Privacy Policy

Effective 3 May 2026

1. Overview

Bustani ERP ("Bustani", "we", "our") provides club management software to Rotary clubs and similar service organisations. This policy explains what personal information we collect, why we collect it, how we use it, and the rights you have over it.

We act as a data processor on behalf of each club for member and donor records the club uploads, and as a data controller for the account information of users who sign up directly with us.

2. Information we collect

  • Account data: name, email, phone, role, and password hash for users who sign in.
  • Club & member records: member profiles, dues, attendance, committee assignments, and documents uploaded by club administrators.
  • Donor & project data: donor names, contact details, donation amounts, project allocations, and tax receipts.
  • Payment data: M-Pesa transaction references, Stripe charge IDs, and invoice records. We do not store full card numbers or M-Pesa PINs — those are handled by Safaricom and Stripe directly.
  • Operational data: IP address, approximate location (country, region, city) derived from your IP via a third-party geolocation lookup, browser type and version, operating system, screen size and time-zone, the page you are currently viewing, session start and end times, and audit logs of sensitive actions. Some of this information is used to derive a non-reversible "device fingerprint" that lets us recognise the same device across sessions without storing more identifying detail than necessary.
  • Security signals: when you sign in we record login attempts (success and failure), the IP and device they came from, and any flags raised by automated rules (for example: sign-in from a country you haven't used before, sign-in from a known VPN/datacentre, two simultaneous sessions from different countries, physically implausible travel between sign-ins). These are used solely to detect account compromise.

3. Session security monitoring

While you are signed in, we run lightweight session monitoring to protect your account and your club's data. Specifically:

  • Your browser sends a heartbeat to our server every ~45 seconds while a tab is open and visible. The heartbeat carries your IP, the page you are on, and a tab identifier.
  • We look up your IP's approximate location and network operator (ASN) using a third-party geolocation service, and cache the result for 24 hours so the same IP is not looked up repeatedly.
  • We compute a "device fingerprint" from your browser, operating system, time-zone, screen size and a small set of similar signals. We do not use canvas / WebGL fingerprinting or similar advertising techniques.
  • We compare each heartbeat against your recent history and raise an internal alert if something looks unusual (a new device, an impossible-travel jump, a connection from a known VPN). Administrators of your organisation may review these alerts.
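As an added illustration (not Bustani's own code), the following Python shows how the anomaly rules listed above can be evaluated against a user's recent heartbeat history, and how the raw history is pruned to the 90-day window described later in this policy. The speed threshold, field names and the fingerprint format are assumptions chosen to match the policy's description.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Constructed example, not Bustani's code. Illustrates the rules the policy
# lists: new device, known VPN/datacentre, and physically implausible travel.

MAX_SPEED_KMH = 1000.0  # assumption: faster than an airliner is implausible

@dataclass
class Heartbeat:
    ts: float               # unix seconds
    device: str             # non-reversible device fingerprint hash
    lat: float              # approximate location from geolocation lookup
    lon: float
    is_datacentre: bool = False   # ASN flagged as VPN/hosting provider

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))

def evaluate(history, hb):
    """Return alert names raised by heartbeat hb given history (oldest first)."""
    alerts = []
    if hb.is_datacentre:
        alerts.append("known_vpn_or_datacentre")
    if history:
        if hb.device not in {h.device for h in history}:
            alerts.append("new_device")
        prev = history[-1]
        dist_km = haversine_km(prev.lat, prev.lon, hb.lat, hb.lon)
        hours = max((hb.ts - prev.ts) / 3600.0, 1e-9)   # avoid divide-by-zero
        if dist_km / hours > MAX_SPEED_KMH:
            alerts.append("impossible_travel")
    return alerts

def prune(history, now, retention_days=90):
    """Drop raw IP/device history older than the policy's 90-day window."""
    cutoff = now - retention_days * 86400
    return [h for h in history if h.ts >= cutoff]
```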

The lawful basis for this processing is our legitimate interest in keeping your account secure (Kenya Data Protection Act 2019, s.30(1)(f); GDPR Art. 6(1)(f) where applicable). We have completed a Data Protection Impact Assessment which is available to data subjects on request.

You can opt out of detailed session monitoring at any time from Security settings. Opting out suppresses IP and device collection, geolocation, and anomaly detection for your account; we still record that you are signed in (operational data).

4. How we use it

  • To deliver the service you or your club has signed up for.
  • To process payments and send receipts via Stripe and Safaricom M-Pesa.
  • To send transactional notifications (dues reminders, meeting alerts, password resets).
  • To detect fraud, abuse, and unauthorised access.
  • To comply with Kenyan tax, anti-money-laundering, and Data Protection Act 2019 obligations.

5. Who we share data with

We share data only with processors that help us run the service:

  • Stripe — card payments and payouts.
  • Safaricom (M-Pesa) — mobile money collections and disbursements.
  • DigitalOcean — managed Postgres and application hosting (Frankfurt region).
  • Email and SMS providers — transactional messages.
  • ipinfo.io — IP geolocation lookup (country, region, city, network operator) for session security monitoring. The lookup sends only your IP address; results are cached for 24 hours.

We do not sell personal data, and we do not share it with advertisers or data brokers.

6. How long we keep it

Account and member data is retained while your club's account is active. Financial records (invoices, receipts, donation records) are retained for at least seven years as required by Kenyan tax law. When an account is deleted, non-financial personal data is removed within 30 days.

Session monitoring data is held for the following periods:

  • Live presence (current sessions): up to 5 minutes after your last activity.
  • Raw IP address and device fingerprint history: 90 days, then deleted.
  • Per-day and per-month online-time totals: 3 months and 13 months respectively.
  • Security alerts: 7 days in our hot store, longer in our durable audit store as required for incident response (typically up to one year).
  • Login attempt history: up to two years for fraud and credential-stuffing detection.
  • Audit-log entries (sensitive actions, viewing of forensic detail): retained as long as the related records.

7. Your rights

Under the Kenya Data Protection Act 2019 you have the right to access, correct, export, or delete your personal data, and to object to or restrict processing. Members and donors should contact their club's administrator first; account holders can email us directly.

To exercise any of these rights, get in touch via the contact page.

For session security monitoring specifically, signed-in users can opt out at any time from Security settings without contacting us.

8. Cookies & sessions

We use a small number of strictly necessary cookies to keep you signed in and to remember your theme and language preferences. We do not use advertising or third-party tracking cookies. You can disable cookies in your browser, but signing in will not work without them.

9. Security

We encrypt data in transit (TLS) and at rest, isolate each club's data using row-level security in our database, and restrict employee access to production systems on a need-to-know basis. Despite reasonable precautions no system is perfectly secure; if you suspect a breach please contact us immediately.

10. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced in-app and by email before they take effect.

11. Contact

Questions about this policy or your data? Get in touch.

See also our Terms of Service.