Privacy Policy

1. Introduction

VumaCloud LTD ("VumaCloud", "we", "our", or "us"), a company incorporated under the laws of the Republic of Kenya with its registered office at One Africa Place, Waiyaki Way, Nairobi, Kenya, is committed to protecting and respecting your privacy.

This Privacy Policy explains how we collect, use, store, disclose, and safeguard your personal data when you use our services (VumaERP, VumaMail, VumaAPI, and our websites). It applies to all individuals whose personal data we process, including customers, prospective customers, website visitors, and Authorised Users.

This Policy is prepared in compliance with the Data Protection Act 2019 (Kenya) ("DPA"), the regulations thereunder, and the guidance issued by the Office of the Data Protection Commissioner (ODPC). Where our services are used in other jurisdictions, we also comply with applicable local data protection laws.

2. Data Controller and Data Processor

Under the DPA:

• VumaCloud as Data Controller: When we collect personal data directly from you (e.g., account registration, contact forms, billing), we act as the data controller and determine the purposes and means of processing.
• VumaCloud as Data Processor: When you use our services to store and process personal data of your customers, employees, or contacts (e.g., customer records in VumaERP, emails in VumaMail), we act as a data processor on your behalf. You remain the data controller for such data.

We have registered with the Office of the Data Protection Commissioner (ODPC) in compliance with Section 18 of the DPA.

3. Personal Data We Collect

3.1 Data You Provide Directly

• Account information: Full name, email address, phone number, company name, job title, and business registration details.
• Billing information: MTN MoMo phone number, bank account details, or card details (processed by third-party payment processors; we do not store full card numbers).
• KYC information: Business registration certificates, KRA PIN (or equivalent tax ID), and identification documents where required for compliance.
• Support correspondence: Emails, WhatsApp messages, chat logs, and call recordings related to customer support.
• User-generated content: Data you enter into the Services, including business records, invoices, employee records, and email content.

3.2 Data Collected Automatically

• Device and browser data: IP address, browser type, operating system, device identifiers, and screen resolution.
• Usage data: Pages visited, features used, timestamps, click patterns, and session duration.
• Cookies and similar technologies: We use cookies, local storage, and similar tracking technologies as described in Section 10.
• Log data: Server logs including access times, error logs, and API request metadata.

3.3 Data from Third Parties

• Payment verification data from MTN MoMo and other payment providers.
• Tax compliance data from RRA systems (EBM, E-Tax).
• Publicly available business registration information.

4. Legal Basis for Processing

In accordance with Section 30 of the DPA, we process personal data on the following legal bases:

• Performance of a contract (Section 30(a)): Processing necessary to provide the Services you have subscribed to, including account management, billing, and technical support.
• Consent (Section 30(b)): Where you have given explicit consent, such as for marketing communications and non-essential cookies. You may withdraw consent at any time.
• Legitimate interests (Section 30(e)): Processing necessary for our legitimate business interests, including service improvement, fraud prevention, and security, provided such interests are not overridden by your rights and freedoms.
• Legal obligation (Section 30(c)): Processing required to comply with Applicable Law, including tax reporting, anti-money laundering requirements, and responses to lawful requests from government authorities.

5. How We Use Your Personal Data

• Service delivery: To provide, maintain, and improve our Services, including account provisioning, technical support, and feature updates.
• Billing and payments: To process transactions, generate invoices, and manage subscriptions via MTN MoMo, bank transfer, or card.
• Tax compliance: To integrate with RRA EBM and generate compliant tax documents on your behalf.
• Communications: To send service-related notifications (e.g., downtime alerts, billing reminders, security notices). Marketing communications are only sent with your consent.
• Security: To detect, prevent, and respond to security incidents, fraud, and abuse.
• Analytics: To understand how our Services are used and to improve user experience. Analytics data is aggregated and anonymised where possible.
• Legal compliance: To comply with legal obligations, respond to legal process, and enforce our Terms of Service.

6. Data Sharing and Disclosure

We do not sell your personal data. We may share personal data only in the following circumstances:

• Service providers: Trusted third-party providers who process data on our behalf, including cloud hosting providers (servers located in Africa and Europe), payment processors (MTN MoMo, Airtel Money), email delivery services, and customer support tools. All service providers are bound by data processing agreements.
• Tax authorities: Where required for tax compliance, we transmit invoice and transaction data to RRA systems (EBM, E-Tax) as authorised by you.
• Legal requirements: Where required by Applicable Law, court order, or government request, in accordance with Section 51 of the DPA.
• Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections.
• With your consent: For any other purpose, only with your explicit consent.

