1. Introduction
This Privacy Policy explains how CarbonFlow Africa ("CarbonFlow", "we", "us", or "our") collects, uses, stores, and protects personal information when you use our website at https://carbonflow.africa, the Admin Platform (https://app.carbonflow.africa), the EcoLedger Community Portal (https://community.carbonflow.africa), the EcoLedger mobile app, the CarbonFlow Ranger (Field) mobile app, the Impact Portal (https://impact.carbonflow.africa), and related APIs hosted at https://api.carbonflow.africa.
CarbonFlow provides a multi-tenant conservation operations platform for conservancies, NGOs, carbon projects, and community benefit programs. Because we process data on behalf of participating organisations, your conservancy or programme operator is usually the primary decision-maker about how your information is used for conservation and benefit-distribution purposes. This policy describes CarbonFlow's role as platform operator and data processor where applicable.
We do not sell your personal information.
2. Who We Are
CarbonFlow Africa operates conservation technology services focused on measurement, reporting and verification (MRV), GIS intelligence, ranger field operations, community transparency, and audit-ready benefit distribution.
General enquiries: hello@carbonflow.africa
Privacy and data rights: privacy@carbonflow.africa
User support: support@carbonflow.africa
3. Information We Collect
The information we collect depends on which product you use and your role (staff, ranger, community member, investor, or visitor). We collect only what is necessary to operate the platform.
3.1 Personal information
- Full name, national ID number (where registered by your conservancy), and role (e.g. tenant admin, field officer, community member, finance officer, auditor, investor).
- Staff and ranger accounts created by your organisation's administrators.
- Community member accounts created automatically after successful phone OTP verification, linked to an existing beneficiary (landowner) record.
3.2 Contact information
- Email address (required for staff and ranger login; community accounts may use a system-generated email derived from the verified phone number).
- Phone number and M-Pesa number for beneficiaries and payout processing.
- Organisation contact details supplied during conservancy onboarding.
3.3 Profile information
- Assigned program, zone, tenant affiliation, and account status (active/inactive).
- Tenant branding preferences (logo, colours, organisation name) configured by administrators.
- Wallet balance summaries and transaction history visible to authorised community users.
3.4 GPS and location data
- Latitude, longitude, and accuracy metadata when rangers submit field records, complete patrol assignments, or when community users report human-wildlife conflict (HWC) incidents through EcoLedger.
- Location is not collected continuously in the background. It is captured only when you actively submit a field activity, incident report, or assignment completion that requires geolocation.
- Conservancy, parcel, and grazing boundaries configured by administrators (GIS polygons) — these describe land areas, not your device's live movement.
3.5 Biodiversity observations
- Species names, counts, vegetation indicators, soil measurements, wildlife sightings, and related notes entered in ranger field surveys.
- Survey metadata including collection time, conservancy, assignment link, and GPS coordinates of the observation point.
3.6 Human-Wildlife Conflict (HWC) reports
- Incident description, date, severity, species involved, damage estimates (KES), livestock or crop loss counts, injuries, fatalities, and optional photographs.
- GPS coordinates when you choose to attach location to a report.
- Linkage to the reporting beneficiary where applicable.
3.7 Patrol and assignment records
- Patrol routes, task assignments, completion status, and verification metadata (including GPS coordinates and accuracy when a ranger marks an assignment complete).
- Field officer activity summaries shown on ranger dashboards.
3.8 Restoration and carbon project information
- Restoration activity records, carbon measurements, allocation templates, revenue batches, and verification project documentation entered by authorised staff.
- Aggregated impact metrics exported in PDF, Excel, or verification packs for auditors and investors.
3.9 Wallet and payment information
- Beneficiary wallet balances, ledger entries, payout requests, and distribution allocations.
- M-Pesa phone numbers used for STK push payments and B2C benefit payouts.
- Transaction references returned by Safaricom M-Pesa (e.g. receipt numbers, conversation IDs) and payment status messages.
- SaaS billing records for tenant subscriptions processed via Paystack (payer email and transaction references).
- CarbonFlow does not store your M-Pesa PIN or mobile money account password.
3.10 Device and app information
- Mobile: authentication tokens stored in secure device storage (Expo SecureStore); offline sync queues in local storage (AsyncStorage on EcoLedger; SQLite on the Ranger app) until uploaded.
- Push notification tokens (Expo) when you enable notifications on EcoLedger.
- App version and sync timestamps needed for offline-first operation.
3.11 Log and audit data
- Server audit logs recording user ID, tenant ID, action type, entity changed, timestamp, IP address, and browser user-agent for security and compliance.
- API access logs, rate-limit events, and authentication outcomes.
- OTP request records (phone number, expiry, verification status) for community login — OTP codes are short-lived and marked verified after use.
3.12 Cookies and similar technologies (web)
- HttpOnly session cookies (`cf_token`, `cf_tenant_id`) on the Admin and Community web portals to maintain your signed-in session (typically up to 7 days, Secure and SameSite=Lax in production).
- Session storage fallbacks for API authentication in the browser tab.
- The public marketing website does not set analytics or advertising cookies. Third-party images (e.g. CDN-hosted photography) may involve standard browser requests to those hosts.
4. How We Use Information
- Authenticate users and enforce role-based access (password login for staff/rangers; SMS OTP for community members).
- Operate conservancy programs: GIS maps, patrol assignments, field data collection, biodiversity monitoring, and HWC response workflows.
- Calculate and display carbon, revenue, and impact metrics for authorised staff and investors.
- Process authorised conservation benefit distributions via M-Pesa to registered beneficiary phone numbers.
- Send in-app, push, or SMS notifications about payments, assignments, announcements, and grievances according to your organisation's settings.
- Generate audit trails, PDF statements, Excel exports, and verification packs for compliance.
- Maintain platform security, prevent fraud, and troubleshoot service issues.
- Improve the service and provide optional AI-assisted report drafting when explicitly enabled by your organisation (see Third-Party Services).
5. Legal Basis for Processing
Under the Kenya Data Protection Act (2019) and GDPR-aligned principles, we rely on one or more of the following, depending on context:
- Contract — to provide the platform services your organisation has subscribed to.
- Legitimate interests — to secure the platform, prevent abuse, and maintain audit integrity, balanced against your rights.
- Legal obligation — where we must retain or disclose information under applicable law.
- Consent — where required for optional features such as push notifications or certain community submissions, which you can withdraw through device or in-app settings.
- Vital interests or public interest — where incident or HWC reporting supports community safety and wildlife management programmes operated by your conservancy.
7. Mobile Money & Payment Processing
Community benefit payments use Safaricom M-Pesa. When a payout is initiated, we send the beneficiary phone number and amount to M-Pesa to complete the transfer. Payment status callbacks are authenticated and logged.
M-Pesa pay-in (STK Push) may be used for authorised payment flows. We receive transaction references from Safaricom but never your PIN.
Payment information is used solely for authorised conservation benefit distribution, revenue reconciliation, and fraud prevention within your programme.
Demo tenants are blocked from live M-Pesa payouts in production environments.
8. Location Data
The Ranger app requests foreground location permission when you create field records, biodiversity surveys, or complete GPS-verified assignments.
EcoLedger requests location when you submit an HWC incident and choose to include coordinates.
Coordinates are stored as part of the submitted record in our PostGIS-enabled database and displayed on authorised GIS dashboards.
You can deny location permission, but features that require proof of place may not function.
Offline map downloads store conservancy boundary GeoJSON on your device for reference; they do not track your movement.
9. Photos and Uploaded Documents
Rangers and community users may upload JPEG, PNG, or WebP images for field evidence and HWC incidents.
Administrators may upload CSV/XLSX files to import beneficiary lists (parsed server-side; import files are not retained as permanent uploads).
Verification and audit documents may be uploaded by authorised staff.
Files are stored on CarbonFlow-controlled servers, organised by tenant, and accessible only to authorised users.
