Privacy Policy

Who we are

VantageKE is the data controller for personal data collected through this website, including account, newsletter, contact, editorial, publishing, and site security data. You can contact us about privacy requests at vantage254@hotmail.com.

Information we collect

We collect the information you provide when you create an account, sign in, contact us, subscribe to the newsletter, submit a news tip, or work with our editorial tools. This may include your name, email address, password credentials handled by our authentication system, message content, subject line, consent records, role, profile details, bylines, media metadata, and article publishing records.

We also collect limited technical data needed to run and secure the site, such as IP address, user agent, session identifiers, authentication cookies, rate-limit records, verification tokens, confirmation tokens, unsubscribe tokens, timestamps, and logs. If you use Google sign-in, Google may provide account details needed to authenticate you.

Vercel Web Analytics is enabled for public and auth pages. Vercel describes this product as cookieless and anonymized; it reports aggregated page, referrer, device, browser, operating system, and general location insights without tying page views to a named visitor.

Why we use personal data

We use personal data to operate the website, authenticate users, protect accounts, manage newsroom access, publish and maintain articles, respond to messages, confirm newsletter consent, send email updates, prevent abuse, measure site performance, comply with legal duties, and protect the rights and safety of VantageKE, our readers, contributors, and the public.

Our lawful bases under Kenya data protection law include consent, performance of a requested service, compliance with legal obligations, legitimate interests in operating and securing a news website, and processing for journalistic, public-interest, historical, statistical, or related purposes where applicable.

Sharing and processors

We do not sell or rent your personal information. We may share personal data with service providers that help us run the site, including hosting and analytics providers, MongoDB/database infrastructure, Resend for email, Cloudinary for media storage and delivery, Google for optional sign-in, and authentication, security, and operational tooling used by the project.

We may also disclose information where required by law, to respond to valid legal processes, to enforce our terms, to protect users or the public, or as part of a merger, acquisition, restructuring, or transfer of assets. If future advertising, remarketing, or behavioral tracking scripts are added, they must be disclosed and consent-gated where required before use.

Cookies and analytics

We use essential cookies and similar technologies for authentication, sessions, security, and account access. These are necessary for the service to work. Current Vercel Web Analytics does not use cookies. You can control browser cookies through your browser settings, but blocking essential cookies may prevent sign-in or account features from working.

Retention

We keep personal data only for as long as needed for the purpose collected, legal compliance, security, dispute handling, and newsroom records. Account data is kept while the account is active and may be anonymized or deleted after an approved request. Sessions and verification records expire automatically. Rate-limit records expire after the security window resets.

Pending newsletter confirmations are configured for cleanup after a short confirmation window. Confirmed or unsubscribed newsletter records are kept until you unsubscribe, request deletion, or they are no longer needed. Contact messages are configured for periodic cleanup unless they are needed for legal, security, advertising, or editorial follow-up. Published bylines, articles, media, and correction records may be kept as part of the public news archive.

Cross-border transfers

Some providers may process or store data outside Kenya. Where personal data is transferred outside Kenya, we rely on appropriate safeguards, contractual protections, legal necessity, consent, or another basis allowed by Kenya data protection law.

Security

We use technical and organizational measures such as authenticated admin access, role-based permissions, secure cookies in production, email verification, rate limiting, database indexes, provider security controls, and restricted administrative workflows. No internet service is perfectly secure, but we work to reduce risk and respond promptly to incidents.

Children

This website is a general news site and is not intended to collect account, newsletter, or contact-form data from children under 18 without appropriate consent from a parent or guardian. If you believe a child has provided personal data to us, contact us so we can review and remove it where required.

Your rights

Subject to lawful limits, you may request information about your personal data, access to it, correction, deletion, restriction, objection to processing, withdrawal of consent, or portability where applicable. Newsletter subscribers can unsubscribe using the link in newsletter emails. You may also complain to the Office of the Data Protection Commissioner if you believe your rights have been infringed.

Incidents and updates

If a personal data breach requires notification under Kenya law, we will notify the Office of the Data Protection Commissioner without undue delay and, where required, within 72 hours of becoming aware of it. We will also notify affected users where the law requires or where notice is necessary to help reduce risk.

We may update this policy from time to time. The latest version will be posted on this page with a new update date.