Privacy Policy

Last updated: January 2026

Aviation Professionals of Kenya ("APK") is committed to protecting your personal information. This policy explains how we collect, use, and safeguard your data.

1. Legal Framework

This Privacy Policy is governed by the Kenya Data Protection Act 2019, the Data Protection (General) Regulations 2021, the Kenya Information and Communications Act (Cap 411A), and where applicable, the EU General Data Protection Regulation (GDPR). APK Kenya is registered with the Office of the Data Protection Commissioner (ODPC) as a data controller.

2. Information We Collect

We collect: Identity data (name, photo, membership number, aviation role, airline); Contact data (email, phone); Professional data (aviation licence, employer, work email); Authentication data (password stored as a one-way cryptographic hash, never in plain text); Payment data (M-Pesa receipt numbers and Pesapal transaction references only: we never store card numbers or PINs); Technical data (IP address, browser type, device, pages visited); Usage data (partner benefits viewed and redeemed, events RSVP'd). We do not collect sensitive personal data such as racial origin, political opinions, or health data.

3. How We Collect Your Data

We collect data directly from you during registration and profile updates; automatically via cookies and session tracking; from Google OAuth if you sign in with Google; and from payment processors (Pesapal, Safaricom M-Pesa) who share transaction confirmation data with us.

4. How We Use Your Information

Your data is used for: Membership management (contract performance); Payment processing (contract performance); Communications including verification emails, renewal reminders, and announcements (legitimate interest); Security and fraud prevention (legitimate interest); Legal compliance with Kenyan regulatory and tax requirements (legal obligation); Platform improvement using anonymised usage data (legitimate interest). We do not use your data for automated decision-making that produces legal effects.

5. Data Sharing

APK Kenya does not sell, rent, or trade your personal data. We share data only with: Service providers bound by data processing agreements (Supabase, Vercel, Resend, Pesapal, Safaricom); Partner venues who see only your name, membership status, plan type, and applicable discount when you redeem via QR scan; Regulatory authorities if required by law; and successors in the event of a business transfer subject to equivalent privacy protections.

6. Data Security

We implement: HTTPS (TLS 1.2+) for all data transmission; bcrypt hashing for passwords; Row-Level Security (RLS) on all database tables; Rate limiting, input validation, and authentication on all API endpoints; No logging of sensitive data to server logs; Restricted access to production systems; Regular security audits. In the event of a breach, we will notify you and the ODPC within 72 hours as required by law.

7. Cookies

We use essential cookies (required for authentication, cannot be disabled), analytics cookies (anonymised usage data to improve the platform), and preference cookies (to remember your settings). We do not use advertising or tracking cookies. You can manage cookie preferences via our cookie consent banner.

8. Data Retention

Membership and account data is retained for the duration of membership plus 7 years (Kenya tax requirements). Payment records are retained for 7 years (KRA requirements). Technical logs are retained for 90 days. Email communications are retained for 3 years. Data is securely deleted or anonymised when no longer required.

9. Your Rights

Under the Kenya Data Protection Act 2019 and GDPR where applicable, you have the right to access your personal data; correct inaccurate data; request erasure subject to legal retention requirements; restrict processing; receive your data in a portable format; object to processing; and withdraw consent. Contact us at apk.kenya@gmail.com. We will respond within 30 days. You may also lodge a complaint with the ODPC at odpc.go.ke.

10. International Data Transfers

Your data is hosted on servers in the United States (Supabase, Vercel). Where we transfer data outside Kenya, we ensure appropriate safeguards including standard contractual clauses, in compliance with Section 48 of the Kenya Data Protection Act 2019.

11. Children's Privacy

Our platform is not intended for persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with data, contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email and by posting the updated policy with a revised effective date. Continued use of the platform after the effective date constitutes acceptance.

13. Contact

Aviation Professionals of Kenya (APK Kenya). Email: apk.kenya@gmail.com. Website: apk.co.ke. For regulatory complaints contact the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.