Privacy Policy - Sediact
Last updated: 16 August 2025
1. Introduction
This Privacy Policy explains how Sediact ("Sediact", "we", "us", or "our") collects, uses, shares, and safeguards personal data in accordance with the Data Protection Act, 2019 of Kenya and subsidiary regulations (the "Kenyan DPA"). It applies to your use of our websites, applications, products, and services (collectively, the "Services").
2. Data Controller and Contact
Sediact is the data controller for personal data processed under this Policy. For any privacy request, please contact us at privacy@sediact.io.
You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC): https://www.odpc.go.ke/.
3. What Personal Data We Collect
- Identification and contact data (name, email, phone, company, role).
- Account data (login identifiers, settings, support tickets).
- Transactional and financial data you choose to connect (e.g., bank, wallet, or accounting integrations).
- Usage, device and log data (IP address, browser type, pages viewed, timestamps, crash logs).
- Marketing preferences and communication history.
- Any other data you provide to us voluntarily.
4. How We Collect Data
- Directly from you (forms, onboarding, support).
- Automatically through our Services (cookies, SDKs, logs, analytics).
- From third-party connectors you authorize (e.g., financial institutions and platforms).
- From publicly available sources and service providers acting on our behalf.
5. Why We Use Your Data (Purposes)
- To provide, operate, and improve the Services.
- To authenticate users and secure accounts.
- To provide analytics, cash-flow insights, and recommendations you request.
- To communicate with you (service messages, product updates, marketing with your consent).
- To comply with legal obligations and enforce our terms.
6. Our Legal Bases (Kenyan DPA)
- Consent (e.g., connecting external data sources, marketing).
- Performance of a contract (providing requested Services).
- Legal obligation (e.g., tax, accounting, regulator requests).
- Legitimate interests (security, product improvement, preventing fraud), balanced with your rights.
7. Cookies and Similar Technologies
We use necessary cookies to deliver the Services and optional analytics/advertising cookies with your consent. You may manage preferences via your browser or device settings. See Annex C for illustrative cookie categories.
8. How We Use Customer Data
We use Customer Data to provide Insights, dashboards, alerts, and other outputs. We do not sell your personal data. We anonymise and aggregate data for product development and benchmarking purposes.
9. Sharing Personal Data
- Service providers assisting us with hosting, analytics, communications, and support.
- Financial connectors you authorise (e.g., banks, mobile money operators).
- Professional advisers (legal, compliance, accounting) bound by confidentiality.
- Regulators, law enforcement, or courts where required by law.
10. International Transfers
We store data in secure cloud infrastructure. When transferring personal data outside Kenya, we implement safeguards such as standard contractual clauses, equivalent legal protection, or your explicit consent.
11. Data Retention
We retain personal data only as long as necessary for the purposes described or as required by law. See Annex B for summary retention periods.
12. Security
We implement technical and organisational measures such as encryption in transit and at rest, access controls, monitoring, and secure development practices. While no system is completely secure, we continuously improve our protections.
13. Your Rights
- Right to access and obtain a copy of your data.
- Right to correct inaccurate data.
- Right to delete data (subject to legal obligations).
- Right to withdraw consent where processing is based on consent.
- Right to object to processing for direct marketing or where based on legitimate interests.
To exercise any right, contact us at privacy@sediact.io with sufficient detail for identification. We may need to verify your identity before fulfilling requests.
14. Children's Privacy
The Services are not directed to children under 18. If we learn that we have collected personal data from a child without parental consent, we will delete it promptly.
15. Marketing Communications
We send service communications that are necessary to deliver the Services. For optional marketing, we rely on consent and provide unsubscribe mechanisms in every email.
16. Third-Party Links
Our Services may link to external sites and services. We are not responsible for the privacy practices of those third parties, and we encourage you to review their policies.
17. Changes to This Policy
We may update this Privacy Policy from time to time. If a change is material, we will provide notice (for example, by email or in-product notification). Continued use after the effective date constitutes acceptance of the updated policy.
18. Contact
For questions or to exercise your rights, contact privacy@sediact.io.
Annex A - Data Subject Rights Summary
- Right to be informed: this policy fulfils that obligation.
- Right of access: request a copy of your personal data.
- Right to rectification: request correction of inaccurate data.
- Right to erasure: request deletion subject to legal limits.
- Right to data portability: request data in a structured, commonly used format.
Annex B - Retention Schedule (Summary)
- Account records: life of account and up to 7 years after closure.
- Support communications: up to 3 years from last interaction.
- Analytics data: 26 months or less, then aggregated or deleted.
Annex C - Cookies (Illustrative)
- Strictly necessary: session management, authentication.
- Analytics: usage metrics to improve product performance.
- Preferences: remember choices such as theme or language.