Privacy Policy

Last updated: January 9, 2026 | Version 1.2

1. Data Controller

KudiFlow AI ("we", "us", "our") is the data controller for your personal data.

Company: KudiFlow AI

Address: PMB CT 112, Cantonments, Accra, Ghana

Email: privacy@kudiflow.online

DPO: dpo@kudiflow.online

2. Data We Collect

Account & Identity Data

  • Phone number (verified via SMS OTP) — primary identifier
  • Full name, business name, business type
  • Ghana Card number / National ID (for KYC on paid plans with MoMo)
  • Email address (optional, for notifications)

Business & Transaction Data

  • Sales, expenses, debts, inventory records you enter
  • Customer names, phone numbers, debt amounts
  • Supplier details, payout records
  • MoMo transaction references, amounts, timestamps (via Moolre webhooks)

Usage & Technical Data

  • IP address, device type, browser, OS (anonymized for analytics)
  • App interactions: pages visited, features used, errors
  • USSD session logs (menu choices, timestamps)
  • AI prompts & parsed results (to improve parser accuracy)

Communication Data

  • Support tickets, chat messages, emails
  • SMS delivery receipts (for debt reminders you send)

3. Purposes & Legal Basis (GDPR Art. 6 / Act 843)

PurposeData CategoriesLegal Basis
Provide core Service (ledger, dashboard, USSD)Account, Business, TransactionContract (Art. 6(1)(b))
Process MoMo payments & payoutsAccount, Transaction, KYCContract + Legal obligation (BoG AML)
AI parsing & business insightsTransaction, AI promptsLegitimate interest (Art. 6(1)(f))
Send SMS debt reminders (at your request)Customer, TransactionContract + Your instruction
Security, fraud prevention, abuse detectionUsage, Technical, TransactionLegitimate interest + Legal obligation
Product analytics (PostHog, Vercel)Usage, Technical (anonymized)Consent (Art. 6(1)(a))
Marketing emails (opt-in only)Account, EmailConsent
Comply with law (tax, AML, court orders)All categoriesLegal obligation (Art. 6(1)(c))

4. Data Sharing & Processors

We do not sell your data. We share only as follows:

  • Moolre Technology Ltd (Payment Processor): Phone, transaction amount, reference, callback URL. DPA in place. Licensed by Bank of Ghana.
  • Mobile Network Operators (MTN, Telecel, AirtelTigo): For USSD routing and MoMo settlement. Governed by MNO agreements.
  • Supabase (Database & Auth): Hosted on EU infrastructure (Frankfurt). ISO 27001, SOC 2, GDPR-ready. DPA signed.
  • Vercel (Hosting & Analytics): Logs, analytics. EU data residency. DPA signed.
  • PostHog (Product Analytics): Anonymized events. EU hosting. DPA signed.
  • Cloudinary (Asset Delivery): Logo/images only. No personal data.
  • SMS Gateway (Arkesel/mNotify): Phone numbers + message content for debt reminders YOU initiate. DPA signed.
  • Legal Authorities: When compelled by court order, BoG directive, or Data Protection Commission.
  • Business Transfers: In a merger/acquisition, data transfers under same protections. You will be notified.

5. International Transfers

Primary storage: EU (Germany/Frankfurt) via Supabase/Vercel. Adequacy decision applies.

Subprocessors in US (if any) rely on Standard Contractual Clauses (SCCs) + UK Addendum. No data goes to countries without adequate safeguards.

6. Data Retention

  • Account data: Retained while account active + 2 years after closure (tax/AML).
  • Transaction/ledger data: 7 years (Ghana Revenue Authority requirement).
  • KYC documents: 5 years after relationship ends (AML Act 2020).
  • Analytics events: 13 months (anonymized).
  • Support tickets: 3 years.
  • USSD logs: 12 months.
  • Marketing data: Until you unsubscribe.

You may request earlier deletion where no legal retention obligation applies.

7. Your Rights (GDPR Chapter III / Act 843 Sections 18-25)

  • Access: Get a copy of your data (JSON/CSV).
  • Rectification: Correct inaccurate data via Settings or email us.
  • Erasure ("Right to be Forgotten"): Request deletion where no legal basis to retain.
  • Restriction: Limit processing (e.g., during dispute).
  • Portability: Receive machine-readable export (Settings → Export Data).
  • Object: Object to legitimate-interest processing (analytics, AI training).
  • Withdraw Consent: For analytics/marketing, anytime in Settings.
  • Automated Decision-Making: No solely automated decisions with legal effect.
  • Complain: To Data Protection Commission (Ghana): dataprotection.gov.gh

To exercise rights: email privacy@kudiflow.online. We respond within 30 days (extendable to 60 for complex requests).

8. Security Measures

  • Encryption in transit: TLS 1.3 everywhere
  • Encryption at rest: AES-256 (Supabase/PostgreSQL)
  • Auth: SMS OTP + secure HttpOnly cookies, CSRF tokens
  • API: Rate limiting, input validation, parameterized queries
  • Access: Role-based, least privilege, MFA for admin
  • Monitoring: Audit logs, anomaly detection, incident response plan
  • Backups: Daily encrypted, geo-replicated, tested quarterly
  • Penetration testing: Annual by certified firm

No system is 100% secure. We notify you and DPC within 72 hours of any breach likely to risk your rights (GDPR Art. 33 / Act 843).

9. Children's Privacy

Service is for adults (18+) running businesses. We do not knowingly collect data from children. If you believe a child provided data, contact us for immediate deletion.

10. Changes to This Policy

Material changes: 30 days' notice via email + in-app banner. Non-material: updated "Last updated" date. Continued use = acceptance.

11. Contact Us

KudiFlow AI — Data Protection

Email: privacy@kudiflow.online

DPO: dpo@kudiflow.online

Phone/WhatsApp: 0203663708

Post: PMB CT 112, Cantonments, Accra, Ghana