate with you about the services. We may also collect additional data, such as the organization or industry you are associated with. If you contact us for support or assistance, we may collect additional details to help resolve your issue.
We retain your personal information for as long as your account is active and for no more than two years after it has become inactive. If you request that your account be deleted, we will remove your personal information within 30 days.
b) Fill Out a Contact Form
When you fill out a contact form on the Sabasi website or through the App, we collect:
- Name
- Email address
- Phone number (optional)
- Organization name (if applicable)
- Any additional information you include in your message.
We use this information to process your inquiry and provide assistance. We retain your personal information for up to two years after resolving your inquiry, or longer if your account remains active.
c) Participate in In-App Surveys
When you participate in surveys or contribute responses through the Sabasi platform, we collect:
- Survey responses
- Media files (such as images, audio, and videos) submitted through the surveys
- Geolocation data (if you consent to location sharing)
Survey responses may include personal data if you voluntarily provide it in the course of completing the survey. The data collected in surveys is stored and processed on behalf of the organization or entity that created the survey.
We retain survey responses and associated data for as long as necessary to fulfill the purpose of the survey, or for as long as required by the organization running the survey.
d) Use of Cookies and Tracking Technologies
We collect information automatically through cookies and similar tracking technologies when you interact with our website or App. This may include:
- IP address
- Browser type
- Operating system
- Device type and unique identifiers
- Time spent on pages
- Clicks and navigation data
We use this information to analyze usage patterns and improve the performance and user experience of the platform. You can manage cookie preferences through your browser settings. We retain this data for up to two years after your last interaction with our platform.
e) Communication and Customer Support
When you communicate with us via email or through the App’s built-in support feature (powered by Smartsupp), we collect:
- Email address
- Name
- Message content
- Any attachments or additional information you provide.
We use this data to respond to inquiries, provide support, and improve the service. We retain these communications for up to two years unless further retention is required for operational, legal, or regulatory reasons.
f) Data Retention
We retain your personal information only for as long as is necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Upon the deletion of your account or upon your request, we will securely erase your personal data within 30 days, unless legal obligations require us to retain it for a longer period.
2. How We Share Your Personal Information
We do not sell or rent your personal information to third parties. However, we may share your personal information in the following circumstances:
a) With Service Providers
We may share your personal information with third-party service providers who help us operate and improve our platform. These service providers include:
- Cloud storage providers: To securely store your data.
- Customer support platforms (e.g., Smartsupp): To assist with resolving inquiries and improving user support.
These third parties only have access to your personal information to perform specific tasks on our behalf and are contractually obligated not to disclose or use it for any other purpose.
b) With Survey Owners
When you participate in a survey, your personal data and survey responses are shared with the organization or individual (“Survey Owners”) who created the survey. Sabasi processes this data on behalf of the Survey Owners, and they are responsible for how your data is used and managed. If you have concerns about the use of your data in a survey, please contact the Survey Owner directly.
c) For Legal Obligations
We may disclose your personal information if required to do so by law or in response to valid legal processes, such as court orders, subpoenas, or government regulations. We may also share your information when necessary to:
- Comply with legal obligations,
- Protect and defend the rights or property of Sabasi,
- Prevent illegal activity, fraud, or harm to the platform, its users, or the public.
d) Business Transfers
In the event of a merger, acquisition, restructuring, or sale of Sabasi’s assets, your personal information may be transferred as part of the transaction. We will notify you via email or a prominent notice on our website or within the App if such a transfer occurs and will outline your options regarding your personal information.
e) With Your Consent
In any circumstances not covered by this Privacy Policy, we will ask for your explicit consent before sharing your personal information with third parties. You can withdraw your consent at any time by contacting us.
3. Your Options for Managing Your Information
You have the following choices regarding the personal information we collect and how it is used:
a) Access and Update Your Information
You can access and update your personal information through your account settings on the Sabasi platform. If any of the information you’ve provided is incorrect, you can correct it within the platform, or you may contact us directly for assistance.
b) Request to Delete Your Data
You have the right to request the deletion of your personal information. If you wish to delete your account or any personal data we hold about you, please contact us at help@sabasi.mobi. We will process your request within 30 days unless we are required by law or legal obligations to retain the data for a longer period.
c) Opt-Out of Marketing Communications
If you have subscribed to receive marketing communications from us, you may opt out at any time by clicking the “unsubscribe” link included in our emails. Even if you opt out of marketing emails, we may still send you necessary communications related to your account or services you’ve requested (e.g., system notifications, updates about your surveys).
d) Manage Cookies and Tracking Technologies
You can manage your cookie preferences through your browser settings. Most web browsers allow you to:
- Block cookies,
- Delete existing cookies, or
- Receive a notification before cookies are stored.
Please note that disabling cookies may affect your ability to use some features of the Sabasi platform. For detailed information on how to manage and delete cookies, visit [Insert Link to Cookie Policy, if applicable].
e) Control Location Data
If you have given the Sabasi app access to your location data, you can change this preference at any time through your device’s settings. Disabling location access will not prevent you from using the app but may limit certain features that rely on location data.
f) Limit Data Sharing with Survey Owners
If you participate in surveys, you are providing your data to the organization or individual that created the survey. You can choose not to participate in surveys if you do not wish to share your data with the Survey Owners. For more details on how your data will be used, refer to the privacy policy of the organization conducting the survey.
g) Withdraw Consent
Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time. If you wish to withdraw consent, please contact us at help@sabasi.mobi. However, withdrawing your consent may affect your use of certain features of the platform.
