Privacy Policy

How Msharti collects, uses and protects your personal data.

1. Introduction

1.1 Our Commitment to Privacy

At Msharti, we take your privacy seriously. We are committed to protecting the personal data of our users, customers, and visitors in accordance with the Data Protection Act, 2019 of Kenya, the Data Protection (General) Regulations, 2021, and international best practices for data protection.

Outlook Innovations Limited is registered with the Office of the Data Protection Commissioner (ODPC) as both a Data Controller and a Data Processor under the Data Protection Act, 2019. Our registration confirms that we have implemented appropriate safeguards for the personal data we process on behalf of our customers and on our own account.

This Privacy Policy explains how Outlook Innovations Limited (“Msharti”, “we”, “us”, or “our”) collects, uses, stores, shares, and protects your personal data when you use our MCP Gateway platform, website, dashboard, and related services (collectively, the “Service”).

1.2 Scope

This Privacy Policy applies to:

  • Visitors to our website (msharti.dev)
  • Registered users of our platform (apps.msharti.dev)
  • Tenants and their authorised users
  • Individuals whose data is processed through our Service
  • Anyone who contacts us or interacts with us online

1.3 Your Rights

Under the Data Protection Act, 2019, you have the following rights regarding your personal data:

  • Right to be informed — about what data we collect and how we use it
  • Right of access — to request a copy of your personal data
  • Right to rectification — to request correction of inaccurate data
  • Right to erasure — to request deletion of your personal data
  • Right to restrict processing — to limit how we use your data
  • Right to data portability — to receive your data in a structured format
  • Right to object — to object to certain types of processing
  • Right to withdraw consent — to withdraw consent at any time
  • Right not to be subject to automated decision-making — including profiling
  • Right to lodge a complaint — with the ODPC

By accessing or using our Service, you consent to the collection, use, and processing of your personal data as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.


2. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person, including but not limited to:

  • Name, email address, phone number, and other contact details
  • Login credentials and authentication tokens
  • IP address, browser type, and device information
  • Usage data and analytics
  • Business data that may include personal identifiers (e.g., M-Pesa phone numbers, KRA PINs)

“Sensitive Personal Data” includes:

  • Financial information (bank account details, M-Pesa transaction data)
  • Tax information (KRA PINs, TCC details)
  • Authentication credentials (API keys, passwords, tokens)

“Data Controller” means Outlook Innovations Limited, which determines the purposes and means of processing personal data.

“Data Processor” means any third party that processes personal data on our behalf, such as cloud hosting providers and API service providers.

“Data Subject” means any individual whose personal data is processed by us.

“Processing” means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

“Third-Party Service” means any external platform connected through our Service, such as Safaricom M-Pesa, KRA, Salesforce, or Microsoft 365.

“Tenant” means the organisation or individual that has created an Account on our Platform.

“Trial” means the 7-day free trial period available to new subscribers on any paid plan. Trial users are subject to this Privacy Policy in full and are treated identically to paid subscribers for the purposes of data collection, processing, and protection.

“User” means any individual authorised by a Tenant to access the Service.


3. What Personal Data We Collect

3.1 Data You Provide Directly

When you create an Account or use our Service, we collect:

Category | Examples | Purpose
Identity Data | Full name, job title, organisation name | Account creation, identification
Contact Data | Email address, phone number, physical address | Communication, support, billing
Account Data | Username, password, profile picture | Authentication, account management
Billing Data | Bank details, M-Pesa number, billing address | Payment processing, invoicing
Credentials | API keys, OAuth tokens, consumer keys/secrets | Connector authentication

3.2 Data We Collect Automatically

When you use our Service, we automatically collect:

Category | Examples | Purpose
Technical Data | IP address, browser type, operating system, device information | Security, analytics, troubleshooting
Usage Data | Tool calls made, connectors used, response times, error rates | Service improvement, billing, monitoring
Log Data | Timestamps, request URLs, HTTP status codes | Security auditing, troubleshooting
Location Data | Approximate location derived from IP address | Security (fraud detection), compliance

3.3 Data from Third-Party Services

When you connect Third-Party Services to Msharti, we may receive:

Source | Data Types | Purpose
M-Pesa Daraja | Transaction records, Paybill/Till numbers, phone numbers (redacted) | Financial queries via AI
KRA GavaConnect | KRA PINs, TCC status, taxpayer names, import certificate data | Tax compliance queries
Microsoft 365 | Email metadata, calendar events, file names (not content) | AI assistant queries
Salesforce | Opportunity names, account details, pipeline data | CRM queries
Other connectors | Data specific to each connected service | AI assistant queries

Important: We do not collect or store the actual content of your emails, files, or messages unless you explicitly enable the Data Retention Service.

