1. Data Processor
Kazisafi Limited is the data processor responsible for the personal data processed through our Service.
2. Data We Collect
We collect and process the following categories of personal data:
Company Data
- Company name and registration details
- KRA PIN
- NSSF and SHIF employer numbers
- Business address and contact information
- Bank account details for reference
Employee Data
- Full name and contact details (email, phone number)
- National ID or passport number
- KRA PIN
- NSSF and SHIF member numbers
- Date of birth and gender
- Employment details (job title, department, employment date)
- Salary and compensation information
- Bank account details for payroll
- Leave balances and requests
- Next of kin information (if provided)
Usage Data
- Login timestamps and IP addresses
- Features accessed and actions taken
- Device and browser information
- USSD session data (for employee access)
3. Legal Basis for Processing
Under the Data Protection Act, 2019, we process personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the payroll service you have subscribed to
- Legal Obligation: Processing required by Kenyan tax laws, employment laws, and statutory requirements (KRA, NSSF, SHIF)
- Legitimate Interest: Processing for service improvement, security, and fraud prevention
- Consent: Where required, such as for marketing communications
4. Purpose of Processing
We process personal data for the following purposes:
- Calculating salaries, allowances, and statutory deductions
- Generating payslips and P9 tax certificates
- Producing compliance reports for KRA, NSSF, and SHIF
- Managing leave requests and balances
- Enabling USSD access for employees
- Sending service notifications and payroll alerts
- Providing customer support
- Maintaining security and preventing fraud
- Complying with legal and regulatory requirements
5. Data Sharing
We do not sell personal data. We share data only in the following circumstances:
- Statutory Bodies: Data included in reports you generate for submission to KRA, NSSF, and SHIF
- Banks: Data included in payment files you generate for bank transfers
- Service Providers: Trusted providers who help us operate the Service (hosting, email delivery), bound by strict data protection agreements
- Legal Requirements: When required by law, court order, or government authority
We ensure all third parties receiving data provide adequate protection in compliance with the Data Protection Act, 2019.
6. Data Storage and Security
We implement appropriate technical and organizational measures to protect personal data:
- Encryption: Data is encrypted in transit (TLS) and at rest
- Access Controls: Role-based access ensures only authorized personnel can access data
- Secure Infrastructure: Data is stored on secure cloud infrastructure with industry-standard protections
- Regular Backups: Automated backups protect against data loss
- Monitoring: We monitor for unauthorized access and security threats
7. Data Retention
We retain personal data for as long as necessary to:
- Provide the Service to you
- Comply with legal obligations
- Resolve disputes and enforce agreements
Retention periods:
- Payroll records: 7 years after the tax year (as required by Kenyan tax law)
- Employment records: 7 years after employment ends
- Account data: Duration of account plus 2 years
- Usage logs: 12 months
After the retention period, data is securely deleted or anonymized.
8. Your Rights
Under the Data Protection Act, 2019 (Section 26), you have the following rights:
- Right to Access: Request a copy of personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your data (subject to legal retention requirements)
- Right to Data Portability: Receive your data in a structured, commonly used format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time
- Right to Lodge a Complaint: File a complaint with the Office of the Data Protection Commissioner
To exercise your rights, contact us at [email protected]. We will respond within 30 days as required by law.
Note: Some data cannot be deleted while you have an active account or where retention is required by law (e.g., tax records).
9. Cross-Border Transfers
Where data is transferred outside Kenya (for example, to cloud service providers), we ensure adequate safeguards are in place as required by the Data Protection Act, 2019, including:
- Transfers to countries with adequate data protection laws
- Standard contractual clauses approved by the ODPC
- Other appropriate safeguards ensuring equivalent protection
10. Cookies
We use essential cookies required for the Service to function:
- Session cookies: Maintain your login session
- Security cookies: Prevent cross-site request forgery
We do not use advertising or tracking cookies. You can configure your browser to refuse cookies, but this may affect your ability to use the Service.
11. Children's Data
Kazisafi is a business-to-business service not intended for use by children under 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates when changes were made.
For questions about this Privacy Policy or to exercise your data protection rights:
14. Office of the Data Protection Commissioner
If you are not satisfied with our response to your data protection concerns, you have the right to lodge a complaint with the Office of the Data Protection Commissioner: