Legal
Privacy Policy
Effective 17 July 2026. This policy covers the Kuramap website, the public Kuramap API, and the Kuramap mobile app.
The short version
- There are no adverts, no tracking cookies, no reader accounts, and we do not sell or share personal data with anyone.
- Reading the site does not require you to identify yourself. We measure page views with a cookieless analytics beacon (when it is switched on), and our server keeps short-lived request logs.
- Location, stated plainly: if you use “who represents me?” in the mobile app, your coordinates are sent to our API to work out which ward you are in. They are used to answer that one question and then discarded: they are not written to our database, and they are stripped out of our server request logs before the log line is written. They do travel over the network to us, and they come back in the API response — so they are handled, just never kept.
- Questions, objections, or a request to delete something: [email protected].
Who runs Kuramap
Kuramap is an independent, unincorporated civic project. It is deliberately not a company: there is no registered legal entity, no company number, and no corporate office. It is built, paid for and run by a private individual, who is the data controller for the purposes of the Data Protection Act, 2019 (Kenya) and who can be reached at [email protected].
We mention this because it is relevant to you: correspondence goes to a person, not a support department, and replies may take a few days.
The website
Analytics
Kuramap uses Cloudflare Web Analytics to count page views. It is enabled per deployment: when it is not enabled, no analytics script loads and no analytics data is collected at all. You can check which applies on any page — view the page source and look for a script loaded from static.cloudflareinsights.com. If it isn’t there, nothing is being measured.
When it is enabled, Cloudflare, Inc. acts as our processor and, per Cloudflare’s documentation, it:
- sets no cookies, writes nothing to localStorage, and does not fingerprint you by IP address or User-Agent;
- records the page visited, the referring URL, your country, your browser and operating system names, and page-load performance measurements (Core Web Vitals);
- uses your IP address at the edge to derive that country, and does not store or log the IP address itself;
- retains unsampled beacon data for 7 days, after which it is aggregated down to roughly 10% and remains visible in the dashboard for the previous six months.
Cloudflare describes this in its Web Analytics FAQ and its privacy policy.
Why there is no cookie banner
The beacon stores nothing on your device, so there is no cookie or local identifier to ask you to consent to. Our reading of the Data Protection Act, 2019 is that cookieless measurement of this kind does not require a consent banner. That is our own assessment and an assumption we are working under — it is not legal advice, and it has not been tested by a regulator. If you think it is wrong, please tell us at [email protected] and we will look at it again. You can also object to being measured at that address, or block the beacon in your browser, with no loss of functionality.
Server request logs
Our API server writes a log line for every HTTP request it handles. That line contains the time, the method, the request address, the response status, how long the request took, and a request ID. It records the network address the connection came from; because the site sits behind our own TLS proxy, that is normally the proxy’s internal address rather than your public IP address. Our proxy is not configured to write its own access logs.
Sensitive query values never reach the log. Coordinates (lat / lng) are replaced with REDACTED before the line is written, so a /lookup request is logged as having happened without recording where you were. The redaction keys off the parameter name rather than the specific endpoint, so any future endpoint that takes coordinates is covered by default.
These logs exist to keep the service running and to debug faults. They are not used to build a profile of you, and they are never archived, exported, or backed up anywhere.
Hosting
The site, the API and the database run on a single virtual server rented from Hetzner. Depending on where that server is located, your data may be processed outside Kenya.
The public API
Reading the API anonymously requires no account and no personal data. If you register for a developer key, we store:
- your email address — it is how you sign in (we email you a sign-in link) and how we would reach you about your key;
- a hash of each API key, never the key itself. We store only the SHA-256 digest; the key is shown to you once, at creation, and cannot be recovered from our database afterwards;
- usage counters per key — request counts used to enforce rate limits and daily quotas.
Sign-in link emails are delivered by Resend, which processes your email address for that purpose. We keep developer account data for as long as the account exists; ask us at [email protected] and we will delete it.
The mobile app
Location
The app declares the Android permissions ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION. Location is optional and is only requested when you choose the “who represents me?” feature; the rest of the app works without it. If you grant it, the app takes a single GPS fix and sends the latitude and longitude to our API as query parameters on a /lookup request, which returns the ward, constituency and county containing that point.
What happens to those coordinates
- They are sent to our server over an encrypted connection, and held in memory only for as long as it takes to answer the question.
- They are not stored in our database. The lookup is a read-only geometry query — it works out which ward contains the point and writes nothing.
- They are not written to our server request logs. Our logger strips the coordinates and writes REDACTED in their place, so the request is recorded but your position is not.
- They are echoed back to you in the API response, so the app can confirm which point was resolved. We don’t log that response.
- They are never used for advertising or profiling, never linked to an identity, and never shared with a third party.
Our Google Play Data Safety declaration reflects exactly this: location is collected — it does leave your device — but it is processed ephemerally and not stored. We say “collected” rather than “not collected” because the coordinates genuinely are transmitted to us; what we can honestly promise is that we don’t keep them.
Crash reporting
When a build is configured with a Sentry DSN, the app sends crash and error reports — and a 10% sample of performance traces — to Sentry, which processes them on our behalf so we can fix faults. Reports contain technical context such as the device model, OS version and a stack trace. Builds without a DSN send no telemetry at all.
How long we keep things
| Data | Kept for |
|---|---|
| Server request logs (coordinates already stripped — see above) | A rotating 15 MB buffer per service; overwritten as new requests arrive |
| Cloudflare Web Analytics (when enabled) | 7 days unsampled, then aggregated; ~6 months in Cloudflare’s dashboard |
| Developer email address + API key hashes | For as long as the account exists |
| Crash reports (when enabled) | Per Sentry’s retention policy |
Request logs are held in a small, fixed-size rotating buffer on the server (15 MB per service): the oldest lines are overwritten as new requests arrive, and nothing is copied off the machine.
Why we don’t quote a number of days here: that buffer is bounded by size, not by age, so how long a line survives depends on how busy the site is — on a quiet week it lasts longer. Promising “at most N days” would be a number our servers don’t actually enforce, so we’d rather tell you exactly what the mechanism is. The thing that protects your location isn’t a deletion deadline anyway: it’s that the coordinates are never written down in the first place.
What we don’t do
- No advertising, and no advertising or marketing trackers.
- No selling, renting or sharing of personal data.
- No tracking cookies and no cross-site tracking.
- No accounts for readers — the site is open to read.
- No profiling and no automated decisions about you.
Your rights
Under the Data Protection Act, 2019 you can ask what personal data we hold about you, ask us to correct or delete it, or object to how we use it. In practice we hold very little: unless you have registered for a developer key, we are unlikely to hold anything that identifies you at all.
Write to [email protected] and we will respond. If you are not satisfied, you can complain to the Office of the Data Protection Commissioner (Kenya).
Changes to this policy
If this policy changes we will update the effective date at the top of the page. If a change materially affects what we collect or how long we keep it, we will say so on the page rather than quietly editing it. The history of this page is public in our source repository.
See also our Terms of Use for the licence that applies to Kuramap’s data.