Privacy Policy for Uwazo
Last updated: November 2, 2025
This Privacy Policy describes how Uwazo ("we", "us", "our") collects, uses, and discloses Personal Data when you use the Uwazo Service (the "Service"), and explains your privacy rights.
We use your Personal Data to operate and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
1. Interpretation and Definitions
Interpretation
Words whose initial letter is capitalized have the meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Account means a unique account created for You to access our Service or parts of our Service.
- Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
- Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Uwazo.
- Cookies are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.
- Country refers to: Kenya.
- Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
- Large Language Models (LLMs) refer to third-party artificial intelligence services, such as Google Gemini and OpenAI models, that We use to process Your queries and generate responses within the Service.
- Personal Data is any information that relates to an identified or identifiable individual. This includes information you provide directly, information collected automatically, and information contained within Customer Content.
- Service refers to the Uwazo AI-powered chat application and related services accessible via the Website, designed to provide information on tax, laws, and business regulations.
- Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service.
- Customer Content refers collectively to User Documents, Chat Content, workspace metadata, and other information you or your Organization submit to the Service.
- Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Website refers to Uwazo, accessible from https://www.uwazo.com/
- You means the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
2. Collecting and Using Your Personal Data
Types of Data Collected
Personal Data
While using Our Service, We collect the following types of Personal Data:
Information from Social Authentication:
- Email address
- Display Name (First name and last name or preferred display name)
- Profile Photo
Information You Provide Directly:
- Customer Content: Files you upload, chat messages, workspace metadata, and other context you submit to the Service.
- Profile and Organization Information: Profile details, organization name, slug, billing and plan details, seat assignments, invitations, and roles.
Information for Payments:
- Payment details necessary to process transactions (We do not directly store Your full payment card information).
You are responsible for the accuracy of the information You provide to Us and for ensuring You have the right to upload any User Documents.
Usage Data
Usage Data is collected automatically when using the Service. This may include information such as your device's Internet Protocol (IP) address, browser type, browser version, the pages of our Service you visit, the time spent on those pages, unique device identifiers, and other diagnostic data. We also receive anti-bot signals from Vercel Bot Protection.
Use of Your Personal Data
The Company may use Personal Data for the following purposes:
- To provide and maintain our Service, including to monitor the usage of our Service, manage Your Account, and enable core functionalities.
- To personalize Your experience and provide context to our AI: Information such as your name, Customer Content, and workspace context is used to tailor responses and make the Service more relevant to you.
- To enable AI functionalities: Your prompts and the minimum necessary portions of Customer Content are processed by third-party Large Language Models (LLMs) such as Google Gemini and OpenAI solely to generate responses to your queries. We do not permit these providers to train or fine-tune their models on your data.
- To manage Your Account: to manage Your registration and authentication as a user of the Service.
- To contact You: To contact you by email regarding important updates to the Service, security notices, or information related to your Account or use of the Service.
- To manage Your requests: To attend and manage Your requests to Us.
- To process payments: To facilitate transactions for any paid features of the Service.
- For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets.
- For security and fraud prevention: To detect, prevent, and address technical issues, abuse, or violations of our policies.
We process Personal Data under the legal bases available under the Kenya Data Protection Act, including contract necessity (providing the Service), legitimate interests (security, fraud prevention, service improvement), consent (where required, e.g., marketing communications), and compliance with legal obligations.
Sharing of Your Personal Data
We may share Your personal information in the following situations:
- With Service Providers: We share your personal information with third parties that provide infrastructure or services on our behalf, including Supabase (authentication, database, storage), Paystack and M-PESA (payments), WorkOS or similar identity providers (SSO), Vercel Bot Protection, Exa (optional web search), analytics providers, and LLM providers (OpenAI, Google) to generate AI responses. These providers are contractually obligated to protect your data and may not use it for any other purpose.
- For business transfers: As described in the "Use of Your Personal Data" section.
- With Your consent or at Your direction: We may disclose your personal information for any other purpose with your explicit consent.
- For legal compliance: We may disclose information when required to do so by law or in response to valid requests from public authorities.
Retention of Your Personal Data
The Company will retain your Personal Data, including Account information, Customer Content, and workspace metadata, only for as long as your account remains active or as necessary for the purposes set out in this Privacy Policy.
Upon deletion of your Account, we will take commercially reasonable steps to delete Personal Data associated with your Account from our active systems. Some data may persist in backups for a limited period or as required by law, to resolve disputes, or enforce agreements.
Usage Data is generally retained for a shorter period for internal analysis, unless needed to strengthen security, improve Service functionality, or if legally required to be retained longer. For BYOB deployments, the Organization controls retention within its Supabase instance.
Security of Your Personal Data
The security of your Personal Data is important to us. We encrypt data in transit, rely on Supabase and our hosting providers for encryption at rest, apply access controls, and follow secure development practices. Access to Customer Content is limited to personnel who require it to operate or support the Service.
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. We will notify you without undue delay of any personal data breach that is likely to result in a high risk to your rights and freedoms.
3. Children's Privacy
Our Service is not intended for use by individuals under the age of 18 (the age of majority as defined under Kenyan law for data protection purposes). We do not knowingly collect personally identifiable information from anyone under the age of 18. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 18 without verification of parental consent, We take steps to remove that information from Our servers.
4. Links to Other Websites
Our Service may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
5. Data Subject Rights and International Transfers
Depending on your location and applicable law (including the Kenya Data Protection Act), you may have the right to access, correct, delete, object to, or restrict processing of your Personal Data, and to request data portability. You may also withdraw consent where processing is based on consent. To exercise these rights, contact us at support@uwazo.com. We will respond within the timelines required by law.
You may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya or your local data protection authority if you believe we have not complied with applicable data protection laws.
We may transfer Personal Data outside Kenya to our service providers. Where we do so, we ensure appropriate safeguards such as contractual clauses and access controls. For BYOB deployments, the Organization controls the geographic location of its Supabase instance and related data residency.
For Organization accounts, the Organization is the data controller of Customer Content. We act as a data processor and process Customer Content only on the Organization’s instructions and in accordance with a Data Processing Addendum (available on request). For individual accounts, we are the data controller.
6. Changes to this Privacy Policy
We may update this Privacy Policy from time to time as we introduce new features or as legal requirements change. We will notify you of any material changes by posting the new Privacy Policy on this page and, where feasible, by email or a prominent notice on our Service prior to the change becoming effective. We will also update the "Last updated" date at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
7. Contact Us
If you have any questions about this Privacy Policy or our data practices, you can contact us:
- By email: support@uwazo.com