📌 In short. We collect only what running your store needs — your account, your catalogue, your sales, and (if you enable it) delivery details. We don’t sell your data. By using ProductSafi you agree to this policy; you can reach us any time at privacy@pesastream.com.
Who we are
ProductSafi is a video-commerce platform — turn a product into a shareable marketing video and a pay link with a scannable QR, take payment by M-Pesa or card, and coordinate delivery over WhatsApp. ProductSafi is a product of PesaStream Limited, a company incorporated in Kenya (the “Company”, “we”, “us”).
For the personal data described here, PesaStream Limited is the data controller for our own account holders (the businesses that use ProductSafi). Where a business uses ProductSafi to sell to and serve its own buyers, that business is the controller of its buyers’ data and we act as its data processor.
What data we collect
Information you give us (merchants)
- Identity & login: your name, email address, and a password (stored only as a PBKDF2-SHA256 hash with a per-user salt — never in plain text).
- Business profile: business name, contact email and phone, logo, and brand settings (colours, voice, template).
- Settlement details: bank name and code, settlement account number and name, and the Paystack subaccount used to pay out your sales.
- Catalogue: product names, descriptions, prices, SKUs, categories, images, and any video clips you upload.
Information about buyers and deliveries
When someone pays one of your links, we process the data needed to complete the sale and (if you enable delivery) to coordinate fulfilment:
- Buyer contact: name, phone number, and email — whatever the pay link is set to collect. The phone number identifies a returning customer.
- Delivery details: recipient name, phone, a free-text location (Kenya is landmark-based, not a structured address), and any delivery instructions.
- Payment record: the Paystack reference, amount, currency, and status. We do not store full card numbers — card data is handled by Paystack.
Riders
If you add your own delivery riders, we store each rider’s name, phone, vehicle, and notes, plus a hashed access code (PBKDF2-SHA256) so a rider can sign in to see assigned orders.
Information we collect automatically
- Usage & link analytics: pay-link views, the channel a visit came from (e.g. WhatsApp, Instagram), referrer, and device type.
- Approximate location: country, derived from your network by our hosting provider (Cloudflare) — used for analytics and fraud prevention, not precise tracking.
- Essential cookies: a session cookie that keeps you signed in to the dashboard. See our Cookie Policy.
How we use your data
- Run the service: create and secure your account, generate marketing videos and animated promos, mint pay links, take payment, send receipts, and coordinate delivery.
- Payments & settlement: process charges through Paystack and pay your share to your bank, applying our fee (see Terms).
- Notifications: send transactional WhatsApp messages — receipts, sale alerts, delivery hand-offs, and order nudges.
- Analytics & improvement: understand how links and features perform so we can improve the product. Aggregated or de-identified wherever possible.
- Safety & compliance: prevent fraud and abuse, and meet our legal and tax obligations in Kenya.
Lawful basis (Kenya DPA 2019 / GDPR-aligned)
- Performance of a contract — to provide the service you signed up for.
- Legal obligation — to keep financial and tax records.
- Legitimate interest — to secure, debug, and improve the platform.
- Consent — for any optional marketing communications; you can withdraw it at any time.
Security & retention
How we protect data
- In transit: TLS/HTTPS on every request.
- At rest: encrypted by our hosting provider (Cloudflare D1 & R2).
- Passwords & access codes: PBKDF2-SHA256 with per-record salts — we can never see your password.
- Secrets & webhooks: API keys are stored hashed; inbound webhooks (Paystack, WhatsApp) are verified with HMAC signatures before we trust them.
How long we keep it
- Active accounts: for as long as you use ProductSafi.
- After deletion: a 30-day grace period, then permanent deletion of personal data.
- Financial records: transaction and settlement records are retained as required by Kenyan tax and anti-money-laundering law (generally up to 7 years).
Your rights
Under Kenya’s Data Protection Act, 2019, you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectify — correct data that is wrong or out of date.
- Erase — ask us to delete your data (the “right to be forgotten”), subject to our legal retention duties.
- Restrict or object — limit how we use your data, or opt out of marketing.
- Portability — receive your data in a portable format.
- Complain — lodge a complaint with the Office of the Data Protection Commissioner.
International transfers
ProductSafi runs on Cloudflare’s global edge network, so your data may be processed in data centres outside Kenya to deliver the service quickly and reliably. Our payment and messaging processors (Paystack, Meta) may likewise process data outside Kenya.
We rely on our processors’ data-protection agreements and recognised safeguards (such as standard contractual clauses) to protect data wherever it is processed.
Children
ProductSafi is a tool for businesses and is not directed at children under 18. We do not knowingly collect data from minors; if we learn we have, we delete it.
Changes & contact
We may update this policy from time to time. For significant changes we will notify you by email or an in-app notice. The “Last updated” date below always reflects the current version.
Contact us
- Privacy & data requests: privacy@pesastream.com
- General legal: legal@pesastream.com
- Post: PesaStream Limited, Nairobi, Kenya
Version 1.0 · Last updated 27 June 2026 · © 2026 PesaStream Limited