Privacy Policy
How Msharti collects, uses and protects your personal data.
1. Introduction
1.1 Our Commitment to Privacy
At Msharti, we take your privacy seriously. We are committed to protecting the personal data of our users, customers, and visitors in accordance with the Data Protection Act, 2019 of Kenya, the Data Protection (General) Regulations, 2021, and international best practices for data protection.
Outlook Innovations Limited is registered with the Office of the Data Protection Commissioner (ODPC) as both a Data Controller and a Data Processor under the Data Protection Act, 2019. Our registration confirms that we have implemented appropriate safeguards for the personal data we process on behalf of our customers and on our own account.
This Privacy Policy explains how Outlook Innovations Limited (“Msharti”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects your personal data when you use our MCP Gateway platform, website, dashboard, and related services (collectively, the “Service”).
1.2 Scope
This Privacy Policy applies to:
- Visitors to our website (msharti.dev)
- Registered users of our platform (apps.msharti.dev)
- Tenants and their authorised users
- Individuals whose data is processed through our Service
- Anyone who contacts us or interacts with us online
1.3 Your Rights
Under the Data Protection Act, 2019, you have the following rights regarding your personal data:
- Right to be informed — about what data we collect and how we use it
- Right of access — to request a copy of your personal data
- Right to rectification — to request correction of inaccurate data
- Right to erasure — to request deletion of your personal data
- Right to restrict processing — to limit how we use your data
- Right to data portability — to receive your data in a structured format
- Right to object — to object to certain types of processing
- Right to withdraw consent — to withdraw consent at any time
- Right not to be subject to automated decision-making — including profiling
- Right to lodge a complaint — with the ODPC
1.4 Consent
By accessing or using our Service, you consent to the collection, use, and processing of your personal data as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.
2. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to:
- Name, email address, phone number, and other contact details
- Login credentials and authentication tokens
- IP address, browser type, and device information
- Usage data and analytics
- Business data that may include personal identifiers (e.g., M-Pesa phone numbers, KRA PINs)
“Sensitive Personal Data” includes:
- Financial information (bank account details, M-Pesa transaction data)
- Tax information (KRA PINs, TCC details)
- Authentication credentials (API keys, passwords, tokens)
“Data Controller” means Outlook Innovations Limited, which determines the purposes and means of processing personal data.
“Data Processor” means any third party that processes personal data on our behalf, such as cloud hosting providers and API service providers.
“Data Subject” means any individual whose personal data is processed by us.
“Processing” means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
“Third-Party Service” means any external platform connected through our Service, such as Safaricom M-Pesa, KRA, Salesforce, or Microsoft 365.
“Tenant” means the organisation or individual that has created an Account on our Platform.
“Trial” means the 7-day free trial period available to new subscribers on any paid plan. Trial users are subject to this Privacy Policy in full and are treated identically to paid subscribers for the purposes of data collection, processing, and protection.
“User” means any individual authorised by a Tenant to access the Service.
3. What Personal Data We Collect
3.1 Data You Provide Directly
When you create an Account or use our Service, we collect:
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | Full name, job title, organisation name | Account creation, identification |
| Contact Data | Email address, phone number, physical address | Communication, support, billing |
| Account Data | Username, password, profile picture | Authentication, account management |
| Billing Data | Bank details, M-Pesa number, billing address | Payment processing, invoicing |
| Credentials | API keys, OAuth tokens, consumer keys/secrets | Connector authentication |
3.2 Data We Collect Automatically
When you use our Service, we automatically collect:
| Category | Examples | Purpose |
|---|---|---|
| Technical Data | IP address, browser type, operating system, device information | Security, analytics, troubleshooting |
| Usage Data | Tool calls made, connectors used, response times, error rates | Service improvement, billing, monitoring |
| Log Data | Timestamps, request URLs, HTTP status codes | Security auditing, troubleshooting |
| Location Data | Approximate location derived from IP address | Security (fraud detection), compliance |
3.3 Data from Third-Party Services
When you connect Third-Party Services to Msharti, we may receive:
| Source | Data Types | Purpose |
|---|---|---|
| M-Pesa Daraja | Transaction records, Paybill/Till numbers, phone numbers (redacted) | Financial queries via AI |
| KRA GavaConnect | KRA PINs, TCC status, taxpayer names, import certificate data | Tax compliance queries |
| Microsoft 365 | Email metadata, calendar events, file names (not content) | AI assistant queries |
| Salesforce | Opportunity names, account details, pipeline data | CRM queries |
| Other connectors | Data specific to each connected service | AI assistant queries |
Important: We do not collect or store the actual content of your emails, files, or messages unless you explicitly enable the Data Retention Service.
