
Privacy Policy

Last updated: April 2026

1. Who We Are

Miliki is based in Nairobi, Kenya. We provide an AI-powered wealth diagnostic service for Kenyan individuals.

Data Controller: Miliki
Data Protection Officer: Brian Kuria
Email: dpo@miliki.app

2. What Data We Collect

  • Account data: name, email address, phone number, county
  • Assessment data: your answers to financial diagnostic questions including income, spending, debts, savings, and financial behaviours
  • Payment data: M-Pesa transaction references, payment amounts, payment status
  • Report data: your AI-generated wealth diagnostic report including wealth score, constraint analysis, and action plan
  • Usage data: login timestamps, page views, device information (no tracking cookies)

3. Why We Collect It (Legal Basis)

  • To provide the wealth diagnostic service you requested (contractual necessity)
  • To process your M-Pesa payment (contractual necessity)
  • To send SMS reminders at day 28, 56, and 84 (legitimate interest)
  • To improve our service (legitimate interest, anonymised)

4. Sensitive Data

Your financial data — including income, debts, spending patterns, and betting activity — is classified as sensitive data under the Kenya Data Protection Act (KDPA). We process this data only with your explicit consent, which you provide during signup via the consent checkbox.

5. How We Process Your Data

  • Your assessment answers are sent to Anthropic's AI API (Claude) for analysis. Anthropic processes data in the United States. Appropriate safeguards are in place per KDPA Section 48 (cross-border transfers).
  • Your payment is processed via IntaSend, a Kenya-based payment processor.
  • SMS reminders are sent via Africa's Talking, a Kenya-based communications provider.
  • Email notifications are sent via Resend.

6. Data Storage & Retention

  • Your data is stored on servers located in Nairobi, Kenya (HostAfrica).
  • Assessment conversation data (raw answers) is automatically deleted 90 days after report generation.
  • Your report is retained indefinitely unless you request deletion.
  • Payment records are retained as required by Kenyan financial regulations.
  • If you do not pay, your assessment data is automatically deleted.

7. Your Rights Under KDPA

Under the Kenya Data Protection Act 2019, you have the right to:

  • Access: Download all data we hold about you — Settings → Download my data
  • Correction: Request correction of inaccurate data by contacting us
  • Deletion: Delete your account and all associated data — Settings → Delete my account
  • Objection: Object to processing by contacting us
  • Portability: Export your data in machine-readable format (JSON)

8. Data Sharing

We do not sell your data. We share data only with:

  • Anthropic (AI processing) — United States, with safeguards
  • IntaSend (payments) — Kenya
  • Africa's Talking (SMS) — Kenya
  • Resend (email) — United States, with safeguards

9. Data Security

  • All data is transmitted over HTTPS/TLS
  • Passwords are hashed using bcrypt
  • Database access requires authentication
  • Rate limiting and account lockout protect against brute-force attacks
  • Security headers (CSP, HSTS, X-Frame-Options) are enforced
  • Login notifications alert you to new sessions

10. Data Protection Officer

Brian Kuria (Founder & DPO)
Email: dpo@miliki.app
Response time: 7 days (per KDPA Regulations)

11. Changes to This Policy

We may update this policy from time to time. Changes take effect when posted on this page. We encourage you to review this page periodically.