1. Data Controller
KudiFlow AI ("we", "us", "our") is the data controller for your personal data.
Company: KudiFlow AI
Address: PMB CT 112, Cantonments, Accra, Ghana
Email: privacy@kudiflow.online
DPO: dpo@kudiflow.online
2. Data We Collect
Account & Identity Data
- Phone number (verified via SMS OTP) — primary identifier
- Full name, business name, business type
- Ghana Card number / National ID (for KYC on paid plans with MoMo)
- Email address (optional, for notifications)
Business & Transaction Data
- Sales, expenses, debts, inventory records you enter
- Customer names, phone numbers, debt amounts
- Supplier details, payout records
- MoMo transaction references, amounts, timestamps (via Moolre webhooks)
Usage & Technical Data
- IP address, device type, browser, OS (anonymized for analytics)
- App interactions: pages visited, features used, errors
- USSD session logs (menu choices, timestamps)
- AI prompts & parsed results (to improve parser accuracy)
Communication Data
- Support tickets, chat messages, emails
- SMS delivery receipts (for debt reminders you send)
3. Purposes & Legal Basis (GDPR Art. 6 / Act 843)
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Provide core Service (ledger, dashboard, USSD) | Account, Business, Transaction | Contract (Art. 6(1)(b)) |
| Process MoMo payments & payouts | Account, Transaction, KYC | Contract + Legal obligation (BoG AML) |
| AI parsing & business insights | Transaction, AI prompts | Legitimate interest (Art. 6(1)(f)) |
| Send SMS debt reminders (at your request) | Customer, Transaction | Contract + Your instruction |
| Security, fraud prevention, abuse detection | Usage, Technical, Transaction | Legitimate interest + Legal obligation |
| Product analytics (PostHog, Vercel) | Usage, Technical (anonymized) | Consent (Art. 6(1)(a)) |
| Marketing emails (opt-in only) | Account, Email | Consent |
| Comply with law (tax, AML, court orders) | All categories | Legal obligation (Art. 6(1)(c)) |
5. International Transfers
Primary storage: EU (Germany/Frankfurt) via Supabase/Vercel. Adequacy decision applies.
Subprocessors in US (if any) rely on Standard Contractual Clauses (SCCs) + UK Addendum. No data goes to countries without adequate safeguards.
6. Data Retention
- Account data: Retained while account active + 2 years after closure (tax/AML).
- Transaction/ledger data: 7 years (Ghana Revenue Authority requirement).
- KYC documents: 5 years after relationship ends (AML Act 2020).
- Analytics events: 13 months (anonymized).
- Support tickets: 3 years.
- USSD logs: 12 months.
- Marketing data: Until you unsubscribe.
You may request earlier deletion where no legal retention obligation applies.
7. Your Rights (GDPR Chapter III / Act 843 Sections 18-25)
- Access: Get a copy of your data (JSON/CSV).
- Rectification: Correct inaccurate data via Settings or email us.
- Erasure ("Right to be Forgotten"): Request deletion where no legal basis to retain.
- Restriction: Limit processing (e.g., during dispute).
- Portability: Receive machine-readable export (Settings → Export Data).
- Object: Object to legitimate-interest processing (analytics, AI training).
- Withdraw Consent: For analytics/marketing, anytime in Settings.
- Automated Decision-Making: No solely automated decisions with legal effect.
- Complain: To Data Protection Commission (Ghana): dataprotection.gov.gh
To exercise rights: email privacy@kudiflow.online. We respond within 30 days (extendable to 60 for complex requests).
8. Security Measures
- Encryption in transit: TLS 1.3 everywhere
- Encryption at rest: AES-256 (Supabase/PostgreSQL)
- Auth: SMS OTP + secure HttpOnly cookies, CSRF tokens
- API: Rate limiting, input validation, parameterized queries
- Access: Role-based, least privilege, MFA for admin
- Monitoring: Audit logs, anomaly detection, incident response plan
- Backups: Daily encrypted, geo-replicated, tested quarterly
- Penetration testing: Annual by certified firm
No system is 100% secure. We notify you and DPC within 72 hours of any breach likely to risk your rights (GDPR Art. 33 / Act 843).
9. Children's Privacy
Service is for adults (18+) running businesses. We do not knowingly collect data from children. If you believe a child provided data, contact us for immediate deletion.
10. Changes to This Policy
Material changes: 30 days' notice via email + in-app banner. Non-material: updated "Last updated" date. Continued use = acceptance.
11. Contact Us
KudiFlow AI — Data Protection
Email: privacy@kudiflow.online
DPO: dpo@kudiflow.online
Phone/WhatsApp: 0203663708
Post: PMB CT 112, Cantonments, Accra, Ghana