4. Your Rights Regarding Your Information
As a user of the Sabasi platform, you have several rights concerning the personal information we collect and process about you. These rights allow you to control how your data is used and help protect your privacy. You can exercise these rights by contacting us at help@sabasi.mobi.
a) Right to Access
You have the right to request a copy of the personal information we hold about you. We will provide you with a summary of your personal data and explain how we use it. You can request this information by contacting us at any time.
b) Right to Rectification
If the personal information we have about you is inaccurate or incomplete, you have the right to request that we correct or update it. You can make these changes directly through your account settings, or you can reach out to us for assistance.
c) Right to Erasure (Right to Be Forgotten)
You can request that we delete your personal information when it is no longer necessary for the purposes for which it was collected. We will delete your data unless we are required to keep it for legal or regulatory reasons.
d) Right to Restrict Processing
In certain situations, you have the right to request that we restrict the processing of your personal data. This means we will only store your data and not use it for any further processing unless you give us consent or it is necessary for legal reasons.
e) Right to Data Portability
As a registered user, you have the right to request a copy of the personal data you have provided to Sabasi in a structured, commonly used, and machine-readable format. You may also request that we transfer your data to another service provider, where technically feasible.
For Survey Participants: The right to data portability also applies to survey participants, but since Sabasi processes survey responses on behalf of the Survey Owner, you will need to submit your request to the Survey Owner. They are responsible for responding to requests for data portability related to the survey data they control.
f) Right to Object
As a registered user of Sabasi, you have the right to object to certain processing activities related to your personal data. This includes:
- Direct marketing: You may object to receiving marketing communications from Sabasi, and we will stop processing your data for this purpose upon your request.
- Processing based on legitimate interests: If we process your personal data based on our legitimate interests, you have the right to object to this processing. We will review your objection and, unless we have compelling legal reasons to continue processing, we will stop.
For Survey Participants: If you are a survey participant, Sabasi processes your data on behalf of the Survey Owner. In this case, the right to object must be exercised by contacting the Survey Owner directly, as they are the data controller responsible for determining how your data is used. Sabasi cannot directly respond to such requests from survey participants.
g) Right to Withdraw Consent
If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw consent.
h) Right to Lodge a Complaint
If you believe that your rights under this Privacy Policy or applicable data protection laws have been violated, you have the right to lodge a complaint with a data protection authority. We encourage you to contact us first so we can address your concerns.
How to Exercise Your Rights
- Registered Users: If you wish to object to data processing or request data portability, you can contact Sabasi directly at help@sabasi.mobi. We will respond to your request within 30 days, unless there are legal grounds for extending this period.
- Survey Participants: To exercise your right to object or request data portability, please contact the Survey Owner who collected your data. If you need assistance in contacting the Survey Owner, you may reach out to Sabasi at help@sabasi.mobi, and we will help facilitate communication with the Survey Owner.
5. Children’s Privacy
Sabasi is committed to protecting the privacy of children and complying with applicable child privacy laws, including the Children’s Online Privacy Protection Act (COPPA) in the United States and the General Data Protection Regulation (GDPR) in the European Union. Our platform is not intended for use by individuals under the age of 13, and we do not knowingly collect personal information from children under this age.
1. Age Verification
We take steps to verify the age of users during account registration to ensure compliance with child privacy laws. When a user registers for a Sabasi account, we ask them to confirm that they are at least 13 years old (or 16, depending on the applicable jurisdiction). If we have reason to believe that a user is under the minimum age, we will take appropriate steps to block or delete their account.
2. Parental Consent for Minors
In jurisdictions governed by the GDPR, the age threshold for consent may vary. Under the GDPR, the processing of personal data for children under the age of 16 is prohibited without parental consent, although EU Member States may set a lower age limit, with a minimum age of 13. In such cases, we will require verifiable parental consent before collecting or processing the personal data of minors.
If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at help@sabasi.mobi. Upon receiving such a notification, we will take steps to investigate and, if necessary, delete the child’s personal data from our records.
3. Handling of Minors’ Data
In the event that Sabasi inadvertently collects personal information from a child under the age of 13 (or under 16 in applicable jurisdictions), we will:
- Delete the data: We will promptly delete the personal data from our systems upon becoming aware of the situation.
- Notify the parent or guardian: If we have inadvertently collected a minor’s data, we will make reasonable efforts to contact the child’s parent or guardian to inform them of the situation and take any further actions required.
4. Compliance with COPPA and GDPR
Sabasi complies with the Children’s Online Privacy Protection Act (COPPA) in the United States, which requires parental consent before collecting any personal data from children under the age of 13. Similarly, we comply with the GDPR’s strict rules for processing minors’ data in the European Union, where parental consent is required for children under 16, unless national laws specify a lower age threshold.
In cases where our services may be used in jurisdictions with additional child privacy regulations, we will take steps to ensure compliance with those regulations and protect the privacy of minors.
5. Prohibited Use by Children
Sabasi’s platform is designed for use by organizations and individuals who are over the age of 13. We explicitly prohibit children under 13 from creating accounts or submitting personal data through the platform. If we discover that a child under 13 has registered for an account or submitted data without parental consent, we will take immediate action to remove the data and block access to the platform.
