1. Introduction and Scope
VeriVote is an independent candidate intelligence platform built to empower Kenyan voters with objective, data-driven information about political candidates. This Data Security and Privacy Policy governs how VeriVote collects, processes, stores, protects, and deletes the personal data of every person who interacts with the platform.
This policy applies to:
- Voters and members of the public who use the VeriVote platform
- Candidates and their representatives who submit profiles or evidence
- VeriVote staff, analysts, and system administrators
- Third-party service providers and data processors engaged by VeriVote
- Developers building or maintaining the VeriVote platform
This policy does not apply to external websites linked from VeriVote. VeriVote is not responsible for the data practices of third-party sites.
1.1 What VeriVote is — and what it is not
VeriVote does not facilitate voting, voter registration, or any formal electoral transaction. It collects only the minimum data required to provide candidate intelligence to voters and to operate the platform securely. This distinction limits the sensitivity profile of most data the platform holds.
However, the platform does process voter account credentials, candidate personal records (which include sensitive constitutional compliance information), and evidence submitted by candidates in challenge processes. These categories are treated with the highest level of protection available under this policy.
2. Data Controller and Contact
| Role / Field |
Detail |
| Data Controller | AHV Initiative (VeriVote) |
| Registered Address | Nairobi, Kenya |
| Data Protection Officer | Wesley Ochieng — wesleyochieng95@gmail.com |
| Data Privacy Contact | privacy@verivote.co.ke |
| Supervisory Authority | Office of the Data Protection Commissioner (ODPC), Kenya |
| ODPC Contact | odpc.go.ke · info@odpc.go.ke · +254 (0) 20 2628 640 |
Legal obligation
Under Section 24 of the Kenya Data Protection Act 2019, VeriVote is required to register as a data controller with the Office of the Data Protection Commissioner before processing any personal data. This registration must be completed before the platform goes live.
3. What Data We Collect and Why
We collect only the data that is necessary for the stated purpose. The principle of data minimisation applies throughout the platform.
3.1 Voter / Public User Account Data
| Data Element |
Purpose |
Legal Basis (DPA 2019) |
| Email address |
Account creation, login, password reset |
Consent (s.30(a)) |
| Password (hashed, never plaintext) |
Authentication |
Legitimate interest (s.30(f)) |
| Name (optional) |
Personalisation |
Consent (s.30(a)) |
| Device / browser type |
Security and fraud detection |
Legitimate interest (s.30(f)) |
| IP address (anonymised after 30 days) |
Abuse prevention, rate limiting |
Legitimate interest (s.30(f)) |
| Session tokens |
Maintaining logged-in state |
Legitimate interest (s.30(f)) |
| Bookmarked candidates (if feature enabled) |
User preference |
Consent (s.30(a)) |
| Report Data submissions (if made) |
Platform integrity |
Legitimate interest (s.30(f)) |
3.2 Candidate Data
| Data Element |
Purpose |
Legal Basis (DPA 2019) |
| Full name, photo, constituency |
Candidate profile display |
Legitimate / public interest (s.30(f),(g)) |
| 80-indicator evaluation scores |
Core platform functionality |
Public interest (s.30(g)) |
| Constitutional compliance records |
Scoring and transparency |
Public interest (s.30(g)) |
| Evidence submitted in challenge process |
Candidate Response Protocol |
Consent (s.30(a)) at submission |
| EACC, court, audit records (publicly sourced) |
Indicator scoring |
Public interest (s.30(g)) |
| party_compliance_flag + source URL |
Party compliance notice display |
Public interest (s.30(g)) |
Important note on candidate data and public interest
Political candidates seeking public office hold positions of significant public trust. The Kenya Data Protection Act 2019 Section 30(g) permits processing of personal data where necessary for a public interest task. VeriVote's function of informing voters about candidates is grounded in this public interest basis. However, this does not permit unlimited processing — we apply the same minimisation, accuracy, and security standards to candidate data as to all other data.
