Data Use Statement

Last updated: March 2026

1. Purpose of This Statement

This Data Use Statement explains specifically how IRU Vote, operated by IRU Business Group Ltd (Gahanga, Kicukiro, Kigali, Rwanda), collects, processes, stores, and shares data generated through the use of our digital voting platform. It supplements our Privacy Policy and is intended to give all platform participants — voters, candidates, organizers, observers, and administrators — a transparent view of how their data is handled.

2. Data We Collect and Why

  • Voter identity data (name, email, phone): Used solely to verify eligibility and deliver secure voting links. This data is never made public or shared with other voters or candidates.
  • Voting tokens: One-time cryptographic tokens are generated per voter per election. Tokens are stored as hashed values and are never recoverable in plaintext after generation.
  • Vote records: Each submitted vote is recorded with a timestamp and a hashed voter reference. Vote choices are stored separately from voter identity to enforce anonymity in results.
  • Candidate application data (personal info, uploaded documents): Collected with the candidate's consent and used only for election review by authorised organizers. Documents are stored securely and deleted after the retention period.
  • Usage and technical data (IP address, browser, timestamps): Logged automatically for system security, rate-limiting, and fraud prevention. Not used for profiling or targeted advertising.
  • Audit log data: All administrative actions (approvals, rejections, result publications) are logged with user identity and timestamp. These logs are immutable and accessible only to super administrators and authorised auditors.

3. How Data Is Used

  • To authenticate users and prevent unauthorised access.
  • To enforce one-vote-per-voter rules at the database level.
  • To generate and distribute secure, single-use voting links via email.
  • To calculate and publish election results after voting closes.
  • To provide anonymised turnout statistics to organizers and observers during voting.
  • To maintain a verifiable, tamper-evident audit trail for every election.
  • To send transactional emails (vote confirmation, application status updates).

4. What We Do Not Do with Your Data

  • We do not sell, rent, or trade any personal data to third parties.
  • We do not reveal how any individual voted. Vote secrecy is technically enforced.
  • We do not use personal data for advertising, profiling, or behavioural tracking.
  • We do not allow organizers to see individual voter choices — only anonymised totals.
  • We do not retain data beyond the defined retention periods without explicit legal justification.

5. Data Access Controls

Access to data is strictly role-based:

  • Super Administrators can access audit logs and system-wide data for oversight.
  • Organizers can access voter lists and candidate applications only within their own elections.
  • Observers have read-only access to turnout statistics and published results.
  • Voters and Candidates can only access their own records and election-specific information.

6. Data Retention

  • Voting tokens: Expire after voting closes or after 7 days, whichever comes first. Deleted after expiry.
  • Vote records: Retained for the period specified by the organising body or applicable law (minimum 90 days post-election).
  • Candidate documents: Retained for the duration of the election process and up to 30 days after results are published, then deleted.
  • Audit logs: Retained for a minimum of 12 months and cannot be deleted by any user.
  • Account data: Retained until account deletion is requested, subject to outstanding obligations.

7. Data Processing by Third Parties

To operate the platform, we use trusted third-party service providers who process data strictly on our behalf and under confidentiality agreements:

  • Email delivery (Resend / Nodemailer): Used to send voting links and notifications.
  • File storage (Cloudinary): Used to store candidate documents and profile images securely.
  • Hosting (Vercel): Used to serve the application and store database backups.

None of these providers are authorised to use your data for any purpose beyond delivering their service to us.

8. Legal Basis for Processing

We process personal data on the following legal bases:

  • Contractual necessity: To provide the voting service users signed up for.
  • Legitimate interests: To ensure platform security, prevent fraud, and maintain audit records.
  • Consent: For optional communications such as notifications and updates.
  • Legal obligation: To comply with applicable Rwandan and international data protection laws.

9. Your Rights

In relation to your personal data, you have the right to:

  • Request a copy of the data we hold about you.
  • Request correction of inaccurate or incomplete records.
  • Request deletion of your data where there is no legal reason to retain it.
  • Object to or restrict processing in certain circumstances.
  • Withdraw consent at any time where consent is the basis for processing.

To exercise any of these rights, contact us at support@iruVote.com. We will respond within 30 days.

10. Updates to This Statement

We may update this Data Use Statement as the platform evolves or as legal requirements change. Any material changes will be communicated to registered users by email, and the updated statement will be posted here with a revised date. Continued use of the platform after updates constitutes acceptance of the revised statement.

11. Contact Us

For questions about this Data Use Statement or how your data is handled:

  • Email: support@iruVote.com
  • Phone: 0795 381 733 / 0736 318 111
  • Address: Gahanga, Kicukiro, Kigali, Rwanda