Privacy Policy

1. Scope of this policy

This Privacy Policy explains how Spid ERP handles personal data and related business information when you visit our website, request a demo, subscribe to our services, or use our enterprise platform.

Where Spid ERP processes personal data on behalf of a customer, the customer remains the data controller for that business data and Spid ERP acts as a processor or service provider to the extent set out in the applicable service agreement.

2. Information we collect

We collect only the categories of information reasonably necessary to provide, secure, support, and improve the service.

• Identity and contact details such as names, work email addresses, phone numbers, company names, and job titles.
• Account and service data such as usernames, access logs, audit history, configuration settings, and support records.
• Commercial and transaction information relevant to subscriptions, invoices, implementation work, and service usage.
• Technical information such as IP address, browser type, device information, cookie identifiers, and system activity logs.
• Customer-submitted data stored within the ERP environment, which may include employee, supplier, customer, inventory, finance, payroll, or tax-related records depending on the modules in use.

3. How we use information

• To respond to enquiries, schedule demos, and onboard new customers.
• To deliver ERP services, maintain uptime, secure accounts, and provide customer support.
• To generate invoices, process payments, and manage commercial relationships.
• To comply with legal, regulatory, audit, tax, and anti-fraud obligations that apply in Kenya or in other jurisdictions where our customers operate.
• To improve system reliability, integrations, reporting, and user experience using aggregated or minimised operational data.

4. Legal basis for processing

Where Kenyan data protection law applies, we rely on lawful grounds including performance of a contract, legitimate interests in operating and securing the platform, compliance with legal obligations, and consent where consent is the appropriate basis.

If consent is relied upon for optional communications or non-essential cookies, you may withdraw that consent at any time, subject to the lawfulness of processing carried out before withdrawal.

5. When we share information

We do not sell personal data. We may share information only where it is necessary and proportionate for service delivery or legal compliance.

• Hosting, backup, analytics, email, and communications providers who support the platform under confidentiality and security obligations.
• Implementation, support, or integration partners acting on our instructions for a customer project.
• Payment processors, banks, mobile money providers, or invoicing partners where required to process subscriptions or setup fees.
• Regulators, courts, law enforcement agencies, or professional advisers where disclosure is required by law or reasonably necessary to establish, exercise, or defend legal claims.

6. Cross-border transfers

Some of our service providers may process data outside Kenya. Where cross-border transfers occur, we take reasonable steps to ensure the transfer is permitted under applicable law and protected by contractual, organisational, or technical safeguards.

7. Retention and deletion

We retain information only for as long as it is needed for the purpose for which it was collected, to meet contractual obligations, to maintain legitimate business records, and to comply with tax, audit, dispute, and statutory retention requirements.

Customer data is ordinarily returned, deleted, or anonymised after the applicable contract ends, subject to backup cycles, legal holds, or agreed transition periods.

8. Security measures

• Encryption in transit and access controls based on user roles and permissions.
• Operational logging, audit trails, and monitoring designed to detect misuse or unauthorised access.
• Reasonable backup, recovery, and incident-response procedures suitable for a business-critical ERP environment.

9. Your rights

Subject to applicable law, you may have the right to access, correct, update, delete, restrict, object to, or port personal data, and to lodge a complaint with the Office of the Data Protection Commissioner in Kenya where appropriate.

Requests should be sent to our contact address below. We may need to verify identity and authority before acting on a request, especially where business account data is involved.

10. Contact us

For privacy questions, data subject requests, or security concerns, contact us at hello@spid-erp.com. If you are a customer administrator, please channel platform-related requests through your authorised account contact where possible so we can validate instructions efficiently.