3.4 Data from Communications

When you contact us, we collect:

  • Email content and attachments
  • Chat transcripts
  • Phone call recordings (with prior consent)
  • Feedback and survey responses

4. How We Collect Your Data

We collect personal data through the following methods:

Method | Description
Direct input | Data you enter when registering, setting up connectors, or updating your profile
Automated collection | Data collected via cookies, server logs, and analytics tools
Third-party APIs | Data received from connected services (M-Pesa, KRA, Salesforce, etc.)
Communications | Data from emails, support tickets, and phone calls
Referrals | Data provided by colleagues or partners who invite you to the platform

We process your personal data for the following purposes and legal bases:

5.1 To Provide the Service (Performance of Contract)

We process your data to:

  • Create and manage your Account
  • Authenticate you and authorise access
  • Connect your business systems to AI assistants
  • Process tool calls and return results
  • Provide customer support

Legal basis: Performance of a contract (Section 30(1)(a), Data Protection Act, 2019)

5.2 To Improve the Service (Legitimate Interest)

We process your data to:

  • Monitor service performance and uptime
  • Analyse usage patterns to improve features
  • Detect and fix bugs and errors
  • Develop new features and connectors

Legal basis: Legitimate interest (Section 30(1)(c), Data Protection Act, 2019)

We process your data to:

  • Detect and prevent prompt injection attacks
  • Identify and block suspicious activity
  • Maintain audit logs for compliance
  • Protect against unauthorised access

Legal basis: Legal obligation and vital interest (Section 30(1)(d), Data Protection Act, 2019)

With your consent, we may use your data to:

  • Send product updates and newsletters
  • Invite you to events and webinars
  • Request feedback and testimonials

Legal basis: Consent (Section 30(1)(b), Data Protection Act, 2019)

You can withdraw consent at any time by:

  • Clicking “Unsubscribe” in any marketing email
  • Emailing legal@msharti.dev
  • Updating preferences in your dashboard

5.5 For Billing and Payment (Performance of Contract)

We process your data to:

  • Generate invoices
  • Process payments
  • Send payment reminders
  • Handle billing disputes

Legal basis: Performance of a contract

If you subscribe to the Data Retention Service, we process historical data:

  • To store M-Pesa transactions beyond 48 hours
  • To archive emails or messages
  • To enable historical queries

Legal basis: Consent (for historical storage) or performance of contract


6. How We Share Your Data

6.1 Within Msharti

Your data is accessible only to authorised Msharti employees who need it to perform their duties. All employees are bound by confidentiality agreements and data protection training.

6.2 With Third-Party Service Providers

We share data with the following categories of processors:

Category | Provider | Purpose | Location
Cloud hosting | Amazon Web Services (AWS) | Infrastructure | South Africa
Database | Managed database service | Database hosting | United States (with data residency controls)
Authentication | OAuth 2.1 identity provider | Identity management | South Africa
Cache | Secure session cache | Token caching | South Africa
Email | Transactional email provider | Email delivery | Various
Analytics | Usage analytics provider | Usage analytics | United States / EU
Payment | Payment processing provider | Payment processing | Kenya / Various

All third-party processors are bound by data processing agreements that comply with the Data Protection Act, 2019.

6.3 With Third-Party Services (Your Connected Systems)

When you use our Service, we transmit data to the Third-Party Services you have connected (e.g., Safaricom, KRA, Salesforce). These services are independent data controllers, and their privacy policies govern how they process your data.

We may disclose your data when required by:

  • A court order or subpoena
  • A lawful request from law enforcement
  • A regulatory requirement (e.g., ODPC, CBK, KRA)
  • To protect our rights, property, or safety

6.5 In Case of Business Transfer

If Msharti is acquired, merged, or undergoes a change of control, your data may be transferred to the acquiring entity. We will notify you before this happens.

6.6 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes.


7. Data Retention

7.1 Retention Periods

We retain your personal data for as long as necessary to fulfil the purposes outlined in this Privacy Policy:

Data Category | Retention Period | Rationale
Account Data | Duration of Account + 2 years | Legal obligations, dispute resolution
Credentials | Duration of Account + 30 days | Immediate deletion upon disconnection
Audit Logs | 7 years | Regulatory compliance, fraud investigation
Usage Data | 2 years | Service improvement, billing verification
Customer Data (real-time) | 24 hours (unless Data Retention enabled) | Real-time processing only
Data Retention Service | Per subscription (3, 12, or 24 months) | Contractual obligation
Marketing Data | Until consent withdrawn + 1 year | Consent management
Support Tickets | 3 years | Quality assurance, legal protection

7.2 Data Retention Service

If you subscribe to the Data Retention Service, we store historical data for the duration specified in your subscription. You can:

  • View what data is retained in your dashboard
  • Export retained data at any time
  • Request deletion of specific data
  • Cancel the service at any time (data deleted within 30 days)

7.3 Anonymisation

After the retention period expires, we either delete your data or anonymise it so that it can no longer be associated with you. Anonymised data may be retained indefinitely for statistical and analytical purposes.