7. Cross-Border Data Transfers

In accordance with Section 48 of the DPA, we may transfer personal data outside Kenya only where:

• The recipient country or organisation provides adequate data protection safeguards as determined by the ODPC;
• Appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules;
• You have given explicit consent to the transfer after being informed of the risks; or
• The transfer is necessary for the performance of a contract between us and you.

Our primary data storage is in Africa, with backup and disaster recovery infrastructure in Europe. All cross-border transfers are subject to appropriate technical and contractual safeguards.

8. Data Security

We implement appropriate technical and organisational measures in compliance with Section 41 of the DPA, including:

• Encryption: TLS 1.2+ for data in transit; AES-256 encryption for data at rest.
• Access controls: Role-based access control, multi-factor authentication for administrative access, and principle of least privilege.
• Network security: Firewalls, intrusion detection systems, and regular vulnerability assessments.
• Physical security: Data centre access controls, CCTV monitoring, and environmental controls.
• Backup and recovery: Regular automated backups with tested disaster recovery procedures.
• Employee training: All staff handling personal data receive regular data protection training.
• Incident response: Documented data breach response plan in compliance with Section 43 of the DPA.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Active account data: Retained for the duration of your subscription plus thirty (30) days after termination for data export.
• Billing records: Retained for seven (7) years as required by the Kenya Revenue Authority and the Income Tax Act (Cap. 470).
• Tax documents: Retained as required by RRA regulations.
• Support correspondence: Retained for two (2) years from the date of resolution.
• Usage and analytics data: Aggregated and anonymised data may be retained indefinitely. Identifiable usage data is retained for twelve (12) months.
• Marketing consent records: Retained for as long as the consent is active, plus two (2) years.

After the retention period, personal data is securely deleted or anonymised using industry-standard methods.

10. Cookies and Tracking Technologies

We use cookies and similar technologies on our website and services:

• Essential cookies: Required for the Services to function (authentication, session management, security). Cannot be disabled.
• Analytics cookies: Help us understand how visitors use our website (e.g., Google Analytics). These are only set with your consent.
• Preference cookies: Remember your settings such as country and language preferences.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Services.

11. Your Rights Under the Data Protection Act 2019

Under Part IV of the DPA, you have the following rights:

• Right of access (Section 26(a)): You have the right to request a copy of the personal data we hold about you.
• Right to rectification (Section 26(b)): You have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure (Section 26(c)): You have the right to request deletion of your personal data, subject to our legal retention obligations.
• Right to data portability (Section 26(d)): You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON).
• Right to object (Section 26(e)): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
• Right to restrict processing (Section 26(f)): You have the right to request restriction of processing in certain circumstances.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
• Right not to be subject to automated decision-making (Section 35): You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond within thirty (30) days of receiving your request, as required by the DPA. We may request verification of your identity before processing your request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at [email protected] or visit www.odpc.go.ke.

12. Children's Privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. In accordance with Section 33 of the DPA, if we become aware that we have collected personal data from a child without appropriate parental or guardian consent, we will take steps to delete such data promptly.

13. Data Breach Notification

In accordance with Section 43 of the DPA, in the event of a personal data breach that is likely to result in risk to your rights and freedoms:

• We will notify the ODPC within seventy-two (72) hours of becoming aware of the breach.
• Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email and/or in-app notification.
• The notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address the breach.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to you at least thirty (30) days in advance via email or in-app notification. The "Last updated" date at the top of this page indicates when the Policy was last revised. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

15. Contact Us

For any questions about this Privacy Policy, your personal data, or to exercise your rights, contact us at:

VumaCloud LTD — Data Protection Officer
One Africa Place, Waiyaki Way, Nairobi, Kenya

• All enquiries: [email protected]
• Phone/WhatsApp: +254 783 150 465

Supervisory Authority:
Office of the Data Protection Commissioner (ODPC)
P.O. Box 30166-00100, Nairobi, Kenya
Website: www.odpc.go.ke
Email: [email protected]