Privacy Policy

4. Data Security

We take appropriate measures to protect the security and integrity of the data provided by merchants. All sensitive personal data collected is encrypted both during transmission and storage. We implement industry-standard security measures to protect collected data against unauthorized access, disclosure, or alteration. Additionally, we regularly conduct security audits and employ strict access controls to safeguard collected data

Data Backups: We take the security of your data seriously, including data backups. We employ industry-standard encryption measures to ensure that data backups are encrypted and protected from unauthorized access or disclosure. This encryption helps safeguard your personal information even in the event of a backup restoration process.

It is important to remember that while we implement appropriate measures to protect personal information, no method of transmission or storage is completely secure. Therefore, we cannot guarantee absolute security of personal information. We encourage merchants and their customers to take precautions and use strong passwords, maintain the confidentiality of their account information, and promptly inform us of any unauthorized access or use of their accounts.

5. Data Retention

We retain all collected data only for as long as necessary to fulfill the purposes outlined in this privacy policy, unless a longer retention period is required or permitted by law. Once the data is no longer needed, we take steps to securely delete or anonymize it to prevent unauthorized access or use.

If a merchant chooses to delete or uninstall our app, we will promptly delete all personal information associated with their account, including any data collected from their customers. This ensures that their personal information is no longer retained within our systems. Note that even though we take measures to securely delete or anonymize personal information, residual copies may remain in our backup systems for a limited period of time. However, these backups are securely stored and access to them is restricted to prevent unauthorized use.

6. Data Sharing

We do not share any collected personal data with any third party unless required by law or governmental request. We do not sell or share this information with third parties, except as necessary to provide our services or if required to do so by law, regulation, or legal process.

7. Data Separation

Separating test and production data helps us maintain the confidentiality and reliability of your personal information. We employ secure infrastructure and access controls to maintain the separation and prevent unauthorized access to production data during testing or development activities.

While we take precautions to keep the test and production data separate, it is important to note that in certain circumstances, limited data may be used for testing purposes. However, any data used for testing is handled with the same level of security and confidentiality as production data, and appropriate measures are taken to protect its integrity.

By implementing data separation practices, we aim to uphold the highest standards of data privacy and security to ensure the protection of your personal information.

8. Data Loss Prevention

We are committed to safeguarding your personal information and have implemented a comprehensive data loss prevention strategy to minimize the risk of data loss, unauthorized access, or unauthorized disclosure. Our data loss prevention measures include:

• Regular data backups: We regularly back up our systems to ensure the availability and recoverability of data in the event of any unforeseen incidents.
• Redundancy and fault-tolerant architecture: Our infrastructure is designed with redundancy and fault-tolerant mechanisms to mitigate the impact of hardware or software failures and ensure the continuous availability of your data.
• Firewalls and security measures: We maintain robust firewalls and employ industry-standard security measures to protect against unauthorized access, data breaches, and other malicious activities.
• Access controls: We have strict access controls in place to limit access to personal information to authorized personnel only. These controls are regularly reviewed and updated to ensure the principle of least privilege is maintained.
• Employee training and awareness: We provide regular training to our employees to raise awareness about data protection best practices, including data loss prevention.

While we have taken these measures to prevent data loss, it is important to acknowledge that no system is completely immune to risks. In the event of any data loss or breach, we have incident response protocols in place to promptly identify and mitigate the impact of such incidents.

9. Access to Personal Data

We understand the importance of maintaining the confidentiality and security of your personal data. To ensure the protection of your information, we have implemented strict access controls and procedures to limit staff access to customers' personal data. Our access control measures include:

• Role-based access: Access to personal data is granted only to authorized staff members who require access to perform their job responsibilities. Access rights are assigned based on job roles and responsibilities, and access is regularly reviewed and updated as needed.
• Confidentiality agreements: All staff members who have access to customers' personal data are required to sign confidentiality agreements that legally bind them to maintain the confidentiality and privacy of the data they handle.
• Training and awareness: We provide comprehensive training to our staff members on data protection, privacy best practices, and their responsibilities regarding the handling of customers' personal data.
• Monitoring and auditing: We employ monitoring and auditing mechanisms to track and log access to personal data. This allows us to detect and investigate any unauthorized or suspicious activities promptly.