6. International Jurisdictions & Data Transfers
Sabasi operates on a global scale, and the personal data we collect may be transferred to and processed in countries other than your country of residence. This includes countries whose data protection laws may not be as stringent as those of your own jurisdiction, for example if you are in the European Union (EU) or Kenya. However, we take steps to ensure that your personal information is handled securely and in accordance with international data protection standards.
1. Safeguards for International Data Transfers
When transferring personal data internationally, Sabasi ensures that adequate safeguards are in place to protect the data, as required by the General Data Protection Regulation (GDPR), the Kenyan Data Protection Act (DPA), and other applicable data protection laws.
These safeguards may include:
- Standard Contractual Clauses (SCCs): For transfers from the EU or other jurisdictions that require compliance with the GDPR, Sabasi uses the Standard Contractual Clauses approved by the European Commission. These clauses are designed to ensure that the personal data transferred to third countries outside the EU receives adequate protection.
- Adequacy Decisions: In cases where personal data is transferred to countries with an adequacy decision from the European Commission, we rely on these decisions as evidence that the receiving country provides an equivalent level of data protection to that of the EU.
- Binding Corporate Rules (BCRs): Where applicable, Sabasi may rely on Binding Corporate Rules to ensure compliance with data protection standards when transferring data between entities within the same group or to our partners.
- Data Protection Agreements (DPAs): For cross-border transfers, especially to countries without an adequacy decision, Sabasi enters into Data Protection Agreements with the parties involved to ensure compliance with legal requirements and to protect personal data during and after the transfer.
2. Compliance with the Kenyan Data Protection Act (DPA)
Under the Kenyan Data Protection Act (DPA), Sabasi ensures that any cross-border data transfers meet the requirements for safeguarding personal information. We use contractual clauses or obtain consent from data subjects when required, and we ensure that the third country where the data is being transferred has adequate data protection measures in place.
Where data is transferred from Kenya to other countries, Sabasi takes reasonable steps to ensure that the data is treated in a manner consistent with Kenyan data protection principles, including:
- Obtaining consent: In cases where required by the Kenyan DPA, we seek explicit consent from data subjects before transferring their personal information outside of Kenya.
- Ensuring protection: We work with partners and service providers that have adequate data protection measures in place and, where applicable, enter into contractual agreements to safeguard data during transfers.
3. Data Transfers to Third-Party Service Providers
Sabasi works with third-party service providers, including cloud hosting providers and data processors, who may be located in other countries. When working with such providers, we ensure that:
- The service provider is compliant with relevant data protection laws and has appropriate security and privacy practices in place.
- Data transfer agreements are signed to ensure that the third-party service provider is bound by the same data protection obligations as Sabasi.
4. User Consent for Data Transfers
In cases where the law requires consent for international data transfers (such as under the Kenyan DPA), we will obtain your explicit consent before transferring your personal information outside your home country. You have the right to withdraw your consent for these transfers at any time by contacting us at help@sabasi.mobi.
5. Ongoing Review of Safeguards
We regularly review and update the safeguards we use for international data transfers to ensure compliance with evolving legal standards and technological advancements. Sabasi is committed to maintaining the highest standards of data protection and ensuring that your personal data is secure, regardless of where it is processed.
If you have any questions or concerns about international data transfers or the safeguards we use, you can contact us at help@sabasi.mobi.
7. Legal Jurisdictions and Local Compliance
Sabasi is based in Kenya and complies with the Kenyan Data Protection Act (DPA) and other applicable privacy laws in the jurisdictions where our platform is used. We are committed to safeguarding the personal data of our users in accordance with these legal requirements.
1. Compliance with the Kenyan Data Protection Act (DPA)
Sabasi adheres to the principles and obligations outlined in the Kenyan Data Protection Act (DPA), which governs the collection, processing, and storage of personal data in Kenya. The DPA ensures that personal data is processed lawfully, fairly, and transparently. Sabasi complies with the following key provisions of the DPA:
- Data Minimization: We only collect personal data that is necessary for the purposes for which it is processed.
- Lawful Processing: All data processing activities are carried out with a legal basis, such as user consent, performance of a contract, or compliance with legal obligations.
- Data Subject Rights: Kenyan users have the right to access, correct, or delete their personal data, as well as the right to object to processing and request data portability. These rights are respected and enforced in accordance with the DPA.
- Cross-Border Data Transfers: When transferring data outside Kenya, we ensure that adequate safeguards, such as Standard Contractual Clauses (SCCs) or Data Protection Agreements (DPAs), are in place to protect the data in accordance with the DPA.
2. Compliance with GDPR (for EU users)
For users in the European Union (EU), Sabasi complies with the General Data Protection Regulation (GDPR). This includes:
- Obtaining consent before processing personal data,
- Allowing users to exercise their data rights, such as the right to access, rectify, or delete their data, and the right to data portability,
- Appointing a Data Protection Officer (DPO), where required, to oversee compliance with GDPR obligations.
3. Compliance with Other Local Privacy Laws
In addition to the Kenyan DPA and GDPR, Sabasi is committed to complying with local privacy laws in the other jurisdictions where our platform is used. We review and update our practices regularly to ensure compliance with relevant privacy regulations in the regions where our users are located.
4. User Rights Under Local Privacy Laws
Users in Kenya and other jurisdictions where Sabasi operates have the following rights under applicable privacy laws:
- Right to Access: You can request access to the personal data we hold about you.
- Right to Correction: You can ask us to correct or update your personal data if it is inaccurate or incomplete.
