Privacy Policy
Effective date: 1 July 2026. Last reviewed: 1 July 2026.
1. Who We Are (Data Controller)
Codec8 ("Codec8", "we", "us") is the data controller for personal data processed through the Codec8 platform at codec8.africa. We are registered in Kenya and operate subject to the Kenya Data Protection Act 2019 (DPA 2019) and the Data Protection (General) Regulations 2021.
Our Data Protection Officer can be reached at dpo@codec8.africa.
2. Data We Collect
2.1 Account and Organisation Data
- Name and email address of account holders and invited staff members.
- Organisation name, sector, and country.
- Subscription tier and billing information (payment tokens processed by Paystack / Flutterwave — we do not store raw card numbers).
2.2 Readiness Check Data
- Answers to the 18-question Cyber Insurance Readiness Check questionnaire.
- Derived readiness score (0–100) and gap summary.
- Optional: name and email submitted for a score report delivery.
2.3 Verify (Payment Verification) Data
- Payment details submitted for verification: paybill numbers, till numbers, bank account numbers, invoice numbers, phone numbers associated with WhatsApp payment requests, recipient name, and transaction amount.
- Risk rating and evidence trail generated by the deterministic scoring engine.
- AI-generated advisory commentary (stored alongside the evidence trail; advisory is non-deterministic and never overrides the deterministic verdict).
2.4 Security Posture and Protect/Desk Signal Data
- Device posture check results (OS version, patch status, MFA enabled — submitted by the user).
- Email domain health signals (MX, SPF, DMARC, DKIM records queried from public DNS).
- Backup readiness and staff training completion status.
- Supplier profiles submitted for monitoring (company name, email domain, payment details).
- Monthly Codec8 Score history and remediation progress.
2.5 Usage and Technical Data
- IP address, browser type, and referrer URL logged for security and abuse prevention.
- Server error logs and performance metrics.
- Cookies: session cookies (essential) and analytics cookies (where consent is obtained).
3. Legal Basis for Processing (DPA 2019, s.30)
We process your data under the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the Service (account, checks, subscriptions) | Performance of a contract (DPA s.30(b)) |
| Billing and payment processing | Performance of a contract; legal obligation (DPA s.30(b), (c)) |
| Security monitoring and fraud prevention | Legitimate interest (DPA s.30(f)) — prevention of financial crime |
| Improving signal accuracy and scoring models | Legitimate interest (DPA s.30(f)) — aggregated, de-identified data only |
| Sending transactional emails (results, alerts) | Performance of a contract |
| Sending marketing emails | Consent (DPA s.30(a)) — you may opt out at any time |
| Retaining records for tax and regulatory compliance | Legal obligation (DPA s.30(c)) |
4. Data Residency
Codec8 stores production data in Supabase PostgreSQL databases provisioned in the Africa (Cape Town, aws-af-south-1) region by default. Where a Tenant is provisioned in a specific region (e.g. Nigeria), data is stored in the nearest available Supabase region.
Background job queues (BullMQ via Redis / Upstash) may temporarily hold task payloads outside the primary region; these payloads are processed and purged within 24 hours and contain no raw financial account numbers.
Outbound data transfers to sub-processors (Section 5) may involve processing outside Kenya. Each sub-processor is bound by data-processing agreements and adequate safeguards consistent with DPA 2019 international-transfer requirements.
5. Sub-Processors
We share data with the following sub-processors to operate the Service:
| Sub-processor | Role | Data processed | Location |
|---|---|---|---|
| Supabase | Database hosting and authentication | All structured data including user accounts, checks, scores | Cape Town (primary); region-specific per Tenant |
| Paystack | Payment processing (KES / NGN) | Billing email, subscription tier, payment tokens | Nigeria / Kenya |
| Flutterwave | Mobile-money payment processing (fallback) | Billing email, payment tokens | Nigeria |
| Resend | Transactional email delivery | Recipient email address and email body | United States (adequacy safeguards applied) |
| Anthropic (Claude API) | AI-generated advisory commentary | Payment verification context (type, recipient, amount, risk signals — no full account numbers) | United States (adequacy safeguards applied) |
| Vercel | Application hosting and edge CDN | HTTP request logs, IP addresses | United States / global edge (no persistent storage) |
| Upstash / Redis | Background job queue (BullMQ) | Ephemeral task payloads (processed within 24 h) | Region-matched where available |
We do not sell your personal data to third parties. We do not use your data to train AI models beyond the Anthropic API's standard data-handling terms.
6. Data Retention
| Data type | Retention period | Reason |
|---|---|---|
| Account and profile data | Duration of account + 90 days after closure | Service provision; grace period for recovery |
| Verify check results and evidence trail | 3 years | Audit trail; fraud investigation support |
| Billing and payment records | 7 years | Kenya tax and financial-records obligations |
| Readiness Check results | 2 years or until account closure | Score trend history for the user |
| Security posture signals (Protect/Desk) | 13 months of rolling history | Trend analysis; monthly Score |
| Server error logs | 90 days | Security incident investigation |
On expiry, data is deleted or anonymised. You may request earlier deletion under your rights in Section 8.
7. Cookies
We use:
- Essential cookies — session management and CSRF protection. Cannot be disabled without breaking the Service.
- Analytics cookies — aggregate usage data (page views, feature adoption). We do not set analytics cookies without your consent.
We do not use advertising or cross-site tracking cookies.
8. Your Rights Under DPA 2019
As a data subject, you have the right to:
- Access — request a copy of personal data we hold about you (DPA s.26).
- Rectification — correct inaccurate or incomplete data (DPA s.27).
- Erasure — request deletion of your data, subject to legal-retention obligations (DPA s.28).
- Restriction — request that we limit processing in certain circumstances (DPA s.29).
- Data portability — receive your data in a structured, machine-readable format (DPA s.38).
- Object to processing — particularly where we rely on legitimate interest (DPA s.37).
- Withdraw consent — at any time where processing is consent-based, without affecting prior processing.
To exercise any right, email dpo@codec8.africa. We will respond within 21 days as required by the DPA 2019 Regulations. You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.
9. Security Measures
We apply security controls appropriate to a data-protection SaaS: TLS encryption in transit; AES-256 encryption at rest (via Supabase); tenant-level Row Level Security (RLS) enforced at the database layer; role-based access control (Admin / Viewer); and regular dependency audits.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ODPC within 72 hours and affected users without undue delay, as required by DPA 2019 s.43.
10. Children's Data
The Service is not directed at children under 18 and we do not knowingly collect personal data from children. If you believe a child has submitted data, contact dpo@codec8.africa and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to active subscribers at least 30 days before taking effect. The effective date at the top of this page indicates the current version.
12. Contact and DPO
Codec8 — Data Protection Officer
Nairobi, Kenya
Email: dpo@codec8.africa
General enquiries: legal@codec8.africa
See also our Terms of Service for the contractual basis of your use of Codec8.