Privacy Notice
Effective 2 June 2026. Issued under the Kenya Data Protection Act, 2019.
1. Who we are
TreesPartner Ltd ("TreesPartner", "we", "us") is a Kenyan-incorporated environmental restoration platform headquartered in Nairobi. We operate a planet-positive technology stack that connects donors, communities, Community Forest Associations (CFAs), tree nurseries and corporate partners across 18 African jurisdictions. For the purposes of the Data Protection Act, 2019 (Kenya) and the EU General Data Protection Regulation (GDPR), TreesPartner is the data controller of the personal data described in this notice. Our registered Data Protection Officer can be reached at dpo@treespartner.org.
2. Personal data we collect
We collect (a) identity data — name, national ID or passport, photograph; (b) contact data — email, telephone, postal and GPS location of planting sites; (c) financial data — payment instrument metadata, M-Pesa till, bank account, crypto wallet address; (d) conservation data — species planted, hectares restored, carbon offset estimates, biodiversity index; (e) technical data — device, IP, browser, cookies, satellite imagery attributable to land you steward; and (f) any data you voluntarily submit through registration, donation or merchant onboarding flows.
3. Lawful bases for processing
We rely on the following bases under section 30 of the Data Protection Act, 2019: consent (newsletter, marketing, optional biometric verification); contract (donations, marketplace purchases, escrow, CFA / Nursery agreements); legal obligation (anti-money-laundering, tax, forestry reporting under the Forest Conservation and Management Act, 2016 and the Climate Change Act, 2016 as amended in 2023); legitimate interests (platform security, fraud prevention, impact analytics); and vital interests (emergency response in restoration sites).
4. How we use your data
To process donations and marketplace orders, including escrow release; to verify planted trees via GPS, drone and Sentinel-2 satellite data; to issue blockchain-anchored certificates and carbon attestations; to comply with Kenya Revenue Authority and Kenya Forest Service reporting; to send tree-growth updates, impact reports and conservation alerts; and to improve our AI models for biodiversity scoring (always trained on aggregated, de-identified data).
5. Sharing and transfers
We share personal data with: payment processors (Stripe, Flutterwave, Safaricom M-Pesa, PayPal); on-chain custodians for crypto donations; accredited verifiers (Verra, Gold Standard, Plan Vivo); county governments and the Kenya Forest Service where statutorily required; and cloud infrastructure providers within Kenya, the EU and the United States. Cross-border transfers comply with section 48 of the Data Protection Act, 2019 and rely on Standard Contractual Clauses approved by the Office of the Data Protection Commissioner (ODPC).
6. Data retention
Donation and tax records: 7 years (Tax Procedures Act). Tree-stewardship and carbon-credit records: 30 years (compliant with Verra v4 lifecycle). Marketing data: until you withdraw consent. Account data: for the life of the account and 24 months after closure for audit. Anonymised impact data may be retained indefinitely for scientific research.
7. Your rights
Under the Data Protection Act, 2019 you have the right to be informed, to access, to rectify, to erase, to object, to restrict processing, to data portability, and to lodge a complaint with the ODPC at www.odpc.go.ke. Exercise any right by writing to privacy@treespartner.org; we respond within 7 days and resolve within 30 days.
8. Security
We apply ISO/IEC 27001-aligned controls: end-to-end TLS 1.3, AES-256 at-rest encryption, hardware-key custody for crypto treasury, least-privilege access, quarterly penetration testing and continuous threat monitoring. Suspected incidents are reported to the ODPC within the statutory 72-hour window.
9. Children
Our services are not directed to persons under 18. Schools & Institutions partnerships are administered through verified guardians or institutional accounts. Any inadvertently collected minor data is purged on notice.
10. Changes
We may amend this notice to reflect operational, legal or regulatory change. Material updates are communicated at least 30 days in advance via email and in-app banner. The effective date below indicates the current version.