- Right to Deletion: You can request that your personal data be deleted, subject to legal requirements for retention.
- Right to Object: You have the right to object to the processing of your personal data in certain circumstances, such as for direct marketing.
- Right to Data Portability: You can request that we transfer your personal data to another service provider, where feasible.
These rights may vary depending on the specific legal framework that applies to your jurisdiction. If you have questions about your rights or how we comply with local privacy laws, please contact us at help@sabasi.mobi.
5. Legal Recourse
If you believe that Sabasi has violated your privacy rights under the Kenyan DPA, GDPR, or other applicable laws, you may file a complaint with the appropriate regulatory authority. We encourage you to contact us first so that we can resolve any concerns before escalating to regulatory bodies.
8. We Do Not Track
Sabasi does not track its users or engage in targeted advertising based on user behavior. We do not collect personal data for tracking purposes, nor do we use tracking mechanisms like cookies to follow users across different websites or online services.
Additionally, we do not respond to Do Not Track (DNT) signals or similar mechanisms that allow users to express preferences regarding the collection of their information over time and across third-party websites or online services.
If you have any questions about our privacy practices or how we handle your data, please contact us at help@sabasi.mobi.
9. Information Security
At Sabasi, we take data security seriously and are committed to protecting your personal information from threats. We constantly monitor and work to improve our security framework to meet industry standards and safeguard the data you entrust to us.
Our approach to data security is based on three key principles: confidentiality, integrity, and availability. We employ administrative, organizational, physical, and technical measures to protect your information both in transit and at rest.
Confidentiality
- Physical Access Control: Our servers are hosted in the AWS cloud using secure facilities. Physical access to these data centers is restricted to authorized personnel only, and access is controlled using biometric authentication, keycards, video surveillance, and other security measures provided by the AWS cloud service provider.
- Electronic Access Control: All user accounts on the Sabasi platform are protected by password authentication. We encourage users to create strong passwords by providing feedback on password complexity. All user passwords are encrypted before storage using modern cryptographic standards. Plaintext passwords are never stored.
- Data Encryption:
  - At Rest: All data stored on our servers, including survey responses and personal information, is encrypted at rest using disk-level encryption.
  - In Transit: Data transmitted between your device and our servers is encrypted using modern encryption protocols such as SHA-256 with RSA encryption to ensure that your data remains secure while being transmitted.
- Internal Access Control: Only authorized system administrators have access to our servers for maintenance purposes. We enforce strict internal policies, including the use of two-factor authentication and SSH key authentication, to prevent unauthorized access to the server environment.
Integrity
- Data Transfer Control: We ensure that all data sent to and from our servers is encrypted to protect it from unauthorized access or interception during transmission. Data in transit is protected using strong encryption methods.
- Data Entry Control: Sabasi provides users with control over who can access and submit data on the platform. Permissions can be set to ensure that only authorized users can enter or modify data.
- Monitoring: We log access events and user activities for security purposes. Our system administrators regularly review logs to identify any unauthorized access or suspicious activity.
Availability and Resilience
- Data Backups: Sabasi performs regular backups of all user data to a remote, secure location. In the event of an unexpected outage, we are able to restore user data from the most recent backup to ensure minimal data loss and service disruption.
- System Redundancy: Our infrastructure is designed to be resilient, with multiple servers running concurrently to handle user traffic and ensure continuous operation. In the event of localized failures, our system automatically shifts the load to other instances to prevent downtime.
- Firewalls and Access Restrictions: Firewalls are configured to block unauthorized access to our servers, limiting external connections to only those required for operational purposes. Public traffic is routed through secure load balancers before reaching our internal servers.
- Emergency Response: Our system administrators are available to respond to critical issues around the clock. We have contingency plans in place to ensure that service is restored quickly in the event of a failure, with staff members distributed across multiple geographic locations for redundancy.
Security is a top priority at Sabasi, and we are committed to maintaining the highest standards for data protection. Our infrastructure and processes are continuously updated to adapt to new security challenges and industry best practices. If you have any questions about our security measures, feel free to contact us at help@sabasi.mobi.
10. Data Retention
At Sabasi, we retain personal information only for as long as is necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. This section outlines how long we retain different types of data and under what conditions data is deleted.
a) Account Information
Users have the ability to delete their own account directly from the Sabasi platform. When you delete your account, all personal information associated with the account, including your name, email address, and any other contact details, will be permanently deleted from our systems. Additionally, all surveys, responses, and any data you have created or submitted through the platform will be irreversibly deleted.
Once an account is deleted by the user, we will not retain any of the associated data, and it cannot be recovered. However, it may take up to 30 days for the deletion to be fully processed across all systems, including backups.
For inactive accounts:
- Accounts with no surveys or responses will be automatically deleted after 60 days of inactivity. All associated personal information will be permanently removed.
- Accounts with surveys or responses will be retained for one year after the last interaction. After this period, the account and all associated data will be permanently deleted unless legal obligations require us to retain it for a longer duration.
If your account is deleted automatically due to inactivity, all personal data and survey responses will be lost and cannot be recovered.
b) Survey Responses
Survey Data (Survey Owners): Survey responses and data collected via the Sabasi platform are controlled by the Survey Owner. Sabasi retains the data on behalf of the Survey Owner for as long as instructed by the Owner. Survey Owners are responsible for setting retention and deletion policies for the survey data they collect, in compliance with relevant data protection regulations. Once a Survey Owner requests deletion or after the survey has been fulfilled, Sabasi will delete the data promptly.
