Privacy Policy
This Privacy Policy explains how DukaFlow may collect, use, store, share, and protect personal data when you visit our website, request a demo, communicate with us, or use our software services.
Important drafting note
This page is a Kenya-oriented software policy draft prepared for DukaFlow with reference to official legal sources. It is not a substitute for legal advice and should be reviewed by Kenyan counsel before production use.
Last updated
March 25, 2026
1. Privacy commitment
DukaFlow recognises the importance of privacy and is committed to handling personal data in a lawful, fair, transparent, and proportionate way. This Policy is drafted with reference to Article 31 of the Constitution of Kenya and the Data Protection Act, 2019.
2. Who this Policy applies to
This Policy applies to personal data we collect from:
- website visitors;
- people who request demos, quotes, or contact us;
- customer representatives, account administrators, and users of DukaFlow services;
- suppliers, partners, and other business contacts whose information we process in the ordinary course of business.
3. Personal data we may collect
Depending on how you interact with DukaFlow, we may collect the following categories of personal data:
- identity and contact details, such as name, email address, phone number, and job title;
- business details, such as company name, sector, use case, size of team, and branch or location information;
- account and operational information, such as usernames, permissions, login records, device and browser metadata, and support history;
- transaction, product, and customer records uploaded or generated by customers within the platform;
- communications and enquiry details, including demo requests, support tickets, and correspondence with our team.
4. How we collect data
We may collect personal data when you:
- fill in a demo request or other contact form;
- use our website, app, or customer support channels;
- create or manage an account;
- connect integrations or upload business data;
- communicate with us by email, phone, chat, or social media.
5. Why we use personal data
We may use personal data to:
- respond to demo requests, enquiries, and support needs;
- provide, configure, secure, maintain, and improve our services;
- manage onboarding, billing, user administration, and service communications;
- monitor service health, troubleshoot incidents, and protect against fraud, misuse, and security risks;
- comply with legal, regulatory, tax, audit, and enforcement obligations;
- send marketing or product updates where permitted by law or where you have consented.
6. Legal basis and Kenyan data protection principles
We process personal data only where we have a lawful basis to do so, including consent, performance of a contract, steps taken at your request before entering a contract, compliance with legal obligations, and legitimate interests that are not overridden by the rights and freedoms of data subjects.
We aim to apply the core principles reflected in the Data Protection Act, including purpose limitation, data minimisation, accuracy, limited retention, transparency, and appropriate security safeguards.
7. Cookies, analytics, and product telemetry
We may use cookies and similar technologies to remember session preferences, support authentication, understand website usage, and improve performance. Where legally required, we will seek consent before using non-essential cookies or similar tracking tools.
8. Sharing personal data
We may share personal data only where reasonably necessary:
- with service providers who host, support, secure, or operate parts of our systems;
- with integration partners where you choose to connect third-party tools or payment services;
- with professional advisers, auditors, or insurers subject to appropriate confidentiality protections;
- with regulators, public authorities, or law enforcement when disclosure is required by law or lawful request;
- as part of a business restructuring, financing, acquisition, or sale, subject to appropriate safeguards.
9. International transfers
If personal data is stored or accessed outside Kenya, we will take reasonable steps to ensure that the transfer is subject to adequate safeguards, contractual protections, or another lawful basis recognised under applicable Kenyan data protection law.
10. Security measures
We use technical and organisational measures appropriate to the nature of the data and the risks involved. These may include access controls, authentication controls, backups, logging, system monitoring, encryption in transit where appropriate, and internal access restrictions.
No system can be guaranteed to be completely secure, but we aim to act promptly and responsibly where we become aware of a relevant data security incident.
11. Retention
We keep personal data only for as long as reasonably necessary for the purpose for which it was collected, including contract performance, support, record-keeping, dispute resolution, compliance, and legitimate business needs.
When data is no longer needed, we may delete it, anonymise it, or securely archive it where retention is required by law.
12. Your rights
Subject to applicable law and necessary verification, you may have the right to:
- be informed about the use of your personal data;
- request access to personal data we hold about you;
- request correction of inaccurate or misleading data;
- object to processing in appropriate circumstances or withdraw consent where consent is the basis for processing;
- request deletion where the law permits;
- complain to the relevant authority if you believe your rights have been infringed.
13. Children's privacy
DukaFlow is intended for business use and is not directed at children. We do not knowingly collect personal data directly from children for consumer-facing marketing or account creation without an appropriate lawful basis.
14. Changes to this Policy
We may update this Policy from time to time to reflect changes in law, technology, business operations, or our services. The latest version published on our website will apply from the date shown above unless otherwise stated.
15. Contact
If you have questions about this Privacy Policy or how DukaFlow handles personal data, please contact us through the contact channels published on this website.
