Rust Privacy Policy

Effective Date: March 06, 2025

Last Updated: March 06, 2025

Rust is committed to safeguarding your privacy and ensuring transparency in how we collect, use, store, and share your personal data. This Privacy Policy applies to Rust, an Android application available on the Google Play Store, designed to connect buyers and sellers, facilitate financial transactions, and provide location-based services with enhanced privacy features. This policy complies with the Kenya Data Protection Act, 2019 (DPA), the Central Bank of Kenya regulations (where applicable), Google Play Store requirements, and other relevant laws.

By using the App, you agree to the collection and use of your information as outlined herein. If you do not agree, please refrain from using the App.

1. Data Controller

Rust

Under the DPA, we are the data controller responsible for your personal data. For financial transactions, we may act as a data processor when working with third-party payment providers.

2. Information We Collect

We collect personal data to deliver and enhance our services, including location-based features, financial transactions, and communication tools. The types of data we collect are:

2.1 Information You Provide

Account Registration Data: Full name, email address, phone number, age, and password (encrypted) during registration via the Register and Verification activities.

Verification Data: A verification code sent to your email for identity confirmation.

Financial Data: Transaction details (e.g., payment amounts, dates, recipient details) when you use the payment activity or related features.

User-Generated Content: Photos, videos, or files you upload if using the camera or external storage.

2.2 Information Collected Automatically

Contact Data: With your explicit consent (via READ_CONTACTS), we access your phone contacts (names and phone numbers) to sync securely. This data is hashed for privacy.

Location Data: With your explicit consent (via ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, and ACCESS_BACKGROUND_LOCATION):

Precise location (latitude/longitude) for features like finding nearby sellers.

Coarse location for approximate positioning.

Background location when the App is not in use, if enabled, to provide ongoing services (e.g., proximity alerts).

Camera Data: With your consent (via CAMERA), we access your camera for capturing photos or videos .

Telephony Data: With your consent (via CALL_PHONE), we may initiate calls (e.g., to contact sellers or support), collecting call metadata (e.g., dialed number, timestamp).

Storage Data: With your consent (via READ_EXTERNAL_STORAGE, up to Android 12), we access files or media from your device for upload or display purposes.

Device and Usage Data: Device identifiers (e.g., IMEI, Android ID), IP address (via INTERNET), OS version, app usage stats (e.g., session duration), and crash reports.

Firebase Data: Firebase user ID and push notification tokens.

2.3 Information from Third Parties

Payment Providers: Transaction confirmations and statuses from financial service providers (e.g., M-Pesa, banks) via the payment activity.

Analytics Providers: Aggregated usage data from Firebase Analytics.

3. Legal Basis for Processing

We process your personal data under the following legal bases per the DPA:

Consent: You provide explicit consent for accessing contacts, location (including in the background), camera, telephony, storage, and processing financial transactions (Section 30, DPA).

Contractual Necessity: We process registration, financial, and user-generated data to create accounts, fulfill transactions, and deliver services (Section 25, DPA).

Legitimate Interests: We collect device, usage, and location data to enhance functionality, security, and user experience, balanced against your rights (Section 25, DPA).

Legal Obligation: We process data to comply with Kenyan financial and tax laws (e.g., transaction records).

4. How We Use Your Information

We use your data for:

Account Creation and Authentication: To register and verify you via Firebase Authentication (Register, Verification).

Contact Syncing: To hash and sync contacts securely for privacy features.

Location-Based Services: To provide features like mapping , finding nearby sellers, or proximity alerts (using background location).

Financial Transactions: To process payments, track history, and facilitate interactions (payment).

Communication: To initiate calls (CALL_PHONE) or send notifications.

Content Features: To capture/upload photos or videos (CAMERA, READ_EXTERNAL_STORAGE) for seller listings or user profiles.

Service Improvement: To analyze usage , fix bugs, and enhance performance.