8. Data Security

8.1 Technical Measures

We implement the following technical security measures:

Measure | Description
Encryption at rest | AES-256-GCM for all stored credentials and sensitive data
Encryption in transit | TLS 1.3 for all data transmitted over the internet
Tenant isolation | JWT-based access control with per-tenant scoping
Secret management | Encryption keys stored separately from application data, in an isolated key store
Injection detection | Automated scanning of all tool calls for prompt injection
Secret stripping | Automatic redaction of sensitive data from API responses
RBAC | Role-based access control for all users
Rate limiting | Per-tenant rate limiting to prevent abuse
Backup encryption | All backups encrypted and stored separately
Penetration testing | Annual third-party security assessments

8.2 Organisational Measures

Measure | Description
Staff training | Annual data protection training for all employees
Confidentiality agreements | All employees sign NDAs and data protection clauses
Access controls | Principle of least privilege — minimum access necessary
Incident response | Documented breach notification procedures
Regular audits | Internal and external audits of data processing

8.3 Breach Notification

In the event of a personal data breach, we will:

  1. Notify the ODPC within 72 hours of becoming aware
  2. Notify affected data subjects without undue delay
  3. Provide details of the breach, its likely consequences, and measures taken
  4. Document the breach and our response

9. Data Subject Rights

9.1 How to Exercise Your Rights

To exercise any of your rights under the Data Protection Act, 2019, please contact us at legal@msharti.dev with the subject line “Data Subject Request”. We will respond within 7 days of receiving your request. Where a request is complex or we receive a number of simultaneous requests, we may extend this period by up to a further 30 days, and will notify you within the initial 7-day period explaining the reason for the extension.

9.2 Right to Access

You have the right to request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, and machine-readable format.

9.3 Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data.

9.4 Right to Erasure (“Right to be Forgotten”)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent and there is no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • The data must be deleted for legal compliance

Exceptions: We may retain data where required by law or for legitimate legal claims.

9.5 Right to Restrict Processing

You have the right to request that we limit how we use your data, for example:

  • While we verify the accuracy of data you dispute
  • When processing is unlawful but you oppose deletion
  • When we no longer need the data but you need it for legal claims

9.6 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used format (e.g., JSON, CSV) and to transmit it to another controller.

9.7 Right to Object

You have the right to object to:

  • Processing based on legitimate interests
  • Direct marketing
  • Processing for statistical purposes

Where processing is based on consent, you may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

9.9 Right Not to Be Subject to Automated Decision-Making

Msharti is a data gateway — we route queries between AI assistants and business systems and do not generate decisions ourselves. We do not make decisions that produce legal or significant effects on individuals based solely on automated processing. No profiling for decision-making is carried out by Msharti as a controller.

9.10 Right to Lodge a Complaint

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with:

Office of the Data Protection Commissioner (ODPC)
Website: https://www.odpc.go.ke
Email: complaints@odpc.go.ke
Phone: +254 20 2677 000
Address: P.O. Box 474, 00100 Nairobi, Kenya


10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help us remember your preferences and understand how you use our Service.

10.2 Types of Cookies We Use

Cookie Type | Purpose | Duration
Essential | Authentication, security, account functionality | Session / 30 days
Preferences | Language, display settings | 1 year
Analytics | Usage patterns, feature adoption | 2 years
Marketing | Ad performance, campaign tracking | 1 year

10.3 Third-Party Cookies

We use third-party analytics services that may set their own cookies. These help us understand how users interact with our Service.

When you first visit our website, we show a cookie consent banner. You can:

  • Accept all cookies
  • Accept only essential cookies
  • Customise your preferences
  • Change your preferences at any time via the footer link

10.5 How to Control Cookies

You can manage cookies through your browser settings:

  • Chrome: Settings → Privacy and security → Cookies
  • Firefox: Preferences → Privacy & Security → Cookies
  • Safari: Preferences → Privacy → Cookies
  • Edge: Settings → Cookies and site permissions

Note that disabling essential cookies may prevent you from using certain features.