Survey participants should contact the Survey Owner directly for inquiries about the retention and deletion of their survey responses.
c) Communication Records
Support and Communication Records: Communications between you and Sabasi’s support team (such as emails or messages) are retained for up to two years after the issue is resolved. This retention period allows us to maintain a history of support interactions for troubleshooting and improving service quality. These records will be deleted after two years unless further retention is required by law.
d) Backups and Recovery
Sabasi performs regular backups of all user data, including survey responses and personal information, to a secure, remote location. Backups are kept for a rolling period of 90 days. In the event of data loss or system failure, we use these backups to restore user data to the most recent available state. Once data is deleted from our systems, it may remain in backups for up to 90 days before being fully purged.
e) Logs and Monitoring Data
For security and operational purposes, we retain system logs and monitoring data, such as server access records, for a period of up to 12 months. This information is used to detect, investigate, and prevent unauthorized access, breaches, and other security incidents. Logs may also be retained for compliance purposes, depending on regulatory requirements.
f) Legal Obligations
In some cases, we may be required to retain certain personal data for extended periods to comply with legal, tax, or regulatory obligations. For example, financial records or records related to legal disputes may need to be retained for a minimum of seven years under applicable laws.
g) Deletion and Anonymization
Once the retention period expires, or the data is no longer needed for its original purpose, we will securely delete or anonymize the data. Anonymization involves removing personal identifiers so that the data can no longer be linked to an individual. This allows us to use aggregated, non-personal data for statistical analysis, research, or platform improvement without compromising user privacy.
h) User-Initiated Deletion Requests
You have the right to request the deletion of your personal information at any time. To initiate a deletion request, please contact us at help@sabasi.mobi. We will process your request within 30 days, unless specific circumstances require us to retain the data (e.g., legal or regulatory obligations). Once your request is processed, we will securely delete or anonymize your personal data.
i) Data Retention for EU/EEA Users
If you are located in the European Union (EU) or European Economic Area (EEA), we will retain your personal data in compliance with the General Data Protection Regulation (GDPR). You have the right to request that we erase your data at any time, subject to any legal obligations we may have to retain it. We will provide a clear explanation of any such obligations if they apply to your request.
j) Survey Owner Responsibilities for Data Retention
Survey Owners are responsible for managing the retention and deletion of the survey data they collect. Sabasi provides the platform to store and process this data, but Survey Owners must:
- Define data retention periods for the surveys they create, ensuring that personal data is only retained for as long as necessary.
- Comply with data protection laws, such as the GDPR and Kenyan Data Protection Act, regarding the retention and deletion of personal data.
- Request data deletion from Sabasi when survey data is no longer needed or if a participant requests deletion of their personal data.
Survey Owners must also inform survey participants of their data retention policies through their own privacy policies.
k) Consistency in Retention Periods
The retention periods outlined above are designed to ensure consistency and compliance with applicable data protection regulations. Any variations in retention times are based on the nature of the data and the operational needs of Sabasi and Survey Owners. If you have any questions regarding data retention, please contact us at help@sabasi.mobi.
11. Role of Sabasi as Data Processor and Data Controller
Sabasi operates under two distinct roles depending on how data is collected and processed: data processor and data controller. This section outlines the responsibilities and obligations associated with each role, in compliance with international data protection regulations such as the General Data Protection Regulation (GDPR).
Sabasi as a Data Processor
When Sabasi processes data on behalf of an organization or individual (the “Survey Owner”) that is collecting information through our platform, Sabasi acts as a data processor. In this role, Sabasi only processes personal data according to the instructions and purposes defined by the Survey Owner. We do not control the data or determine how it is used; this is the responsibility of the Survey Owner, who acts as the data controller in this case.
Key Responsibilities as a Data Processor:
- Following Instructions: We process data strictly as directed by the Survey Owner. This includes collecting, storing, and transmitting survey responses as specified by the controller.
- Security and Confidentiality: We are responsible for implementing adequate security measures to protect the data we process. This includes encryption, access control, and secure storage, as outlined in our security policies.
- Non-Disclosure: We do not access or use the data for any purposes other than those specified by the Survey Owner. We only disclose data to third parties if directed by the Survey Owner or if required by law.
- Compliance with GDPR: If the Survey Owner is subject to the GDPR, we ensure that our data processing activities comply with the regulations. This includes signing Data Processing Agreements (DPA) with Survey Owners when required, to formalize our role as a data processor.
Example: If a non-profit organization creates a survey using the Sabasi platform, and participants provide their personal data through the survey, Sabasi acts as the data processor. The non-profit organization is the data controller and is responsible for determining how the data is used.
Sabasi as a Data Controller
In cases where Sabasi collects and processes personal data directly from users (e.g., for account registration, account management, or communication), Sabasi acts as a data controller. In this role, Sabasi determines the purpose and means of processing personal data and is responsible for ensuring compliance with applicable data protection laws.
Key Responsibilities as a Data Controller:
- Purpose of Data Collection: Sabasi determines why and how personal data is collected from users when they create accounts, interact with the platform, or use our services.
- Transparency and Consent: We inform users about what data is collected, how it will be used, and their rights. We ensure that consent is obtained where required, such as for marketing communications or location-based services.
- Data Subject Rights: As the controller, Sabasi is responsible for allowing users to exercise their rights, including access to personal data, correction of inaccuracies, data deletion, and the ability to withdraw consent at any time.
