Legal

Wave CRM is a customer relationship management platform operated by Wave Agency, based in Eldoret, Kenya. We provide tools for businesses to manage contacts, leads, tasks, campaigns, and team communications. Contact us at: privacy@waveagency.co.ke Physical address: Eldoret, Uasin Gishu County, Kenya

We collect the following categories of data: Account Data: Your name, email address, phone number, company name, and password when you sign up for Wave CRM. Business Data: Contacts, leads, tasks, campaigns, messages, and pipeline data that you add to the CRM. Usage Data: How you use Wave CRM including pages visited, features used, and actions taken within the platform. Payment Data: M-Pesa transaction codes and payment records. We do not store full card details — card payments are processed by Stripe. Device Data: IP address, browser type, and device information for security purposes.

We use your data to: - Provide and operate Wave CRM services - Process payments and manage subscriptions - Send important account notifications (trial expiry, billing reminders) - Respond to support requests - Improve our platform based on usage patterns - Comply with legal obligations under Kenyan law - Detect and prevent fraud or security threats We do NOT sell your data to third parties. Ever.

Your data is stored on Supabase (PostgreSQL database) hosted in the EU West region. We implement the following security measures: - Row Level Security (RLS) ensuring your data is isolated from other organisations - Encrypted connections (HTTPS/TLS) for all data in transit - Bcrypt password hashing — we never store plain text passwords - Regular automated backups - Access controls limiting who can view your data Despite these measures, no system is 100% secure. We encourage you to use a strong password and keep it confidential.

We share your data only with trusted service providers necessary to operate Wave CRM: - Supabase — database and authentication hosting - Vercel — frontend hosting - Resend — transactional email delivery - Africa's Talking — SMS delivery (Kenya) - Meta (WhatsApp Business API) — WhatsApp messaging - Stripe — card payment processing - M-Pesa (Safaricom Daraja) — mobile money payments Each provider is bound by their own privacy policies and data processing agreements. We do not share your data with advertisers or data brokers.

Under the Kenya Data Protection Act 2019, you have the right to: - Access: Request a copy of all data we hold about you - Correction: Request correction of inaccurate or incomplete data - Deletion: Request deletion of your personal data ("right to be forgotten") - Portability: Receive your data in a portable format - Objection: Object to processing of your data for marketing purposes - Withdraw Consent: Withdraw consent at any time without affecting past processing To exercise any of these rights, contact us at privacy@waveagency.co.ke. We will respond within 21 days as required by law.

We retain your data for as long as your account is active. When you delete your account: - Your personal data is deleted within 30 days - Aggregated, anonymised usage statistics may be retained indefinitely - Payment records are retained for 7 years as required by Kenyan tax law - Backups are purged within 90 days If your account is suspended for non-payment, your data is retained for 60 days before permanent deletion.

Wave CRM uses essential cookies only: - Authentication cookies to keep you logged in (session management) - Security cookies to protect against CSRF attacks We do not use advertising cookies, tracking pixels, or third-party analytics that profile your behaviour.

Wave CRM is a business tool intended for use by adults aged 18 and above. We do not knowingly collect personal data from anyone under 18 years of age. If you believe a minor has provided us with personal data, please contact us immediately at privacy@waveagency.co.ke and we will delete it promptly.

Your data may be processed outside Kenya (e.g. on EU-based servers). When this occurs, we ensure appropriate safeguards are in place including standard contractual clauses and adequacy decisions as recognised under the Kenya Data Protection Act 2019.

We may update this Privacy Policy from time to time. We will notify you of significant changes by: - Sending an email to your registered email address - Displaying a prominent notice in Wave CRM Continued use of Wave CRM after changes take effect constitutes acceptance of the updated policy.

For privacy-related queries or to exercise your rights: Email: privacy@waveagency.co.ke Phone: +254 7XX XXX XXX Address: Wave Agency, Eldoret, Uasin Gishu County, Kenya You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) Kenya at www.odpc.go.ke if you believe we have violated your data protection rights.