1. Introduction
Kappit ("Kappit", "we", "our", or "us") is committed to protecting the personal data of every individual who uses our platform. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you access or use the Kappit business management platform ("the Service").
This policy is issued in accordance with the Kenya Data Protection Act, 2019 and the guidelines of the Office of the Data Protection Commissioner (ODPC). By using the Service, you acknowledge that you have read and understood this Privacy Policy.
Kappit acts as a data processor on behalf of each business ("Company Owner") that uses our platform. The Company Owner is the data controller responsible for the personal data of their employees, customers, and suppliers. Kappit processes personal data only in accordance with the instructions of the Company Owner and applicable law.
2. What We Collect
2.1 Company Information
When a business registers on Kappit, we collect:
- Business name and trading name
- Business registration number and KRA PIN
- Physical address, postal address, telephone, and email address
- Industry sector and business type
- Names and contact details of company officers and authorised contacts
- Bank account details (where provided for payment processing purposes)
2.2 Employee Information
When employee records are created in the HR module, we collect and store:
- Full name, national identification number, and date of birth
- Gender and nationality
- Residential address, telephone number, and email address
- Emergency contact details
- Employment details: job title, department, reporting line, start date
- Salary, allowances, and deduction information
- Bank account details for payroll processing
- NSSF membership number and NHIF membership number
- KRA PIN for PAYE processing
- Leave balances and attendance records
- Performance notes (where entered by a manager)
- Profile photograph (if uploaded)
2.3 Customer Information
- Customer business name, contact person, and contact details
- Physical and postal address
- Transaction history: invoices, payments, and credit notes
- Outstanding balances and credit limit
- Communication records and notes
2.4 Supplier Information
- Supplier name, business registration number, and KRA PIN
- Contact person and contact details
- Bank account details for payment processing
- Purchase history, outstanding payables, and credit terms
- Quotation and order history
2.5 Payroll Information
- Gross salary, net salary, and payslip history
- PAYE calculations and monthly tax deductions
- NSSF contributions (employer and employee)
- NHIF contributions
- HELB deductions (where applicable)
- Salary advances and employee loans
- Housing levy contributions
2.6 Accounting Information
- Chart of accounts and account balances
- Journal entries and transaction records
- Invoices, receipts, credit notes, and purchase orders
- Bank reconciliation data and statements
- Expense records and receipts
- Tax records and VAT data
2.7 Uploaded Documents
The platform allows users to upload supporting documents, which may include:
- Copies of national identification documents
- Contracts, agreements, and letters of appointment
- Quotations, delivery notes, and goods received notes
- Expense receipts and proof of payment
- Any other business document uploaded by an authorised user
2.8 System and Security Logs
- Login records: IP address, device type, browser, operating system, timestamp
- Security events: failed login attempts, account lockouts, password changes
- Audit logs: records of who viewed, created, edited, or deleted data, and when
- Session records: active sessions and session termination events
- Error logs for technical support and debugging
2.9 Usage Analytics
We collect aggregated, non-personally identifiable usage data to understand how the platform is used and to improve the Service. This includes feature usage frequency, navigation patterns, session duration, and performance metrics. This data does not identify individual users.
2.10 Cookies
We use cookies to maintain your session, protect the platform from cross-site request forgery, and remember your preferences. Please refer to our Cookie Policy for full details.