- Accountability: Sabasi is accountable for the proper handling of personal data and ensuring compliance with privacy regulations, including responding to user requests regarding their personal data.
Example: When a user signs up for a Sabasi account to create and manage surveys, Sabasi collects personal information such as their name, email, and organization details. In this case, Sabasi is the data controller, responsible for managing this data in accordance with privacy regulations.
Transition Between Roles
In some cases, Sabasi may act as both a data controller and data processor at different stages of data processing. For example:
- Account Data: When a user signs up, we are the data controller for the account information.
- Survey Data: When the same user creates a survey, we act as the data processor for the participants’ data collected through the survey on behalf of the user (Survey Owner).
To ensure compliance, Sabasi implements strict internal controls and security measures to protect data in both roles, adhering to industry standards and legal requirements.
Contacting Sabasi About Our Roles
If you have any questions about how Sabasi acts as a data processor or data controller, or if you need clarification on your rights under data protection laws, you can contact us at help@sabasi.mobi.
We are committed to ensuring transparency and compliance with all applicable data protection laws and providing users with the information they need to understand their rights and how their data is managed.
12. User Rights and Data Requests
Sabasi is committed to respecting the rights of both registered users and survey participants regarding their personal information. However, it is important to clarify the different roles Sabasi plays and the corresponding rights available to each group.
Rights of Registered Users
As a registered user of the Sabasi platform (such as survey creators or administrators), you are entitled to exercise the following rights regarding the personal information you provide when creating and managing your account:
- Right to Access: You have the right to request a copy of the personal information we hold about you. You can contact us at help@sabasi.mobi to obtain a summary of your personal data.
- Right to Rectification: You can request corrections to any inaccuracies in your personal data or update your information directly through your account settings.
- Right to Deletion (Right to be Forgotten): You may request that we delete your personal data, including your account information, surveys, and responses, unless we are required to retain it for legal or regulatory reasons.
- Right to Data Portability: You can request that your personal data be provided in a machine-readable format for transfer to another service provider.
- Right to Restrict Processing: You may request that we limit the processing of your personal data in certain circumstances, such as while we are correcting or verifying information.
- Right to Withdraw Consent: Where we rely on your consent to process personal data (e.g., for marketing purposes), you can withdraw that consent at any time.
- Right to Object: You have the right to object to certain types of data processing, such as direct marketing or profiling.
To exercise any of these rights, please contact us at help@sabasi.mobi. We will respond to your request within 30 days, unless there are legal grounds for extending this period.
Rights of Survey Participants
If you are a survey participant providing data through the Sabasi platform, please note that Sabasi processes your data on behalf of the Survey Owner (the organization or individual who created the survey). In this case, the Survey Owner is the data controller responsible for managing your data and determining how it is used. As such, Sabasi is unable to directly fulfill requests related to your data rights.
If you are a survey participant and wish to:
- Access, correct, or delete your data,
- Withdraw consent for data processing,
- Object to the processing of your data,
you must contact the Survey Owner directly. They are responsible for handling such requests in accordance with their own privacy policies and applicable data protection laws. Sabasi does not have the authority to grant or deny access to your personal data submitted through surveys.
Clarification on Data Requests
Sabasi cannot independently modify or delete survey responses collected on behalf of a Survey Owner. However, we work closely with Survey Owners to ensure that they can manage your data requests effectively.
If you have difficulty contacting the Survey Owner or need assistance with your request, you may reach out to Sabasi’s support team at help@sabasi.mobi, and we will attempt to facilitate communication with the Survey Owner.
13. Data Sharing with Survey Owners
When you participate in a survey using the Sabasi platform, your personal data and survey responses are shared with the Survey Owner (the organization or individual who created the survey). Sabasi acts as a data processor in these situations, processing the data on behalf of the Survey Owner, who is the data controller. It is important to understand the following:
1. Responsibilities of Survey Owners
Survey Owners are solely responsible for determining how the data they collect through Sabasi is processed, used, and stored. This includes complying with all applicable data protection laws, such as the General Data Protection Regulation (GDPR) or other local regulations. Survey Owners are required to:
- Provide their own Privacy Policy: Survey Owners must inform survey participants about how their data will be used, processed, and stored through their own privacy policies. This should include details about the purpose of data collection, retention periods, and how participants can exercise their rights.
- Obtain consent: Survey Owners must ensure that they have obtained valid consent from survey participants, where required, before collecting any personal or sensitive data.
- Ensure data security: Survey Owners are responsible for implementing appropriate security measures to protect the personal data they collect, including encryption, access control, and secure storage. They must ensure that the data is handled in accordance with the relevant legal standards.
2. Sabasi’s Role
Sabasi provides the platform and tools for Survey Owners to collect data, but we do not control how Survey Owners use or process the data once it is collected. As a data processor, we follow the instructions of the Survey Owner and are not involved in the decisions regarding the purpose of data collection or how the data is managed.
- No liability for misuse: Sabasi is not liable for any misuse, unauthorized access, or breach of personal data that occurs due to the actions or negligence of the Survey Owner. It is the responsibility of the Survey Owner to ensure that their use of the data complies with legal requirements.
- Compliance with legal requests: If Sabasi receives a legal request related to the data we process on behalf of a Survey Owner (e.g., from law enforcement or regulatory authorities), we will notify the Survey Owner, unless prohibited by law, and will follow the legal processes required to handle such requests.
