Privacy Policy

1. Data Controller

Vendly ("we", "us", or "our") is the data controller responsible for your personal data. We are committed to protecting your privacy in accordance with the Kenya Data Protection Act, 2019 (the "DPA") and the regulations made thereunder.

If you have questions about this policy or our data practices, please contact us at privacy@vendly.co.ke.

2. Personal Data We Collect

We collect the following categories of personal data:

• Account information: Full name, email address, organization name, and password (stored in hashed form).
• Business data: Invoices, quotations, customer records, product/service information, financial transactions, and other data you enter into the platform in the course of using our services.
• Usage data: Log data, device information, browser type, IP address, pages visited, and interaction patterns collected automatically when you use our services.
• Communications: Records of your correspondence with us, including support requests.

3. Purpose and Lawful Basis for Processing

Under Sections 25 and 30 of the DPA, we process your personal data on the following lawful bases:

• Consent (Section 30(1)(a)): You provide explicit consent when creating your account. You may withdraw consent at any time, though this may affect your ability to use our services.
• Performance of a contract (Section 30(1)(b)): Processing is necessary to provide you with the Vendly platform and services you have requested.
• Legitimate interest (Section 30(1)(f)): We process usage data to improve our services, ensure security, and prevent fraud, where such processing does not override your fundamental rights and freedoms.
• Legal obligation (Section 30(1)(c)): We may process data where required by applicable Kenyan law, including tax and accounting regulations.

4. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account data: Retained for the duration of your account and up to 30 days after account deletion to allow for account recovery.
• Business data: Retained for the duration of your account. Upon account deletion, business data is permanently deleted within 90 days, unless retention is required by law.
• Usage data: Retained in identifiable form for up to 12 months, after which it is anonymized or deleted.
• Financial records: Retained for up to 7 years as required by Kenyan tax and accounting legislation.

5. Your Rights as a Data Subject

Under Section 26 of the DPA, you have the following rights with respect to your personal data:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may request deletion of your personal data, subject to any legal obligations requiring retention.
• Right to data portability: You may request your data in a structured, commonly used, and machine-readable format.
• Right to object: You may object to the processing of your personal data where processing is based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at privacy@vendly.co.ke. We will respond to your request within 30 days.

6. Cross-Border Data Transfers

Our services may involve the transfer of your personal data to servers located outside Kenya. In accordance with Section 48 of the DPA, we ensure that any such transfers are subject to appropriate safeguards, including:

• Transfers to countries with adequate data protection laws as determined by the Data Commissioner.
• Contractual clauses that ensure the recipient provides an equivalent level of protection.
• Your explicit consent where required.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest.
• Password hashing using industry-standard algorithms.
• Access controls limiting data access to authorised personnel only.
• Regular security assessments and monitoring.

8. Cookies and Tracking

We use essential cookies required for the operation of our platform (e.g., authentication tokens and session management). We may also use analytics cookies to understand how our services are used. You can control cookie preferences through your browser settings.

9. Third-Party Services

We may share your personal data with trusted third-party service providers who assist us in operating our platform (e.g., cloud hosting, email delivery, payment processing). These providers are contractually bound to process your data only on our instructions and in accordance with the DPA.

10. Children's Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

11. Complaints

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with:

We encourage you to contact us first at privacy@vendly.co.ke so that we may attempt to resolve your concern directly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or through a notice on our platform prior to the changes taking effect. Your continued use of our services after notification constitutes acceptance of the updated policy.

13. Contact Us

For any questions or requests regarding this Privacy Policy or your personal data, please contact: