LEGAL

Privacy Policy

How ProductSafi — a product of PesaStream Limited — collects, uses, and protects personal data, under Kenya’s Data Protection Act, 2019.

🇰🇪 Kenya · DPA 2019 Web & mobile v1.0 · 27 June 2026

📌 In short. We collect only what running your store needs — your account, your catalogue, your sales, and (if you enable it) delivery details. We don’t sell your data. By using ProductSafi you agree to this policy; you can reach us any time at privacy@pesastream.com.

Who we are

ProductSafi is a video-commerce platform — turn a product into a shareable marketing video and a pay link with a scannable QR, take payment by M-Pesa or card, and coordinate delivery over WhatsApp. ProductSafi is a product of PesaStream Limited, a company incorporated in Kenya (the “Company”, “we”, “us”).

For the personal data described here, PesaStream Limited is the data controller for our own account holders (the businesses that use ProductSafi). Where a business uses ProductSafi to sell to and serve its own buyers, that business is the controller of its buyers’ data and we act as its data processor.

Company details: PesaStream Limited · Nairobi, Kenya · privacy@pesastream.com

What data we collect

Information you give us (merchants)

  • Identity & login: your name, email address, and a password (stored only as a PBKDF2-SHA256 hash with a per-user salt — never in plain text).
  • Business profile: business name, contact email and phone, logo, and brand settings (colours, voice, template).
  • Settlement details: bank name and code, settlement account number and name, and the Paystack subaccount used to pay out your sales.
  • Catalogue: product names, descriptions, prices, SKUs, categories, images, and any video clips you upload.

Information about buyers and deliveries

When someone pays one of your links, we process the data needed to complete the sale and (if you enable delivery) to coordinate fulfilment:

  • Buyer contact: name, phone number, and email — whatever the pay link is set to collect. The phone number identifies a returning customer.
  • Delivery details: recipient name, phone, a free-text location (Kenya is landmark-based, not a structured address), and any delivery instructions.
  • Payment record: the Paystack reference, amount, currency, and status. We do not store full card numbers — card data is handled by Paystack.

Riders

If you add your own delivery riders, we store each rider’s name, phone, vehicle, and notes, plus a hashed access code (PBKDF2-SHA256) so a rider can sign in to see assigned orders.

Information we collect automatically

  • Usage & link analytics: pay-link views, the channel a visit came from (e.g. WhatsApp, Instagram), referrer, and device type.
  • Approximate location: country, derived from your network by our hosting provider (Cloudflare) — used for analytics and fraud prevention, not precise tracking.
  • Essential cookies: a session cookie that keeps you signed in to the dashboard. See our Cookie Policy.
Data minimisation. We collect only what a sale, a video, a notification, or a delivery actually needs. Buyer checkout collects only the fields a merchant turns on.

How we use your data

  • Run the service: create and secure your account, generate marketing videos and animated promos, mint pay links, take payment, send receipts, and coordinate delivery.
  • Payments & settlement: process charges through Paystack and pay your share to your bank, applying our fee (see Terms).
  • Notifications: send transactional WhatsApp messages — receipts, sale alerts, delivery hand-offs, and order nudges.
  • Analytics & improvement: understand how links and features perform so we can improve the product. Aggregated or de-identified wherever possible.
  • Safety & compliance: prevent fraud and abuse, and meet our legal and tax obligations in Kenya.

Lawful basis (Kenya DPA 2019 / GDPR-aligned)

  • Performance of a contract — to provide the service you signed up for.
  • Legal obligation — to keep financial and tax records.
  • Legitimate interest — to secure, debug, and improve the platform.
  • Consent — for any optional marketing communications; you can withdraw it at any time.

Who we share data with

We do not sell your data. We share it only with the processors needed to run ProductSafi, under data-processing agreements:

  • Cloudflare, Inc. — hosting and edge compute (Workers), database (D1), object storage (R2), CDN and security. Data is stored and processed across Cloudflare’s global network.
  • Paystack — payment processing (M-Pesa & card) and settlement to your bank. They receive transaction and settlement data.
  • Meta Platforms (WhatsApp Cloud API) — to deliver order and receipt notifications. They receive the recipient’s phone number and message content.
  • AI providers — only where AI-generated video scripts or voiceovers are used. (Most promos today are rendered in the browser with no third-party AI processing.)

Other disclosures

  • Legal requirements — when required by Kenyan law, regulation, or a valid court order.
  • Business transfers — if PesaStream is involved in a merger, acquisition, or asset sale, subject to this policy.
  • With your consent — in any other case where you ask us to.

Security & retention

How we protect data

  • In transit: TLS/HTTPS on every request.
  • At rest: encrypted by our hosting provider (Cloudflare D1 & R2).
  • Passwords & access codes: PBKDF2-SHA256 with per-record salts — we can never see your password.
  • Secrets & webhooks: API keys are stored hashed; inbound webhooks (Paystack, WhatsApp) are verified with HMAC signatures before we trust them.

How long we keep it

  • Active accounts: for as long as you use ProductSafi.
  • After deletion: a 30-day grace period, then permanent deletion of personal data.
  • Financial records: transaction and settlement records are retained as required by Kenyan tax and anti-money-laundering law (generally up to 7 years).
Your part: keep your login credentials private and tell us immediately atprivacy@pesastream.comif you suspect unauthorised access.

Your rights

Under Kenya’s Data Protection Act, 2019, you have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectify — correct data that is wrong or out of date.
  • Erase — ask us to delete your data (the “right to be forgotten”), subject to our legal retention duties.
  • Restrict or object — limit how we use your data, or opt out of marketing.
  • Portability — receive your data in a portable format.
  • Complain — lodge a complaint with the Office of the Data Protection Commissioner.
To exercise a right, emailprivacy@pesastream.com. We respond within 30 days. If you are a buyer of one of our merchants, contact that merchant first — they control your data and we will assist them.

International transfers

ProductSafi runs on Cloudflare’s global edge network, so your data may be processed in data centres outside Kenya to deliver the service quickly and reliably. Our payment and messaging processors (Paystack, Meta) may likewise process data outside Kenya.

We rely on our processors’ data-protection agreements and recognised safeguards (such as standard contractual clauses) to protect data wherever it is processed.

Children

ProductSafi is a tool for businesses and is not directed at children under 18. We do not knowingly collect data from minors; if we learn we have, we delete it.

Changes & contact

We may update this policy from time to time. For significant changes we will notify you by email or an in-app notice. The “Last updated” date below always reflects the current version.

Contact us

Not satisfied? You can contact theOffice of the Data Protection Commissioner (ODPC)in Kenya.

Version 1.0 · Last updated 27 June 2026 · © 2026 PesaStream Limited