Privacy Policy
Last updated: March 27, 2026
Effective Date: 1 March 2026
This Privacy Policy explains how the platform ("we", "us", "our") collects, uses, and protects personal data from tenants and their end-users. We are committed to compliance with the Kenya Data Protection Act, 2019.
1. Multi-Tenant Architecture
Our platform operates a multi-tenant SaaS model. Each tenant's data is logically isolated -- tenants cannot access another tenant's data. We act as a data processor on behalf of tenants (who are data controllers for their own customers).
2. Data We Collect
- Tenant account data -- business name, owner name, email, phone number, and subdomain
- End-user data -- data entered by tenant customers (names, emails, bookings, orders) is stored on behalf of the tenant
- Usage data -- pages visited, features used, IP addresses, device type, and timestamps
- Billing data -- subscription plan and payment references (we do not store card numbers or M-Pesa PINs)
3. How We Use Data
- Providing the service -- operating the platform, managing tenant accounts, and delivering features
- Billing -- coordinating with payment processors for subscription billing
- Platform improvement -- analysing aggregated usage patterns to improve performance and develop features
- Communication -- transactional emails (verification, billing receipts) and, with consent, product updates
- Legal compliance -- meeting obligations under Kenyan law
4. BYOK Payment Model
We operate a Bring Your Own Key (BYOK) payment model. The platform never collects, holds, or intermediates any money. Tenants provide their own payment processor credentials (M-Pesa, Paystack). All payment transactions occur directly between the tenant and their payment provider.
5. Data Storage and Security
- Data is stored on secure servers with encryption at rest (AES-256) and in transit (TLS 1.2+)
- Tenant data is logically isolated at the database level
- We implement access controls, regular security audits, and monitoring
- Database backups are encrypted and stored in geographically separated locations
6. Third-Party Sharing
We do not sell personal data. We share data only with:
- Infrastructure providers -- hosting and cloud services under strict confidentiality agreements
- Payment processors -- only the minimum data required for subscription billing
- Legal authorities -- when required by law or a valid request from the ODPC
7. Your Rights
Under the Kenya Data Protection Act, 2019, you have the right to access, rectify, delete, restrict processing, port your data, and withdraw consent. Contact our support team to exercise these rights. We will respond within 30 days.
8. Data Retention
- Active accounts -- data is retained while the account is active
- After deletion -- personal data is removed within 30 days, except billing records retained for 7 years for tax compliance
- Tenant customer data -- deleted when the tenant account is deleted or upon tenant request
9. Changes to This Policy
We will notify you of material changes via email at least 14 days before they take effect.