Privacy & Data Protection Policy

Welcome. This Privacy and Data Protection Policy governs how Ufanisi Kenya Party (UKP) — a registered political party under the Political Parties Act, 2011 (No. 11 of 2011) — collects, processes, stores, and shares your personal information when you interact with our membership portal at join.ukp.co.ke, our main website at ukp.co.ke, or engage with us through any other official channel.

UKP is committed to upholding the highest standards of data governance. We process personal data as a Data Controller as defined under Kenya's data protection framework, and we do so only in ways that are lawful, fair, transparent, and strictly necessary for our democratic and statutory purposes.

Political parties by democratic design must maintain comprehensive and accurate membership registers to satisfy electoral law requirements and to facilitate internal democratic processes. When you register as a member of UKP through join.ukp.co.ke, we lawfully collect the following categories of personal data:

• Identity Data: Surname, other names, National Identification Card (NIC) number or Passport number, date of birth, and gender.
• Contact Data: Mobile phone number, email address (optional), postal code, postal town, and P.O. Box number.
• Electoral & Geographic Data: County, constituency, ward, and polling station — the four tiers of Kenya's electoral geography established under the Elections Act, 2011.
• Special Category (Sensitive) Data: Religion, ethnicity, and membership in special interest groups — Youth, Women, Persons with Disabilities (PWDs). This data is subject to heightened legal protection under Section 44 of the Data Protection Act, 2019.
• Biometric-Equivalent Data: Passport-style photograph (optional), captured in digital Base64 format for membership card generation.
• Technical Data: Server logs, IP addresses, and browser information collected automatically for security and anti-fraud purposes under our legitimate interest basis.

Every piece of data we collect serves a specific, documented, and lawful purpose. We do not collect data merely because we can. Our processing purposes are:

• Statutory Compliance & ORPP Submission: The Political Parties Act, 2011, Section 18(b) mandates that every registered political party must maintain an up-to-date register of its members, which must be submitted periodically to the Registrar of Political Parties. Failure to maintain this register can result in deregistration of the party.
• Electoral Location & Internal Democracy: Your ward, constituency, and county data enables UKP to place you in the correct electoral bracket for internal party primaries, grassroots elections, and delegate conferences, as required by the Political Parties Act, 2011, and the Elections Act, 2011.
• Affirmative Action & Representation: Gender, disability, and youth status data enables UKP to formulate equitable policies that advance the two-thirds gender principle under Article 27(8) of the Constitution, and meet the representation thresholds for special interest groups under the Political Parties Act.
• Official Party Communications: Contact information is used to send you verified party updates, policy announcements, event invitations, and election information via SMS and email.
• Member Verification & Document Access: Your National ID, when matched against our secure database, unlocks access to official party documents including the Manifesto, Constitution, and Election Rules.

Your passport-style photo is entirely optional. You can register as a full, verified UKP member without uploading a photograph. However, if you choose to upload a photo, the following applies:

• Your photo is converted to a secure Base64-encoded data string and transmitted over an encrypted HTTPS connection directly to our database.
• The image is stored in our encrypted MySQL database, accessible exclusively to authorized senior Secretariat personnel.
• Your photo is used solely for generating your personalised official UKP Membership Card, and for verifying your identity against the card when presented at official party functions.
• We will never use your photo in public campaigns, marketing materials, social media, or any other purpose without obtaining separate, specific, written consent from you.

UKP does not sell, rent, trade, or otherwise monetise your personal data under any circumstances. Data sharing is strictly limited to the following lawful scenarios:

• The Office of the Registrar of Political Parties (ORPP): We are legally compelled to submit membership lists to the ORPP as a condition of our registration and continued operation as a political party. This sharing is non-negotiable and is grounded in the Political Parties Act, 2011.
• Independent Electoral & Boundaries Commission (IEBC): During party primaries and candidate nominations, limited electoral data may be shared with the IEBC to verify voter registration status and ensure compliance with the Elections Act, 2011, Sections 27–32.
• Vetted Communication Providers: We use licensed SMS and email gateway providers to send party communications. These providers receive only your contact number or email address. All providers operate under binding Non-Disclosure Agreements (NDAs) and are prohibited from processing your data for any other purpose.
• Lawful Court Orders: We will disclose data if compelled by a valid Kenyan court order, warrant, or lawful directive issued by a competent authority. We will, to the extent permitted by law, notify you of such requests.
• Security & Fraud Prevention: In cases of suspected identity fraud, election manipulation, or cybercrime, we may share relevant technical data with Kenya's Directorate of Criminal Investigations (DCI) under the Computer Misuse and Cybercrimes Act, 2018.

The security of your personal data is a matter we take with the utmost seriousness. We implement multiple layers of technical and administrative controls to prevent unauthorised access, disclosure, alteration, or destruction of your information:

• TLS/SSL Encryption: All data transmitted between your device and our servers is encrypted in transit using modern Transport Layer Security (TLS 1.2 and above) protocols. Look for the padlock icon in your browser's address bar when using join.ukp.co.ke.
• Database Access Controls: Our membership database (MySQL with UTF-8 encoding) is protected by role-based access controls. Only senior, authorised UKP Secretariat personnel can access the full membership register.
• Anti-Bot Verification: Our registration portal uses server-side Math CAPTCHA and CSRF token validation to prevent automated bot registrations and cross-site request forgery attacks.
• Strict Verification (ID + DOB): Member card retrieval requires both a National ID number and an exact Date of Birth, implementing dual-factor identity verification that protects your record from unauthorised public access.
• Data Minimisation at Display: When presenting membership data, our system displays only the minimum fields necessary for the requested purpose, never exposing more than is needed.
• Server Infrastructure: All data is stored on servers domiciled within or with contractual assurances equivalent to Kenyan data residency requirements, consistent with Section 48 of the Data Protection Act.

The Data Protection Act, 2019 vests you with powerful, legally enforceable rights over your personal data. UKP is obligated to honour these rights without undue delay and at no cost to you. Your rights include:

Our portal at join.ukp.co.ke uses PHP server-side sessions ($_SESSION) exclusively for critical security functions. We do not use tracking cookies, advertising cookies, or analytics cookies that follow you across the internet.

• CAPTCHA Sessions: Your Math CAPTCHA answer is stored temporarily in a server-side session variable that is destroyed immediately after submission, whether correct or not.
• CSRF Tokens: A Cross-Site Request Forgery token is stored in session to prevent malicious third parties from executing unauthorised form submissions on your behalf.
• No Third-Party Trackers: We do not embed Google Analytics, Facebook Pixel, or any behavioural advertising SDK on our registration portal.

UKP may update this Privacy Policy from time to time to reflect changes in Kenyan law, our operational practices, or guidance from the ODPC. When material changes are made, we will:

• Update the Effective Date displayed at the top of this page.
• Send a notification via SMS or email to all registered members whose contact details we hold.
• Display a notice on our homepage at ukp.co.ke for a minimum of 30 days.

Your continued use of our services after the effective date of any updated policy constitutes your acceptance of those changes. If you disagree with any changes, you retain the right to resign your membership and request erasure of your data as described in Section 7.

To exercise any of your data rights, report a suspected data breach, or ask questions about this policy, please contact our designated Data Protection Officer (DPO) through any of the channels below. All requests will be acknowledged within 3 business days and resolved within the statutory timeframes.