By implementing these measures, we strive to ensure that only authorized personnel with a legitimate need for accessing customers' personal data have the necessary permissions. We regularly review and update our access controls to maintain the highest level of data security.

10. Access Logging

We maintain a comprehensive access logging system to track and monitor access to personal data. This logging system records the following information:

• Date and time of access
• User or staff member accessing the data
• Type of data accessed
• Purpose or reason for accessing the data
• IP address or device information of the accessing party

The access logs serve several purposes, including:

• Security Monitoring: We review access logs to detect and prevent unauthorized access or suspicious activities related to personal data.
• Audit and Compliance: Access logs help us ensure compliance with privacy regulations and internal policies by providing an audit trail of data access activities.
• Incident Investigation: In the event of a security incident or data breach, access logs can be used to investigate the incident, identify the scope of the breach, and take appropriate remedial actions.

We maintain access logs for a defined retention period as required by applicable laws and regulations. These logs are securely stored and accessible only to authorized personnel for legitimate purposes.

By logging access to personal data, we enhance the security and accountability of our systems, ensuring that any unauthorized or inappropriate access can be promptly identified and addressed.

11. Security Incident Response

We have implemented a comprehensive security incident response policy to promptly and effectively respond to any security incidents that may occur. This policy includes the following key elements:

• Detection and Reporting: We employ monitoring systems and procedures to detect potential security incidents. Any suspected or confirmed security incidents are promptly reported to our designated incident response team.
• Response and Mitigation: Upon detection of a security incident, our incident response team initiates immediate actions to contain and mitigate the impact of the incident. This may involve isolating affected systems, implementing temporary measures, and taking steps to prevent further unauthorized access or data loss.
• Investigation and Analysis: We conduct a thorough investigation of security incidents to determine the cause, scope, and potential impact. This includes analyzing system logs, conducting forensic examinations, and gathering relevant evidence.
• Communication and Notification: In the event of a security incident that poses a risk to individuals' rights and freedoms, we will notify affected individuals and any relevant authorities in accordance with applicable laws and regulations. We will provide clear and timely communication about the incident, its impact, and any recommended actions individuals should take to protect themselves.
• Remediation and Preventive Measures: After resolving a security incident, we take appropriate measures to remediate the situation and prevent similar incidents from occurring in the future. This may involve implementing additional security controls, updating policies and procedures, and conducting staff training and awareness programs.

Our security incident response policy is regularly reviewed, tested, and updated to ensure its effectiveness in addressing new and emerging threats. We are committed to maintaining the confidentiality, integrity, and availability of personal data and continuously improving our security measures

12. User Consent and Choices

By using our app, you consent to the collection, processing, and storage of data as described in this policy. You have the right to access, rectify, or delete this data. If you wish to exercise these rights or have any concerns about your data privacy, please contact us using the information provided at the end of this policy.

13. Children's Privacy

The App is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under the age of 13, we will take steps to delete such information.

14. Compliance with GDPR, Kenyan Laws, and Other Data Protection Laws:

We are committed to protecting your privacy and ensuring the security of your personal information in accordance with applicable laws and regulations, including the General Data Protection Regulation (GDPR) in the European Union and the data protection laws of Kenya. This Privacy Policy outlines how we collect, use, and safeguard your data, taking into consideration the principles and requirements set forth in these regulations. By using our app, you acknowledge that your personal information will be handled in compliance with the GDPR, Kenyan laws, and other relevant data protection laws. In addition to the GDPR and Kenyan laws, we also seek to be compliant with other applicable data protection laws that may apply to our operations. We recognize the importance of privacy and data protection and strive to uphold high standards of compliance and accountability.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the revised policy on the App. We encourage you to review this policy periodically for any updates.