Version: 1.0
Effective Date: March 7, 2026
1. Introduction and Scope
This Privacy Policy describes how we process personal and financial data. We provide an automated VAT and expense management platform for Small and Medium Enterprises (SMEs).
2. Controller vs. Processor Distinction
- The Client (SME): Is the Data Controller. You determine the purpose and means of processing the financial data of your business and employees.
- The App: Is the Data Processor. We process data only upon your instructions and to provide the service.
3. Legal Basis for Processing
We process data under the following legal grounds:
- Contractual Necessity: To provide the automated VAT filing and expense features you have subscribed to.
- Legal Obligation: To assist you in meeting statutory tax obligations under the Kenya Revenue Authority (KRA) and other regional tax bodies.
- Legitimate Interests: To maintain the security of our platform and improve our OCR extraction algorithms.
4. Automated Data Extraction (OCR)
Our service utilizes Optical Character Recognition (OCR) to automatically extract data (totals, tax rates, vendor names) from uploaded receipts and invoices.
User Verification Clause: All automated extractions are subject to human error. The User is solely responsible for verifying the accuracy of all scanned data and exported reports prior to official tax submission. The Company assumes no liability for incorrect tax filings resulting from unverified data.
5. Transborder Data Flows
Data is stored on secure servers located in the United Kingdom. Transfers from Kenya to the UK are governed by Standard Contractual Clauses (SCCs), ensuring a level of protection equivalent to that required by the Kenya Data Protection Act (2019).
6. Data Retention vs. Right to Erasure
Under UK GDPR and Kenya DPA, you have the right to request erasure. However:
- Statutory Overlap: Your right to erasure is limited by our (and your) legal obligation to retain financial records for tax purposes.
- Retention Period: Identifiable financial records will be retained for a period of seven (7) years to comply with tax audit requirements, after which they will be permanently deleted or anonymized.
7. Anonymized Data Usage
We may aggregate and anonymize data to create industry benchmarks and improve our extraction models. Identifiable financial data is never sold to third parties.
Part 2: Data Processing Agreement (DPA) Framework
Subject: Alignment with GDPR Article 28 and Kenya DPA Section 42.
1. Processing Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country.
2. Confidentiality
The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Security of Processing
We implement rigorous technical and organizational measures, including:
- Cross-Company Isolation: Strict logical separation of data between different SME accounts.
- Audit Logging: Comprehensive “Who, What, When” logging of all data access and modifications.
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
4. Sub-processors
The Controller provides a general authorization for the Processor to engage sub-processors (e.g., cloud hosting providers). The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors.