Privacy & data policy
TraceGadget Kenya is operated by Xcobean Limited, a Kenya-registered company. This page sets out exactly what data we collect, what we do with it, what we never collect, and how you can hold us to it.
What we do
We run a verification registry for electronic devices that have a unique serial identifier (IMEI, serial number, MAC address). Owners voluntarily register their devices. Buyers, repair shops, dealers and law-enforcement units can verify a device's status before transacting. The verification API returns only the status (safe / stolen / recovered) and basic device descriptors — never the owner's identity.
How the privacy model works
The service is designed to fit cleanly within Article 31 of the Constitution of Kenya and the Data Protection Act, 2019:
- Identifiers are only ever submitted by voluntary owner registration. We do not ingest telco IMEI streams.
- Public lookups return only safe / stolen / recovered. Owner name, email, phone and address never leave the server in a public response.
- Lookup logs store SHA-256 hashes of the searched identifier and the searcher's IP — so the log itself cannot be turned into a side-channel revealing who searched for what.
- API keys are stored as SHA-256 hashes only. We cannot recover a lost key — only re-issue.
What we collect
| From whom | What | Why | Retention |
|---|---|---|---|
| Account owners | email, name, optional phone, password hash (bcrypt) | Authenticate registrations and status changes | For the life of the account |
| Account owners | device identifiers, brand, model, optional proof of ownership | Enable status reporting and chain of custody | For the life of the account or until the owner deletes the device |
| Public visitors | SHA-256(identifier searched), SHA-256(IP), user-agent, timestamp | Abuse detection and rate-limit enforcement | 90 days rolling |
| API key holders | account contact + per-key call counts (hashed identifiers) | Authentication, rate limiting, usage reporting | Same as account; counts 12 months |
| Verified police / law-enforcement units | org name, contact, officer accounts, posted recovered devices | Operate the recovered-device bulletin and process claims | For the life of the org account |
What we never collect
- Mass telco IMEI feeds.
- Real-time phone location.
- SIM card identifiers.
- Citizens' national identity card numbers.
- Plaintext API keys (we store only their SHA-256 hashes).
What the public sees
A public /check query returns exactly one of "not reported stolen", "reported stolen" or "recovered", optionally accompanied by brand / model so the searcher can confirm they have the right device. No owner-identifying information is ever returned. The same shape is exposed through the JSON API at /api/v1/public-check.
Recovered-device bulletin
Verified law-enforcement units can post recovered devices to a public bulletin so owners can find their property. Only the brand, model, partial identifier (last four digits / characters), recovery date, recovery location and posting unit are public. The full identifier stays private and is only used to (a) auto-match a registered-stolen device and notify its owner, and (b) verify a citizen's in-person claim.
Your rights
- Access: ask for a copy of everything we hold about you.
- Correction: have inaccurate data corrected.
- Erasure: have your account and all associated devices deleted within 30 days.
- Portability: receive your device list and history as a machine-readable export.
- Complaint: lodge a complaint with the Office of the Data Protection Commissioner.
To exercise any of these, email the DPO at the address below.
Disputes
A device wrongly listed as stolen can be challenged through our dispute process at [email protected]. Disputes are reviewed within 7 working days; resolution is logged in an audit trail. If upheld, the listing is removed and a note is attached for transparency.
Security
- All traffic served over HTTPS with HSTS; HTTP redirects to HTTPS.
- Passwords stored as bcrypt hashes.
- Sessions held as opaque random tokens with server-side revocation.
- Database backups every 6 hours, 14-day retention, encrypted at rest.
- Security disclosures: [email protected].
What we are not
- We are not a police service. We do not make arrests or investigate, and a TraceGadget entry does not replace filing an OB report.
- We are not a registry of guilt. A "reported stolen" entry is a claim made by an owner; it does not declare any third party a thief.
Contact
Operator: Xcobean Limited.
Data Protection Officer: [email protected].
Disputes: [email protected].
Security: [email protected].
General: [email protected].
Last updated 2026-05-31. Material changes will be summarised in a notice on this page for 30 days.