3.4 Data from Communications
When you contact us, we collect:
- Email content and attachments
- Chat transcripts
- Phone call recordings (with prior consent)
- Feedback and survey responses
4. How We Collect Your Data
We collect personal data through the following methods:
| Method | Description |
|---|---|
| Direct input | Data you enter when registering, setting up connectors, or updating your profile |
| Automated collection | Data collected via cookies, server logs, and analytics tools |
| Third-party APIs | Data received from connected services (M-Pesa, KRA, Salesforce, etc.) |
| Communications | Data from emails, support tickets, and phone calls |
| Referrals | Data provided by colleagues or partners who invite you to the platform |
5. Purpose and Legal Basis for Processing
We process your personal data for the following purposes and legal bases:
5.1 To Provide the Service (Performance of Contract)
We process your data to:
- Create and manage your Account
- Authenticate you and authorise access
- Connect your business systems to AI assistants
- Process tool calls and return results
- Provide customer support
Legal basis: Performance of a contract (Section 30(1)(a), Data Protection Act, 2019)
5.2 To Improve the Service (Legitimate Interest)
We process your data to:
- Monitor service performance and uptime
- Analyse usage patterns to improve features
- Detect and fix bugs and errors
- Develop new features and connectors
Legal basis: Legitimate interest (Section 30(1)(c), Data Protection Act, 2019)
5.3 For Security and Fraud Prevention (Legal Obligation / Vital Interest)
We process your data to:
- Detect and prevent prompt injection attacks
- Identify and block suspicious activity
- Maintain audit logs for compliance
- Protect against unauthorised access
Legal basis: Legal obligation and vital interest (Section 30(1)(d), Data Protection Act, 2019)
5.4 For Marketing and Communication (Consent)
With your consent, we may use your data to:
- Send product updates and newsletters
- Invite you to events and webinars
- Request feedback and testimonials
Legal basis: Consent (Section 30(1)(b), Data Protection Act, 2019)
You can withdraw consent at any time by:
- Clicking “Unsubscribe” in any marketing email
- Emailing legal@msharti.dev
- Updating preferences in your dashboard
5.5 For Billing and Payment (Performance of Contract)
We process your data to:
- Generate invoices
- Process payments
- Send payment reminders
- Handle billing disputes
Legal basis: Performance of a contract
5.6 For Data Retention Service (Consent / Contract)
If you subscribe to the Data Retention Service, we process historical data:
- To store M-Pesa transactions beyond 48 hours
- To archive emails or messages
- To enable historical queries
Legal basis: Consent (for historical storage) or performance of contract
6. How We Share Your Data
6.1 Within Msharti
Your data is accessible only to authorised Msharti employees who need it to perform their duties. All employees are bound by confidentiality agreements and receive data protection training.
6.2 With Third-Party Service Providers
We share data with the following categories of processors:
| Category | Provider | Purpose | Location |
|---|---|---|---|
| Cloud hosting | Amazon Web Services (AWS) | Infrastructure | South Africa |
| Database | Managed database service | Database hosting | United States (with data residency controls) |
| Authentication | OAuth 2.1 identity provider | Identity management | South Africa |
| Cache | Secure session cache | Token caching | South Africa |
| Email | Transactional email provider | Email delivery | Various |
| Analytics | Usage analytics provider | Usage analytics | United States / EU |
| Payment | Payment processing provider | Payment processing | Kenya / Various |
All third-party processors are bound by data processing agreements that comply with the Data Protection Act, 2019.
6.3 With Third-Party Services (Your Connected Systems)
When you use our Service, we transmit data to the Third-Party Services you have connected (e.g., Safaricom, KRA, Salesforce). These services are independent data controllers, and their privacy policies govern how they process your data.
6.4 For Legal Compliance
We may disclose your data when required by:
- A court order or subpoena
- A lawful request from law enforcement
- A regulatory requirement (e.g., ODPC, CBK, KRA)
- The need to protect our rights, property, or safety
6.5 In Case of Business Transfer
If Msharti is acquired, merged, or undergoes a change of control, your data may be transferred to the acquiring entity. We will notify you before this happens.
6.6 We Do NOT Sell Your Data
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
7. Data Retention
7.1 Retention Periods
We retain your personal data for as long as necessary to fulfil the purposes outlined in this Privacy Policy:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account Data | Duration of Account + 2 years | Legal obligations, dispute resolution |
| Credentials | Duration of Account + 30 days | Immediate deletion upon disconnection |
| Audit Logs | 7 years | Regulatory compliance, fraud investigation |
| Usage Data | 2 years | Service improvement, billing verification |
| Customer Data (real-time) | 24 hours (unless Data Retention enabled) | Real-time processing only |
| Data Retention Service | Per subscription (3, 12, or 24 months) | Contractual obligation |
| Marketing Data | Until consent withdrawn + 1 year | Consent management |
| Support Tickets | 3 years | Quality assurance, legal protection |
7.2 Data Retention Service
If you subscribe to the Data Retention Service, we store historical data for the duration specified in your subscription. You can:
- View what data is retained in your dashboard
- Export retained data at any time
- Request deletion of specific data
- Cancel the service at any time (data deleted within 30 days)
7.3 Anonymisation
After the retention period expires, we either delete your data or anonymise it so that it can no longer be associated with you. Anonymised data may be retained indefinitely for statistical and analytical purposes.
