Privacy Policy

Last updated: 19 March 2026

1. Introduction

Kwijo ("we", "us", "our") is an AI-powered business management platform designed for small and medium enterprises in Kenya. We are committed to protecting the privacy and security of your personal data in accordance with the Kenya Data Protection Act, 2019 (DPA), the Data Protection (General) Regulations, 2021, and all applicable laws.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Kwijo platform, including our website, mobile application, AI agents, and related services (collectively, the "Service").

By using our Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on your consent as the legal basis for processing, you may withdraw consent at any time by contacting us or adjusting your settings within the platform.

2. Data Controller

The data controller responsible for your personal data is:

Kwijo

Nairobi, Kenya

Email: privacy@kwijo.com

3. Data We Collect

We collect the following categories of personal data:

3.1 Account Information

  • Phone number (used for WhatsApp OTP authentication)
  • Name and business details (business name, type, location, county)
  • Business registration and KRA PIN (if voluntarily provided during onboarding)

3.2 Business Data

  • Sales records and transaction history
  • Product and inventory information (including product images)
  • Customer and contact details
  • Expense records and financial data
  • Invoices and payment records
  • Business goals and performance metrics

3.3 Google Account Data (Optional)

If you choose to connect your Google account, we access:

  • Gmail: Read and send emails on your behalf
  • Google Calendar: Read and create calendar events

We only access Google data when you explicitly connect your account and grant permission via Google's OAuth consent flow. You can disconnect your Google account at any time from the Settings page, at which point we revoke the access token and delete stored Google data.

3.4 Payment Data

  • M-Pesa phone number used for payments
  • Transaction references and payment status
  • Subscription and billing history

We do not store your M-Pesa PIN or any financial credentials. Payment processing is handled directly by Safaricom through the M-Pesa Daraja API using the STK Push mechanism.

3.5 Chat and AI Interaction Data

  • Conversations with AI agents (chat messages)
  • AI-generated responses and recommendations
  • Agent memory and context data used to personalize interactions

3.6 Technical Data

  • Push notification subscription tokens
  • Device and browser information (user agent)
  • Usage patterns and feature interaction logs

4. How We Use Your Data

We process your personal data for the following purposes:

4.1 Service Delivery (Legal basis: Contract performance)

  • Provide and operate the Kwijo AI business management platform
  • Process sales, manage inventory, track expenses, and generate business reports
  • Enable AI agents to assist you with business tasks
  • Process payments and manage subscriptions via M-Pesa
  • Send service-related notifications (reminders, payment confirmations, trial alerts)

4.2 AI-Powered Features (Legal basis: Contract performance & Consent)

  • Process your business data through Google Gemini AI models to generate insights, recommendations, and responses
  • Create and maintain agent memory to personalize interactions over time
  • Generate text embeddings to match relevant knowledge and context
  • Generate images and creative designs (via Sana agent)
  • Perform web searches on your behalf to provide up-to-date information (via Tavily API)

4.3 Google Account Integration (Legal basis: Consent)

  • Read and send emails through your connected Gmail account
  • View and create events in your Google Calendar
  • These features are only activated when you explicitly connect your Google account

4.4 Proactive Engagement (Legal basis: Legitimate interest & Consent)

  • Send proactive business insights, reminders, and tips through AI agents
  • Deliver push notifications for important business events
  • You can control proactive engagement frequency and disable it entirely from Settings

4.5 Service Improvement (Legal basis: Legitimate interest)

  • Analyse aggregate usage patterns to improve the platform
  • Diagnose technical issues and ensure platform security

5. AI and Automated Processing

Kwijo uses artificial intelligence (Google Gemini AI models) to process your business data and provide automated recommendations, insights, and assistance. This includes:

  • Analysing sales patterns and inventory levels
  • Generating business advice and recommendations
  • Providing Kenyan tax, registration, and compliance guidance
  • Creating designs and marketing materials
  • Setting and tracking business goals

Important: AI-generated recommendations are informational and do not constitute professional financial, legal, or tax advice. You are responsible for all business decisions made using the platform.

Under Section 35 of the Kenya Data Protection Act, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. You may request human review of any AI-generated recommendation by contacting us at privacy@kwijo.com.

6. Google API Services User Data

Kwijo's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6.1 What Google Data We Access

  • Gmail: We read your recent emails and send emails on your behalf when instructed through the Amina (Personal Assistant) agent.
  • Google Calendar: We read your calendar events and create new events when instructed through the Amina agent.

6.2 How Google Data Is Used

Google user data is used exclusively to:

  • Display your emails and calendar events within the Kwijo chat interface
  • Send emails and create calendar events when you explicitly request it through an AI agent
  • Provide contextual business assistance based on your schedule and communications

6.3 Limited Use Compliance

We strictly comply with Google's Limited Use requirements:

  • Google data is only used to provide and improve user-facing features visible in the Kwijo app
  • We do not transfer Google data to third parties except as necessary to provide the Service, for security purposes, or as required by law
  • We do not use Google data for advertising, retargeting, or selling to data brokers
  • We do not allow humans to read your Google data unless you provide explicit consent, it is necessary for security investigation, or it is required by law

6.4 Google Data Storage & Security

  • Google OAuth tokens are encrypted using AES-256-CBC before storage
  • Tokens are stored in our secure database and are never exposed to the client
  • We automatically refresh expired tokens and revoke them when you disconnect

6.5 Disconnecting Google

You can disconnect your Google account at any time from the Settings page. When you disconnect:

  • We revoke the OAuth access and refresh tokens
  • We delete all stored Google tokens from our database
  • Gmail and Calendar features are immediately disabled for your account

7. Data Sharing and Third-Party Processors

We share your data with the following categories of third-party processors, solely for the purposes of providing the Service:

Processor | Purpose | Location
Supabase (AWS) | Database hosting and storage | EU (Frankfurt)
Google Cloud (Gemini AI) | AI processing and text/image generation | US / EU
Google (Gmail & Calendar) | Email and calendar integration | US / EU
Safaricom (M-Pesa Daraja) | Payment processing | Kenya
Tavily | Web search queries | US
Vercel | Application hosting | US / EU

We do not sell, rent, or trade your personal data to any third party. We do not share your data with advertisers or data brokers.

8. Cross-Border Data Transfers

Your data may be transferred to and processed in countries outside Kenya, including within the European Union and the United States. We ensure that such transfers comply with Section 48 of the Kenya Data Protection Act by:

  • Using processors that maintain adequate data protection standards (including GDPR compliance for EU-based processors)
  • Implementing appropriate safeguards including encryption in transit and at rest
  • Ensuring contractual obligations with all processors regarding data protection
  • Obtaining your consent for cross-border data transfers where required

9. Data Retention

We retain your data for the following periods:

  • Account data: Retained for the duration of your account and for 90 days after account deletion to allow for recovery.
  • Business data (sales, inventory, customers, expenses): Retained for the duration of your account. Available for export before account deletion.
  • Chat messages and AI interactions: Retained for the duration of your account.
  • Google tokens: Deleted immediately upon disconnecting your Google account or deleting your Kwijo account.
  • Payment records: Retained for 7 years as required by the Kenya Income Tax Act for financial record-keeping.
  • Push notification tokens: Automatically removed when they become stale or when you unsubscribe.

10. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • Encryption: Data in transit is protected by TLS/HTTPS. Sensitive tokens (Google OAuth) are encrypted at rest using AES-256-CBC.
  • Access control: Row-level security (RLS) policies ensure you can only access your own data. All database queries are tenant-scoped.
  • Authentication: Secure authentication via WhatsApp OTP or Google OAuth with session management.
  • Infrastructure: Our database is hosted on Supabase (AWS eu-central-1) with automated backups, monitoring, and security patches.
  • API security: All API endpoints require authentication. Cron endpoints use secret-based authorization.

11. Your Rights Under the Kenya Data Protection Act

As a data subject, you have the following rights:

  • Right to be informed: You have the right to know what data we collect, why, and how we use it (as described in this policy).
  • Right of access: You may request a copy of your personal data. We will respond within 7 days.
  • Right to rectification: You may request correction of inaccurate data. We will respond within 14 days.
  • Right to erasure: You may request deletion of your personal data when it is no longer necessary for the purposes for which it was collected.
  • Right to object: You may object to processing of your data, including for direct marketing and proactive messaging.
  • Right to data portability: You may request your data in a commonly used, machine-readable format.
  • Right regarding automated decisions: You may request human review of decisions made solely by automated processing (including AI recommendations).

To exercise any of these rights, contact us at privacy@kwijo.com. We will respond within the timeframes specified by the DPA.

12. Push Notifications

With your permission, we send push notifications to your device for important business events such as payment confirmations, reminders, stock alerts, and proactive business tips. You can:

  • Enable or disable push notifications from the Settings page
  • Control the frequency of proactive messages (minimal, balanced, or active)
  • Set quiet hours during which no proactive notifications are sent (default: 8 PM – 7 AM EAT)
  • Revoke browser notification permissions at any time

13. Web Search

When you ask an AI agent a question that requires current information, the agent may perform a web search on your behalf using the Tavily search API. The search query is derived from your conversation and sent to Tavily's servers in the United States. Search results are used solely to provide you with relevant, up-to-date information and are not stored beyond the current conversation context.

14. Children's Data

Kwijo is a business management platform intended for users aged 18 years and above. We do not knowingly collect personal data from children under 18. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will:

  • Notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay, providing details of the breach, potential consequences, and measures taken
  • Document the breach, its effects, and remedial actions taken

16. Cookies and Local Storage

We use essential cookies and browser local storage for:

  • Authentication: Session cookies to keep you logged in
  • Preferences: Theme preference (light/dark mode) stored in local storage
  • Referral tracking: A cookie to attribute referral codes during sign-up

We do not use tracking cookies, analytics cookies, or advertising cookies.

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, sending you a notification through the platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

If we make changes to how we process Google user data, we will prompt you to re-consent before the new processing begins.

18. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Office of the Data Protection Commissioner (ODPC)

Immaculate Conception Catholic Church Annex, 5th Floor

Kenyatta Avenue, Nairobi, Kenya

Email: complaints@odpc.go.ke

Website: www.odpc.go.ke

19. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

Kwijo — Data Protection

Email: privacy@kwijo.com