3.3 Data We Do NOT Collect
VeriVote does not collect and will never collect:
- How any individual voter intends to vote or has voted
- Ethnic, racial, religious, or political opinion data from voters
- Biometric data
- Financial payment information (if any paid tier is introduced, payment is processed by a third-party PCI-DSS compliant processor — VeriVote does not hold card data)
- Location tracking or GPS data
- Contact lists, social graphs, or data from any third-party apps
Why this matters for VeriVote specifically
Voter profiling by political platforms has caused significant democratic harm globally. VeriVote's mission is to inform voters, not to profile them. The restrictions above are structural safeguards against the platform being used — or compromised into being used — for voter targeting.
4. How We Protect Personal Data
VeriVote applies a layered security architecture covering both organisational controls and technical measures across authentication, encryption, and infrastructure.
4.1 Authentication and Access Control
| Control |
Specification |
| Password storage |
Passwords hashed using bcrypt (cost factor ≥12) or Argon2id. Plaintext passwords are never stored, logged, or transmitted. |
| Password complexity |
Minimum 10 characters including uppercase, lowercase, and at least one number or symbol. Enforced at both frontend and backend API layer. |
| Password reset |
Time-limited reset link sent via email, expires in 60 minutes. Tokens are single-use. |
| Session management |
Session tokens expire after 24 hours of inactivity. Tokens are invalidated on logout. Concurrent sessions limited to 5 per account. |
| Brute force protection |
Login endpoint rate-limited to 10 attempts per 15 minutes per IP. After 5 consecutive failures, account is soft-locked for 30 minutes with email notification to the account owner. |
| Multi-factor authentication |
Strongly recommended. Architecture permits TOTP-based MFA to be added. |
| Role-based access control |
Three tiers: Public voter (read only), Authenticated candidate (read + submit evidence), Admin/analyst (full access). No privilege escalation without explicit admin approval. |
| Admin access |
All admin actions logged with timestamp, user ID, and action description. Admin credentials must use separate strong passwords not shared with personal accounts. |
4.2 Data Encryption
- All data in transit: TLS 1.2 minimum, TLS 1.3 preferred. HTTP connections redirected to HTTPS. HSTS header enforced.
- All data at rest: AES-256 encryption for the database and all backup storage.
- Candidate evidence files (submitted in challenge process): encrypted at rest in object storage. Access via pre-signed time-limited URLs only.
- Password reset tokens: stored as a SHA-256 hash. Plaintext tokens exist only in the email and in transit — never in the database.
- Backup encryption: all backups encrypted before transfer to off-site storage. Encryption keys stored separately from backup data.
4.3 Infrastructure Security
- Database: not exposed to public internet. Accessible only via application server or VPN.
- API endpoints: authenticated endpoints require valid session token. Unauthenticated requests return 401.
- Input validation: all user-supplied input sanitised at API layer. Parameterised queries mandatory (no raw SQL string concatenation).
- Dependency management: third-party packages audited quarterly. Known CVEs must be patched within 72 hours of disclosure.
- Penetration testing: annual external penetration test required before major releases. Findings must be documented and remediated.
- Secrets management: API keys, database credentials, and encryption keys stored in environment variables or a dedicated secrets manager — never in source code or version control.
5. Data Retention Policy
This section defines how long VeriVote retains each category of data and what happens when the retention period expires.
5.1 Retention Schedule
| Data Category |
Retention Period |
Trigger for Deletion |
Legal Basis |
| Voter account — active |
Indefinite while account active |
Account deletion request |
DPA s.40 |
| Voter account — inactive |
24 months from last login |
Automated job |
DPA s.40 |
| Session tokens |
24 hours from last activity |
Automated expiry |
Security |
| Password reset tokens (unused) |
60 minutes from creation |
Automated expiry |
Security |
| Password reset tokens (used) |
90 days from use |
Automated cleanup |
DPA s.40 / audit |
| Login / activity logs |
12 months rolling |
Automated rotation |
DPA s.40 / security |
| IP addresses (full) |
30 days |
Automated anonymisation |
DPA s.40 |
| IP addresses (anonymised) |
12 months |
Automated deletion |
DPA s.40 |
| Candidate profile data |
Electoral cycle + 5 years |
Manual review at cycle end |
Public interest / DPA s.30(g) |
| Candidate evaluation scores |
Electoral cycle + 5 years |
Manual review at cycle end |
Public interest / DPA s.30(g) |
| Candidate evidence submissions |
3 years from submission date |
Automated job |
DPA s.40 |
| public_log_entry (accepted challenge) |
Permanent (transparency record) |
Not deleted |
Public interest accountability |
| Cookie consent records |
5 years |
Automated cleanup at 5 years |
GDPR Art.7(1) / DPA s.30 |
| Staff access logs |
3 years |
Automated cleanup |
DPA s.40 / accountability |
| Report Data / voter flag submissions |
90 days from resolution |
Automated cleanup |
DPA s.40 |
| Exported user data packages |
72 hours from creation |
Auto-deleted from server |
Security / DPA s.40 |
5.2 Special Rule: Electoral Cycle Data
Candidate evaluation data occupies a special category. VeriVote retains candidate evaluation records for the duration of the electoral cycle they were produced for, plus five years. This allows voters to review historical candidate performance, enables accountability journalism, supports legal appeals processes, and permits academic analysis of electoral integrity over time.
At the end of the retention period, candidate data is anonymised (not deleted) unless the candidate makes a deletion request under Section 6.3. Anonymisation means all personally identifying fields are removed, leaving only aggregate statistical data with no link to the individual.
5.3 Special Rule: Permanent Transparency Records
When a candidate's evidence challenge is accepted and results in a score change, a public log entry is written to the candidate's permanent record. This record is not subject to deletion. It records that a score was changed, the date, and the reason — not the full content of the evidence. This permanence is a governance requirement of the Candidate Response Protocol v2.0. The DPA Section 30(g) public interest basis covers this retention.
6. Your Rights Under the Kenya Data Protection Act 2019
The Kenya Data Protection Act 2019 grants you the following rights. VeriVote is legally obligated to honour all of them.
6.1 Right of Access (DPA Section 26)
You have the right to know what personal data VeriVote holds about you and to receive a copy of it. This is fulfilled by the Data Export feature in Account Settings.
Response timeline: 21 days (DPA Section 26(3))
6.2 Right to Data Portability
Download your data from Account Settings → Privacy → "Download My Data". The export is a machine-readable JSON file, available within 1 hour, and auto-deleted from our servers after 72 hours.
Export includes: account information, bookmarked candidates, Report Data submissions, cookie consent record, and a full list of data categories held about you.
6.3 Right to Erasure (Right to be Forgotten)
Delete your account from Account Settings → "Delete My Account". Deletion is permanent and completed within 24 hours. Your email, name, and all personal identifiers are permanently deleted.
Special case: Candidate account deletion
If a candidate requests deletion, account credentials and personal contact information are deleted immediately. Evaluation scores and constitutional compliance data may be retained for the remainder of the electoral cycle retention period under DPA s.30(g). The candidate will be notified in writing of what is retained, why, and for how long, and may contest retained data through the Candidate Response Protocol.
6.4 Right to Rectification (DPA Section 27)
Request correction of inaccurate personal data. For voters: handled via Account Settings (name, email). For candidates: handled via the Candidate Response Protocol v2.0 (evidence challenge process). VeriVote must respond within 21 days.
6.5 Right to Object (DPA Section 29)
You may object to processing of your personal data where that processing is based on legitimate interest. On receipt of a valid objection, VeriVote must cease processing unless it can demonstrate compelling legitimate grounds that override your interests.
