Who We Are
Uhakikihub ("we", "us", "our") is an AI legal research platform operated from Nairobi, Kenya. We provide AI-powered legal research, document analysis, contract drafting, litigation strategy, and document compliance review services grounded in Kenyan law.
Our services are accessible via uhakikihub.com and the Uhakikihub Microsoft Word Add-in. This Privacy Policy applies to both.
We are subject to the Data Protection Act, 2019 (Kenya) and operate in accordance with its principles under Section 25 of that Act.
Scope of This Policy
This policy applies to all visitors to uhakikihub.com and its subdomains, all registered users, all users of the Word Add-in, and all persons who upload documents or submit queries to our AI services.
Data We Collect
3.1 Account Registration Data
Full name, email address, password (bcrypt hash — never stored in plaintext), account creation timestamp, and email verification status.
3.2 Usage and Query Data
Query text, mode selected, AI-generated responses, legal sources cited, session identifiers, and timestamps. We do not use your query content to train AI models.
3.3 Uploaded Documents
File and extracted text, original filename, file size and type, SHA-256 checksum, auto-detected metadata, and processing results. See Section 9 and Section 10 for retention.
3.4 Word Plugin Data
Document text only when you explicitly invoke Document Review, the document filename, and authentication tokens. We do not access any Word document unless you click "Analyse Active Document."
3.5 Technical Data
IP address (security and rate limiting only), browser type, OS, request timestamps, and anonymised error logs. We do not build behavioural profiles.
3.6 Data We Do Not Collect
Payment card details, government ID numbers, biometric data, precise location data, social media data, or sensitive personal data as defined under Section 2 of the Data Protection Act 2019.
How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing AI legal research responses | Query text, session data, uploaded documents | Contract performance |
| Authenticating your account | Email, password hash, login timestamps | Contract performance; legitimate interest |
| Maintaining conversation history | Query text, responses, session IDs | Contract performance; consent |
| Sending verification and reset emails | Email address, secure tokens | Contract performance |
| Fraud prevention and security | IP address, usage patterns, error logs | Legitimate interest; legal obligation |
| Platform error diagnostics | Anonymised error logs | Legitimate interest |
| Complying with Kenyan law | Account data and usage records as required | Legal obligation |
| Communicating material service changes | Email address | Legitimate interest |
Legal Basis for Processing
Under Section 30 of the Data Protection Act 2019 we process your data on these bases:
- Contract performance — processing necessary to provide the service you signed up for.
- Legitimate interest — platform security, fraud prevention, and error diagnostics.
- Legal obligation — compliance with the Data Protection Act 2019 and lawful orders of Kenyan courts.
- Consent — may be withdrawn at any time without affecting prior processing.
Data Sharing and Disclosure
6.1 We Never Sell Your Data
We do not sell, rent, lease, or trade your personal data to any third party under any circumstances.
6.2 Service Providers
We engage limited third-party processors bound by data processing agreements: a cloud infrastructure provider, an AI model provider (enterprise terms prohibit training on your content), an email delivery provider, and a payment processor (we never receive card details).
6.3 Legal Disclosures
We may disclose data where required by a valid Kenyan court order or lawful regulatory directive. Where permitted we will notify you before complying.
6.4 Business Transfers
In a merger or acquisition, your data may transfer to the successor entity. We will notify registered users and provide an opportunity to delete accounts before any transfer.
AI Processing and Legal Accuracy
7.1 How Queries Are Processed
Query text is transmitted to our AI model provider via encrypted API connection solely to generate a response. Our enterprise agreement prohibits the provider from using your queries for model training.
7.2 No Legal Privilege
Communications with Uhakikihub do not attract legal professional privilege. Do not submit privileged communications through this platform.
7.3 Accuracy Limitations
AI-generated legal research may contain errors or outdated information. Always verify with primary sources and a qualified Kenyan advocate.
Microsoft Word Add-in
8.1 What the Plugin Accesses
The Word Add-in holds ReadWriteDocument permission enabling it to read your open document text when you invoke Document Review, insert AI text at your instruction, and apply highlights at your instruction.
8.2 What the Plugin Does Not Do
The plugin does not access documents without your explicit instruction, run in the background, access files outside Word, or store document content beyond the active session.
8.3 Authentication
Your session token is stored in browser local storage within the Office task pane and used solely to authenticate API requests.
Document Uploads
9.1 Processing
Uploaded documents are processed to extract text for responding to your query, classify the document by type and jurisdiction, and temporarily store text for multi-turn conversation.
9.2 Automatic Expiry
Documents you have not explicitly saved are automatically and permanently deleted 30 days after upload.
9.3 Saved Documents
Saved documents are retained until you delete them. You may delete saved documents at any time from your account.
9.4 Your Responsibility
You are solely responsible for ensuring you have the right to upload any document. Do not upload documents subject to confidentiality obligations or legal privilege restrictions.
Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Account registration data | Duration of account + 30 days after deletion | Contract; legal obligation |
| Conversation history | Duration of account; deletable at any time | Contract; user control |
| Unsaved uploaded documents | 30 days, then permanently deleted | Data minimisation |
| Saved uploaded documents | Until user deletes them | User consent |
| Security and access logs | 90 days | Legitimate interest; legal obligation |
| Password reset tokens | 15 minutes from issuance | Security |
| Email verification tokens | 24 hours from issuance | Security |
| Billing and payment records | 7 years (Kenya tax law) | Legal obligation |
On account deletion all personal data is permanently removed within 30 days except where retention is required by law.
Your Rights
Under the Data Protection Act 2019 you have the rights of access (s.26), rectification (s.27), erasure within 30 days (s.38), restriction of processing (s.35), data portability (s.40), and objection to processing (s.34), as well as the right to withdraw consent at any time and to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.
We respond to all rights requests within 21 days as required by Section 54 of the Act.
Security
Our measures include TLS 1.2+ encryption in transit, encryption at rest, bcrypt password hashing, short-lived single-use tokens, rate limiting and anomaly detection, and access controls restricting staff access to operational necessity.
12.1 Data Breach Notification
In the event of a breach likely to put your rights at risk, we will notify you and the ODPC within 72 hours as required by Section 43 of the Data Protection Act 2019.
Cookies and Local Storage
| Technology | Purpose | Duration |
|---|---|---|
| Local Storage — auth token | Keeps you signed in between sessions | Until you sign out or clear browser storage |
| Local Storage — user preferences | Remembers your display name for the UI | Until you sign out |
| Session cookies | Standard web session management | Session end |
We do not use advertising cookies, third-party tracking cookies, or analytics cookies that profile your behaviour across websites.
Children and Minors
Our services are for legal professionals, law students, and adults aged 18 and above. We do not knowingly collect data from persons under 18. Contact us immediately if you believe a minor has registered.
Cross-Border Data Transfers
Some data may be processed outside Kenya by our cloud infrastructure and AI model providers. All transfers are subject to binding contractual data processing agreements as required by Section 48 of the Data Protection Act 2019.
Changes to This Policy
When we make material changes we will update the "Last updated" date, display a notice on the platform for 30 days, and send an email notification to registered users. Continued use after the effective date constitutes acceptance.
Contact Us
For all privacy enquiries, data subject access requests, or complaints:
Support: uhakikihub.com/contact
Nairobi, Kenya
If unsatisfied with our response you may escalate to:
Upper Hill, Nairobi, Kenya