Privacy Policy
Last updated: October 31, 2025
This Privacy Policy explains how Senovara ("Senovara", "we", "our", or "us") collects, uses, discloses, and protects information when you use our websites and products, including our social media posting platforms, AI chatbots, and other digital solutions (collectively, the "Services").
Need to delete your data? See our step-by-step instructions in Section 24: Deletion, Portability & Account Closure.
1) Who We Are & Contact
Senovara Ltd (Nairobi, Kenya) designs and operates composable software platforms used by businesses across Africa and beyond. For most processing activities described here, Senovara is the data controller. For Customer Data that you upload or connect within our Services, we act as a data processor on your behalf.
Email: privacy@senovara.com
2) Scope & Applicability
This policy applies to visitors to our websites, prospective customers, and users of our Services—including our social media posting platform(s), AI chatbot products, and other digital tools and integrations. It does not apply to third‑party services you access through our integrations; those are governed by their own privacy terms.
3) Data We Collect
- Account & Identity Data: name, username, profile photo, company, role, authentication identifiers, and account preferences.
- Contact Data: email address, phone number, billing and support contact details.
- Content & Customer Data: posts, messages, prompts, files, schedules, drafts, chatbot conversations, and other information you submit or connect. You control what you provide. We process this as your processor.
- Technical & Device Data: IP address, device and browser type, operating system, language, referring/exit pages, timestamps, diagnostic logs, and crash data.
- Usage & Telemetry: feature usage, performance metrics, events, clickstream, and product analytics collected to improve reliability, security, and UX.
- Payment & Transaction Data: subscription details, payment status, invoices, and limited billing information handled via PCI‑compliant providers.
- Sensitive Data: we do not require sensitive personal data. If you choose to submit such data, you must have a lawful basis and ensure compliance with applicable law.
4) Sources of Data
- Directly from you when you create an account, use features, or contact support.
- Automatically through cookies, SDKs, and logs when you interact with our Services.
- From integrations you connect (for example, social networks, messaging platforms, file storage, or CRM systems).
- From service providers and partners who assist with hosting, analytics, fraud prevention, and support.
5) How We Use Data & Legal Bases
We process personal data to operate and improve the Services, provide support, ensure security, and comply with law. Where the GDPR/UK GDPR applies, our legal bases include: contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), consent (Art. 6(1)(a)), and legal obligation (Art. 6(1)(c)). Examples:
- Provide core features, authenticate users, and fulfill your subscription (contract).
- Improve performance, debug issues, and prevent abuse (legitimate interests).
- Send optional product updates or marketing with an unsubscribe option (consent/legitimate interests per region).
- Comply with tax, accounting, and regulatory requirements (legal obligation).
6) Product‑Specific Processing
6.1 Social Media Posting Platform
- Tokens & Permissions: When you connect accounts (e.g., to social networks), we store OAuth tokens/permissions securely and use them only to perform actions you authorize (such as scheduling and publishing posts).
- Content & Schedules: Drafts, media, captions, calendars, and posting history are stored to enable collaboration, approvals, and analytics.
- Revocation: You can disconnect integrations at any time; we will cease access and delete tokens. Historical logs may be retained per our retention section.
6.2 AI Chatbots & Assistants
- Prompts & Outputs: We process prompts, attachments, and conversation context to generate and improve responses, provide safety filtering, and combat abuse.
- Model Providers: Depending on configuration, we may route data to vetted AI model providers strictly as processors. We contractually restrict providers from using your data for their own model training where available, and we do not use your Customer Data to train Senovara’s proprietary models without your explicit consent.
- Controls: Admins may configure logging and retention of chatbot conversations. Avoid submitting sensitive or regulated data unless your plan and data processing addendum (DPA) explicitly permit it.
6.3 Other Digital Platforms & Integrations
- We process data from connected systems (e.g., storage, CRM, payments) only to provide the requested features and integrations you enable.
- API keys and secrets you provide are encrypted at rest and access‑controlled.
9) International Transfers
Your information may be processed in countries other than where you reside. When we transfer personal data internationally, we use appropriate safeguards such as Standard Contractual Clauses and conduct transfer risk assessments as required.
10) Data Retention
We retain personal data only as long as necessary for the purposes described, including maintaining account records, providing Services, resolving disputes, enforcing agreements, and complying with legal obligations. Admins can request deletion of Customer Data; backups may persist for a limited period per our backup rotation.
11) Security
- Encryption in transit (TLS) and at rest for stored credentials and sensitive artifacts.
- Role‑based access controls (RBAC), least‑privilege access, and audit logging for administrative actions.
- Secure development practices, key management, and regular vulnerability patching.
- Incident response procedures and breach notification consistent with applicable law.
No method of transmission or storage is 100% secure. We continuously improve our safeguards to protect your data.
12) Your Privacy Rights
Depending on your location, you may have rights to access, rectify, delete, restrict, or object to processing of your personal data; to portability; and to withdraw consent where processing is based on consent. You also may have the right to lodge a complaint with a supervisory authority.
- EEA/UK: rights under GDPR/UK GDPR.
- California: rights under CCPA/CPRA (including the right to know, delete, and correct).
- Kenya and other jurisdictions: rights under applicable national data protection laws.