6.6 How to Exercise Your Rights
| Channel |
Details |
| Email | privacy@verivote.co.ke — subject line: "Data Subject Request" |
| In-app | Account Settings → Privacy → "Manage My Data" (export and deletion) |
| Response time | 21 days from receipt. Complex requests: up to 42 days with notification. |
| Identity verification | VeriVote may ask you to verify your identity. We will ask for the minimum information necessary. |
| No charge | All data subject rights requests are fulfilled at no cost to you. |
| Escalation | If your request is not fulfilled within 42 days, lodge a complaint with the ODPC: odpc.go.ke |
7. Cookie Policy and Consent Mechanism
7.1 Cookies VeriVote Uses
| Cookie Name |
Type |
Duration |
Purpose |
| vv_session |
Strictly necessary |
Session (browser close) |
Maintains the user's authenticated session. Required for logged-in features. |
| vv_csrf |
Strictly necessary |
Session |
CSRF protection token. Required for all form submissions. |
| vv_consent |
Strictly necessary |
5 years |
Records the user's cookie consent choice. Required to prevent repeated consent prompts. |
| vv_prefs |
Functional |
1 year |
Stores user display preferences (e.g., dark mode). Only set if user is logged in. |
| _ga, _gid |
Analytics (optional) |
2 years / 24 hours |
Google Analytics — aggregate usage statistics. Only set if user consents. Can be declined. |
| _fbp |
Marketing (not used) |
N/A |
VeriVote does not use Facebook Pixel or any marketing/tracking cookies. |
7.2 Cookie Consent
A cookie consent banner appears on your very first visit to any VeriVote page before any non-essential cookies are set. The banner contains a plain-language explanation, an "Accept All" button, a "Reject Non-Essential" button (equally prominent — not greyed out or harder to reach than Accept), a "Manage Preferences" option, and a link to this Privacy Policy.
Strictly necessary cookies (vv_session, vv_csrf) are set without consent as they are technically required. Analytics cookies are never loaded unless you actively accept them. You can change your cookie preferences at any time via Account Settings → Privacy → Cookie Preferences.
8. Data Sharing and Third Parties
VeriVote does not sell, rent, or trade personal data. We do not share personal data with political parties, campaigns, candidates (other than a candidate's own data), government agencies, or commercial advertisers.
8.1 Third-Party Processors
VeriVote may share data with third-party service providers who process data on our behalf. All third-party processors must sign a Data Processing Agreement (DPA) with VeriVote before receiving any data, process data only for the purpose VeriVote specifies, apply equivalent security standards, and delete or return all data upon termination of the engagement.
| Processor Category |
Examples |
Data Shared |
| Cloud hosting |
AWS, GCP, Azure, Hetzner |
All platform data — server infrastructure only; processor has no right to access content |
| Email delivery |
SendGrid, AWS SES, Mailchimp Transactional |
Email address and content for transactional emails (password reset, notifications) |
| Analytics (optional, consent-gated) |
Google Analytics |
Anonymised usage statistics. No personal identifiers. Only active if user consented. |
| Object storage |
AWS S3, Cloudflare R2 |
Candidate evidence files (encrypted), user export packages (72-hour lifecycle) |
| Monitoring / alerting |
Datadog, Sentry |
Error logs and performance metrics (no personal data in logs) |
8.2 Legal Disclosure
VeriVote may disclose personal data to a government authority or law enforcement body only if required by applicable Kenyan law and only to the minimum extent required. We will notify affected users of any such disclosure if we are legally permitted to do so.
8.3 International Data Transfers
If cloud hosting services store data outside Kenya, VeriVote will ensure that appropriate safeguards are in place under DPA Section 48 (transfers to third countries). These safeguards include adequacy decisions or standard contractual clauses. Users will be informed of cross-border transfer arrangements in this policy.
