Privacy Policy

Last Updated: January 2025

1. Introduction

Welcome to our Point of Sale (POS) System. We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy describes:

• What information we collect
• How we use your information
• How we protect your data
• Your rights under Kenyan law
• How to contact us about privacy concerns

2. Data Controller Information

Data Controller: [Your Company Name]

Registration Number: [Your Business Registration Number]

Physical Address: [Your Business Address], Nairobi, Kenya

Email: privacy@yourcompany.co.ke

Phone: +254 XXX XXX XXX

Data Protection Officer: [DPO Name if applicable]

3. Information We Collect

3.1 Account Information

When you register for an account, we collect:

• Personal Details: Full name, email address, phone number
• Business Information: Business name, registration number, physical address
• Login Credentials: Username and encrypted password
• Role Information: User role (Manager, Cashier)

3.2 Transaction Data

During business operations, we collect:

• Sales Records: Transaction amounts, dates, times, and items sold
• Payment Information: M-Pesa transaction IDs, customer phone numbers
• Customer Data: Phone numbers, purchase history, transaction counts
• Inventory Data: Product details, stock levels, supplier information

3.3 Customer Information

We automatically collect customer data when M-Pesa payments are processed:

• Phone numbers (from M-Pesa transactions)
• Purchase amounts and dates
• Transaction frequency
• Customer names (if provided voluntarily)

3.4 Technical Information

We automatically collect:

• Log Data: IP addresses, browser types, access times
• Device Information: Operating system, device type
• Usage Data: Features used, time spent, interaction patterns
• Audit Logs: User actions, system events, timestamps

4. How We Use Your Information

4.1 Primary Purposes

We use collected information to:

• Provide Services: Enable POS functionality, process transactions
• Account Management: Create and maintain user accounts
• Payment Processing: Facilitate M-Pesa transactions
• Customer Management: Track customer purchases and loyalty
• Inventory Management: Monitor stock levels and product performance
• Analytics: Generate sales reports and business insights

4.2 Communication

We may use your contact information to:

• Send service-related notifications
• Provide technical support
• Share important updates or changes
• Respond to your inquiries
• Send promotional materials (with your consent)

4.3 Legal Compliance

We may use your data to:

• Comply with legal obligations
• Respond to lawful requests from authorities
• Enforce our Terms of Service
• Protect our rights and property
• Prevent fraud and abuse

5. Legal Basis for Processing (Kenya Data Protection Act, 2019)

Processing Activity	Legal Basis
Account creation and management	Contract performance
Transaction processing	Contract performance
Customer data collection (M-Pesa)	Legitimate business interest
Analytics and reporting	Legitimate business interest
Marketing communications	Consent
Legal compliance	Legal obligation

6. Data Sharing and Disclosure

6.1 Third-Party Service Providers

We may share your data with:

• Safaricom (M-Pesa): For payment processing
• Cloud Service Providers: For data hosting and storage
• Analytics Providers: For service improvement
• Security Services: For fraud prevention

6.2 Legal Requirements

We may disclose your information if required by:

• Court orders or legal processes
• Kenya Revenue Authority (KRA) for tax purposes
• Law enforcement agencies investigating crimes
• Regulatory bodies with lawful authority

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new entity.

7. Data Security

7.1 Security Measures

We implement industry-standard security measures including:

• Encryption: Data encrypted in transit (SSL/TLS) and at rest
• Access Controls: Role-based access restrictions
• Authentication: Secure password requirements
• Monitoring: 24/7 security monitoring and audit logs
• Backups: Regular automated backups
• Staff Training: Security awareness for all personnel

7.2 M-Pesa Security

• We do not store M-Pesa PINs or sensitive credentials
• Transaction data is encrypted during transmission
• API communications use secure HTTPS protocols

7.3 Your Responsibility

You must:

• Keep your login credentials confidential
• Use strong, unique passwords
• Log out after each session
• Report suspicious activities immediately
• Ensure device security (antivirus, updates)

8. Data Retention

8.1 Retention Periods

Data Type	Retention Period
Account information	Duration of active account + 1 year
Transaction records	7 years (tax compliance)
Customer data	5 years from last transaction
Audit logs	3 years
Marketing data	Until consent withdrawn

8.2 Deletion

After retention periods expire, data is securely deleted or anonymized unless legal obligations require longer retention.

9. Your Rights Under Kenya Data Protection Act, 2019

9.1 Right to Access

You have the right to request:

• Confirmation of whether we process your personal data
• Access to your personal data
• Information about how we use your data

9.2 Right to Rectification

You can request correction of inaccurate or incomplete data.

9.3 Right to Erasure

You can request deletion of your data when:

• Data is no longer necessary for its original purpose
• You withdraw consent (where applicable)
• Data was unlawfully processed
• Legal obligations require deletion

9.4 Right to Restrict Processing

You can request limitation of data processing in certain circumstances.

9.5 Right to Data Portability

You can request your data in a machine-readable format for transfer to another service provider.

9.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time.

10. Customer Data and Consent

10.1 Customer Privacy

As a merchant using our system:

• You are responsible for informing your customers about data collection and usage
• You are responsible for informing your customers about data collection through M-Pesa transactions.
• You must obtain any required consent from customers before using their data for marketing.
• You must comply with all applicable laws when handling customer information.

10.2 Consent for Marketing

Customer data may only be used for marketing purposes if:

• Explicit consent has been obtained
• Customers are informed of their right to opt-out
• Consent records are maintained

11. International Data Transfers

If your data is transferred outside Kenya (e.g., cloud storage), we ensure adequate safeguards are in place, such as:

• Data processing agreements with providers
• Encryption and security controls
• Compliance with Kenya’s Data Protection Act requirements

12. Children’s Privacy

Our POS system is not intended for children under 18. We do not knowingly collect data from minors. If we become aware of such data collection, it will be deleted immediately.

13. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in technology
• Changes in laws or regulations
• Updates to our services

Any updates will be posted on this page with the “Last Updated” date revised. Significant changes will be communicated via email or system notifications.

14. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or your personal data, please contact us:

• Email: privacy@yourcompany.co.ke
• Phone: +254 XXX XXX XXX
• Address: [Your Business Address], Nairobi, Kenya
Dispute Resolution: If we cannot resolve your privacy concerns, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya.