Privacy Policy

Last Updated: October 31, 2025

1. INTRODUCTION

Techara Limited ("we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Point of Sale (POS) system, M-Pesa Till Integration, and eTIMS Integration services available at chara.ke (collectively, the "Services").

This Privacy Policy complies with the Data Protection Act, 2019 of Kenya and other applicable data protection laws. By using our Services, you consent to the data practices described in this policy.

2. DEFINITIONS

"Personal Data" means any information relating to an identified or identifiable natural person.

"Merchant" refers to the business or individual that uses our Services.

"Customer" refers to the end-users who make purchases from Merchants using our Services.

"Processing" means any operation performed on personal data, including collection, storage, use, and disclosure.

"Data Controller" means the entity that determines the purposes and means of processing personal data.

"Data Processor" means the entity that processes personal data on behalf of the data controller.

3. DATA CONTROLLER AND PROCESSOR RELATIONSHIPS

3.1 Techara Limited as Data Controller

For Merchant account information and service usage data, Techara Limited acts as the Data Controller.

3.2 Techara Limited as Data Processor

For Customer transaction data and information collected by Merchants through our POS system, Techara Limited acts as a Data Processor on behalf of the Merchant (who is the Data Controller).

3.3 Merchant Responsibilities

As a Merchant using our Services, you are responsible for:

• Complying with all applicable data protection laws regarding your Customers' data
• Obtaining necessary consents from your Customers for data collection and processing
• Having your own privacy policy that governs your relationship with your Customers
• Ensuring the accuracy and legality of data you input into our system

4. INFORMATION WE COLLECT

4.1 Merchant Information

When you register for our Services, we collect:

• Account Information: Business name, owner name, email address, phone number, physical address
• Business Details: Business registration number, KRA PIN, eTIMS credentials, M-Pesa Till Number
• Financial Information: Bank account details, billing information, payment history
• Identification Documents: ID/Passport copies, business registration certificates
• Login Credentials: Username, password (encrypted), security questions

4.2 Transaction Data

Through the POS system, we process:

• Sales Information: Transaction amounts, dates, times, products/services sold
• Payment Data: Payment method, M-Pesa transaction codes, payment status
• Customer Information: Names, phone numbers, email addresses (when provided by Merchant)
• Invoice Data: Tax invoices, receipt information, invoice numbers

4.3 M-Pesa Integration Data

• M-Pesa transaction references and confirmations
• Customer phone numbers making M-Pesa payments
• Payment timestamps and amounts
• Till Number and paybill information
• Transaction reconciliation data

4.4 eTIMS Integration Data

• Tax invoice details submitted to KRA
• Product tax classifications and rates
• Invoice control unit (ICU) data
• Tax compliance records and reports
• Communication with KRA systems

4.5 Usage and Technical Data

• Device Information: Device type, operating system, browser type, IP address
• Usage Data: Features accessed, time spent on platform, user actions
• Log Data: System logs, error reports, access logs
• Location Data: IP-based location, business location

4.6 Communications

• Support tickets and customer service interactions
• Email correspondence
• Chat messages and feedback
• Survey responses and testimonials

5. HOW WE USE YOUR INFORMATION

5.1 To Provide Our Services

• Process and facilitate sales transactions
• Enable M-Pesa payment acceptance and reconciliation
• Generate and transmit tax invoices to KRA via eTIMS
• Provide inventory management and reporting features
• Manage your account and authenticate access

5.2 For Business Operations

• Process payments and manage billing
• Verify your identity and business legitimacy
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations and regulatory requirements
• Resolve disputes and enforce our agreements

5.3 To Improve Our Services

• Analyze usage patterns and system performance
• Develop new features and functionality
• Conduct research and testing
• Generate aggregated and anonymized statistics
• Train our support team and improve customer service

5.4 For Communication

• Send service-related notifications and updates
• Respond to inquiries and provide customer support
• Send account alerts and security notifications
• Communicate about system maintenance and downtime
• Send marketing communications (with your consent)

5.5 Legal Basis for Processing (Data Protection Act, 2019)

We process your personal data based on:

• Contract Performance: Processing necessary to provide our Services
• Legal Obligation: Compliance with tax laws, KRA requirements, and other regulations
• Consent: Where you have given explicit consent for specific processing activities
• Legitimate Interests: Fraud prevention, security, and business improvement

6. INFORMATION SHARING AND DISCLOSURE

6.1 Third-Party Service Providers

We share data with trusted third parties who help us deliver our Services:

• Safaricom (M-Pesa): Payment processing and transaction data
• Kenya Revenue Authority (KRA): Tax invoice data via eTIMS
• Cloud Hosting Providers: Data storage and infrastructure
• Payment Processors: Subscription billing and payments
• Analytics Services: Anonymized usage statistics
• Customer Support Tools: Support ticket management

All third-party service providers are contractually bound to protect your data and use it only for specified purposes.

6.2 Legal and Regulatory Requirements

We may disclose your information when required by law:

• To comply with court orders, subpoenas, or legal processes
• To respond to government or regulatory authority requests
• To comply with KRA audits and tax investigations
• To enforce our Terms of Service and protect our rights
• To protect against fraud, security threats, or illegal activity

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and the choices you may have.

6.4 With Your Consent

We may share your information with other parties when you have given us explicit consent to do so.

6.5 What We Do NOT Do

• We do NOT sell your personal data to third parties
• We do NOT share your data for third-party marketing purposes
• We do NOT provide Customer data to other Merchants

7. DATA SECURITY

7.1 Security Measures

We implement industry-standard security measures to protect your data:

• Encryption: Data is encrypted in transit (SSL/TLS) and at rest (AES-256)
• Access Controls: Role-based access with multi-factor authentication
• Network Security: Firewalls, intrusion detection, and monitoring systems
• Secure Infrastructure: Data centers with physical and logical security controls
• Regular Audits: Security assessments and vulnerability testing
• Employee Training: Staff trained on data protection and security practices

7.2 Data Backup and Recovery

• Regular automated backups of all data
• Geographically distributed backup storage
• Disaster recovery and business continuity plans
• Regular testing of backup restoration procedures

7.3 Incident Response

In the event of a data breach affecting your personal data, we will:

• Notify you within 72 hours of becoming aware of the breach
• Notify the Office of the Data Protection Commissioner as required by law
• Take immediate steps to contain and remediate the breach
• Provide you with information about the breach and steps you can take

7.4 Your Responsibilities

• Keep your login credentials confidential
• Use strong, unique passwords
• Enable multi-factor authentication when available
• Promptly report any suspected security incidents
• Keep your contact information up to date

8. DATA RETENTION

8.1 Retention Periods

We retain your data for different periods based on legal requirements and business needs:

• Transaction Records: Minimum 5 years (as required by Kenyan tax laws)
• Tax Invoice Data: Minimum 5 years (KRA requirement)
• Account Information: Duration of your account plus 1 year
• Financial Records: 7 years (accounting and audit requirements)
• Support Communications: 3 years
• System Logs: 90 days to 1 year

8.2 Data Deletion

After retention periods expire, we will:

• Securely delete or anonymize personal data
• Retain only aggregated, non-personally identifiable data for analytics
• Continue to retain data required by law (e.g., tax records)

8.3 Account Closure

When you close your account:

• You can request export of your data before closure
• Account access is immediately terminated
• Non-essential data is deleted within 90 days
• Legally required records are retained per applicable laws

9. YOUR RIGHTS UNDER THE DATA PROTECTION ACT, 2019

As a data subject in Kenya, you have the following rights:

9.1 Right to Access

You have the right to request:

• Confirmation of whether we process your personal data
• Access to your personal data
• Information about how we use and share your data
• A copy of your data in a commonly used format

9.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. You can update most information directly through your account dashboard.

9.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

• The data is no longer necessary for the purposes collected
• You withdraw consent (where consent was the basis for processing)
• You object to processing and there are no overriding legitimate grounds
• The data was unlawfully processed

Note: We cannot delete data that we are legally required to retain (e.g., tax records).

9.4 Right to Restriction of Processing

You can request that we limit how we use your data while:

• Verifying the accuracy of disputed data
• Determining whether our legitimate grounds override your objection
• The processing is unlawful but you prefer restriction over deletion

9.5 Right to Data Portability

You can request a copy of your data in a structured, commonly used, machine-readable format and have it transmitted to another service provider.

9.6 Right to Object

You can object to:

• Processing based on legitimate interests
• Direct marketing communications (you can opt-out at any time)
• Automated decision-making and profiling

9.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw your consent at any time. This will not affect the lawfulness of processing before withdrawal.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Office of the Data Protection Commissioner if you believe your data protection rights have been violated:

9.9 How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: privacy@chara.ke or support@chara.ke
• Through your account dashboard (for access and rectification)
• By written request to our physical address

We will respond to your request within 30 days and may request verification of your identity before processing.

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 Types of Cookies We Use

• Essential Cookies: Required for the Services to function (e.g., authentication, security)
• Performance Cookies: Help us understand how visitors use our Services
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Collect aggregated usage statistics

10.2 Managing Cookies

You can control cookies through:

• Your browser settings (to block or delete cookies)
• Our cookie consent banner
• Account preferences for certain tracking features

Note: Blocking essential cookies may affect the functionality of our Services.

11. INTERNATIONAL DATA TRANSFERS

Your data is primarily stored and processed within Kenya. If we transfer data outside Kenya, we ensure:

• The receiving country has adequate data protection laws
• Appropriate safeguards are in place (e.g., standard contractual clauses)
• Compliance with the Data Protection Act, 2019 requirements
• You are informed of such transfers

12. CHILDREN'S PRIVACY

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately, and we will delete such information.

13. THIRD-PARTY LINKS AND SERVICES

Our Services may contain links to third-party websites or integrate with third-party services (e.g., M-Pesa, KRA eTIMS). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

14. MARKETING COMMUNICATIONS

14.1 Types of Communications

With your consent, we may send you:

• Product updates and new feature announcements
• Educational content and best practices
• Promotional offers and discounts
• Newsletter and industry insights

14.2 Opting Out

You can opt-out of marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email
• Updating your communication preferences in your account settings
• Contacting us at support@chara.ke

Note: You cannot opt-out of essential service communications (e.g., security alerts, billing notifications).

15. AUTOMATED DECISION-MAKING

We may use automated systems to:

• Detect and prevent fraudulent transactions
• Analyze business patterns for reporting purposes
• Provide personalized recommendations

You have the right to request human review of any automated decisions that significantly affect you.

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect:

• Changes in our data practices
• New legal or regulatory requirements
• New features or services
• Feedback from users or regulators

When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email or prominent notice on our platform
• Provide you with 30 days' notice before changes take effect
• Request your consent for material changes where required by law

Your continued use of our Services after changes take effect constitutes acceptance of the updated policy.

17. DATA PROTECTION OFFICER

We have appointed a Data Protection Officer to oversee our data protection practices:

18. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: