Privacy Policy

1. Definitions

• “Data Controller” means the entity that determines the purposes and means of processing personal data. For the purposes of this Privacy Policy, Inflow Solutions Ltd is the Data Controller.
• “Data Processor” means any entity that processes personal data on behalf of the Data Controller.
• “Data Subject” means any identified or identifiable natural person whose personal data is processed.
• “Personal Data” means any information relating to an identified or identifiable natural person, as defined in the Kenya Data Protection Act, 2019.
• “Processing” means any operation performed on personal data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
• “Sensitive Personal Data” means data revealing a person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details, sex, or any other data classified as sensitive under the Act.

2. Data We Collect

We may collect the following categories of personal data depending on the Product you use:

2.1. Information you provide directly

• Account information: name, email address, phone number, business name
• Payment information: billing address, payment method details (processed by third-party payment processors; we do not store full payment card numbers)
• Profile information: profile picture, preferences, settings
• Communications: messages, feedback, or support requests you send us
• Content: any data, files, or materials you upload or create within a Product

2.2. Information collected automatically

• Device information: device type, operating system, browser type, unique device identifiers
• Usage data: pages visited, features used, actions taken, time spent, crash reports
• Log data: IP address, access times, referring URLs, error logs
• Location data: approximate location based on IP address (we do not collect precise GPS location without your explicit consent)

2.3. Information from third parties

• Platform data: information provided by Platforms such as Shopify, QuickBooks, Google, or Apple when you install or connect a Product (e.g., store name, store URL, merchant ID)
• OAuth and single sign-on data: information received when you authenticate through a third-party provider

2.4. Cookies and similar technologies

We use cookies, local storage, and similar tracking technologies to recognise you, remember preferences, and analyse usage. See Section 11 for details.

3. Purposes of Processing

We process your personal data for the following purposes:

• Service delivery: To provide, maintain, and improve our Products, including processing transactions, managing your Account, and delivering features you request.
• Customer support: To respond to your enquiries, troubleshoot issues, and provide technical assistance.
• Communication: To send you service-related notices, updates, security alerts, and (with your consent) marketing communications.
• Analytics and improvement: To understand how our Products are used, identify trends, and improve functionality, performance, and user experience.
• Security and fraud prevention: To detect, investigate, and prevent fraudulent, unauthorised, or illegal activity, and to protect the rights and safety of our users and the Company.
• Legal compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
• Business operations: To manage our business, including billing, accounting, auditing, and enforcing our terms.

4. Legal Basis for Processing

Under the Kenya Data Protection Act, 2019, we process personal data on the following legal bases:

• Consent: Where you have given clear consent for us to process your personal data for a specific purpose.
• Contractual necessity: Where processing is necessary for the performance of a contract with you (e.g., providing a Product you have subscribed to).
• Legitimate interest: Where processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests (e.g., fraud prevention, product analytics, direct marketing to existing customers).
• Legal obligation: Where processing is necessary to comply with a legal obligation to which we are subject.

You may withdraw your consent at any time by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share your personal data with the following categories of recipients:

• Service providers and processors: Third-party companies that perform services on our behalf, such as hosting, payment processing, analytics, email delivery, and customer support. These providers are contractually bound to process data only on our instructions and in accordance with this Privacy Policy.
• Platform operators: Where a Product operates on a Platform (e.g., Shopify, QuickBooks), certain data may be shared with the Platform operator as required for the Product to function.
• Legal and regulatory authorities: Where required by law, regulation, legal process, or governmental request.
• Business transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, your data may be transferred to the successor entity.
• With your consent: Where you have explicitly consented to a specific disclosure.

6. Cross-Border Data Transfers

6.1. As a Kenyan company serving users globally, we may transfer personal data outside Kenya to countries where our service providers or infrastructure are located.

6.2. Where we transfer personal data outside Kenya, we ensure that adequate safeguards are in place as required by the Kenya Data Protection Act, 2019, including:

• Transferring to countries that provide adequate data protection as determined by the Office of the Data Protection Commissioner (ODPC);
• Implementing appropriate contractual safeguards (e.g., standard contractual clauses);
• Obtaining your explicit consent where required.

6.3. You may contact us to obtain further information about the safeguards we use for cross-border transfers.

7. Data Retention

7.1. We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

7.2. General retention periods:

• Account data: retained for the duration of your Account and for up to 3 years after Account closure, unless a longer retention period is required by law.
• Transaction records: retained for up to 7 years for tax, accounting, and legal compliance purposes.
• Usage and analytics data: retained in aggregated or anonymised form indefinitely; identifiable usage data is retained for up to 2 years.
• Support communications: retained for up to 3 years after resolution.

7.3. When personal data is no longer needed, we will securely delete or anonymise it.

8. Data Security

8.1. We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, including:

• Encryption of data in transit (TLS/SSL) and at rest where appropriate;
• Access controls and authentication mechanisms;
• Regular security assessments and monitoring;
• Employee training on data protection and confidentiality.

8.2. While we strive to protect your personal data, no method of transmission or storage is completely secure. We cannot guarantee absolute security.

8.3. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ODPC and affected Data Subjects in accordance with the Act.

9. Your Rights

Under the Kenya Data Protection Act, 2019, you have the following rights:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request that we correct inaccurate or incomplete personal data.
• Right to erasure: You may request that we delete your personal data, subject to legal retention requirements.
• Right to restrict processing: You may request that we restrict the processing of your personal data in certain circumstances.
• Right to data portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format.
• Right to object: You may object to the processing of your personal data where we rely on legitimate interests, including for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time.

To exercise any of these rights, contact us at the details provided in Section 14. We will respond within 30 days of receiving your request.

10. Children’s Privacy

10.1. Our Products are not directed at children under the age of 18. We do not knowingly collect personal data from children under 18.

10.2. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us. We will take steps to delete such data promptly.

10.3. In jurisdictions where a different age of digital consent applies, we comply with the applicable age requirement.

11. Cookies and Analytics

11.1. We use cookies and similar technologies for the following purposes:

• Essential cookies: Required for the Product to function (e.g., authentication, session management). These cannot be disabled.
• Analytics cookies: Help us understand how users interact with our Products (e.g., page views, feature usage). We may use third-party analytics services such as Google Analytics.
• Preference cookies: Remember your settings and preferences.

11.2. You can manage cookie preferences through your browser settings. Disabling certain cookies may affect Product functionality.

11.3. For analytics, we may collect anonymised or aggregated data that cannot be used to identify you.

12. Processors and Sub-Processors

12.1. We engage the following categories of third-party processors and sub-processors:

12.2. We require all processors to enter into data processing agreements and to implement appropriate security measures.

12.3. A current list of specific sub-processors may be requested by contacting us.

13. Changes to This Privacy Policy

13.1. We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on our website or within the Product.

13.2. The “Last updated” date at the top of this page indicates when the policy was last revised.

13.3. Your continued use of a Product after changes take effect constitutes acceptance of the updated Privacy Policy.