Privacy Policy — Sponzy
App Name: Sponzy
Data Controller: Sponzy (Sole Proprietorship, Kenya)
Version: 1.0
Effective Date: 28 May 2026
Last Updated: 28 May 2026
1. Introduction & Data Controller Identity
1.1 Who We Are
Sponzy ("we," "us," or "our") is a creator-brand sponsorship marketplace operated as a sole proprietorship registered in Kenya. Our registered address is in Nairobi, Kenya. For purposes of the Kenya Data Protection Act 2019 ("KDPA") and any other applicable data protection law, Sponzy is the data controller in respect of the personal data described in this Privacy Policy.
1.2 What This Policy Covers
This Privacy Policy ("Policy") explains how Sponzy collects, uses, stores, shares, and protects personal data in connection with:
This Policy applies to all users of the Platform, including Creators, Brands, event attendees, and visitors.
1.3 Our Commitment to Privacy
Sponzy is committed to processing personal data responsibly, transparently, and in accordance with applicable law. We collect only the data we need to provide our Services, we do not sell your personal data, and we do not use your data for advertising purposes.
1.4 Effective Date
This Policy is effective as of 28 May 2026. We will notify you of material changes to this Policy in accordance with Section 20.
2. Data We Collect
We collect the following categories of personal data:
2.1 Data You Provide Directly
When you register for and use Sponzy, you may provide us with the following:
Identity & Contact Data:
Account Credentials:
Creator Profile Data:
Brand Profile Data:
Financial & Payment Data:
User-Generated Content:
Event-Related Data:
2.2 Data Collected Automatically
When you access and use the Platform, we and our service providers automatically collect:
Device & Technical Data:
Usage & Behavioural Data:
Performance & Analytics Data:
2.3 Creator Performance & Social Media Data
When you connect your TikTok or other social media accounts to Sponzy via official API integrations, we collect:
We access this data only with your explicit OAuth authorisation and only to the extent necessary to verify campaign deliverables and calculate earnings. We do not access private messages on your social media accounts.
2.4 Financial Transaction Data
We maintain records of all financial transactions conducted through the Platform, including:
These records are retained for accounting, tax, and fraud prevention purposes.
2.5 AI Interaction Data
When you use Taste AI or other AI-powered features:
Please see Section 7 for our AI data processing policy.
2.6 Data From Third Parties
We may receive data about you from:
3. How We Collect Your Data
We collect your personal data through the following means:
3.1 Directly From You
You provide data directly when you:
3.2 Automatically Through the Platform
We collect data automatically through:
3.3 From Third-Party Integrations
We receive data from connected third-party platforms (TikTok, Google, Paystack) as described in Section 2.
3.4 From Other Users
Other users may provide data about you, for instance if a Brand includes information about a Creator in a campaign brief, or if a user tags or references you in a message.
4. Legal Basis for Processing
This section is primarily relevant to users in the European Union, United Kingdom, and other jurisdictions that require a lawful basis for processing personal data. For Kenyan users, the applicable provisions of the Kenya Data Protection Act 2019 apply (see Section 14).
| Processing Activity | Legal Basis |
|---|---|
| Creating and managing your account | Performance of contract (Art. 6(1)(b) GDPR) |
| Providing core marketplace functionality | Performance of contract |
| Processing payments and managing escrow | Performance of contract + legal obligation |
| Sending transactional emails (receipts, alerts) | Performance of contract |
| Sending marketing emails | Consent (Art. 6(1)(a) GDPR) — you may withdraw consent at any time |
| Sending push notifications (transactional) | Performance of contract |
| Sending push notifications (marketing) | Consent — you may opt out at any time |
| Platform analytics and performance monitoring | Legitimate interests (Art. 6(1)(f)) — improving the Platform |
| Fraud detection and security monitoring | Legitimate interests — protecting users and the Platform |
| Complying with legal obligations (tax, KYC) | Legal obligation (Art. 6(1)(c) GDPR) |
| Enforcing Terms of Service | Legitimate interests |
| Personalising content and recommendations (Taste AI) | Legitimate interests / Consent (where required) |
| AI feature improvement (anonymised data) | Legitimate interests |
| Metric verification for Creator earnings | Performance of contract |
Legitimate Interests Assessment: Where we rely on legitimate interests, we have assessed that our interests are not overridden by your interests, rights, and freedoms. In particular: analytics and security monitoring use aggregated or pseudonymous data where possible; you have the ability to opt out of non-essential processing; and the processing is proportionate to the benefit to the Platform and users.
5. How We Use Your Data
We use the personal data we collect for the following purposes:
5.1 Providing and Operating the Platform
5.2 Processing Payments
5.3 Communications
5.4 Improving the Platform
5.5 Safety, Fraud Prevention & Compliance
5.6 Creator Earnings Verification
6. Data Sharing & Third Parties
Sponzy does not sell your personal data. We do not share your personal data with advertising networks. We share your data with third parties only as described below.
6.1 Service Providers (Data Processors)
We engage the following third-party service providers who process personal data on our behalf and under our instructions:
| Vendor | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase (EU region — eu-north-1) | Database, authentication, backend storage | All user data | supabase.com/privacy |
| Paystack | Payment processing, mobile money | Payment data, phone numbers, transaction records | paystack.com/privacy |
| Google Firebase | Push notifications, analytics, crash reporting | Device tokens, usage data, crash logs | firebase.google.com/support/privacy |
| Vercel | Hosting and content delivery network | Server logs, IP addresses | vercel.com/legal/privacy-policy |
| Upstash / Redis Cloud | Real-time caching and marketplace feed | Anonymised feed data, session cache | upstash.com/privacy |
| Groq (or equivalent LLM provider) | Powering Taste AI features | AI query inputs (anonymised where possible) | Provider's privacy policy |
| TikTok API | Creator performance data | TikTok user ID, metrics data | tiktok.com/legal/privacy-policy |
| Resend / Email provider | Transactional and marketing email delivery | Email address, name, email content | Provider's privacy policy |
All service providers are contractually obligated to process data only on our instructions, to maintain appropriate security measures, and to comply with applicable data protection law.
6.2 Marketplace Counterparties
When you participate in a sponsorship campaign:
You control what appears in your public profile through your account settings.
6.3 Business Transfers
If Sponzy is involved in a merger, acquisition, asset sale, or other business transfer, your personal data may be transferred to the acquiring entity. We will notify you by email and in-app notification before your data is transferred and becomes subject to a different privacy policy. You will have the opportunity to request deletion of your data before any such transfer.
6.4 Legal Disclosures
We may disclose your personal data where we have a good-faith belief that disclosure is necessary to:
Where permitted by law, we will notify you before complying with such a request.
6.5 With Your Consent
We may share your personal data with third parties not listed above where you have given us your explicit consent to do so. You may withdraw such consent at any time.
6.6 Aggregated & Anonymised Data
We may share aggregated, anonymised data (which cannot reasonably be used to identify you) with third parties for industry analysis, research, or marketing purposes.
7. AI Features & Automated Decision-Making
7.1 Taste AI
Sponzy's Taste AI feature uses machine learning algorithms and large language model (LLM) technology to generate personalised sponsorship opportunity recommendations for Creators and Creator recommendations for Brands. Taste AI is powered by third-party LLM providers (including Groq or equivalent) and is integrated into the Platform.
7.2 How AI Uses Your Data
Taste AI uses the following data to generate recommendations:
7.3 AI Training
We may use anonymised, aggregated user interaction data to improve the performance and accuracy of Taste AI. We do not use personally identifiable query content or conversation history to train AI models without your express consent.
7.4 Automated Decisions
Sponzy uses automated systems to:
These automated processes may affect which opportunities are presented to you. They do not constitute fully automated decisions that produce legal or similarly significant effects within the meaning of Art. 22 GDPR. However, if you believe an automated decision has unfairly affected your access to the Platform, you may request human review by contacting privacy@sponzy.app.
7.5 No High-Risk Automated Decisions
Sponzy does not use solely automated decision-making to make decisions about your account eligibility, creditworthiness, or legal rights without human review.
8. Cookies & Tracking Technologies
8.1 What We Use
Sponzy uses the following technologies to collect data when you use the Platform:
Strictly Necessary Technologies:
Analytics Technologies:
Functional Technologies:
8.2 No Third-Party Advertising Trackers
Sponzy does not use advertising tracking technologies such as the Meta Pixel, Google Ads conversion tracking, or TikTok Pixel. We do not serve targeted advertisements on the Platform.