3. Requiring Compliance from Survey Owners
To use the Sabasi platform, Survey Owners must agree to:
- Comply with all applicable data protection laws in the jurisdictions where they operate, including ensuring that they have the legal basis to collect, process, and store personal data.
- Protect the rights of survey participants, including providing a mechanism for participants to exercise their rights (e.g., access, correction, deletion) as required by law.
- Handle sensitive data with care: If Survey Owners are collecting sensitive personal data (such as health information, ethnicity, or other protected categories), they must comply with the additional legal protections required for such data.
Survey participants should review the Privacy Policy of the Survey Owner to understand how their data will be used and managed. If you have any concerns about how a Survey Owner is handling your data, please contact them directly. Sabasi is not responsible for the data management practices of the Survey Owner.
4. Assisting with Data Requests
While Sabasi does not control the data collected through surveys, we work with Survey Owners to ensure that they can manage data requests effectively. If you, as a survey participant, wish to exercise your data rights (such as requesting access or deletion of your data), you must contact the Survey Owner. If you experience difficulties reaching the Survey Owner, you can contact Sabasi at help@sabasi.mobi, and we will facilitate communication with the Survey Owner.
Data Breach Notification
Sabasi takes the security of your personal data seriously and has implemented measures to detect, prevent, and respond to data breaches. In the event of a data breach that compromises your personal data, we will take swift action to mitigate the impact and ensure compliance with legal requirements for data breach notifications.
1. Internal Response to Data Breaches
Upon detecting a potential data breach, Sabasi will:
- Assess the breach to determine the nature, extent, and severity of the compromised data.
- Contain and mitigate the breach to prevent further exposure of personal data.
- Conduct a thorough investigation to understand the cause of the breach and implement corrective measures to prevent future incidents.
2. Notification to Users
If a data breach involves personal data that poses a risk to your rights and freedoms, Sabasi will notify affected users without undue delay. This notification will include:
- A description of the nature of the breach, including the types of data involved.
- The potential consequences of the breach for affected users.
- The steps Sabasi has taken or is taking to address the breach and mitigate its impact.
- Recommendations for affected users to protect themselves (e.g., changing passwords or monitoring accounts).
- Contact information for further inquiries about the breach.
In compliance with the General Data Protection Regulation (GDPR), Sabasi will notify affected users within 72 hours of becoming aware of the breach, unless it can be demonstrated that the breach is unlikely to result in a risk to the rights and freedoms of individuals.
3. Notification to Authorities
In the event of a data breach, Sabasi will notify the appropriate data protection authorities, such as the Office of the Data Protection Commissioner in Kenya or the relevant supervisory authority in the European Union, if the breach involves personal data subject to the GDPR. This notification will be made within 72 hours of discovering the breach, as required by law.
4. Third-Party Data Breach Notifications
If the data breach involves third-party service providers (e.g., cloud hosting providers) that Sabasi works with, we will coordinate with these providers to ensure a unified and timely response. Sabasi will ensure that users are notified promptly and that the breach is fully investigated and resolved in collaboration with the third-party provider.
5. Preventative Measures
Sabasi has implemented several security measures to prevent data breaches, including:
- Encryption of personal data both at rest and in transit to protect against unauthorized access.
- Access controls to ensure that only authorized personnel can access sensitive data.
- Regular security audits and vulnerability assessments to identify and address potential risks.
While Sabasi works diligently to prevent data breaches, we recognize that breaches may still occur, and we are prepared to respond promptly and transparently to protect the rights of our users.
If you have any questions or concerns about our data breach response plan, please contact us at help@sabasi.mobi.
14. Data Anonymisation and Aggregation
Sabasi may anonymise and aggregate personal data for purposes such as statistical analysis, research, or platform improvement. The anonymisation process ensures that personal data is stripped of all identifying information, making it impossible to link the anonymised data back to any individual. Sabasi is committed to ensuring that the anonymisation process complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Anonymisation Process
The anonymisation process involves the following steps to ensure that individuals cannot be re-identified:
- Removal of Direct Identifiers: All personal identifiers, such as names, email addresses, and other direct identifiers, are removed from the dataset.
- Pseudonymisation: In cases where data must be processed for further analysis before full anonymisation, Sabasi may use pseudonymisation techniques. Pseudonymised data replaces identifying information with pseudonyms, but can still be re-linked to the individual under certain conditions. However, full anonymisation will be applied before any data is used for external purposes.
- Aggregation: Data is aggregated so that it can only be analyzed at a collective level, ensuring that individual contributions cannot be singled out or re-identified.
- Additional Safeguards: Sabasi uses additional safeguards, such as data minimisation and randomisation techniques, to ensure that any patterns or combinations in the data do not allow for re-identification.
2. Compliance with GDPR Standards
The GDPR requires that anonymised data be processed in a way that makes it impossible to re-identify individuals. Sabasi complies with this requirement by:
- Irreversible Anonymisation: Once data has been anonymised, it is not possible to reverse the process or re-identify the individuals whose data was collected.
- Processing of Anonymised Data: Anonymised data is no longer considered personal data under the GDPR. As such, it is not subject to the same restrictions on data processing. However, Sabasi ensures that anonymised data is handled responsibly and used strictly for legitimate purposes, such as statistical analysis and research.
3. Use of Anonymised Data
Anonymised data may be used for:
- Statistical Analysis: Aggregated, anonymised data can be analyzed to gain insights into trends and patterns, without compromising the privacy of individuals.
- Research and Development: Anonymised data helps Sabasi improve its platform and services by identifying usage patterns and areas for improvement.
- Reporting and Publication: Sabasi may publish reports or share anonymised data with third parties for research or business purposes, provided that the data cannot be linked back to any individual.
4. Limitations of Anonymisation
While Sabasi takes all necessary steps to ensure full anonymisation, it is important to note that:
- Re-identification Risk: In some rare cases, even anonymised data may present a risk of re-identification when combined with other external datasets. Sabasi takes every precaution to minimise this risk, including applying robust anonymisation techniques and carefully selecting the datasets used for analysis.
- Data Minimisation: To further reduce the risk of re-identification, Sabasi ensures that only the minimum amount of data necessary for the intended purpose is collected and processed.
5. Your Rights Regarding Anonymised Data
Since anonymised data is no longer considered personal data under the GDPR, it is not subject to the same rights (such as access, correction, or deletion) as identifiable data. However, if you have any concerns about the anonymisation of your data, you may contact Sabasi at help@sabasi.mobi, and we will address your concerns to the best of our ability.
15. Changes to This Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. It is important that you review this Privacy Notice periodically to stay informed about how we are protecting your personal information.
a) Notification of Changes
When we make significant changes to this Privacy Notice, we will notify you in a clear and timely manner. Notifications may be sent via:
- Email: We will send a notification to the email address associated with your account, detailing the changes.
- In-App Notification: You will see a prominent notification within the Sabasi platform, which will direct you to the updated Privacy Notice.
- Website Update: We will post the updated Privacy Notice on our website at sabasi.mobi, and update the “Effective Date” at the top of the page to reflect when the changes go into effect.
b) Review Period
For major changes that impact how we handle your personal information, we will provide a review period of at least 30 days before the changes take effect. During this period, you will have the opportunity to review the changes and decide whether you agree to the new terms. If you do not agree, you can choose to discontinue using the Sabasi platform and delete your account.
c) Minor Changes
For minor updates, such as clarifications or improvements that do not significantly affect your rights or obligations, the changes will take effect immediately upon posting. We encourage you to regularly review the Privacy Notice for any updates.
d) Continued Use After Changes
Your continued use of the Sabasi platform after any changes to this Privacy Notice constitutes your acceptance of those changes. If you disagree with any changes, you must stop using the platform and may request to delete your account as described in the Account Information section.
e) Historical Versions
To maintain transparency, we will archive previous versions of this Privacy Notice and make them available upon request. You can contact us at help@sabasi.mobi to request a copy of an earlier version of this Privacy Notice.
f) User Responsibility
We strongly encourage you to keep your contact information, including your email address, up to date to ensure you receive any notices regarding updates to this Privacy Notice. It is your responsibility to review any changes that we communicate to you.
16. How to Contact Sabasi
If you have any questions, concerns, or requests regarding this Privacy Notice, or if you need assistance with your account or the services provided by Sabasi, you can contact us through the following methods:
a) By Email
For general inquiries, account issues, or requests related to your personal information, you can reach our support team at:
- Email: help@sabasi.mobi
We aim to respond to all inquiries within 48 hours. For more complex requests, such as data deletion or access requests, we will provide an update within 7 business days and complete the request within 30 days, as required by applicable data protection laws.
b) By Postal Mail
If you prefer to contact us by postal mail, you can send written correspondence to our office at the following address:
- Sabasi Team (Open Institute)
9 Riverside Drive,
Nairobi, Kenya
Please include detailed information about your inquiry or request in your letter so we can assist you as efficiently as possible. Note that responses to postal mail inquiries may take longer.
c) In-App Support
You can contact our support team directly through the Sabasi platform by using the in-app support feature powered by Smartsupp. Simply navigate to the Support section of the platform, where you can:
- Submit a support ticket,
- Chat with a live agent (when available), or
- Access our knowledge base for immediate answers to common questions.
For in-app support, we typically respond within 24 hours for standard inquiries, and within 1-3 business days for more detailed or complex requests.
d) Social Media
You can also follow and reach out to Sabasi via our official social media accounts. While these channels are primarily for updates and community interaction, we monitor them regularly for any inquiries and will direct you to the appropriate support channels.
- Twitter: https://x.com/open_institute
- LinkedIn: https://www.linkedin.com/company/2865525/admin/dashboard/
- Facebook: https://web.facebook.com/TheOpenInstitute?_rdc=1&_rdr
For privacy-related inquiries, we recommend using email or in-app support to ensure your request is handled in compliance with privacy laws.
e) For Data Protection Inquiries
If you have questions specifically regarding data protection, including GDPR compliance, data access, deletion requests, or security concerns, please include “Data Protection Inquiry” in the subject line of your email to ensure your request is directed to the appropriate team:
- Data Protection Officer: hello@openinstitute.com
We take privacy and data security seriously, and our team will handle your inquiry in accordance with applicable data protection regulations.
f) Escalation and Complaints
If you feel that your privacy rights have not been adequately addressed by our support team or you have a complaint regarding how we handle your personal information, you can escalate your concern by emailing us at help@sabasi.mobi. We will investigate your complaint and respond within 14 days.
For further escalation, you may have the right to lodge a complaint with a data protection authority or regulatory body in your jurisdiction. We encourage you to contact us first so that we can resolve the issue promptly.