About This Policy
Kilimora Company Limited by Guarantee ("Kilimora", "we", "us", "our") is a social enterprise building research and product development solutions that use emerging technology to bridge the gap between youth and women-led SMEs and global climate finance. We are committed to protecting the privacy of every person whose data we collect and process.
This includes smallholder farmers enrolled on the AgriKonnekt platform, cooperative partners, institutional buyers, development finance institutions, research partners, donors, website visitors, and any other individual who interacts with our organisation.
This policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over your information. We process personal data in compliance with the Kenya Data Protection Act 2019 and, where applicable, international data protection standards including the General Data Protection Regulation.
Original Author: Strategic Operations and Product Lead · Relevant Teams: All Staff, Volunteers, Partners
Key Definitions
What We Collect and Why
Kilimora collects data strictly for defined operational purposes. The table below details each category of data, its purpose, legal basis, and retention period.
| Data Category | What It Includes | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Farmer & Cooperative | Identity, contact details, farm location, land use, payment information | Platform participation, practice verification, payments, market access | Consent | Participation period + 7 years |
| Environmental | Soil conditions, land use changes, biodiversity indicators, verification records | Environmental outcome measurement, reporting, climate finance participation | Consent | Up to 10 years (registry requirements) |
| Financial Transaction | Payment references, amounts, timestamps | Payment processing and financial accountability | Contractual necessity | Up to 7 years |
| Partner & Institutional | Organisation details, professional contacts | Partnership management, transactions, collaboration | Legitimate interest | Relationship duration + 3 years |
| Research | Collaborator identities and affiliations | Joint research and policy development | Consent | Up to 5 years post-project |
| Website & Communications | Device information, usage patterns, contact form submissions | Platform functionality and user engagement | Legitimate interest | Under 2 years |
| Application Data | Personal and professional details submitted for roles | Recruitment and opportunity matching | Consent | Up to 2 years |
How We Share Data
Data is shared only when necessary to deliver services or meet legal obligations.
Data may be shared with the following categories of recipients only when required:
- Verification bodies — environmental certification and carbon standard registries require verified data records to issue carbon credits
- Financial service providers — M-Pesa and mobile money infrastructure providers process payment transactions directly to farmer accounts
- Research collaborators — university and institutional research partners receive anonymised or aggregated data under signed data-sharing agreements
- Institutional partners — development finance institutions and food procurement buyers receive verified outcome data to support transactions
Where possible, data is aggregated or anonymised before sharing. Personally identifiable data is shared only with explicit consent or when strictly required for transactions or regulatory compliance.
Data Security
Kilimora applies structured safeguards across all systems to reduce risk exposure. These include:
- Encryption — data is encrypted in transit and at rest across all digital infrastructure
- Controlled access — access is role-restricted and authenticated; only authorised personnel can access personal data
- Minimal data transfer — system design limits the movement of personal data to what is strictly necessary for each function
- Regular security reviews — controls are tested and updated on a rolling basis
- Edge-first architecture — the AgriKonnekt MRV system processes data at the device level (Arduino edge devices) before any transmission, reducing network exposure
No system is fully immune to risk. Mitigation measures are actively enforced and Kilimora will notify affected data subjects and the relevant regulatory authority in the event of a reportable breach.
Your Rights
Under the Kenya Data Protection Act 2019 and applicable international standards, individuals have the following rights over their personal data. All requests are processed within 21 days upon verification of identity.
- Request a copy of all personal data we hold about you, including how it is being used.
- Request correction of any inaccurate or incomplete personal data we hold.
- Request erasure of your data where there is no longer a lawful basis for retaining it.
- Request that we limit how we process your data in certain circumstances.
- Receive your data in a structured, machine-readable format for transfer to another service.
- Object to processing based on legitimate interest, including for direct marketing purposes.
Consent may be withdrawn at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Requests to exercise any right should be submitted to hello@kilimora.africa with the subject line Data Protection Enquiry.
Community Data Principles
Kilimora operates on a custodial model. Data originates from individuals and communities and is not treated as a proprietary asset.
- Data is used only for defined purposes. Additional use requires renewed and explicit consent.
- Individuals may request access to their full data records at any time through any Kilimora field representative or digital contact channel.
- More than 60% of participants in Kilimora-supported systems are women receiving direct financial benefits. Data governance is structured to protect economic agency and prevent misuse.
- Environmental and soil data linked to an individual farmer belongs to that farmer and is shared with carbon market buyers only with their documented understanding and agreement.
- Kilimora will never use farmer data to disadvantage or discriminate against the communities whose labour generates it.
Policy Updates
This policy may be revised to reflect operational changes, new services, or regulatory updates. The date at the top of this document indicates when the policy was last materially reviewed.
Continued engagement with Kilimora services after a policy update indicates acceptance of the revised terms. Material updates that significantly change how data is used will be communicated directly to registered participants and partners through appropriate channels before taking effect.
The current version of this policy is always accessible at kilimora.africa/privacy-policy.
Complaints
Concerns regarding how Kilimora handles personal data should be directed through the contact channels below. We commit to acknowledging your concern within five working days and resolving it within 30 days.
If you are not satisfied with our response, you retain the right to lodge a formal complaint with the Office of the Data Protection Commissioner of Kenya, established under the Kenya Data Protection Act 2019.
Email hello@kilimora.africa with the subject line Data Protection Enquiry. Include your name, a description of your concern, and any relevant reference numbers or dates.
Contact Information
95 Riverside Drive, Nairobi, Kenya