3. Why We Collect It
We collect and process personal data for the following lawful purposes:
- Contractual necessity — to fulfil our obligations under the subscription agreement, including providing access to all subscribed features
- Legitimate interests — to operate, maintain, and improve the platform; to detect and prevent fraud and security threats; and to communicate service updates
- Legal obligation — to comply with Kenyan tax law (KRA requirements), employment law, anti-money laundering regulations, and any court orders or lawful requests from regulatory authorities
- Consent — where you have explicitly consented to specific data processing, such as receiving marketing communications
4. How We Use Your Data
Personal data collected through the platform is used for the following specific purposes:
- HR & Payroll — Employee personal and financial data is used to calculate salaries, statutory deductions, and generate payslips and payroll reports
- Invoicing & Accounting — Customer and supplier data is used to generate invoices, receipts, purchase orders, and financial statements
- Inventory Management — Product and transaction data is used to track stock levels, movements, and valuations
- Security & Fraud Prevention — Login records, IP addresses, and audit logs are used to detect, investigate, and respond to security incidents and suspicious activity
- Communications — Contact details are used to send invoices, payment reminders, quotations, and statements to customers and suppliers
- Platform Improvement — Aggregated, anonymised usage data is analysed to identify areas for improvement and to prioritise new features
- Legal Compliance — Financial and employment records are retained to meet KRA, NSSF, NHIF, and other regulatory obligations
- Support — Account information and error logs are used to diagnose technical issues and respond to support requests
5. How Data Is Stored
All data is stored on secure cloud infrastructure operated by reputable cloud service providers. Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3.
Each company's data is stored within a logically isolated tenant environment. Physical and logical access to production databases is restricted to authorised Kappit engineering personnel only, and all access is logged and monitored.
Kappit processes data in accordance with the data localisation guidance issued by the Office of the Data Protection Commissioner (ODPC) of Kenya.
6. How We Protect Data
Kappit employs a multi-layered security approach to protect personal data:
- Encryption — All data in transit is encrypted using TLS 1.3; all data at rest is encrypted using AES-256
- Access Control — Role-based access control (RBAC) limits access to data based on each user's assigned role and permissions
- Multi-Tenant Isolation — Database-level tenant scoping ensures that no user can access another company's data
- Audit Logging — All sensitive operations — including data access, creation, modification, and deletion — are logged with timestamps and user identifiers
- Intrusion Detection — Automated monitoring systems detect and alert on anomalous access patterns and potential security incidents
- Password Security — Passwords are stored using secure one-way hashing algorithms and are never stored in plain text
- Security Assessments — Kappit conducts regular security assessments and responds to responsibly disclosed vulnerabilities
- Staff Training — Kappit personnel with access to personal data receive data protection training and are bound by confidentiality obligations
7. Data Retention
We retain personal data for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal obligations. The following retention periods apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Business & financial records | 7 years after the relevant tax period | KRA / Tax Procedures Act |
| Employee payroll & HR records | 7 years from date of creation | Employment Act, 2007 |
| NSSF & NHIF contribution records | 7 years | NSSF Act / NHIF Act |
| Login history & security logs | 12 months | Security operations |
| Security audit logs | 3 years | Legal compliance |
| Communication records | 3 years | Business operations |
| Policy acceptance records | Duration of subscription + 5 years | Legal compliance |
| Uploaded documents | Duration of subscription + 30 days | Contractual obligation |
After the applicable retention period, data is securely and irreversibly deleted or anonymised. Where retention is legally required, we will explain the reason if you request deletion.
8. Corrections & Deletion
Requesting Corrections
Company Owners and authorised Managers can correct most business and employee data directly within the Kappit platform. For corrections to your own account information (such as your registered email address or name), contact privacy@kappit.co.ke.
Requesting Deletion
You may request deletion of personal data in the following circumstances:
- The data is no longer necessary for the purpose for which it was collected
- You withdraw consent (where consent is the legal basis for processing)
- The data was processed unlawfully
- Deletion is required to comply with a legal obligation under Kenyan law
Please note: Kappit is not able to delete data that we are legally required to retain under Kenyan law, including financial records required by the KRA. In all cases, we will clearly explain what we are retaining and why.
To request deletion, contact privacy@kappit.co.ke. We will respond within 21 days as required by the Kenya Data Protection Act.
9. Data Export
Company Owners can export their business data at any time through the Kappit platform. Exports are provided in commonly used formats (CSV, PDF, or Excel) depending on the data type.
Upon account termination, Company Owners may request a full data export within 30 days of the termination date. After this period, data may be permanently deleted from our systems, subject to legal retention obligations.