10. GIS and Mapping Data
CarbonFlow stores spatial data including conservancy boundaries, land parcel polygons, grazing blocks, patrol routes, field observation points, and HWC incident locations using PostGIS.
GIS data is used for MRV, operational planning, incident response, and reporting.
Aggregated map layers may appear in admin dashboards, offline mobile map views, and exported reports.
11. Data Retention
- Account and programme data is retained while your organisation maintains an active tenant and as needed to provide the service.
- Audit logs are retained for security, compliance, and verification purposes in line with programme and legal requirements.
- OTP records are short-lived (typically 10 minutes) and marked after verification.
- Offline queues on mobile devices are deleted after successful sync.
- When a tenant is deactivated or you request deletion (see Section 16), we delete or anonymise data within a reasonable period unless law requires longer retention.
12. Security Measures
- All web and API traffic uses HTTPS/TLS encryption in transit.
- Passwords are stored using industry-standard hashing (bcrypt); we never store plain-text passwords.
- Session tokens are signed (JWT) and validated on each API request.
- Role-based access control limits features by user role (super admin, tenant admin, field officer, community member, finance, auditor, investor, etc.).
- Strict tenant scoping prevents one organisation from accessing another's data.
- M-Pesa and payment callbacks require shared-secret authentication in production.
- Rate limiting on login and OTP endpoints reduces brute-force and abuse risk.
- Append-only audit logging tracks material changes with actor, timestamp, and request metadata.
- Local offline databases on mobile devices are not encrypted by the app; protect your device with a screen lock and do not share unlocked devices.
13. Children's Privacy
CarbonFlow is designed for conservancy operations and is not directed at children under 16. We do not knowingly collect personal information from children without appropriate authority from a parent, guardian, or programme operator.
If you believe a child has provided personal information without consent, contact us at privacy@carbonflow.africa and we will take appropriate steps.
14. International Data Transfers
CarbonFlow is operated from Kenya. Your data may be processed on cloud infrastructure located in or outside Kenya (including the European Union or United States) where our hosting and service providers operate.
When data is transferred internationally, we implement appropriate safeguards consistent with the Kenya Data Protection Act and GDPR principles, including contractual protections with sub-processors.
15. Your Rights
Subject to applicable law (including the Kenya Data Protection Act, 2019), you may have the right to:
- Access personal information we hold about you.
- Request correction of inaccurate or incomplete information.
- Request deletion or restriction of processing in certain circumstances.
- Object to processing based on legitimate interests.
- Withdraw consent where processing is consent-based.
- Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya.
- Community members should contact their conservancy administrator first; CarbonFlow will assist your organisation in fulfilling valid requests.
16. Data Deletion Requests
To request access, correction, or deletion, email privacy@carbonflow.africa or support@carbonflow.africa with your name, phone number or email, conservancy name, and the nature of your request.
We may need to verify your identity before fulfilling a request. Some data may be retained where required for legal, audit, or financial record-keeping obligations.
Tenant administrators can deactivate users and manage beneficiary records through the Admin Platform.
18. Third-Party Services
- Africa's Talking — SMS for OTP and notifications.
- Safaricom M-Pesa — mobile money transactions.
- Paystack — tenant subscription billing.
- Expo — mobile builds and push notifications.
- Netlify — marketing and web portal hosting.
- Railway / PostgreSQL — API and database hosting.
- OpenAI — optional AI-assisted reporting when `AI_FEATURES_ENABLED` is turned on; report context may be sent to generate drafts.
- Google Fonts — typography loaded in web and mobile apps.
- Each third party has its own privacy policy governing their processing.
19. Changes to this Privacy Policy
We may update this policy to reflect changes in our platform, legal requirements, or processing practices. We will post the revised policy on this page and update the "Last updated" date.
Material changes affecting community or ranger apps will be communicated through your organisation or in-app notice where appropriate.
20. Contact Information
CarbonFlow Africa
Website: https://carbonflow.africa
General: hello@carbonflow.africa
Privacy & data rights: privacy@carbonflow.africa
Support: support@carbonflow.africa
