Privacy Policy

How KisoByte Solutions collects, uses, protects, and shares personal data—in line with the Constitution of Kenya and the Data Protection Act, 2019.

Last updated: May 2026

This policy describes how we handle personal data when you visit our website, subscribe to our software, or interact with our team. If you process personal data about your own customers or staff on KisoByte, you remain the data controller for that data—we process it on your behalf as described in your agreement.

Operational note for SaaS clients

Do not rely on a single bundled signup checkbox for all processing. Under the DPA 2019, consent must be specific and granular—marketing requires a separate, unticked opt-in. Enterprise customers may request a formal Data Processing Agreement (DPA) from info@kisobyte.co.ke.

I. Legal Framework & Data Controller Identity

1.1 Constitutional & Statutory Alignment

This Privacy Policy gives effect to Article 31 of the Constitution of Kenya (right to privacy) and complies with the Data Protection Act, 2019 ("DPA"), its regulations, and guidance issued by the Office of the Data Protection Commissioner (ODPC). It applies to personal data collected through our website, SaaS platform, APIs, support channels, and related services.

1.2 Company Identification & Role

KisoByte Solutions Ltd ("KisoByte," "we," "us") is the Data Controller when we determine how and why we process personal data relating to our direct clients, website visitors, and account holders. We act as a Data Processor when we host or process personal data on behalf of SaaS tenants (your end customers, employees, or members) according to your instructions and our data processing agreement.

1.3 ODPC Registration Status

KisoByte acknowledges its obligations as an entity engaged in automated processing of personal data under Kenyan law. We maintain registration and compliance measures with the ODPC as required for our processing activities and will update this policy if our registration status or scope changes.

II. Categories of Personal Data Collected

2.1 Standard Personal Data

We may collect names, physical or postal addresses, corporate email addresses, Kenyan phone numbers, job titles, company names, billing details, and account credentials necessary to provide our Services.

2.2 Sensitive Personal Data

Under Section 2 of the DPA, sensitive personal data includes biometric data, health information, property details, marital status, and family details (including names of children or spouses). KisoByte does not require sensitive data for core account setup. If your organisation stores such data on our platform (e.g. biometric login or HR records), it remains your responsibility as controller; we apply strict tenant isolation, encryption, and access controls to protect it.

2.3 Technical & Usage Data

We automatically collect IP addresses, browser types, device identifiers, operating system information, session logs, API usage metadata, error reports, and security audit trails to operate, secure, and improve the platform.

IV. Processing Activities & Third-Party Integrations

4.1 Multi-Tenant Data Isolation

Each corporate tenant's data is logically segregated in our multi-tenant architecture. Access controls, database partitioning, and application-level tenancy rules prevent one client from viewing another's data except where you explicitly authorise cross-tenant features.

4.2 Communication & API Integrations

When you enable integrations (webhooks, Chatwoot, WhatsApp Business API, payment gateways, or email providers), personal data and message payloads may flow to those third parties under their privacy terms. You are responsible for configuring integrations and obtaining lawful bases and consents from data subjects.

4.3 AI & Autonomous Workflow Processing

Some features send prompts or workflow data to cloud-based large language models or autonomous agents to deliver the functionality you configure. We process inputs to provide the requested output. Client confidential data is not used to train public third-party models without explicit written agreement. Sub-processors (e.g. OpenAI, Anthropic) apply their own policies when connected.

V. Cross-Border Data Transfers

5.1 Geographic Storage Locations

Personal data may be stored or processed on secure cloud infrastructure located outside Kenya (for example, regions operated by AWS, DigitalOcean, Hetzner, or comparable providers) where required for performance, redundancy, or integrated services. Specific locations depend on your deployment and configuration.

5.2 Legal Mechanisms for Transfer

Transfers outside Kenya are made only where permitted under Sections 48 and 49 of the DPA: with appropriate safeguards recognised by the Data Commissioner, binding contractual clauses, or your explicit informed consent where applicable. We assess transfer risks and implement supplementary measures where needed.

VI. Data Subject Rights

6.1 Right to be Informed

You have the right to know what personal data we collect, why we process it, who we share it with, and how long we retain it—through this policy and supplementary notices at the point of collection.

6.2 Right of Access

You may request a copy of personal data we hold about you, subject to identity verification and applicable exceptions. SaaS tenants should direct end-user access requests through their own privacy processes; we assist controllers as processor where contractually required.

6.3 Right to Object

You may object to processing based on legitimate interests or for direct marketing. We will cease marketing processing upon objection unless we demonstrate compelling legitimate grounds.

6.4 Right of Rectification

You may request correction of inaccurate, outdated, or incomplete personal data through your account settings or by contacting us.

6.5 Right of Erasure

You may request deletion of personal data where processing is no longer necessary, consent is withdrawn, or erasure is required by law—subject to legal retention limits and backup cycles.

VII. Data Retention & Permanent Deletion

7.1 Retention Schedules

We retain personal data for the duration of an active account and for a defined period thereafter (typically up to twelve months) to resolve disputes, meet tax obligations, and comply with law—unless a longer period is required.

7.2 Archiving & Anonymization

Legacy logs and analytics may be anonymised or aggregated so they can no longer identify individuals, while still supporting security and product improvement.

7.3 Hard Deletion Policies

Upon confirmed termination and deletion request, we remove personal data from active production systems within a reasonable timeframe. Encrypted backups may persist for a limited period before automatic purging, except where law requires longer retention.

VIII. Security Safeguards & Breach Management

8.1 Technical Measures

We implement encryption in transit (TLS/SSL), encryption at rest where appropriate, multi-factor authentication options, role-based access controls, network segmentation, and regular vulnerability management.

8.2 Organizational Measures

Our team receives data protection training, follows access-on-need principles, maintains processing records, and conducts periodic reviews of systems and vendors handling personal data.

8.3 Data Breach Notification Protocol

If we become aware of a personal data breach likely to result in risk to rights and freedoms, we will notify the ODPC within seventy-two (72) hours where required and inform affected users without undue delay when there is a high risk to their privacy, describing the nature of the breach and remedial steps taken.

IX. Contact & Regulatory Recourse

9.1 Data Protection Officer (DPO)

Privacy and compliance inquiries may be directed to our Data Protection contact at info@kisobyte.co.ke with the subject line "Data Protection Request." We respond within timelines required by the DPA.

9.2 Right to Lodge a Complaint

If you believe your privacy rights have been violated, you may lodge a complaint with the Office of the Data Protection Commissioner at www.odpc.go.ke. We encourage you to contact us first so we can address your concern promptly.

9.3 Data Processing Agreements

Corporate clients acting as data controllers may request a formal Data Processing Agreement (DPA) to satisfy their own ODPC obligations. Contact us to execute a DPA tailored to your subscription and processing scope.

Exercise your privacy rights

Submit access, correction, or deletion requests—or ask about a Data Processing Agreement for your organisation.

KisoByte Solutions Ltd · Nairobi, Kenya