8. Data Security
8.1 Technical Measures
We implement the following technical security measures:
| Measure | Description |
|---|---|
| Encryption at rest | AES-256-GCM for all stored credentials and sensitive data |
| Encryption in transit | TLS 1.3 for all data transmitted over the internet |
| Tenant isolation | JWT-based access control with per-tenant scoping |
| Secret management | Encryption keys stored separately from application data, in an isolated key store |
| Injection detection | Automated scanning of all tool calls for prompt injection |
| Secret stripping | Automatic redaction of sensitive data from API responses |
| RBAC | Role-based access control for all users |
| Rate limiting | Per-tenant rate limiting to prevent abuse |
| Backup encryption | All backups encrypted and stored separately |
| Penetration testing | Annual third-party security assessments |
8.2 Organisational Measures
| Measure | Description |
|---|---|
| Staff training | Annual data protection training for all employees |
| Confidentiality agreements | All employees sign NDAs and data protection clauses |
| Access controls | Principle of least privilege — minimum access necessary |
| Incident response | Documented breach notification procedures |
| Regular audits | Internal and external audits of data processing |
8.3 Breach Notification
In the event of a personal data breach, we will:
- Notify the ODPC within 72 hours of becoming aware
- Notify affected data subjects without undue delay
- Provide details of the breach, its likely consequences, and measures taken
- Document the breach and our response
9. Data Subject Rights
9.1 How to Exercise Your Rights
To exercise any of your rights under the Data Protection Act, 2019, please contact us at legal@msharti.dev with the subject line “Data Subject Request”. We will respond within 7 days of receiving your request. Where a request is complex or we receive a number of simultaneous requests, we may extend this period by up to a further 30 days, and will notify you within the initial 7-day period explaining the reason for the extension.
9.2 Right to Access
You have the right to request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, and machine-readable format.
9.3 Right to Rectification
You have the right to request correction of any inaccurate or incomplete personal data.
9.4 Right to Erasure (“Right to be Forgotten”)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
- The data must be deleted for legal compliance
Exceptions: We may retain data where required by law or for legitimate legal claims.
9.5 Right to Restrict Processing
You have the right to request that we limit how we use your data, for example:
- While we verify the accuracy of data you dispute
- When processing is unlawful but you oppose deletion
- When we no longer need the data but you need it for legal claims
9.6 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used format (e.g., JSON, CSV) and to transmit it to another controller.
9.7 Right to Object
You have the right to object to:
- Processing based on legitimate interests
- Direct marketing
- Processing for statistical purposes
9.8 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
9.9 Right Not to Be Subject to Automated Decision-Making
Msharti is a data gateway — we route queries between AI assistants and business systems and do not generate decisions ourselves. We do not make decisions that produce legal or significant effects on individuals based solely on automated processing. No profiling for decision-making is carried out by Msharti as a controller.
9.10 Right to Lodge a Complaint
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with:
Office of the Data Protection Commissioner (ODPC)
Website: https://www.odpc.go.ke
Email: complaints@odpc.go.ke
Phone: +254 20 2677 000
Address: P.O. Box 474, 00100 Nairobi, Kenya
10. Cookies and Tracking Technologies
10.1 What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help us remember your preferences and understand how you use our Service.
10.2 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, account functionality | Session / 30 days |
| Preferences | Language, display settings | 1 year |
| Analytics | Usage patterns, feature adoption | 2 years |
| Marketing | Ad performance, campaign tracking | 1 year |
10.3 Third-Party Cookies
We use third-party analytics services that may set their own cookies. These help us understand how users interact with our Service.
10.4 Cookie Consent
When you first visit our website, we show a cookie consent banner. You can:
- Accept all cookies
- Accept only essential cookies
- Customise your preferences
- Change your preferences at any time via the footer link
10.5 How to Control Cookies
You can manage cookies through your browser settings:
- Chrome: Settings → Privacy and security → Cookies
- Firefox: Preferences → Privacy & Security → Cookies
- Safari: Preferences → Privacy → Cookies
- Edge: Settings → Cookies and site permissions
Note that disabling essential cookies may prevent you from using certain features.