8.3 Managing Cookies
You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent the Platform from functioning correctly. Firebase Analytics can be opted out of through your account privacy settings where available.
8.4 Do Not Track
Sponzy does not currently respond to browser "Do Not Track" signals, as there is no industry standard for doing so. We will update this policy if we change this approach.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.
9.1 Retention Periods
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (profile, credentials) | Duration of account + 30 days after deletion | Service provision; deletion grace period |
| Transaction & payment records | 7 years from transaction date | Kenyan tax law (Income Tax Act) and financial record-keeping |
| Campaign data (briefs, deliverables, metrics) | 3 years from campaign completion | Dispute resolution, audit trail |
| Event and ticketing records | 3 years from event date | Legal disputes, compliance |
| Push notification tokens | Until invalidated or account deleted | Notification delivery |
| AI interaction data (anonymised) | Up to 2 years | AI model improvement |
| Server and access logs | 12 months | Security monitoring and incident response |
| Support communications | 3 years from last communication | Dispute resolution |
| Marketing consent records | 5 years from consent withdrawal | Compliance (burden of proof of consent) |
| Fraud investigation records | 5 years from closure of investigation | Legal and regulatory obligations |
9.2 Deletion Process
When you delete your account, Sponzy will:
10. Data Security
10.1 Security Measures
Sponzy implements the following technical and organisational security measures to protect your personal data:
Technical Measures:
Organisational Measures:
10.2 Payment Security
All payment processing is handled by Paystack, a PCI DSS-compliant payment service provider. Sponzy does not store full payment card numbers, CVV codes, or mobile money PINs. Paystack's security standards are available at paystack.com/security.
10.3 No Absolute Security
Despite our best efforts, no security system is impenetrable. We cannot guarantee that your data will never be subject to unauthorised access, disclosure, alteration, or destruction. By using the Platform, you acknowledge this inherent risk and agree to take reasonable steps to protect your own account credentials.
11. Security of AI-Assisted Infrastructure
11.1 AI-Assisted Development
The Sponzy Platform was built using a combination of traditional software development practices and AI-assisted code generation tools. While Sponzy has reviewed and tested the code and takes commercially reasonable steps to identify and remediate vulnerabilities, we believe in being transparent about the nature of our infrastructure.
11.2 Security Review Process
As part of our security programme, we have:
11.3 Known Risk Classes in AI-Generated Code
Common vulnerability classes associated with AI-assisted code development include:
We actively monitor for and remediate these vulnerability classes.
11.4 Reporting Security Issues
If you discover a security issue or potential data exposure affecting Sponzy, please report it responsibly:
11.5 Limitation of Liability
Where a data breach or security incident is attributable to a vulnerability in AI-assisted code components that (a) was not known to Sponzy at the time of deployment and (b) Sponzy took commercially reasonable steps to identify prior to deployment, our liability shall be limited to the maximum extent permitted by applicable Kenyan law. This limitation does not apply where Sponzy failed to act on a known, reported vulnerability within a reasonable time.
12. International Data Transfers
12.1 Where Data Is Stored
Your personal data is primarily stored on Supabase infrastructure located in the EU North 1 (Stockholm, Sweden) region. Other infrastructure providers store data in locations as follows:
12.2 Transfer Safeguards
Where personal data of Kenyan users or EU/EEA users is transferred to countries not recognised as providing adequate data protection, we rely on the following safeguards:
12.3 Countries Involved
Your data may be processed in the following countries: Kenya, Sweden (EU), United States, Nigeria. All such processing is subject to the contractual and legal safeguards described above.
13. Children's Privacy
13.1 Age Restriction
Sponzy is not directed at children under the age of 18 years. We do not knowingly collect personal data from anyone under the age of 18. Registration on the Platform requires users to confirm they are at least 18 years old.
13.2 If We Discover a Minor's Data
If we become aware that we have collected personal data from a person under the age of 18 without verified parental consent, we will:
13.3 Parental Requests
If you are a parent or guardian and believe your child under 18 has registered on Sponzy, please contact us immediately at privacy@sponzy.app with the account details. We will investigate and take appropriate action.
