Privacy Policy

Account Information: Name, email address, phone number, and authentication credentials when you create an account or accept a portal invite.

Employee Data: When your employer uses QaliSuite for HR management, we process employee information including personal details (name, national ID, KRA PIN, NSSF/SHIF numbers), employment details (department, designation, hire date), compensation and payroll data, leave balances and requests, attendance records, and uploaded documents (ID copies, certificates).

Financial Data: Invoice, expense, bill, and payment records created by your organisation in the course of business operations.

Usage Data: IP address, browser type, device information, and interaction patterns to maintain security and improve the service.

We use the information collected to:

• Provide and operate the QaliSuite platform and its modules (inventory, invoicing, accounting, HR, payroll, projects)
• Process payroll, calculate statutory deductions (PAYE, NSSF, SHIF, AHL), and generate compliance reports
• Manage employee records, leave requests, attendance, and benefits
• Generate financial reports, tax filings, and audit trails
• Send transactional notifications (portal invites, password resets, payslip availability)
• Maintain security, prevent fraud, and enforce our terms of service

We do not sell your personal data to third parties. We do not use your data for advertising.

We process your personal data under the following legal bases as defined by the Kenya Data Protection Act, 2019:

• Contractual necessity: To provide the services your organisation has subscribed to
• Legal obligation: To comply with Kenyan tax, employment, and statutory reporting requirements (KRA, NSSF, SHIF, AHL)
• Legitimate interest: To maintain platform security, prevent fraud, and improve our services
• Consent: For optional communications and marketing, which you may withdraw at any time

We share your data only in the following circumstances:

• Your employer: Employee data is accessible to authorised users within your organisation based on their role (Admin, HR, Manager)
• Service providers: We use trusted third-party providers for hosting (Hetzner/Vercel), database (MongoDB Atlas), email delivery (Resend), file storage (Cloudinary), and authentication (Google OAuth). These providers are bound by data processing agreements
• Statutory authorities: When required by Kenyan law (e.g., KRA for PAYE/P9A reporting, NSSF, SHIF remittance data)
• Legal requirements: If compelled by court order or to protect our legal rights

We implement appropriate technical and organisational measures to protect your data:

• All data transmitted over HTTPS with TLS encryption
• Passwords are hashed using bcrypt — we never store plain-text passwords
• Role-based access control — employees only see their own data; HR/Admin access is gated by role
• Multi-tenant data isolation — each company's data is scoped by company ID
• Database access restricted by IP whitelist
• Sensitive fields (bank account numbers, M-Pesa numbers) are masked in exports

No system is 100% secure. If we discover a data breach affecting your personal data, we will notify affected users and the Office of the Data Protection Commissioner as required by the Kenya Data Protection Act.

We retain your data for as long as your organisation maintains an active QaliSuite account, plus:

• Payroll and tax records: 7 years after the relevant tax year (KRA requirement)
• Employment records: 7 years after termination of employment
• Financial records: 7 years (Companies Act, 2015)
• Account data: Deleted within 90 days of account closure upon request

Under the Kenya Data Protection Act, 2019, you have the right to:

• Access your personal data held by us
• Rectify inaccurate or incomplete data
• Delete your data (subject to legal retention requirements)
• Object to processing of your data for specific purposes
• Data portability — receive your data in a structured, machine-readable format
• Withdraw consent for optional processing at any time

To exercise these rights, contact us at privacy@qalisuite.com. We will respond within 30 days.

QaliSuite uses essential cookies for authentication and session management. We do not use tracking cookies, advertising cookies, or analytics cookies. No cookie consent banner is required as we only use strictly necessary cookies.

QaliSuite is a business platform not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

Your data may be processed on servers located outside Kenya (cloud infrastructure in Europe and the United States). Where data is transferred outside Kenya, we ensure appropriate safeguards are in place as required by the Kenya Data Protection Act, including contractual obligations with our service providers.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification. The "Last Updated" date at the top of this page indicates when the policy was last revised. Continued use of QaliSuite after changes constitutes acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data:

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya if you believe your data protection rights have been violated.