Dealer Privacy Notice

This Dealer Privacy Notice explains how Francton LLC, operating as Garisea (“Garisea,” “we,” “us”), handles personal data on the dealer dashboard at dealer.garisea.com.

It is in addition to, not in place of, the customer-facing Privacy Policy at garisea.com. Where the two overlap on dealer-account data, this Notice governs.

This Notice is written to comply with the Kenya Data Protection Act, 2019 and is aligned with the principles of the EU General Data Protection Regulation (GDPR) where applicable.

Francton LLC, operating as Garisea, is the data controller for:

• Your dealer-account data (your name, email, phone, KRA PIN, business identification, login activity, billing history, dashboard preferences).
• Buyer data (inquiries, messages, search history, account profile) collected by the platform. Garisea is the controller for this data; your dealership is a recipient of specific buyer details (name, phone, email, the message content) when a buyer initiates a lead with you.

For buyer data that flows off-platform — when you call the buyer, when the buyer visits your premises, when you exchange WhatsApp messages from your own number, when a sale contract is signed — your dealership is an independent data controller for that data under the Kenya Data Protection Act 2019, with your own data-protection responsibilities (lawful basis, retention, security, subject rights). See Dealer Terms §21 for the boundary.

Our Data Protection contact is [email protected].

We collect personal data in three ways: data you give us directly, data we collect automatically when you use the dashboard, and data we receive from third parties.

3.1 Data you give us

• Account data — name, email, phone, password (stored as a salted bcrypt hash — we never see the plaintext).
• Dealership identity — dealership name, physical address, contact phone, contact email, social handles, opening hours.
• Verification documents — KRA PIN, business registration, identification documents requested during verification or for badge eligibility. Document images are stored on our image hosting provider; metadata is in the primary database.
• Listing data — vehicle details (make, model, year, mileage, VIN, condition, price), photos, videos, viewing location, contact-channel preferences (which channels you enable per listing or globally).
• Lead handling — your replies to customer messages, notes you write internally, follow-up notes, dispute submissions.
• Reviews you reply to — your public replies to customer reviews.
• Payment requests— top-up and subscription orders you initiate. Actual card numbers and M-Pesa PINs are captured by our payment service provider on their hosted checkout — Garisea never sees, stores, or processes them. We receive only the transaction outcome (success / failure / amount / reference) from the provider's signed webhook.
• Support tickets — anything you write to us at our dealer support address or via the in-dashboard help center.

3.2 Data collected automatically

• Device and browser — IP address, browser type and version, operating system, device model, screen size, language, timezone.
• Usage data — dashboard pages you visit, actions you take (publish, edit, archive, reply, dispute), session duration, feature engagement.
• Audit log of sensitive actions — account state changes (active / suspended / closed), vehicle status changes (active / sold / reserved / deactivated), data exports, deletions, settings changes affecting billing or contact channels. Retained for compliance and dispute reconstruction regardless of analytics consent.
• Crash and error data — when a dashboard request errors, we capture the stack trace, request context, and your user ID (so we can correlate, not so we can identify you to a third party). Handled by a third-party crash monitoring provider with PII fields scrubbed in transit.
• Cookies and local storage — session cookies, CSRF tokens, preference flags. Full inventory in our Cookie Policy.

3.3 Data from third parties

• Google Sign-In — if you sign in with Google, we receive your name, email, profile picture URL, and a Google account identifier. We do not receive your Google password.
• Apple Sign-In — if you sign in with Apple, we receive an Apple identifier (the sub claim) and, on first sign-in only, your email (or an Apple relay address if you chose “Hide my email”) and full name if you allowed sharing. We exchange the one-time authorization code for a refresh token so we can revoke your Apple session at account deletion (Apple guideline 5.1.1(v) requires this); the refresh token is encrypted at rest with AES-256-GCM.
• Payment service provider — payment outcome webhook (success / failure / amount / reference / your dealer ID).

We use the data we collect to:

• Run the dealer dashboard — authenticate you, keep your session, store listings, route customer leads to the right dealer, surface analytics on your performance, send in-product notifications.
• Verify your dealership — review KRA PIN, business registration, and other identification documents to grant verification badges and unlock listing privileges.
• Bill subscriptions and packs — relay orders to our payment service provider, credit your wallet on confirmation, auto-pause campaigns when the wallet falls below threshold, generate KRA-compliant invoices and receipts.
• Detect fraud, abuse, and policy violations — listing scams, impersonation, ad-fraud, AUP violations, chargeback abuse, off-platform diversion.
• Send transactional communications — lead alerts, billing notices, status changes, dispute outcomes, verification updates, security notifications (password reset, login lockout, account closure confirmation).
• Send marketing communications, with consent — product newsletters, feature announcements, partner promotions. You can opt out anytime from Settings → Notifications without affecting transactional messages.
• Provide aggregate analytics — dashboard usage data feeds product analytics in aggregate. Where analytics identify your dealership specifically, that processing is gated on the cookie consent you set in this dashboard.
• Improve the marketplace — anonymized usage patterns feed product improvement (which features dealers use, where they drop off, which surfaces convert).
• Comply with legal obligations — respond to lawful requests from Kenyan regulators, courts, or law enforcement; retain transaction records for the 7-year KRA statutory period; maintain audit logs.

Under the Kenya Data Protection Act 2019 and GDPR Article 6 (where applicable), our lawful basis for processing your personal data is:

• Contract performance — the bulk of dashboard processing flows from our Dealer Terms (publishing listings, routing leads, billing, providing analytics you signed up for).
• Legitimate interests— fraud prevention, security monitoring, aggregate analytics, sub-processor relationships needed to run the platform. We balance these against your rights and limit data use to what's necessary.
• Consent — optional things like analytics + advertising cookies, marketing email subscriptions. Withdraw any time without affecting other processing.
• Legal obligation — KRA records retention, regulator requests, audit-trail keeping, breach notification.

We share your data only when needed to provide the service, with your consent, or when required by law.

6.1 With customers

Your dealership's public profile(business name, location, ratings, badges, contact channels you've enabled, opening hours, active listings) is visible on garisea.com and the customer mobile app. The personal email and password you use to sign in are never displayed.

6.2 With service providers

We use trusted third-party service providers to run the dashboard. Each is bound by a data-processing agreement that limits how they may use your data. The categories of providers we engage are:

• Payment processing— to charge subscriptions, packs, and wallet top-ups. Card and M-Pesa details are captured on the provider's hosted checkout; Garisea does not see, store, or process them.
• Email and SMS delivery — to send transactional email (lead alerts, billing notices, security alerts) and SMS one-time codes, and — with consent — marketing email.
• Cloud hosting and database — to run the dashboard, the API, and our primary database. Data is encrypted in transit and at rest.
• Content delivery and image / video hosting — to serve vehicle photos, dealership logos, KRA PIN images, and verification documents at scale.
• Push notifications — to deliver lead, billing, and message alerts to your browser or device.
• Crash and error monitoring — to capture scrubbed error reports so we can fix bugs.
• Aggregate dashboard analytics — gated on cookie consent; helps us understand which features get used.
• Maps and location autocomplete — to render dealership location previews and search-completion lists.
• Bot mitigation and DDoS protection — to keep the dashboard safe from automated abuse.
• Background job scheduling — to run time-sensitive workflows like billing reminders and notification fan-out.
• AI-assisted features — limited use of large-language-model providers for lead suggestions and listing-description help. Content is sent under zero-data-retention agreements; no personal data beyond what you explicitly entered is included.

We periodically review our provider list and add or remove providers as the platform evolves. Material changes are reflected in this Notice and notified per §13.

We do not sell your personal data, and we do not share it so that other companies can advertise their own products to you. We do share a limited set of data with our own advertising and measurement partners — see Section 6.3.

6.3 Advertising and measurement partners

To run and measure Garisea's owndealer-recruitment advertising — and to know which campaign brought you to Garisea — we share a limited set of data with Meta (Facebook / Instagram) and Google:

• What we share — a hashed (one-way encrypted) version of your email, phone number, and Garisea account ID, used only to match you to an ad view; on the Garisea mobile app, your device advertising identifier (iOS only if you allow App Tracking Transparency; Android subject to your ad-ID settings); and key actions (sign-ups and, in the app, installs). We never share your raw email or phone number — only the hashed form.
• Why — to measure whether our ads work, reach dealers similar to you, and attribute sign-ups and app installs. We do notdo this to let Meta or Google advertise other companies' products to you.
• Your control — turn off the Advertisingcategory in our cookie banner; in the app, decline App Tracking Transparency (iOS) or reset/limit your advertising ID (Android). You can also manage ad personalisation directly with Meta and Google.

Meta and Google act as independent data controllers for the information they receive and handle it under their own privacy policies.

6.4 With authorities

We may disclose your data when required by Kenyan law — for example, a lawful court order, a regulator's formal request, a criminal investigation by the Directorate of Criminal Investigations (DCI), or a binding KRA request. We'll notify you of the request unless legally prohibited from doing so.

6.5 Business transfers

If Garisea is sold, merged, or restructured, your personal data may be transferred to the acquiring entity under the same privacy commitments. We'll notify you by email at least 30 days before any such transfer where reasonably possible.

We keep your personal data only as long as we need it for the purposes described in this Notice, then delete or anonymize it.

• Active dealer accounts — kept while the account is open.
• Closed accounts — profile and personal data are removed from active systems within 30 days of account closure. Anonymized aggregate analytics derivatives may be retained indefinitely (they no longer link back to you).
• Listings — retained until you delete them or close the account. Sold or deactivated listings stay in the search index for ~30 days to honor existing share-links, then move to a hidden archive.
• Lead conversations — retained while your account is active. After account closure, removed within 30 days.
• Reviews left about you— generally remain live after account closure to inform other buyers. The reviewer's display name is anonymized to “Former user” if they have themselves deleted their customer account.
• Invoices, receipts, payment records — retained for 7 years, as required by KRA records retention rules.
• Audit log (account state changes, moderation actions, data exports, deletions, sensitive settings changes) — retained for 7 years regardless of account state, for compliance and dispute reconstruction.
• Customer search history used to power dealer insights — anonymized after 90 days. Anonymized aggregate data is retained indefinitely; we do not retain a customer-identifying link to old searches.
• Backups — automated database backups may retain your data for up to 30 days after deletion. Backups are access-restricted and used only for disaster recovery.

We apply industry-standard safeguards to protect your data:

• Encryption in transit — all connections to the dashboard, the API, and our sub-processors use TLS 1.2 or higher.
• Encryption at rest — the production database encrypts data at rest. Sensitive secondary credentials (Apple Sign-In refresh tokens) are additionally encrypted with AES-256-GCM before storage.
• Passwords — never stored in plaintext. We use bcrypt with a per-password salt; even an engineer with full database access cannot see your password.
• Authentication — short-lived JWT access tokens (30 minutes) + refresh-token rotation. Stored on web in httpOnly cookies with the Secure and SameSite attributes.
• Account lockout — after 5 failed login attempts in 30 minutes, the account is temporarily locked. We notify you by email.
• Webhook signature verification — incoming webhooks (payment confirmations, email bounce reports, media upload notifications) verify HMAC signatures before being trusted.
• CSRF protection — state-changing dashboard requests carry a CSRF token that we verify server-side.
• Access controls — engineer access to production data is role-based, audited, and time-bounded. Customer support staff see only the minimum data needed to help you.
• Secret hygiene — secrets rotate on a 90-day cadence and immediately on suspected compromise. Automated pre-commit scans block accidental credential commits.

No system is 100% secure. If we ever detect a personal data breach affecting your account, we will notify you and the Office of the Data Protection Commissioner within 72 hours of becoming aware, as required by the Kenya Data Protection Act 2019.

Under the Kenya Data Protection Act 2019 (Sections 26–33) and GDPR Articles 15–21 where applicable, you have the following rights over your personal data:

• Right of access — request a copy of the data we hold about you. Use the export tool in Settings → Account or email [email protected]. You receive a JSON archive covering profile, listings, leads, invoices, and notification preferences.
• Right to correction — fix inaccurate data. Most fields are editable directly in Settings → Profile. For things you can't edit yourself (e.g. registered email change with verification), email [email protected].
• Right to erasure (“right to be forgotten”) — delete your account and personal data. Available in Settings → Account. Personal data is removed within 30 days. Tax-mandated transaction records and 7-year audit logs are retained as required by law.
• Right to data portability — receive your data in a structured, machine-readable format (the JSON export referenced above).
• Right to object — object to processing based on legitimate interests (e.g. marketing emails). Toggle off in Settings → Notifications or email [email protected].
• Right to withdraw consent— where we process based on consent (analytics cookies, advertising cookies, marketing email), you can withdraw at any time. Withdrawal doesn't affect processing that already happened.
• Right to restrict processing — ask us to pause processing while we investigate a complaint. Email [email protected].
• Right to lodge a complaint— if you believe we've mishandled your data, you can complain to the Office of the Data Protection Commissioner (Kenya).

We respond to rights requests within 30 days, as required by law. Our Data Protection contact is [email protected].

Garisea's primary infrastructure runs on cloud providers with servers primarily located in Europe and the United States. When we transfer your personal data outside Kenya, we rely on the recipient's certifications (e.g. EU-US Data Privacy Framework participants) or contractual safeguards equivalent to the Kenya Data Protection Act 2019. We never transfer data to a jurisdiction without comparable privacy protections.

The dashboard uses automated systems to rank your listings in search results, score lead intent (a Cold-to-Very-Hot indicator), auto-pause campaigns when your wallet falls below threshold, auto-deactivate listings flagged stale by moderation, and filter clearly-fraudulent activity. None of these decisions have a significant legal or material effect on you in the sense of Section 35 of the Kenya Data Protection Act — they affect ranking, presentation, and automated platform hygiene rather than whether you can transact. If you believe an automated decision (e.g. a listing wrongly hidden, a lead wrongly flagged invalid) has materially harmed you, contact [email protected] and a human moderator will review the outcome.

When buyer personal data (name, phone, email, message content, trade-in details) is delivered to your dealership through a lead, you become an independent data controller for that data. Your duties — under the Kenya Data Protection Act 2019 and these Dealer Terms — include: processing the data only for the specific inquiry it relates to (no marketing list addition, no resale, no third-party transfer); keeping the data secure (no sharing in unsecured WhatsApp groups beyond your staff, no spreadsheet of buyer contacts on an unsecured laptop); deleting the data when no longer needed for the inquiry; responding to buyer data-subject requests made to you directly within 30 days; and notifying Garisea promptly if you learn of a personal data breach affecting buyer data you obtained through the platform. See Dealer Terms §11 and §21 for the full scope.

We may update this Notice from time to time as the platform evolves, as our sub-processor list changes, or as the law requires. Material changes will be communicated by email at least 14 days before they take effect, with an in-dashboard notice. The “Last updated” date at the top of this page reflects the most recent revision. Continuing to use the dashboard after an update means you accept the updated Notice.

For privacy questions, complaints, or to exercise your rights:

• Data Protection: [email protected]
• Dealer support: [email protected]
• Trust & safety: [email protected]
• Operated by: Francton LLC, Nairobi, Kenya.

To complain to the Kenyan data-protection regulator: Office of the Data Protection Commissioner — www.odpc.go.ke.