Privacy Policy
Effective date: 1 January 2025
Last updated: March 2026
Governed by the Kenya Data Protection Act, 2019
Plain English summary: We collect only what we need to run your inventory business. We don't sell your data. We don't share it with anyone except Safaricom (for M-Pesa payments) and our hosting provider. You can request your data or delete your account at any time.
1. Who we are
inventory.co.ke is a software-as-a-service (SaaS) platform that provides inventory management, sales recording, invoicing, and business reporting tools to small and medium businesses in Kenya.
For the purposes of the Kenya Data Protection Act, 2019 (DPA), we are the data controller in respect of personal data you provide to us when creating an account or using our services.
Contact: hello@inventory.co.ke
2. Data we collect
2.1 Account data (vendors)
- Email address — used as your login identifier
- Business name — displayed in your invoices and receipts
- Phone number — optional, used for account recovery and notifications
- Business address — optional, displayed on invoices
- Business logo — optional, displayed on invoices and receipts
2.2 Business data you enter
This is data you create while using the platform. It belongs to you:
- Products, categories, and stock levels
- Sales records and transaction history
- Customer names and contact details
- Invoice and receipt data
- Expense records
2.3 Staff account data
- Staff name and username — created by the vendor (you), not by the staff member
- Hashed passwords — we never store plain-text passwords
2.4 Payment data
- M-Pesa transaction codes you submit when paying for a subscription
- Subscription status and payment history
- We do not store M-Pesa PINs, card numbers, or full phone numbers beyond what Safaricom returns in the STK push callback.
2.5 Technical data
- Session cookies (required for login to work)
- Browser localStorage (stores your dark/light mode preference only)
- Server logs — IP address, browser type, pages visited. Retained for 30 days for security purposes.
3. How we use your data
- To provide the service — your business data is used to display your inventory, generate reports, create invoices and receipts
- To process payments — transaction codes are verified against Safaricom's M-Pesa API to activate your subscription
- To send service notifications — low stock alerts, subscription expiry reminders, and account-related emails
- To maintain security — server logs help us detect and prevent unauthorised access
- To improve the platform — aggregated, anonymised usage patterns (never individual records)
We do not use your data for advertising. We do not sell or rent your data to any third party.
4. Legal basis for processing (DPA Section 30)
- Contract performance — processing your account and business data is necessary to deliver the service you signed up for
- Legitimate interests — server security logs and fraud prevention
- Consent — optional data such as phone number and business logo, which you may provide or withhold freely
- Legal obligation — we may retain certain records if required by Kenyan law (e.g. in response to a valid court order)
5. Who we share data with
We share data with the following third parties only to the extent necessary to operate the service:
Safaricom (M-Pesa)
When you pay via M-Pesa STK Push, your phone number is transmitted to Safaricom to initiate the payment request. Safaricom's own privacy policy governs how they handle that data. We receive only a transaction confirmation code and payment amount in return.
Hosting provider
Our servers are hosted on Hostpinnacle (Kenya). Your data is stored on servers physically located in Kenya. We do not transfer personal data outside Kenya.
Email service
We use Gmail SMTP to send transactional emails (low stock alerts, subscription reminders). Email addresses are transmitted to Google's servers solely for delivery purposes.
We will disclose your data to law enforcement or government authorities only if required by a valid legal order under Kenyan law, and only to the extent required.
6. How long we keep your data
- Active accounts — retained for as long as your account is active
- Inactive accounts — accounts with no subscription activity for 24 months will receive an email warning, followed by anonymisation of personal data if no response is received within 30 days. Your business records (sales, products) will be deleted. You may request earlier deletion at any time.
- Payment records — retained for 7 years in accordance with Kenya's Tax Procedures Act requirements
- Server logs — deleted after 30 days
- Deleted accounts — upon account deletion, all personal data is permanently removed within 30 days. Aggregated anonymised statistics may be retained.
7. Your rights under the Kenya Data Protection Act, 2019
As a data subject under Kenyan law, you have the following rights:
- Right of access (Section 26a) — you may request a copy of all personal data we hold about you
- Right to rectification (Section 26b) — you may correct inaccurate data via your profile settings at any time
- Right to erasure (Section 26c) — you may request deletion of your account and all associated personal data
- Right to data portability (Section 26e) — you may request an export of your business data in CSV format
- Right to object (Section 26f) — you may object to processing based on legitimate interests
- Right to withdraw consent — for optional data fields, you may withdraw consent at any time by deleting the data from your profile
To exercise any of these rights, email us at hello@inventory.co.ke. We will respond within 21 days as required by the DPA.
Account deletion: You can delete your account by emailing hello@inventory.co.ke with the subject line "Delete my account". We will confirm deletion within 7 days and complete it within 30 days.
8. How we protect your data
- All data is transmitted over HTTPS, encrypted with TLS
- Passwords are hashed using PBKDF2-SHA256 — we cannot see or recover your password
- Staff passwords are separately hashed — vendors cannot see staff passwords in plain text
- Each vendor's data is strictly isolated — no vendor can access another vendor's records
- Our admin panel is accessible only to authorised personnel via a separate authentication system
- Sessions are protected with CSRF tokens and HTTP-only cookies
In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours and notify affected users without undue delay, as required by DPA Section 43.
9. Cookies and local storage
- Session cookie (sessionid) — essential for login. Expires when you close your browser or after 14 days of inactivity. Cannot be disabled without breaking the service.
- CSRF cookie (csrftoken) — essential for form security. Required by all form submissions.
- localStorage — we store only your display preference (dark/light mode). No personal data. You can clear this in your browser settings at any time.
We do not use advertising cookies, analytics cookies, or any third-party tracking.
10. Minors
inventory.co.ke is a business tool intended for use by adults operating registered or informal businesses. We do not knowingly collect personal data from persons under the age of 18. If you believe a minor has created an account, please contact us immediately at hello@inventory.co.ke.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 14 days before the changes take effect. The updated policy will also be posted on this page with a revised effective date.
Continued use of the service after changes take effect constitutes acceptance of the updated policy.