PRIVACY POLICY 

(Kenya Data Protection Act, 2019 Compliance)

Nexvolve Limited (“we”, “us”, “our”) is committed to protecting personal data and complying with the Kenya Data Protection Act (DPA), 2019.
This Privacy Policy applies to all Nexvolve software systems, modules, and services (“the Services”).
It explains the types of data we process, how it is used, and your rights under the law.

1. Data We Collect

We may collect and process:

Account Data

• Name

• Email address

• Phone number
  
  

Organization & Entity Data

• Entities created within the system (e.g., tenants, clients, members, customers)

• Organization information
  
  

System & Workflow Data

• Automated notifications generated by the system

• Tasks, tickets, sales data, and workflows

• Automation settings

• Internal metadata required for system operation
  
  

Service Logs

• Login and access activity

• API requests

• Technical and performance logs

• Error logs
  
  

Notification Delivery Data

For sending automated messages through external communication channels, we process:

• recipient contact details (e.g., phone number, email address)

•  message content generated by the system

• delivery status and metadata where provided
  
  

We do NOT:

• access or read private conversations on external messaging platforms beyond system-generated messages

• store full chat histories from external messaging applications

• monitor or analyze inbound messages outside the scope of system functionality
  
  

2. How We Use Data

We process data to:

• Operate and deliver all Nexvolve systems and modules

• Send system-generated notifications

• Manage tasks, tickets, workflows, and sales tools

• Maintain system security and prevent abuse

• Improve features and performance

• Provide customer support
  
  

We do not use personal data for advertising or sell it to third parties.

3. Legal Basis for Processing

Our processing is based on:

✔ Performance of a contract  

To provide the Services to the Organization.

✔ Legitimate interest  

Including security, fraud prevention, analytics, billing, and service optimization.

✔ Consent (where applicable)  

Where required under applicable law.

Role of Nexvolve

Nexvolve acts in two roles:

1. Data Controller  

For personal data related to our own business operations, including:

• account registration

• billing and payments

• customer support

• system administration
  
  

2. Data Processor  

For all data entered into the system by Organizations (including End Users such as tenants, clients, or customers).

In this role:

• the Organization is the Data Controller  

• Nexvolve processes data only on behalf of the Organization  

• processing is limited to providing the Services 
  
  

Organizations are responsible for ensuring they have a lawful basis for the data they input into the system.

4. Data Storage & Location

All personal data is securely stored in Supabase, our managed cloud PostgreSQL provider, using modern industry-standard protections.

Personal data may be processed and stored in secure data centers located outside Kenya, including but not limited to the United States, Ireland, and Germany.

These transfers occur through our infrastructure providers (including database hosting, application hosting, and communication gateways) and are necessary for the operation of the Services.

We ensure that all such transfers are protected by appropriate safeguards in accordance with the Kenya Data Protection Act (2019).

Frontend hosting platforms are not used to store personal data.

5. Data Sharing

We do not sell personal data.

We share only the minimum necessary data with trusted service providers required for delivering the Services, including:

• Communication gateway providers

• Cloud database hosting providers

• Payment processing providers
  
  

All third-party providers follow strict data protection obligations.

6. User Rights (Kenya DPA, 2019)

You have the right to:

• Access personal data

• Request correction or deletion

• Object to processing

• Withdraw consent (where applicable)

• Request data portability

• Lodge a complaint with the Office of the Data Protection Commissioner

7. Data Retention

We retain personal data only for as long as necessary to provide the Services, fulfill contractual obligations, maintain security and audit records, resolve disputes, and comply with applicable legal requirements.

Where Nexvolve acts as a Data Processor, retention of End User data is determined primarily by the client Organization, subject to operational and legal requirements.

Upon account closure or termination, data may be deleted, anonymized, or retained only where necessary for legal, billing, security, or dispute-resolution purposes.

8. Data Protection Contact

Nexvolve Limited has appointed a data protection contact responsible for oversight of data protection compliance and data subject requests.

Data Protection Contact:

Holger Keune

Email: dpo@nexvolve.app

You may submit requests to:
📧 privacy@nexvolve.app