Privacy Policy

This Privacy Policy describes how Invosafi Solutions ("we", "us", or "our") collects, uses, and protects your personal information when you use InvoSafi ("the Service").

1. Information We Collect

Account Information

When you sign up with Google, we receive: your email address, display name, and profile picture. This is stored securely in our database.

Document Content

Information you enter in your documents: business names, addresses, amounts, line items, logos, signatures, and photo attachments.

Payment Information

When you pay via M-Pesa (per-document or subscription), we receive: your phone number, M-Pesa receipt number, transaction amount, and transaction date. For subscription payments, we also store the plan selected, activation date, and remaining document quota. We do not store your M-Pesa PIN or any banking credentials.

Technical Data

IP address (for rate limiting and abuse prevention), browser user agent, and request timestamps.

2. Legal Basis for Processing

Under the Kenya Data Protection Act 2019, we process your personal data on the following legal bases:

  • Contractual necessity — To provide the Service, generate your documents, and process your payments
  • Consent — When you sign up for an account or submit information voluntarily
  • Legitimate interest — For fraud prevention, abuse detection, rate limiting, and improving the Service
  • Legal obligation — To comply with Kenyan tax and regulatory requirements

3. How We Use Your Information

  • Generate and store your documents
  • Process M-Pesa payments and manage subscriptions
  • Send documents via email when you use the sharing feature
  • Provide dashboard analytics for your account
  • Prevent fraud and abuse
  • Improve the Service

4. Data Sharing

We do not sell, rent, or share your personal information with third parties, except:

  • Safaricom: Phone number and payment amount are shared to process M-Pesa transactions
  • Supabase: Our database and authentication provider (hosted infrastructure)
  • Email delivery providers: When you share a document via email, the recipient's email address and document content are processed by our email delivery service
  • Legal requirements: When required by Kenyan law or court order

5. Data Retention

  • Guest documents: Unpaid guest documents are automatically deleted after 90 days
  • Paid documents: Retained indefinitely (or until you delete your account)
  • Payment records: Retained for 7 years (Kenyan tax compliance)
  • Subscription records: Retained for the duration of the subscription plus 7 years for tax compliance
  • Account data: Deleted within 30 days of account deletion request

6. Data Security

We use industry-standard security measures: HTTPS encryption, Row-Level Security in our database, secure httpOnly cookies, and access controls. However, no system is 100% secure, and we cannot guarantee the absolute security of your data.

7. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with the Kenya Data Protection Act 2019. The notification will include:

  • The nature of the breach
  • The categories of personal data affected
  • The remedial actions we have taken or plan to take
  • Recommendations for steps you can take to protect yourself

We will also notify the Office of the Data Protection Commissioner as required by law.

8. Your Rights

Under the Kenya Data Protection Act 2019, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data (right to be forgotten)
  • Object to processing
  • Data portability

Account Deletion: You may request deletion of your account and personal data by emailing [email protected] or by using the self-service option in your account dashboard. Account data will be deleted within 30 days of your request, except where retention is required by law (e.g., payment records for tax compliance).

9. Cookies

We use essential cookies only: Supabase authentication session and guest session identifier. No tracking or analytics cookies are used.

10. Third-Party Links

The Service may contain links to third-party websites or services. Invosafi Solutions is not responsible for the privacy practices or content of those external sites. We encourage you to review the privacy policies of any third-party services you access through our platform.

11. Children's Privacy

InvoSafi is not intended for users under 18. We do not knowingly collect data from minors. If we become aware that a minor has provided us with personal data, we will take steps to delete that information promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for legal reasons. We will post the updated policy on this page. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

Contact

For privacy inquiries or to exercise your data rights, contact us at [email protected].