1. Who We Are
KESCE — Key Estate Subscription & Control Engine is a rental property management system developed and operated in Kenya. We provide landlords and property managers with tools to manage tenants, track rent payments, manage bills, and generate financial reports.
For the purposes of Kenya's Data Protection Act 2019, KESCE is the Data Controller — meaning we determine how and why your personal data is processed.
Data Controller contact: kescerentals@gmail.com
2. What Data We Collect
When you register as a landlord:
- Full name, email address, phone number, country
- Password (stored as a secure hash — never readable)
- Account creation date and login activity
When you use the system:
- Property details you enter (name, location, unit count)
- Tenant information you add (name, phone, rent amount, move-in date)
- Payment records you log (amounts, dates, M-Pesa codes)
- Bill and expense records you create
- Caretaker names and login details you set up
Automatically collected:
- Login timestamps and session identifiers
- IP address (used only for login security — rate limiting)
We do not collect: payment card numbers, M-Pesa PINs, ID numbers, or any biometric data.
3. Why We Collect It
- To provide the service — your property, tenant, and payment data is the core of what KESCE manages for you
- To secure your account — email and password are used to authenticate you and protect your data
- To process subscriptions — we need your contact details to manage your plan and send receipts
- To send important notifications — account alerts, subscription reminders, and system updates
- To improve the system — anonymised usage patterns help us fix bugs and build better features
- To comply with the law — Kenya's Data Protection Act 2019 requires us to process data lawfully and transparently
4. How We Store & Protect Your Data
Your data is stored in a secured MySQL database on our hosting server. We apply the following protections:
- Passwords are hashed using bcrypt — even we cannot read your password
- Sessions are regenerated on every login to prevent session hijacking
- SQL queries use prepared statements to prevent injection attacks
- HTTPS encryption protects all data in transit between your device and our server
- IP-based rate limiting blocks repeated failed login attempts automatically
- Daily backups protect against data loss
Your data is isolated per account. No landlord can ever access another landlord's data. Every query in our system is scoped strictly to your user ID.
5. Who We Share Your Data With
We do not sell, rent, or trade your personal data to any third party. Ever.
The only external services that may receive limited data are:
- Safaricom Daraja API — receives payment amount and your phone number to process M-Pesa STK Push payments. No other personal data is sent.
- SMTP email provider — your email address is used to send you system notifications and receipts. Email content passes through the SMTP server in transit.
Both of these are essential to the service and operate under their own privacy policies.
6. Your Rights Under the Data Protection Act 2019
As a KESCE user and a data subject under Kenya's Data Protection Act 2019, you have the following rights:
Right to Access
Request a copy of all personal data we hold about you.
Right to Correct
Ask us to correct any inaccurate information about you.
Right to Portability
Download all your data in a portable format from your account.
Right to Deletion
Request permanent deletion of your account and all associated data.
Right to Object
Object to how we process your data in specific circumstances.
Right to Withdraw Consent
Unsubscribe from marketing communications at any time.
To exercise any of these rights, email us at kescerentals@gmail.com or use the tools available in your account settings.
7. How Long We Keep Your Data
- Active accounts — data is kept for as long as your account exists
- Inactive accounts — accounts with no login for 24 months may be flagged for deletion after notice
- Deleted accounts — when you request deletion, your data is permanently removed within 30 days. A 7-day cancellation window is given before deletion begins.
- Payment records — anonymised transaction logs may be retained for up to 7 years for legal and financial compliance
- Login security logs — IP-based rate limit records are cleared after 24 hours
8. Cookies
KESCE uses only essential session cookies — small pieces of data stored in your browser to keep you logged in. We do not use advertising cookies, tracking cookies, or any third-party analytics cookies.
- PHPSESSID — a session identifier that keeps you logged in. It expires when you close your browser or log out.
No cookie consent banner is required for strictly essential cookies under most privacy frameworks.
9. Children's Privacy
KESCE is a professional business tool intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has registered an account, please contact us immediately and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in the law. When we make significant changes, we will notify you by email and by posting a notice on your dashboard.
The date at the top of this page always shows when this policy was last updated. Continued use of KESCE after changes are posted means you accept the updated policy.