Legal Compliance: To meet Kenyan laws (e.g., tax reporting, anti-money laundering).

5. How We Share Your Information

We do not sell your data. We may share it as follows:

Service Providers: With trusted partners (e.g., Firebase/Google Cloud, payment processors, telephony services) under strict data protection agreements.

Financial Institutions: With banks or mobile money providers (e.g., M-Pesa) for transactions, limited to necessary data.

Legal Obligations: With Kenyan authorities (e.g., Central Bank, KRA) if required by law.

Business Transfers: In mergers or sales, with notice provided.

6. Data Storage and Security

Storage Location: Data is stored on Google Cloud servers (Firebase), with financial data shared with Kenyan providers and some processed locally.

Retention Period:

Account data: Kept while your account is active.

Contact data: Until permission is revoked or account deleted.

Location data: [Specify, e.g., 30 days] unless needed for transactions.

Financial data: 7 years per Kenyan financial laws.

Camera/storage data: Until deleted by you or account closure.

Device/usage data: Up to 24 months, then aggregated/deleted.

Security Measures: Encryption (HTTPS, hashed contacts, TLS for transactions), tokenization, access controls, and audits. No system is fully secure, however.

7. Your Rights Under the DPA

You have the following rights:

Right to be Informed: This policy details our practices.

Right of Access: Request your data (e.g., contacts, transactions, location history).

Right to Rectification: Correct inaccurate data.

Right to Erasure: Request deletion, subject to legal retention.

Right to Restrict Processing: Limit use in certain cases.

Right to Data Portability: Receive data in a structured format.

Right to Object: Object to processing based on legitimate interests.

Right to Withdraw Consent: Revoke permissions via App settings (Settings).

8. Mandatory Permissions

The App requires these permissions to function:

READ_CONTACTS: For secure contact syncing. Denial prevents account creation, redirecting to login.

ACCESS_FINE_LOCATION & ACCESS_COARSE_LOCATION: For location-based services (e.g., RelativeDistanceMapActivity). Denial disables transaction and proximity features, redirecting to login.

ACCESS_BACKGROUND_LOCATION: For ongoing location services when the App is closed. Denial limits functionality but may allow partial use.

Optional Permissions

CAMERA: For photo/video capture. Optional; denial disables upload features.

CALL_PHONE: For initiating calls. Optional; denial prevents call functionality.

READ_EXTERNAL_STORAGE: For accessing files (up to Android 12). Optional; denial limits media uploads.

9. Financial Transactions

Processing: Facilitated via payment activity with providers (e.g., M-Pesa, banks). You initiate transactions, and we transmit necessary data securely.

Security: Financial data is encrypted and tokenized where possible.

Records: Kept for 7 years for auditing and compliance with Kenyan laws.

10. Cookies and Tracking Technologies

Firebase Analytics uses device identifiers for tracking. Opt out anytime, though this may limit features. No traditional cookies are used.

11. Children’s Privacy

The App is for users 18+ (per Verification). We do not knowingly collect data from minors. If discovered, such data is deleted. Contact us if this occurs.

12. International Data Transfers

Data may be transferred to Google Cloud servers outside Kenya (e.g., US) under DPA Section 49 via contractual clauses. Financial data shared with Kenyan providers remains local where required.

13. Changes to This Privacy Policy

Updates will be notified via email or in-app notice at least 7 days in advance. Continued use after updates constitutes acceptance.

14. Contact Us

For questions or rights requests, contact our Data Protection Officer:

[Your Company Name]

Email: [Your Contact Email]

Phone: [Your Contact Phone Number]

Lodge complaints with the Office of the Data Protection Commissioner:

Address: [ODPC Address, e.g., Nairobi, Kenya]

Website: [ODPC Website URL]

For transaction disputes, contact us or your payment provider.

15. Compliance with Google Play Store

This policy is accessible in the App (Settings) and on our Play Store listing, meeting Google’s requirements.