Privacy Policy

Last updated: 3 June 2026

1. Overview

Daichi Vendor Portal ("we", "us", "our") is a cloud-based vendor management platform operated from Nairobi, Kenya. This Privacy Policy explains how we collect, use and protect personal and business information processed through the platform, in line with the Kenya Data Protection Act 2019 and the EU General Data Protection Regulation (GDPR) where applicable.

2. Information we collect

• Vendor company details: name, registration number, address, contact email and phone.
• Compliance documents: tax certificates, business permits, insurance certificates and similar uploads.
• Performance data: KPI scores, delivery records and procurement officer feedback.
• Contract data: titles, dates, values, SLA terms and uploaded contract files.
• User account data: name, email, role and authentication metadata.
• Activity logs: timestamps and actions taken inside the platform.

3. How we use information

We process information only to provide the vendor management service, including:

• Operating onboarding, scoring, contract and reporting features.
• Sending notifications about onboarding, contracts and scoring events.
• Producing compliance reports for the client organisation and its donors.
• Securing the service and investigating suspected misuse.

4. Lawful basis

We rely on the lawful bases of contract performance, legitimate interest and consent (where required) under Article 6 GDPR and equivalent provisions of the Kenya Data Protection Act.

5. Storage and security

Data is stored on Supabase infrastructure with row-level security policies that isolate each client organisation. Documents are stored in encrypted object storage. Access is restricted to authenticated users belonging to your organisation.

6. Data retention

Records are retained for the duration of the client subscription plus 24 months for audit purposes, after which they are deleted on request or anonymised.

7. Your rights

You may request access, rectification, deletion, restriction or portability of your data, and may object to processing. To exercise these rights, email privacy@daichi.co.ke.

8. Sharing

We do not sell personal data. We share data only with sub-processors strictly required to deliver the service (Supabase, Lovable Cloud) and with your organisation's authorised users.

9. International transfers

Where data is transferred outside Kenya or the EEA, we rely on standard contractual clauses and equivalent safeguards.

10. Contact

Data Protection Officer, Daichi Procurement Solutions, Nairobi — privacy@daichi.co.ke.