Privacy Policy
Last Updated: May 18, 2025
1. Introduction
At VendoFlow POS ("we," "our," or "us"), we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our point of sale application, website, and related services (collectively, the "Service").
This Privacy Policy is designed to comply with the Data Protection Act, 2019 of Kenya and other applicable data protection laws. By using the Service, you consent to the practices described in this Privacy Policy.
As a business operating in Kenya, we understand the importance of protecting personal data while facilitating legitimate business operations. Our Service is designed specifically for Kenyan businesses, with consideration for local business practices and regulatory requirements.
2. Data Controller and Data Processor Roles
Under the Data Protection Act, 2019 of Kenya:
- You (the business using our Service) are considered the "Data Controller" for customer data that you collect through our Service
- VendoFlow POS acts as a "Data Processor" when processing this customer data on your behalf
- VendoFlow POS acts as a "Data Controller" for the information we collect directly from you (our business customer) for account management and service provision
This distinction is important for understanding our respective responsibilities under Kenyan data protection law.
3. Information We Collect
We collect several types of information to provide and improve our Service:
3.1 Business Information
When you register for our Service, we collect information about your business, including:
- Business name and type
- Kenya Revenue Authority (KRA) PIN
- Business registration number
- Business location and contact details
- Owner/manager name and contact information
- Staff information for user accounts
- Payment information for subscription billing
3.2 Customer Data You Provide
Through your use of our POS system, you may collect and input information about your customers, which we process on your behalf:
- Customer names and contact information
- Purchase history and transaction details
- Payment information (such as M-Pesa phone numbers or partial card details)
- Loyalty program information
- Customer preferences and notes
As the Data Controller for this information, you are responsible for obtaining appropriate consent from your customers and informing them about how their data will be used, in compliance with the Data Protection Act, 2019.
3.3 Usage and Technical Data
We automatically collect certain information about how you interact with our Service:
- IP address and device information
- Browser type and version
- Operating system
- Pages visited and features used
- Time and date of your visits
- System performance metrics
- Error logs and troubleshooting information
4. How We Use Your Information
We use the information we collect for various purposes related to providing and improving our Service:
4.1 Business Information
- Creating and managing your account
- Processing subscription payments
- Providing customer support
- Sending service updates and administrative notifications
- Verifying your identity and business legitimacy
- Complying with legal obligations, including KRA requirements
4.2 Customer Data
- Providing POS functionality, including sales processing and receipt generation
- Enabling inventory management and reporting
- Facilitating customer relationship management features
- Generating business analytics and reports
- Backing up data to prevent loss
4.3 Usage and Technical Data
- Improving the Service and user experience
- Troubleshooting technical issues
- Monitoring system performance and security
- Analyzing usage patterns to guide product development
- Preventing fraud and unauthorized access
5. Legal Basis for Processing
Under the Data Protection Act, 2019 of Kenya, we process your information based on the following legal grounds:
- Contract fulfillment: Processing necessary to provide the Service you have subscribed to
- Legal obligation: Processing required to comply with Kenyan laws and regulations
- Legitimate interests: Processing that serves our legitimate business interests, such as improving our Service and ensuring security
- Consent: Processing based on specific consent you have provided
For customer data that you collect and we process on your behalf, we act based on your instructions as the Data Controller, and you are responsible for establishing the legal basis for collecting this information from your customers.
6. Data Sharing and Disclosure
We may share your information in the following circumstances:
- Service Providers: We work with third-party service providers based in Kenya and internationally who help us provide the Service, including:
  - Cloud hosting providers
  - Payment processors (including M-Pesa integration partners)
  - Customer support tools
  - Analytics services
- Legal Requirements: We may disclose information if required by Kenyan law, regulation, legal process, or governmental request
- Business Transfers: If VendoFlow POS is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction
- With Your Consent: We may share information with third parties when you have given us consent to do so
We do not sell your personal information or your customers' personal information to third parties.
7. M-Pesa and Payment Processing
Our Service integrates with M-Pesa and other payment methods common in Kenya. When processing payments:
- We do not store complete M-Pesa transaction details or full card numbers
- Payment processing is conducted through secure, PCI-compliant service providers
- We maintain transaction records as required by Kenyan financial regulations
- Integration with M-Pesa is subject to Safaricom's terms and conditions
You should review the privacy policies of the payment service providers you use through our Service for additional information on how they process payment data.
8. Data Security
We implement appropriate technical and organizational measures to protect your information:
- Encryption of data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication requirements
- Staff training on data protection and security
- Physical security measures for our offices and servers
- Regular backups to prevent data loss
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.
9. Data Retention
We retain your information for as long as your account is active or as needed to provide you with the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.
Specifically:
- Business account information is retained for the duration of your subscription and for 7 years afterward, as required by Kenyan tax and business regulations
- Transaction records are kept for a minimum of 7 years to comply with KRA requirements
- Customer data you collect is retained according to your instructions and can be exported or deleted upon request, subject to legal retention requirements
- Usage logs and technical data are typically retained for 1-2 years for security and performance analysis
10. Your Rights Under Kenyan Data Protection Law
Under the Data Protection Act, 2019 of Kenya, you have the following rights regarding your personal information:
- Right to be informed about the collection and use of your personal data
- Right to access your personal data
- Right to correction of inaccurate personal data
- Right to deletion of your personal data in certain circumstances
- Right to restrict processing of your personal data
- Right to data portability
- Right to object to processing based on legitimate interests
- Rights related to automated decision making and profiling
To exercise these rights, please contact us using the information in the "Contact Us" section below. We will respond to your request within 30 days.
For customer data that you collect through our Service, you are responsible for responding to requests from your customers who wish to exercise their rights under the Data Protection Act. We will assist you in fulfilling these requests as they relate to data we process on your behalf.
11. Cross-Border Data Transfers
VendoFlow POS operates primarily in Kenya, but we may transfer your information to service providers in other countries to provide our Service. When we transfer personal data outside of Kenya, we ensure that:
- The recipient country has adequate data protection laws as determined by the Data Commissioner of Kenya
- Appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules
- The transfer is necessary for the performance of a contract between you and VendoFlow POS
- You have given explicit consent to the proposed transfer
By using our Service, you consent to the transfer of your information to countries that may have different data protection laws than Kenya.
12. Cookies and Similar Technologies
We use cookies and similar tracking technologies to track activity on our Service and hold certain information. These technologies help us:
- Authenticate users and maintain session information
- Remember your preferences and settings
- Understand how you use our Service
- Improve the user experience
- Protect against fraudulent activity
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
13. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Privacy Policy.
For significant changes, we will provide additional notice, such as an email notification or an in-app message. We encourage you to review this Privacy Policy periodically for any changes.
14. Dispute Resolution
If you have a complaint about our privacy practices, please contact us first so that we can try to resolve your concern. If you believe we have not adequately addressed your complaint, you have the right to file a complaint with the Data Commissioner of Kenya.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
privacy@vendoflow.com
Phone: +254 704 803 331
VendoFlow POS
Parklands
Nairobi
Kenya
Our Data Protection Officer can be reached at dpo@vendoflow.com