Privacy Policy

Your data, plainly.

Last updated: 13 May 2026

Honest disclaimer. This policy was drafted by the OCH team in good faith to describe how we actually handle data. It is not yet regulator-reviewed. If you spot something wrong, ambiguous, or non-compliant under your jurisdiction, email privacy@cybochengine.africa — we’ll fix it and notify affected users.

1. Who we are

OCH Debbie (“OCH”, “we”, “us”) is Africa’s Cyber Career Coach, operated by Ongoza Cyber Hub. Contact: hello@cybochengine.africa. Data Protection enquiries: privacy@cybochengine.africa.

2. What we collect

We collect only what the service needs to run.

  • Account. Email, first/last name, country, timezone, phone (only if you pair WhatsApp), authentication state.
  • Profile. Your track choice, intent, time budget, focus question, energy state — the answers from onboarding plus what you write in the coach.
  • Usage. Drills attempted, scores, streaks, milestones, credentials issued, last-active timestamps.
  • AI conversations. Your messages to Debbie and her responses. Used to personalize coaching and improve safety guardrails. Not used to train external models.
  • Payments. We do NOT see or store your card number or M-Pesa PIN. Paystack processes payment and shares only the transaction outcome, last 4 digits of the card, and the customer code.
  • Technical. IP address (for abuse detection and geographic personalization), user agent, error reports, performance metrics. No tracking pixels from ad networks.

3. Why we collect it (lawful bases)

  • Contract. Account + profile + usage are required to deliver the coaching service you signed up for.
  • Legitimate interest. Technical telemetry and security logs, to keep the service running and to detect abuse.
  • Consent. WhatsApp pairing, optional product-update emails. You can revoke at any time from /settings.
  • Legal obligation. Tax records, payment receipts, regulator subpoenas if we receive them under Kenyan / Nigerian / South African law.

4. Sub-processors

These companies process your data on our behalf. We choose them for reputation and DPAs; we do not sell your data to anyone.

  • Clerk — authentication (US-hosted; SOC 2)
  • Neon — Postgres database (US-hosted)
  • Vercel — application hosting (US-hosted; SOC 2)
  • Anthropic — the Claude model that powers Debbie (US-hosted; messages are processed but not used for model training per Anthropic’s commercial terms)
  • Paystack — payments (PCI-DSS Level 1)
  • Resend — transactional email
  • Twilio — WhatsApp messaging (when WhatsApp pairing is active)
  • Sentry — error monitoring (PII-scrubbed)
  • PostHog — product analytics (no third-party trackers piggy-backed)

5. Data residency

Our database and application servers are hosted in the United States. For users in Nigeria, South Africa, and Kenya, this means your personal data crosses a border to reach us. We rely on the standard contractual safeguards (model clauses, sub-processor DPAs) but you have the right to know.

If you require Africa-resident storage (some employers do), email privacy@cybochengine.africa — we’re evaluating an Africa region for 2027.

6. Retention

We keep your data for as long as your account is active. When you delete your account from /settings, we hard-delete your profile, usage, and AI conversations within 30 days. Payment receipts are retained for 7 years for tax compliance.

7. Your rights

Under NDPR, POPIA, DPA Kenya, and GDPR, you have the right to:

  • Access the data we hold about you
  • Correct anything that is wrong
  • Delete your account and all associated personal data
  • Export your data in machine-readable form
  • Object to specific processing (e.g. analytics)
  • Lodge a complaint with your local regulator (NDPC in Nigeria; Information Regulator in South Africa; ODPC in Kenya)

Most of these are self-service from /settings. Anything you can’t do yourself, email privacy@cybochengine.africa — we respond within 7 working days.

8. Children

OCH is for users 16 and older. We do not knowingly collect data from anyone under 16. If you believe a minor has created an account, email us and we will delete it.

9. Cookies + similar

We use first-party cookies for authentication (required — the service won’t work without them) and for product analytics (PostHog, anonymized session IDs). We do not use third-party advertising cookies. We do not piggy-back tracking pixels.

10. Security

All traffic is TLS-encrypted. Passwords are hashed by Clerk (we never see them). Payment details are tokenized by Paystack (we never see them). We follow least-privilege access internally; only engineers on-call can query the production database, and queries are logged.

If you discover a security vulnerability, please email security@cybochengine.africa rather than disclosing publicly. We do not yet have a paid bug bounty but we acknowledge every reporter.

11. Changes to this policy

We update this page when our practices change. The “Last updated” date at the top reflects the latest revision. Material changes (new sub-processor, new data category, change of legal entity) are emailed to all active users at least 14 days before they take effect.

12. Contact

Data Protection Officer: privacy@cybochengine.africa

General enquiries: hello@cybochengine.africa