13.4 COPPA (US Children)
For users in the United States, Sponzy is not directed at children under 13 within the meaning of the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal data from children under 13. If we discover such data has been collected, we will delete it immediately.
14. Your Rights Under the Kenya Data Protection Act 2019
The Kenya Data Protection Act 2019 ("KDPA") grants you the following rights in relation to your personal data processed by Sponzy. These rights apply to all users in Kenya and East Africa.
14.1 Right to Be Informed
You have the right to be informed about how your personal data is collected and used. This Privacy Policy is our primary mechanism for fulfilling this obligation.
14.2 Right of Access
You have the right to request a copy of the personal data Sponzy holds about you. We will respond to access requests within 30 days.
14.3 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data. You may update most profile data directly in your account settings. For other corrections, contact privacy@sponzy.app.
14.4 Right to Erasure
You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and no other legal basis applies. Note that we may retain certain data as required by Kenyan law (see Section 9).
14.5 Right to Object
You have the right to object to processing of your personal data where such processing is based on legitimate interests or is for direct marketing purposes. We will cease such processing unless we have compelling legitimate grounds that override your interests.
14.6 Right to Withdraw Consent
Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time without penalty. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
14.7 Right to Lodge a Complaint
If you believe Sponzy has violated your data protection rights, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):
Office of the Data Protection Commissioner
Website: odpc.go.ke
Email: info@odpc.go.ke
Physical Address: Nairobi, Kenya
14.8 How to Exercise Your Rights
To exercise any of the above rights, contact us at privacy@sponzy.app. We will respond within 30 days of receiving your request. We may need to verify your identity before processing your request.
15. Your Rights Under GDPR (EU/UK Users)
If you are located in the European Union or United Kingdom, you have the following rights under the General Data Protection Regulation (EU) 2016/679 and UK GDPR respectively:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your personal data | Email privacy@sponzy.app |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Account settings or email |
| Erasure (Art. 17) | Request deletion ("right to be forgotten") | Account settings or email |
| Restriction (Art. 18) | Limit how we process your data | Email privacy@sponzy.app |
| Portability (Art. 20) | Receive your data in a machine-readable format | Email privacy@sponzy.app |
| Object (Art. 21) | Object to processing based on legitimate interests or direct marketing | Email privacy@sponzy.app |
| Automated Decisions (Art. 22) | Not be subject to solely automated significant decisions | Email privacy@sponzy.app |
| Withdraw Consent (Art. 7) | Withdraw consent at any time without penalty | Account settings or email |
Response Time: Within 30 days of receipt; may be extended to 90 days for complex requests with notice.
No Fee: No charge for the first request; reasonable fee for manifestly unfounded or excessive requests.
Right to Complain to a Supervisory Authority:
15.1 EU/UK Representative
As Sponzy is based in Kenya and may process data of EU/UK residents, we are in the process of appointing an EU and UK representative as required by GDPR Art. 27 and UK GDPR. Details will be published here when confirmed: privacy@sponzy.app.
16. Your Rights Under CCPA/CPRA (California Users)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
16.1 Right to Know
You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources from which we collected it, the business or commercial purposes for which we use it, and the categories of third parties with whom we share it.
16.2 Right to Delete
You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (such as data we are required to retain by law).
16.3 Right to Correct
You have the right to request correction of inaccurate personal information.
16.4 Right to Opt-Out of Sale or Sharing
Sponzy does not sell or share personal information for cross-context behavioural advertising. You do not need to opt out, as we do not engage in these practices.
16.5 Right to Limit Sensitive Personal Information
We do not use sensitive personal information (as defined by CPRA) for purposes beyond those necessary to provide our Services.
16.6 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA/CPRA rights. We will not deny you services, charge you different prices, or provide a different quality of service because you exercised these rights.
16.7 How to Submit a Request
Submit CCPA/CPRA requests to privacy@sponzy.app or through your account settings. We will respond within 45 days (extendable to 90 days with notice). We may verify your identity before processing requests.
17. Other Regional Rights
17.1 South Africa — POPIA
If you are located in South Africa, you have rights under the Protection of Personal Information Act 4 of 2013 (POPIA), including rights of access, correction, deletion, and objection. The Information Regulator of South Africa can be contacted at inforegulator.org.za.
