Privacy Policy

1. Introduction

Polymarket Kenya ("we", "us", or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains what data we collect, how we use it, how we protect it, and your rights regarding your information. By using the Platform, you consent to the practices described in this policy.

2. Data We Collect

Account Information

• Email address -- used for account authentication, notifications, and support communications.
• Phone number -- used for M-Pesa deposit/withdrawal processing and two-factor authentication.
• Display name -- chosen by you for your public profile on the Platform.
• MetaMask wallet address -- your Polygon blockchain wallet address, linked to your account for on-chain transactions.

Transaction Data

• Trade history including markets traded, positions held, order types, and amounts.
• Deposit and withdrawal records (M-Pesa transaction IDs, Polygon transaction hashes, amounts, timestamps).
• UTB token balances and transfer history.

Technical Data

• IP address and approximate geolocation.
• Browser type, device type, and operating system.
• Pages visited, session duration, and interaction patterns.
• Referral source and search terms used to reach the Platform.

3. Field-Level Encryption

We employ field-level encryption to protect your most sensitive personal information at rest in our database:

• AES-256-GCM encryption: Your email address and phone number are encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode) before being stored. This is a military-grade authenticated encryption algorithm that provides both confidentiality and integrity.
• HMAC-SHA256 indexing: Encrypted fields use HMAC-SHA256 blind indexes to enable secure lookups without decrypting the data. This means we can find your account by email or phone without ever storing those values in plaintext.
• Per-record uniqueness: Each encrypted value uses a unique initialization vector (IV), ensuring that identical plaintext values produce different ciphertext. Even if two users have similar data, the encrypted representations are completely different.
• Encryption keys are stored separately from the database and rotated according to our security policies.

4. How We Use Your Data

• Account Management: To create and maintain your account, authenticate your identity, and provide customer support.
• M-Pesa Processing: To initiate and process deposits and withdrawals via the PayHero payment gateway using your phone number.
• Transaction Execution: To execute trades, record positions, settle markets, and maintain your UTB balance.
• Security & Fraud Prevention: To detect and prevent unauthorized access, fraud, market manipulation, and abuse of the Platform.
• Communications: To send transactional emails (trade confirmations, withdrawal notices), security alerts, and important Platform updates.
• Analytics: To understand usage patterns, improve Platform performance, and develop new features. Analytics data is aggregated and anonymized where possible.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

5. Data Sharing

We do not sell your personal data. We share information only in the following circumstances:

• PayHero (M-Pesa Gateway): Your phone number is shared with PayHero to process M-Pesa deposits and withdrawals. PayHero is bound by their own privacy policy and data processing agreements with us.
• Polygon Blockchain: Your wallet address and UTB transaction data are recorded on the Polygon public blockchain. Blockchain transactions are inherently public and immutable. Anyone can view wallet addresses and transaction amounts on Polygonscan, but these are not linked to your personal identity unless you publicly share your wallet address.
• SendGrid (Email): Your email address is shared with SendGrid to deliver transactional and notification emails.
• Law Enforcement: We may disclose information if required by law, court order, or government regulation, or to protect the rights, safety, and security of our users and the Platform.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred to the successor entity with equivalent privacy protections.

6. Data Retention

• Account information is retained for as long as your account is active.
• Transaction records are retained for a minimum of 7 years to comply with financial record-keeping requirements.
• Technical logs (IP addresses, session data) are retained for up to 12 months.
• Upon account deletion, personal information (email, phone) is permanently erased from our database. Transaction history is anonymized but retained for compliance purposes.
• Blockchain data (wallet addresses, on-chain transactions) cannot be deleted as it is permanently recorded on the Polygon network.

7. Your Rights

You have the following rights regarding your personal data:

• Access: You may request a copy of the personal data we hold about you.
• Correction: You may request correction of inaccurate or incomplete personal data.
• Deletion: You may request deletion of your personal data, subject to our legal retention obligations. Account deletion can be initiated through your account settings or by contacting support.
• Data Portability: You may request an export of your data in a machine-readable format.
• Withdraw Consent: You may withdraw consent for data processing at any time, though this may affect your ability to use certain Platform features.
• Objection: You may object to the processing of your personal data for specific purposes.

To exercise any of these rights, contact us at support@polymarketkenya.com. We will respond to requests within 30 days.

8. Cookies & Tracking

• Essential Cookies: Used for authentication, session management, and security. These are necessary for the Platform to function and cannot be disabled.
• Analytics Cookies: Used to understand how users interact with the Platform and to improve performance. These can be disabled in your browser settings.
• We do not use third-party advertising cookies or tracking pixels.
• We do not engage in cross-site tracking or sell data to advertising networks.

9. Security Measures

We implement multiple layers of security to protect your data:

• Encryption at Rest: Sensitive personal data (email, phone number) is encrypted at the field level using AES-256-GCM before storage.
• Encryption in Transit: All communications between your browser and our servers use TLS 1.2+ (HTTPS) encryption.
• Two-Factor Authentication (2FA): Available for account login to add an additional layer of security.
• Rate Limiting: API and login endpoints are protected by rate limiting to prevent brute-force attacks and abuse.
• Access Controls: Employee access to user data is restricted on a need-to-know basis with audit logging.
• Regular Audits: Security practices and systems are reviewed periodically to identify and address vulnerabilities.

10. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that we have collected data from a person under 18, we will promptly delete that information and terminate the associated account. If you believe a minor has created an account, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Platform at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Platform after changes become effective constitutes acceptance of the updated policy.

12. Contact Information

For privacy-related questions, data access requests, or concerns about your personal information, please contact us:

• Email: support@polymarketkenya.com
• Platform: Use the Contact page or in-app support
• Location: Nairobi, Kenya