Individual employees may request a copy of their own personal data by contacting their Company Owner or by emailing privacy@kappit.co.ke.
10. Multi-Tenant Security
Kappit is a multi-tenant platform. Every company's data is assigned a unique tenant identifier at the database level. All database queries executed on behalf of an authenticated user are automatically scoped to that user's company, making cross-tenant data access technically impossible under normal platform operation.
Additional safeguards include:
- Session-level business context enforcement — every authenticated session is bound to a specific tenant
- Middleware-level tenant verification on every request
- Continuous monitoring for anomalous access patterns that may indicate cross-tenant probing
- Immediate escalation and investigation of any detected cross-tenant access attempt
11. Audit Logs
Kappit maintains comprehensive audit logs of all sensitive operations performed within each business workspace. These logs record:
- Who performed the action (user identifier)
- What action was taken (create, view, update, delete)
- Which record was affected (resource type and identifier)
- The previous values and new values (for update operations)
- The timestamp of the action
- The IP address and device used
Audit logs are retained for 3 years and are available to Company Owners through the Security Centre within the platform. Audit logs serve as an important internal control mechanism for detecting errors, fraud, and unauthorised data access.
12. Communications History
Kappit stores a record of communications sent through the platform on behalf of your business. This includes:
- Invoice emails, payment reminders, and statements sent to customers
- Quotation and purchase order communications sent to suppliers
- Employee invitation messages
- Delivery and transaction notifications
Communication records include the recipient's contact details, the message type, the date and time of sending, and — where available — delivery status. These records are stored as part of your business history and are subject to the retention periods described in Section 7.
Kappit does not use your outbound business communications for advertising purposes or share them with third parties, except where necessary to operate the delivery mechanism (e.g., an email service provider).
13. Third-Party Integrations
Kappit may in the future offer integrations with third-party services, including but not limited to:
- Payment gateways (e.g., M-Pesa, Equity, card processors)
- Kenya Revenue Authority eTIMS for electronic tax invoicing
- Banking platforms for automated reconciliation
- Communication platforms (e.g., WhatsApp Business API, SMS gateways)
Where data is shared with third-party integration partners, it will be limited to the minimum data necessary for the integration to function, governed by a formal Data Processing Agreement, and disclosed to you in advance of the integration being activated.
You will have control over which integrations are enabled for your workspace. Enabling an integration constitutes your consent to the data sharing described in that integration's terms.
14. Your Rights
Under the Kenya Data Protection Act, 2019, you have the following rights in relation to your personal data:
Right of Access
You have the right to request a copy of the personal data we hold about you, information about how we use it, and who we share it with.
Right to Correction
You have the right to request the correction of inaccurate or incomplete personal data.
Right to Deletion
You have the right to request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention obligations.
Right to Restriction
You have the right to request that we restrict the processing of your data in certain circumstances — for example, while a dispute about its accuracy is being resolved.
Right to Object
Where we process your data on the basis of legitimate interests, you have the right to object to that processing. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Data Portability
Where processing is based on your consent or a contract, and is carried out by automated means, you have the right to receive your data in a structured, commonly used, and machine-readable format, and to transmit it to another service provider.
Right to Withdraw Consent
Where we process data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Right to Complain
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.
To exercise any of your rights, contact our Data Protection Officer at privacy@kappit.co.ke. We will acknowledge your request within 7 days and respond fully within 21 days, as required by the Kenya Data Protection Act.
15. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact our Data Protection Officer:
| Data Protection Officer | privacy@kappit.co.ke |
| Security Concerns | security@kappit.co.ke |
| General Enquiries | hello@kappit.co.ke |
| Postal Address | Kappit, Nairobi, Kenya |
This Privacy Policy may be updated from time to time to reflect changes in the law or our practices. We will notify you of material changes with at least 30 days' notice and will require re-acceptance where required by law.
© 2026 Kappit. All rights reserved. Registered in Kenya.