17.2 East Africa — Regional Frameworks
Users in Uganda, Tanzania, Rwanda, and other East African countries should be aware that data protection legislation continues to develop in these jurisdictions. Sponzy applies KDPA standards as a baseline for all East African users and will comply with applicable local law as required.
17.3 Brazil — LGPD
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including rights of access, correction, deletion, portability, and objection. The national data protection authority is the ANPD (gov.br/anpd).
17.4 Canada — PIPEDA / Law 25
If you are located in Canada, you have rights under PIPEDA and applicable provincial privacy legislation, including the right to access and correct your personal information. The Office of the Privacy Commissioner of Canada can be contacted at priv.gc.ca.
18. Marketing Communications & Opt-Out
18.1 Marketing Emails
With your consent (obtained at registration or at the point you opt in), we may send you marketing emails about new Platform features, sponsorship opportunities, platform updates, and special promotions. Every marketing email will include an unsubscribe link. You can also manage your email preferences in your account settings.
To opt out of marketing emails: Click the "Unsubscribe" link in any marketing email, or update your notification preferences in your account settings. We will process your opt-out within 10 business days. Please note that opting out of marketing emails will not affect transactional emails (payment confirmations, security alerts, account notifications).
18.2 Push Notifications
With your permission (granted through your browser or device settings), we send push notifications via Firebase Cloud Messaging. These may include:
To opt out of push notifications: Update your browser or device notification settings at any time. You can also manage push notification preferences within your Platform account settings.
18.3 In-App Notifications
We may send you in-app messages and notifications within the Platform interface. These are integral to the Service and cannot be entirely disabled, though you can manage their frequency and type in your account settings.
18.4 No SMS Marketing
Sponzy does not currently conduct SMS marketing campaigns. Phone numbers collected are used solely for OTP authentication and mobile money payouts.
19. Data Breach Notification
19.1 Our Commitment
Sponzy maintains a documented incident response plan for data security breaches. We are committed to detecting, investigating, and responding to potential breaches promptly.
19.2 Notification to ODPC
In the event of a personal data breach, Sponzy will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach, where feasible and as required by the Kenya Data Protection Act 2019.
19.3 Notification to Affected Users
Where a data breach is likely to result in a high risk to the rights and freedoms of affected users, Sponzy will notify those users without undue delay. The notification will include:
19.4 Reporting a Suspected Breach
If you believe your data has been exposed or that a breach affecting Sponzy has occurred, please contact hello@sponzy.app immediately.
20. Changes to This Privacy Policy
20.1 Updates
We may update this Privacy Policy from time to time to reflect changes in our data practices, new features, or changes in applicable law. We will post the updated Policy on the Platform with a revised "Last Updated" date.
20.2 Notice of Material Changes
For material changes to this Policy — particularly those that reduce your rights or introduce new ways of using your data — we will provide at least 30 days' advance notice by:
20.3 Continued Use = Acceptance
Your continued use of the Platform after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree to the updated Policy, you must stop using the Platform and may delete your account and request erasure of your personal data.
20.4 Historical Versions
Previous versions of this Privacy Policy are available upon request by emailing privacy@sponzy.app.
21. Contact & Data Protection Information
21.1 General Privacy Inquiries
For all questions, requests, or complaints regarding this Privacy Policy or your personal data:
Sponzy
Nairobi, Kenya
Privacy Email: privacy@sponzy.app
Response Time: We aim to respond to all privacy inquiries within 30 days.
21.2 Security & Breach Reports
For urgent security issues or suspected data breaches:
Security Email: hello@sponzy.app
Security reports acknowledged within 72 hours.
21.3 Data Protection Officer
Sponzy is a sole proprietorship and does not currently meet the threshold for mandatory DPO appointment under the KDPA. However, we treat all data protection inquiries with the same level of seriousness. All data protection inquiries should be directed to privacy@sponzy.app.
21.4 Regulatory Authority
Office of the Data Protection Commissioner (ODPC)
Website: odpc.go.ke
Email: info@odpc.go.ke
Nairobi, Kenya
You have the right to lodge a complaint with the ODPC at any time if you believe Sponzy has failed to comply with its obligations under the Kenya Data Protection Act 2019.
This Privacy Policy was last updated on 28 May 2026. A version history is available upon request.