9. Data Breach Response Plan
A data breach is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Under DPA 2019 Section 43, VeriVote must notify the ODPC of any breach within 72 hours of becoming aware of it.
| Window |
Owner |
Required Actions |
| 0–4 hours |
Engineer |
Identify scope. Contain the breach. Preserve evidence (do not delete logs). Notify CTO and Data Protection Officer immediately. |
| 4–24 hours |
DPO + CTO |
Assess severity. Determine which data categories are affected. Determine whether personal data is at risk. Begin drafting ODPC notification. |
| 24–72 hours |
DPO |
Submit notification to ODPC (odpc.go.ke) if personal data is at risk. Notification must include: nature of breach, categories of data affected, approximate number of users affected, likely consequences, and measures taken or proposed. |
| 72–120 hours |
DPO + Engineering |
Notify affected users if the breach poses a high risk to their rights and freedoms. Notification must be direct (email) and in plain language. |
| 5–14 days |
Engineering |
Implement full remediation. Document root cause. Update security controls. |
| 30 days |
Leadership |
Post-incident review. Policy and procedure updates if required. |
Security contact
Report security vulnerabilities to: security@verivote.co.ke
VeriVote will acknowledge receipt within 48 hours and commit to a remediation timeline within 7 days.
Do not publicly disclose a vulnerability before VeriVote has had 90 days to remediate it.
10. Children and Minors
VeriVote is intended for use by voters who are eligible to vote under Kenyan law (18 years and older). VeriVote does not knowingly collect personal data from persons under 18. If we become aware that a user under 18 has created an account, we will delete the account and all associated data within 14 days.
11. Policy Governance and Updates
| Item |
Detail |
| Policy owner | VeriVote Leadership Team |
| Review frequency | Reviewed and updated at least annually, or within 30 days of any material change to platform data practices. |
| Notification of changes | Material changes will be communicated to registered users by email at least 14 days before taking effect. |
| Minor changes | Non-material updates (e.g. formatting, contact details) may be made without prior notice. The version date at the top of this document will be updated. |
| Version history | All previous versions of this policy retained internally for 5 years. |
| Conflict with other docs | This policy takes precedence over any conflicting provisions in internal developer briefs or platform documentation regarding user data handling. |
12. Glossary
| Term |
Definition |
| Data controller |
The entity that determines how and why personal data is processed. VeriVote is the data controller for all user data on the platform. |
| Data processor |
A third party that processes data on behalf of the data controller. Cloud hosting, email delivery, and analytics providers are data processors. |
| Personal data |
Any information that can identify a living individual, directly or indirectly. Includes names, email addresses, IP addresses, and device identifiers. |
| DPA 2019 |
Kenya Data Protection Act 2019. The primary data protection law governing VeriVote's operations. |
| GDPR |
General Data Protection Regulation (EU). Applies to VeriVote when processing data of EU-resident users. |
| ODPC |
Office of the Data Protection Commissioner, Kenya. The supervisory authority that receives breach notifications and complaint escalations. |
| Data subject |
The individual whose personal data is being processed. In VeriVote's context, this means voters, candidates, and staff. |
| Processing |
Any operation performed on personal data — collection, storage, use, disclosure, deletion, or any other handling. |
| Data minimisation |
The principle that only the minimum data necessary for a specific purpose should be collected. |
| Retention period |
The defined maximum length of time for which a category of data is kept before it is deleted or anonymised. |
| Anonymisation |
The irreversible process of modifying data so it can no longer be linked to an individual. Anonymised data is no longer personal data. |
| Pseudonymisation |
Replacing direct identifiers with a reference code. The individual can still be re-identified with the right key. Pseudonymised data is still personal data. |
| Electoral cycle |
For Kenyan general elections: the five-year period between scheduled general elections. |
VeriVote: Verify Candidates. Vote Confidently.
Data Security & Privacy Policy v1.0 · March 2026 · Governing law: Kenya Data Protection Act 2019
privacy@verivote.co.ke