11. Children’s Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at legal@msharti.dev, and we will delete it promptly.


12. International Data Transfers

12.1 Where Your Data is Stored

Our primary infrastructure is hosted on AWS in South Africa. Some data may be processed by our sub-processors in other jurisdictions:

Sub-Processor | Location | Safeguard
AWS EC2 | South Africa | Data residency controls
Supabase | United States | Data Processing Agreement
Transactional email provider | United States | Standard Contractual Clauses
Usage analytics provider | United States / EU | Standard Contractual Clauses

12.2 Transfer Safeguards

When we transfer personal data outside Kenya, we ensure appropriate safeguards are in place. Kenya’s ODPC has not yet published a list of countries with adequate data protection levels, nor approved a set of standard contractual clauses. In the absence of these instruments, we rely on the following safeguards:

  • Data Processing Agreements (DPAs) binding all sub-processors to confidentiality, security, and data-minimisation obligations consistent with the Data Protection Act, 2019
  • Contractual protections incorporating data protection obligations at least equivalent to those required under Kenyan law, drawing on internationally recognised frameworks where applicable
  • Technical measures — AES-256 encryption at rest and TLS 1.3 in transit — for all cross-border data flows
  • Purpose limitation — data transferred internationally is limited to what is strictly necessary to provide the Service

We keep these safeguards under review and will update them as the ODPC publishes formal instruments for international transfers.

12.3 Data Residency for Enterprise

For Enterprise customers with data residency requirements, we offer:

  • Self-hosted deployment on your own infrastructure in Kenya
  • Dedicated cloud instances in a jurisdiction of your choice
  • Custom data processing agreements

13. Special Categories of Data

13.1 Financial Data

When you connect M-Pesa or banking systems, we process transaction data. We:

  • Encrypt all transaction data at rest
  • Strip phone numbers and account numbers from responses
  • Do not store transaction content beyond what is necessary for real-time processing
  • Log access to financial data for audit purposes

13.2 Tax Data

When you connect KRA, we process KRA PINs and tax compliance data. We:

  • Encrypt KRA credentials with AES-256-GCM
  • Mask KRA PINs in audit logs
  • Do not share KRA data with unauthorised parties
  • Comply with KRA’s data usage policies

13.3 Biometric Data

We do not collect, store, or process biometric data (fingerprints, facial recognition, etc.).


14. Data Retention Service — Additional Terms

If you subscribe to the Data Retention Service, the following additional terms apply:

14.1 What We Store

We store historical data from connected services as specified in your subscription. For example:

  • M-Pesa transactions (beyond the 48-hour Daraja window)
  • Email metadata (not content, unless explicitly enabled)
  • Support ticket history
  • Analytics data

14.2 How Long We Store It

Retention Plan | Duration | Extension
Standard | 3 months | No
Extended | 12 months | +50% surcharge
Long-term | 24 months | Custom pricing

14.3 Your Controls

You can:

  • View all retained data in your dashboard
  • Export data in JSON or CSV format
  • Request deletion of specific records
  • Pause the retention service (new data not stored)
  • Cancel the service (all retained data deleted within 30 days)

When you enable Data Retention, we record:

  • Your explicit consent
  • Timestamp and IP address
  • What data types are retained
  • Retention duration
  • Your right to withdraw consent

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:

  • Post the updated policy on our website
  • Update the “Last Updated” date at the top
  • Notify you of material changes by email at least 30 days in advance
  • For significant changes, require renewed consent where necessary

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.


16. Contact Us

16.1 Data Protection Officer

Name: Data Protection Officer, Msharti
Email: legal@msharti.dev
Role: Responsible for overseeing data protection compliance and handling data subject requests.

16.2 General Inquiries

Company: Outlook Innovations Limited
Trading as: Msharti
Email: support@msharti.dev
Website: https://msharti.dev
Address: Nairobi, Kenya
Business Hours: Monday–Friday, 08:00–17:00 EAT

16.3 Complaints

If you are not satisfied with our response to your data protection concerns, you may lodge a complaint with:

Office of the Data Protection Commissioner (ODPC)
Website: https://www.odpc.go.ke
Email: complaints@odpc.go.ke
Phone: +254 20 2677 000
Address: P.O. Box 474, 00100 Nairobi, Kenya


17. Governing Law

This Privacy Policy is governed by the laws of the Republic of Kenya, including:

  • The Data Protection Act, 2019
  • The Data Protection (General) Regulations, 2021
  • The Computer Misuse and Cybercrimes Act, 2018
  • The Kenya Information and Communications Act, 1998

Any dispute arising from this Privacy Policy shall be resolved in accordance with the dispute resolution provisions in our Terms and Conditions.


END OF PRIVACY POLICY

For our Terms and Conditions, see https://msharti.dev/terms