To exercise these rights or submit a data subject request, contact privacy@senovara.com. We will verify your request and respond within the timelines required by law.
13) Children’s Privacy
Our Services are not directed to children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us to request deletion.
14) Third‑Party Services & Integrations
Our Services may link to or integrate with platforms operated by others (for example, social networks, messaging tools, analytics, payment processors, or AI model providers). We are not responsible for the privacy practices of those third parties. Review their policies to understand how they process your data.
15) Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice (for example, via the Service or email) and update the “Last updated” date above.
16) How to Contact Us
Questions about this Privacy Policy or our data practices? Contact our privacy team: privacy@senovara.com.
17) Data Minimization & Pseudonymization
- We collect only the data necessary to deliver and secure the Services.
- Where feasible, logs and analytics are aggregated or pseudonymized to reduce identifiability.
- We avoid collecting sensitive data unless strictly required by a feature you enable and permitted by law.
18) Automated Decision‑Making & Profiling
Our Services may include automated features (for example, content suggestions, scheduling optimization, or AI chatbot responses). We do not engage in solely automated decisions that produce legal or similarly significant effects without appropriate human oversight where required by law. You may opt out of non‑essential analytics‑based personalization where available in settings.
19) Subprocessors & Vendor Risk
We use vetted service providers (subprocessors) for hosting, storage, analytics, communications, support, and AI model execution where configured. We require contractual commitments, confidentiality, and appropriate security measures. A current list of key subprocessors is available upon request or on our designated page.
Notice of material changes to subprocessors will be provided where required by your agreement; you may object on reasonable grounds as set out in the DPA.
20) Government & Law Enforcement Requests
We scrutinize all data requests for legal sufficiency and scope. We will notify affected customers before disclosing their data unless legally prohibited or there is a clear, preventable risk of harm. We seek to narrow requests to specific, necessary information and object to overly broad demands.
21) Security Program Overview
- Access Controls: role‑based access, least privilege, and periodic access reviews.
- Encryption: TLS in transit; encryption at rest for credentials, secrets, and sensitive artifacts.
- Key Management: segregation of duties and rotation practices for critical secrets.
- Logging & Monitoring: centralized logging with anomaly detection and audit trails for administrative actions.
- Secure Development: code review, dependency hygiene, and security testing integrated into the SDLC.
- Staff Practices: privacy and security training; confidentiality obligations for personnel with data access.
22) Vulnerability Management & Testing
- We track and remediate vulnerabilities based on severity and risk.
- We perform routine dependency scanning and apply security patches on a prioritized schedule.
- We welcome responsible disclosure; contact security@senovara.com.
23) Business Continuity, Backup & Disaster Recovery
We maintain backup and recovery procedures to support service continuity. Backups are encrypted and retained for limited periods consistent with operational needs and legal requirements. Recovery time and point objectives may vary by service tier and deployment configuration.
24) Deletion, Portability & Account Closure
24.1 Data Deletion Instructions (Step‑by‑Step)
- Initiate your request:
  - In‑app (where available): Settings → Privacy → Delete My Data.
  - Or email: privacy@senovara.com with subject “Data Deletion Request”.
- Include in your request: your registered email, organization/workspace name, and whether you want (a) data deletion only or (b) full account closure.
- Verification: we’ll verify identity/authority (e.g., reply‑to email check and, for organizations, admin confirmation).
- Integrations: we will revoke tokens and disconnect third‑party connections (e.g., social networks or messaging platforms) relevant to your account. You may also remove Senovara from your third‑party account settings (e.g., Facebook → Settings → Apps and Websites) for added assurance.
- Processing timeline: we begin processing within 7 days and complete deletion within 30 days, except where retention is required by law or to resolve disputes, enforce agreements, or meet security obligations.
- Backups: residual encrypted copies may persist in backups and will be overwritten per our backup rotation schedule.
- Confirmation: we will email you when the deletion is complete (and account closure, if requested).
24.2 Portability (Export)
- Data exports may be available via product features (e.g., CSV/JSON) or by contacting support.
- We aim to provide a structured, commonly used, machine‑readable format.
24.3 Account Closure
- Upon closure, access is removed, integrations are disconnected, and remaining personal data is deleted as above.
- Certain transactional records may be retained to comply with tax, accounting, and regulatory obligations.
25) Data Residency & Regional Disclosures
- EEA/UK: Transfers are supported by appropriate safeguards (e.g., Standard Contractual Clauses) and supplementary measures as needed.
- Kenya & other jurisdictions: We comply with applicable data protection laws and guidance issued by regulators.
- Data residency options may be available for enterprise deployments subject to technical feasibility and contract.
26) Data Protection Addendum (DPA) & Controller/Processor Terms
For customers processing personal data, our DPA sets out the respective roles and obligations, including subprocessors, security measures, and international transfer safeguards. A copy is available upon request from privacy@senovara.com.
27) Definitions
- Personal Data: information relating to an identified or identifiable natural person.
- Processing: any operation performed on personal data (collection, storage, use, disclosure, etc.).
- Controller: the party determining purposes and means of processing personal data.
- Processor: the party processing personal data on behalf of the controller.
- Customer Data: data that you or your users submit to the Services, including content, files, and configurations.