Privacy Policy

Tranzo POS ("Tranzo POS", "we", "us", "our") provides point-of-sale and business-management software to merchants in Kenya and across Africa. This policy explains what personal data we collect, why we collect it, who we share it with, and your rights. It applies to anyone who uses our web portal, mobile app, desktop app, or any feature we offer.

We take data protection seriously. This policy is written to reflect the requirements of the Kenya Data Protection Act, 2019, and we follow the guidance issued by the Office of the Data Protection Commissioner (ODPC).

1. Who we are

Tranzo POS is operated from Nairobi, Kenya. For any question about this policy, data processing, or your rights, contact us at hello@tranzopos.com.

For the purposes of the Data Protection Act, Tranzo POS acts as a data controller in relation to merchant account holders (the people who sign up with us), and as a data processor in relation to the end-customers of those merchants (people whose details a merchant records in their own POS, e.g. for loyalty or receipts).

2. What data we collect

2.1 Merchant account data

• Name, email address, phone number of the account owner and any staff they invite
• Business name, address, country, KRA PIN (where provided), eTIMS device details
• Payment method details for subscription billing (processed by our payment partners — we never store card numbers)
• Authentication data such as password hashes and session tokens

2.2 Operational data you enter

• Products, prices, stock levels, suppliers, purchases, transfers
• Sales transactions, receipts, cashier shifts, refunds, voids
• End-customer records you choose to save — typically name, phone number, email (optional), date of birth (optional), and loyalty points balance

2.3 Technical data

• IP address, browser or device type, operating system, app version
• Log entries when you or your staff perform actions (who, what, when) — used for audit and fraud prevention
• Device identifiers for Tranzo POS devices enrolled for offline sync

2.4 Communications

If you contact support, we store the content of those messages and any attachments you send.

3. Lawful basis for processing

Under the Data Protection Act, we rely on one of the following lawful bases for each category of processing:

• Performance of a contract — to operate your Tranzo POS account, process your transactions, and deliver the features you have subscribed to
• Legal obligation — to comply with tax law (e.g. eTIMS invoice submission to KRA), anti-money-laundering rules, and lawful orders from Kenyan regulators
• Legitimate interest — for fraud prevention, product improvement, security monitoring, and to send you service announcements
• Consent — for optional features such as marketing emails. You can withdraw consent at any time

4. How we use your data

• To provide and operate the Tranzo POS service
• To send transactional communications — receipts, trial reminders, password resets, subscription invoices, security alerts
• To detect and prevent fraud, abuse, and security incidents
• To comply with tax and other legal obligations
• To improve our product — aggregated, de-identified analytics only; never selling individual data
• With your opt-in consent, to offer new features, insights, or promotions

5. Who we share data with

We only share data with third parties where necessary to operate the service. Our subprocessors are:

• Google Cloud Platform — hosting and storage (Kenya/EU regions)
• Google Cloud Storage — product and receipt image storage
• Google Gemini API — powering the Tranzo AI assistant. Only aggregated business metrics are sent; never raw customer PII
• Resend — transactional email delivery
• Pesapal — online card and mobile-money payment processing
• Safaricom M-Pesa — mobile-money payment processing
• Kenya Revenue Authority (KRA) / eTIMS — tax invoice submission where your business is registered for VAT

Each subprocessor is bound by a data processing agreement that restricts their use of data to the services they provide to Tranzo POS. We do not sell your data to anyone, ever.

6. Cross-border transfers

Some of our subprocessors store data outside Kenya (for example, Google Cloud regions in Europe). Where this happens, we rely on the transfer mechanisms permitted by the Data Protection Act — in most cases this means the processor is certified under a recognised data-protection framework, or we have contractual safeguards in place. You can request a copy of those safeguards at any time.

7. How long we keep data

• Active account data — while your account is active
• Transaction records — seven (7) years after the transaction date, to comply with Kenyan tax law
• Backups — up to 90 days after deletion from primary storage
• Closed accounts — we delete or anonymise merchant account data within 180 days of account closure, except where law requires longer retention

8. Security

We use industry-standard measures to protect data: TLS encryption in transit, encrypted storage at rest, role-based access controls, regular security patching, and tenant isolation so one merchant's data is never accessible to another. No system is perfectly secure; if a breach occurs that affects your data, we will notify the ODPC within 72 hours as required by law, and notify you without undue delay.

9. Your rights

Under the Data Protection Act, you have the right to:

• Access the personal data we hold about you
• Correct data that is inaccurate or incomplete
• Delete your data, subject to our legal retention obligations
• Object to certain kinds of processing (e.g. marketing)
• Withdraw consent where we rely on consent as the lawful basis
• Portability — receive your data in a structured, machine-readable format
• Lodge a complaint with the ODPC at www.odpc.go.ke

To exercise any of these rights, email hello@tranzopos.com. We will respond within 30 days.

10. Cookies and similar technologies

We use cookies and equivalent browser storage to keep you signed in, remember your theme preference (day/night), and measure how the product is used. You can clear cookies at any time in your browser or device settings. Blocking essential cookies will prevent the service from working.

11. Children

Tranzo POS is intended for use by businesses and their staff. We do not knowingly collect data from anyone under 18. If you believe we have done so, contact us and we will delete it.

12. Changes to this policy

We may update this policy as the product evolves or as law changes. When we make material changes, we will notify account owners by email at least 14 days before the changes take effect, and update the "Last updated" date at the top of this page.