11. Children’s Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at legal@msharti.dev, and we will delete it promptly.
12. International Data Transfers
12.1 Where Your Data is Stored
Our primary infrastructure is hosted on AWS in South Africa. Some data may be processed by our sub-processors in other jurisdictions:
| Sub-Processor | Location | Safeguard |
|---|---|---|
| AWS EC2 | South Africa | Data residency controls |
| Supabase | United States | Data Processing Agreement |
| Transactional email provider | United States | Standard Contractual Clauses |
| Usage analytics provider | United States / EU | Standard Contractual Clauses |
12.2 Transfer Safeguards
When we transfer personal data outside Kenya, we ensure appropriate safeguards are in place. Kenya’s ODPC has not yet published a list of countries with adequate data protection levels, nor approved a set of standard contractual clauses. In the absence of these instruments, we rely on the following safeguards:
- Data Processing Agreements (DPAs) binding all sub-processors to confidentiality, security, and data-minimisation obligations consistent with the Data Protection Act, 2019
- Contractual protections incorporating data protection obligations at least equivalent to those required under Kenyan law, drawing on internationally recognised frameworks where applicable
- Technical measures — AES-256 encryption at rest and TLS 1.3 in transit — for all cross-border data flows
- Purpose limitation — data transferred internationally is limited to what is strictly necessary to provide the Service
We keep these safeguards under review and will update them as the ODPC publishes formal instruments for international transfers.
12.3 Data Residency for Enterprise
For Enterprise customers with data residency requirements, we offer:
- Self-hosted deployment on your own infrastructure in Kenya
- Dedicated cloud instances in a jurisdiction of your choice
- Custom data processing agreements
13. Special Categories of Data
13.1 Financial Data
When you connect M-Pesa or banking systems, we process transaction data. We:
- Encrypt all transaction data at rest
- Strip phone numbers and account numbers from responses
- Do not store transaction content beyond what is necessary for real-time processing
- Log access to financial data for audit purposes
13.2 Tax Data
When you connect KRA, we process KRA PINs and tax compliance data. We:
- Encrypt KRA credentials with AES-256-GCM
- Mask KRA PINs in audit logs
- Do not share KRA data with unauthorised parties
- Comply with KRA’s data usage policies
13.3 Biometric Data
We do not collect, store, or process biometric data (fingerprints, facial recognition, etc.).
14. Data Retention Service — Additional Terms
If you subscribe to the Data Retention Service, the following additional terms apply:
14.1 What We Store
We store historical data from connected services as specified in your subscription. For example:
- M-Pesa transactions (beyond the 48-hour Daraja window)
- Email metadata (not content, unless explicitly enabled)
- Support ticket history
- Analytics data
14.2 How Long We Store It
| Retention Plan | Duration | Extension |
|---|---|---|
| Standard | 3 months | No |
| Extended | 12 months | +50% surcharge |
| Long-term | 24 months | Custom pricing |
14.3 Your Controls
You can:
- View all retained data in your dashboard
- Export data in JSON or CSV format
- Request deletion of specific records
- Pause the retention service (new data not stored)
- Cancel the service (all retained data deleted within 30 days)
14.4 Consent Record
When you enable Data Retention, we record:
- Your explicit consent
- Timestamp and IP address
- What data types are retained
- Retention duration
- Your right to withdraw consent
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:
- Post the updated policy on our website
- Update the “Last Updated” date at the top
- Notify you of material changes by email at least 30 days in advance
- For significant changes, require renewed consent where necessary
Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.
16. Contact Us
16.1 Data Protection Officer
Name: Data Protection Officer, Msharti
Email: legal@msharti.dev
Role: Responsible for overseeing data protection compliance and handling data subject requests.
16.2 General Inquiries
Company: Outlook Innovations Limited
Trading as: Msharti
Email: support@msharti.dev
Website: https://msharti.dev
Address: Nairobi, Kenya
Business Hours: Monday–Friday, 08:00–17:00 EAT
16.3 Complaints
If you are not satisfied with our response to your data protection concerns, you may lodge a complaint with:
Office of the Data Protection Commissioner (ODPC)
Website: https://www.odpc.go.ke
Email: complaints@odpc.go.ke
Phone: +254 20 2677 000
Address: P.O. Box 474, 00100 Nairobi, Kenya
17. Governing Law
This Privacy Policy is governed by the laws of the Republic of Kenya, including:
- The Data Protection Act, 2019
- The Data Protection (General) Regulations, 2021
- The Computer Misuse and Cybercrimes Act, 2018
- The Kenya Information and Communications Act, 1998
Any dispute arising from this Privacy Policy shall be resolved in accordance with the dispute resolution provisions in our Terms and Conditions.
END OF PRIVACY POLICY
For our Terms and Conditions, see https://msharti.dev/terms