Effective date: 6 June 2026. Last updated: 6 June 2026.
This Privacy Policy explains how Unique Brand Creatives ("iGig", "we") collects, uses, shares, and protects personal data when you use igig.co.ke (the "Platform"). It is intended to align with the Kenya Data Protection Act, 2019 (DPA) and its Regulations. iGig is the data controller for personal data processed about its users. Our registration with the Office of the Data Protection Commissioner (ODPC) is in progress.
1. Who we are & how to contact us
- Controller: Unique Brand Creatives, P.O. Box 87–30100, Eldoret, Uasin Gishu, Kenya.
- Privacy / Data Protection contact: dpo@igig.co.ke.
- You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya.
2. Personal data we collect
You provide:
- Account & profile: name, username, email, phone, password (hashed), profile photo, social-login identifiers (Google/Facebook) if used.
- Freelancer/seller data: service listings, portfolio, payout details, and identity/business verification documents (national ID, passport, driving licence, or business registration).
- Job-seeker data: resume/CV file, headline, summary, skills, experience, education, work history, certifications, portfolio links, salary expectation, location, availability, relocation preference, and partner-review consent status.
- Employer data: company name, industry, size, contact details.
- Orders, messages, reviews, support tickets, and dispute submissions.
Collected automatically:
- Device/usage data, IP address, browser, pages viewed, and similar analytics; cookies and similar technologies (see clause 9); push-notification subscription data if you opt in.
From third parties:
- Payment confirmations and limited transaction identifiers from payment processors (we do not store full card numbers); social-login profile basics where you connect those accounts.
Sensitive personal data. Identity/verification documents and CVs may contain sensitive personal data. We process these only for the purposes in clause 3, store them on a private, access-controlled store (not the public web), accessible only to you and authorised staff, and apply heightened safeguards.
3. Why we process data & lawful basis (DPA s.30)
| Purpose | Lawful basis |
|---|---|
| Create and operate your account; provide the marketplace | Performance of a contract |
| Process orders, hold/release funds, pay out, prevent fraud | Performance of a contract; legitimate interests; legal obligation |
| Identity/business verification & trust badges | Consent and/or legitimate interests; legal obligation (KYC/AML where applicable) |
| Job-seeker profile & partner/employer review | Consent (specific, withdrawable) |
| Support, disputes, and safety | Performance of a contract; legitimate interests |
| Security, logging, abuse prevention | Legitimate interests; legal obligation |
| Marketing emails / newsletters | Consent (opt-in; withdrawable any time) |
| Legal compliance, tax, accounting | Legal obligation |
Where we rely on consent, you may withdraw it at any time without affecting prior lawful processing.
4. How we share data
We share personal data only as needed:
- Between users to enable transactions (e.g. a Client and Freelancer see information necessary to communicate and fulfil an Order; a job-seeker profile is shared with employers/partners only with the job seeker's consent).
- Service providers (processors) acting on our instructions: hosting (Hostinger), payment processors (M-Pesa/Co-operative Bank, Paystack, Flutterwave, and others as enabled), email delivery (Hostinger SMTP), real-time messaging/push, and anti-abuse/CAPTCHA (Google reCAPTCHA). These are bound by data-processing terms.
- Legal/safety: to comply with law, court orders, or to protect rights, users, or the public.
- Business transfers: in a merger, acquisition, or asset sale, subject to this Policy. We do not sell personal data.
5. International transfers
Some processors may store or process data outside Kenya. Where this happens, we rely on an appropriate transfer basis under the DPA (e.g. adequacy, appropriate safeguards such as standard contractual clauses, or your consent) and take steps to protect your data.
6. Retention
We keep personal data only as long as necessary for the purposes above and to meet legal, tax, accounting, and dispute requirements, then delete or anonymise it. Indicative periods: account data for the life of the account plus 24 months; transaction and tax records for the period required by Kenyan tax law (currently at least 5 years); verification documents for 24 months after verification or account closure, whichever is later.
7. Your rights (DPA Part IV)
Subject to the DPA, you may: access your data; correct inaccurate data; request erasure; object to or restrict processing; withdraw consent; request portability; and not be subject to decisions based solely on automated processing that significantly affect you. To exercise these, contact dpo@igig.co.ke; we will respond within the statutory timeframe and may need to verify your identity.
8. How we protect data
We use technical and organisational measures including encryption in transit, hashed passwords, access controls, private (non-public) storage of CVs and verification/ID documents and invoices, authentication rate-limiting, upload restrictions, and least-privilege staff access. No system is perfectly secure; we maintain a breach-response process and will notify the ODPC and affected individuals where required by law.
9. Cookies & similar technologies
We use strictly necessary cookies (session, security/CSRF, language) and, with your consent where required, analytics/functional cookies. You can manage preferences via our cookie banner and your browser settings; disabling some cookies may affect functionality. We currently use only strictly necessary cookies (session, security/CSRF, language selection, and the cookie-consent preference); we do not currently set third-party analytics or advertising cookies. If that changes, this Policy and the banner will be updated.
10. Children
The Platform is not directed to persons under 18 and we do not knowingly collect their data. If you believe a minor has provided data, contact us to delete it.
11. Third-party links
The Platform may link to third-party sites/services with their own privacy practices, for which we are not responsible.
12. Changes
We may update this Policy; material changes will be notified on the Platform or by email. The current version is always available on the Platform.
13. Contact
Privacy questions: dpo@igig.co.ke — Unique Brand Creatives, P.O. Box 87–30100, Eldoret, Uasin Gishu, Kenya.