Cookie Policy

1. Purpose, Scope, and Interpretive Posture

1.1 Purpose

This Cookie Policy (the “Policy”) explains how Tajji Real Estate Limited (“Tajji”, “we”, “us”) uses cookies and similar technologies across:

BomaOS – shared property infrastructure for landlords and operators;
Jirani – tenant identity, payment, and participation platform; and
Tajji public websites, including informational and investor pages.

1.2 Infrastructure Posture

Tajji operates as infrastructure and not as a marketplace, advertising network, data broker, or behavioral advertising intermediary. The use of cookies under this Policy reflects that infrastructure posture.

1.3 Relationship to Privacy Policy

This Policy forms part of Tajji’s broader data governance framework and must be read together with the Tajji Privacy Policy. In the event of interpretive overlap, this Policy governs tracking technologies specifically, while the Privacy Policy governs broader personal data processing.

2. Definitions

2.1 Cookies

“Cookies” are small text files placed on a user’s device when visiting a website or using certain web-based services.

2.2 Similar Technologies

For purposes of this Policy, “cookies” includes related technologies such as:

Local storage objects;
Session storage;
Secure HTTP-only authentication tokens;
Software development kit (SDK) identifiers in mobile applications; and
Pseudonymous device identifiers.

2.3 Duration

Cookies may be:

Session-based (deleted when the browser closes); or
Persistent (retained for a defined period or until deleted).

3. Legal Basis for Use

3.1 Strictly Necessary Cookies

Strictly necessary cookies are used under one or more of the following bases:

Contractual necessity;
Legitimate interest in secure infrastructure operation;
Legal obligation (including security, audit, and compliance requirements).

Under the EU ePrivacy Directive, such cookies do not require prior consent.

3.2 Analytics and Functional Cookies

Analytics and functional cookies are used under:

Legitimate interest (in the Kenya Data Protection Act context); and/or
User consent (in the EU/EEA and other jurisdictions where required).

Where required by applicable law, Tajji will obtain explicit consent prior to enabling non-essential cookies.

4. Categories of Cookies Used

4.1 Strictly Necessary Cookies

4.1.1 Operational Scope

Strictly necessary cookies are essential to the secure operation of BomaOS and Jirani.

4.1.2 Functions Enabled

These cookies enable, without limitation:

Secure authentication and session management;
Multi-factor authentication state handling;
Load balancing;
CSRF protection;
API gateway routing;
Role-based access enforcement;
Security logging and audit traceability.

4.1.3 Restrictions

Strictly necessary cookies:

Do not perform advertising tracking;
Are not used for cross-site behavioral profiling;
Are not sold, licensed, or disclosed for marketing purposes.

4.2 Analytics Cookies (PostHog)

4.2.1 Provider

Tajji uses PostHog, cloud-hosted within the European Union, for analytics and feature governance.

4.2.2 Purposes

PostHog is used for:

Website analytics;
Product analytics (desktop and mobile);
Event tracking;
Error monitoring;
Feature flag evaluation;
In-product surveys.

4.2.3 Data Categories

Analytics cookies may process:

Pseudonymized user/session identifiers;
Hashed internal user identifiers;
Truncated or anonymized IP addresses;
Browser and device metadata;
Page visits and in-product interactions;
Performance and latency metrics;
Consent version identifiers.

IP addresses are anonymized.

4.2.4 Authenticated Environments

Within authenticated BomaOS and Jirani environments, analytics events may be linked to authenticated user identity strictly for:

Platform integrity;
Audit reconstruction;
Capacity planning;
Feature optimization;
Security monitoring.

Such linkage is internal and is not used for advertising, cross-site marketing, or third-party behavioral profiling.

4.2.5 Advertising Exclusion

No advertising identifiers, marketing pixels, or cross-site tracking technologies are deployed.

4.3 Functional Cookies

Functional cookies enable:

Language preference storage;
User interface settings;
Survey display state;
Feature flag rollout consistency.

Functional cookies do not track users across unrelated websites.

5. Express Exclusions

Tajji does not deploy:

Advertising cookies;
Behavioral marketing trackers;
Third-party marketing pixels;
Cross-site advertising networks;
Data resale technologies.

Tajji does not sell personal data and does not monetize user behavior through advertising infrastructure.

6. Consent Management

6.1 Consent Interface

Where required by applicable law (including the EU ePrivacy Directive), users will be presented with a cookie consent interface.

6.2 Activation Controls

Non-essential cookies (analytics and functional) will not be activated until consent is provided where legally required.

6.3 User Options

Users may accept, reject, or customize cookie preferences through the consent interface.

6.4 Mandatory Cookies

Strictly necessary cookies cannot be disabled, as they are required for secure infrastructure operation.

6.5 Audit of Consent

Consent records are stored in an auditable manner, including:

Consent status;
Timestamp;
Policy version;
Device or session context.

7. Withdrawal or Modification of Consent

7.1 User Controls

Users may:

Modify cookie preferences through the cookie settings interface (where available);
Clear cookies via browser settings; or
Contact Tajji at: karibu@tajji.io.

7.2 Effect of Withdrawal

Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

Disabling certain cookies may affect non-essential functionality.

8. Retention

8.1 General Principle

Retention varies by cookie category and is limited to what is necessary for operational, security, audit, and improvement purposes.

8.2 Category-Level Retention

Strictly Necessary – Session duration or limited persistence aligned with security posture;
Analytics – Configurable retention aligned with infrastructure audit and analytics needs;
Functional – Duration required to maintain preference state.

8.3 Analytics Limitation

Analytics data is retained only as long as necessary for:

Service improvement;
Capacity planning;
Audit reconstruction;
Security investigation.

Retention aligns with Tajji’s broader data retention framework.

9. Cross-Border Transfers

9.1 EU Hosting

Analytics data may be processed within the European Union (PostHog EU hosting).

9.2 Safeguards

Where personal data is transferred outside Kenya:

Appropriate safeguards apply;
Encryption in transit and at rest is enforced;
Processor agreements are in place;
Access is role-restricted.

10. Security and Infrastructure Integrity

10.1 Security Controls

Cookies and analytics technologies operate within Tajji’s broader infrastructure security posture, including:

Encryption at rest and in transit;
Role-based access control;
Immutable audit logging;
Multi-factor authentication;
Segregated fund-class ledger systems;
Deterministic event reconstruction.

10.2 Non-Interference Principle

No cookie or analytics mechanism alters:

Payment semantics;
Fund custody posture;
Containment states;
Principal-of-record attribution.

11. Mobile Applications

Where Tajji mobile applications are used:

Equivalent SDK-based identifiers may be employed instead of browser cookies;
Analytics behavior mirrors the website posture;
No mobile advertising SDKs are deployed.

12. Children’s Data

Tajji does not knowingly deploy analytics or tracking technologies to profile children.

Where minor data appears in tenancy contexts, it is processed strictly within lawful occupancy governance.

13. Amendments

Tajji may update this Policy to reflect:

Regulatory developments;
Infrastructure changes;
Analytics tooling updates.

Material updates will be communicated via platform notice or website publication.

Tajji Cookie Policy