Privacy Policy

Last updated: June 22, 2026

Read time: 8 min

1. Introduction

Michaelsoft Procurement ("we", "us", or "our") operates the procurement management platform available at procurement.michaelsoft.co.ke. We are committed to protecting the personal data of every person who uses our platform.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the Kenya Data Protection Act 2019 (DPA 2019) and other applicable privacy laws. By accessing or using the platform, you confirm that you have read and understood this policy.

2. Data We Collect

We collect the following categories of personal data:

  • Identity Data: Full name, profile photo (from your Google account), and account username.
  • Contact Data: Email address, phone number, and alternative phone number.
  • Business Data: Supplier names and contacts, purchase orders, product catalogues, pricing history, and expenditure records you enter into the platform.
  • Financial Data: M-Pesa transaction references and payment confirmation codes used to activate license keys. We do not store your M-Pesa PIN, card numbers, or full payment credentials.
  • Technical Data: IP address, browser type, device type, operating system, pages visited, and session timestamps collected automatically when you use the platform.
  • Usage Data: Feature interactions, audit log entries (e.g. order edits, closures), and in-app activity for product improvement purposes.
  • Communications Data: WhatsApp messages sent or received through our WhatsApp Business integration, where applicable.

3. How We Use Your Data

We process your personal data on the following lawful bases under DPA 2019:

  • Contract performance: To create and manage your account, activate your license key, and provide you with access to the platform features you have subscribed to.
  • Legitimate interests: To monitor platform usage, detect fraud, maintain security audit logs, and improve our service.
  • Legal obligation: To comply with applicable Kenyan laws and regulations, including tax and anti-money-laundering obligations where relevant.
  • Consent: To send you product update emails and promotional communications. You may withdraw this consent at any time by contacting us.

4. Third-Party Services & Data Processors

We use the following trusted third-party services to operate the platform. Each acts as a data processor on our behalf and is bound by appropriate data protection agreements:

  • Supabase (PostgreSQL database & authentication): Your account credentials, profile data, orders, supplier records, and all platform data are stored on Supabase-managed infrastructure. Supabase may store data on servers located outside Kenya. We rely on standard contractual clauses and Supabase's compliance certifications to safeguard cross-border transfers. See supabase.com/privacy.
  • Google (Sign-In with Google, Google Analytics): We use Google OAuth for authentication. We also use Google Analytics (GA4) to measure platform usage patterns. Google Analytics uses cookies and may transfer data to Google's servers in the United States. See policies.google.com/privacy.
  • Safaricom M-Pesa (Daraja API): When you pay for a license key via M-Pesa, your phone number and transaction reference are processed by Safaricom's Daraja payment API. We only receive a confirmation reference — not your M-Pesa PIN or credentials. See safaricom.co.ke/terms.
  • Meta / WhatsApp Business API: If you connect WhatsApp notifications, message content may be processed by Meta Platforms in accordance with their privacy policy. See whatsapp.com/legal/privacy-policy.

5. Cookies & Tracking

We use the following types of cookies and similar technologies:

  • Essential cookies: Required for authentication (session tokens) and security. These cannot be disabled without breaking the platform.
  • Analytics cookies: Google Analytics (GA4) places cookies (_ga, _gid) to track page views and feature usage. You can opt out using the Google Analytics Opt-out Add-on.
  • Local storage: We store your theme preference (dark/light mode) and certain UI states in your browser's local storage. This is not used for tracking.

6. Data Retention

We retain your data for as long as necessary to provide the service and comply with our legal obligations:

  • Account & profile data: Retained for the duration of your subscription and for up to 1 year after account closure, unless you request earlier deletion.
  • Order, supplier & pricing data: Retained for 5 years from the date of creation to support business records and dispute resolution.
  • Audit logs: Retained for 3 years for security and compliance purposes.
  • Payment references: Retained for 7 years as required by Kenyan tax and financial record-keeping laws.
  • Analytics data: Google Analytics data is retained for 14 months as configured in our GA4 property.

7. Data Security

We implement industry-standard security measures including TLS encryption in transit, row-level security (RLS) on our database, and server-side authentication token validation on all API requests. Access to production data is restricted to authorised personnel only. Despite these measures, no transmission over the internet is 100% secure. We will notify you as required by DPA 2019 if a data breach is likely to result in risk to your rights and freedoms.

8. Cross-Border Data Transfers

Some of our third-party processors (Supabase, Google) may store or process your data outside Kenya, including in the United States and the European Union. Where such transfers occur, we ensure they are governed by appropriate safeguards — including standard contractual clauses or adequacy decisions — consistent with DPA 2019 requirements.

9. Your Rights Under DPA 2019

As a data subject under the Kenya Data Protection Act 2019, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data where there is no lawful basis for continued processing.
  • Objection: Object to processing based on legitimate interests or for direct marketing purposes.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Lodge a complaint: File a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya.

To exercise any of these rights, contact us at the address below. We will respond within 21 days as required by DPA 2019.

10. Children's Privacy

Michaelsoft Procurement is intended for users aged 16 years and above. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the platform dashboard and updating the "Last updated" date at the top of this page. Continued use of the platform after changes take effect constitutes acceptance of the revised policy.

12. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact our Data Protection Officer: