Privacy Policy

This Privacy Policy explains how Vector Automation Systems Ltd ("VAS", "we", "us", or "our") operating the SFA Platform("Platform", "Service") collects, uses, shares, and protects your personal information. It applies to all users of the Platform — including organization administrators, authorized users, mobile field agents, and visitors to www.vasmetering.com.

We are committed to compliance with the Kenya Data Protection Act, 2019 ("DPA"), the EU General Data Protection Regulation ("GDPR") where applicable, and other relevant data-protection legislation. Please read this policy alongside our Terms and Conditions and Cookie Policy.

1. Data Controller

Vector Automation Systems Ltdis the data controller for personal data processed through the Platform. For data relating to a customer organization's employees and customers (for example field agents and the clients they serve), the organization acts as a joint controller alongside VAS, and is responsible for the lawful basis on which it processes that data.

• Company: Vector Automation Systems Ltd
• Website: www.vasmetering.com
• Data Protection Contact: info@vasmetering.com
• Phone: +254 700 877 949
• Address: Nairobi, Republic of Kenya

2. Information We Collect

2.1 Account and Registration Data

• Full name, email address, phone number
• Organization name, industry, and approximate size
• Password (stored only in hashed and saltedform via Firebase Authentication — we never see or store your password in plaintext)
• Role and permission level within your organization
• Profile photo (optional, stored as base64-encoded data)

2.2 Business and Operational Data

• Client and customer records (names, contact details, addresses, GPS coordinates where captured)
• Sales orders, product catalogs, inventory levels, and warehouse data
• CRM pipeline deals, stages, and forecasted values
• Field visit logs, check-in/check-out records, and visit notes
• Route plans and beat plans (recurring visit schedules)
• Expense claims, approvals, and supporting evidence
• Customer health-score signals and credit-management data (credit limits, outstanding balances, aging buckets)
• Geofence configurations and any recorded violations
• KRA eTIMS invoice submission records and tax-compliance metadata
• Notification delivery records (email, SMS, WhatsApp, push, webhook)
• Survey responses, campaign data, and competitor-intelligence records

2.3 Location Data

We collect geolocation data (latitude, longitude, accuracy) only at specific action points, never as continuous tracking:

• Client enrollment (capturing the client's business location)
• Order creation (confirming field-agent presence at the moment of the order)
• Visit check-in and check-out (verifying field activity)
• Geofence validation (comparing agent position to client-location radius)

We do notperform live or continuous GPS surveillance. When the device's GPS sensor is unavailable, we may use IP-based geolocation as a fallback which provides only approximate (city-level) location. Some location-based features are listed in Section 12 (Roadmap Features).

2.4 Device and Technical Data

• Browser type and version, operating system, device model
• IP address and approximate location derived from IP
• Device identifiers used for push-notification delivery (FCM tokens)
• Service worker and PWA installation status
• Firebase Analytics identifiers (anonymized)
• Crash reports, exception traces, and performance metrics

2.5 Payment Data

Subscription billing is currently handled through manual invoicingissued by VAS. The only payment data we record today is the minimum necessary to reconcile your invoice:

• Subscription plan, billing cycle, and payment history (paid / outstanding / overdue)
• Manual payment references and confirmation receipts you share with us by email

Once automated payment integrations enter general availability (see Section 12), we will additionally process:

• M-Pesa transaction references, confirmation codes, and payer phone numbers
• Bank-transfer references and reconciliation confirmations

We do not store credit-card numbers, M-Pesa PINs, bank-account passwords, or any other payment credentials. Payment processing is performed by the respective banking institutions and (when available) Safaricom (M-Pesa).

3. How We Use Your Information

We process personal data for the purposes set out below.

4. Organizational Data Isolation

Your organization's data is logically isolated from every other organization on the Platform through the following layered controls:

• Workspace-scoped storage: all business data is stored under organization-specific paths in the database, gated by the organization identifier.
• Server-side authentication checks:every API request validates the authenticated user's organization membership before any data is read or written.
• Role-based access control (RBAC):hierarchical permissions (Administrator → Manager → Supervisor → Sales Rep → Viewer) determine what each user can see and do within their workspace.
• Database security rules: Firestore Security Rules and Realtime Database Rules enforce isolation at the storage layer as a last line of defence.
• Encrypted API tokens:session tokens are short-lived and scoped to the user's organization.

No organization can access, view, or modify another organization's data through the Platform.

5. Data Sharing and Third Parties

We share personal data with the following categories of third parties, only to the extent necessary to deliver the Service:

• Google Firebase— authentication, Cloud Firestore database, Realtime Database, Analytics, Crashlytics, and Cloud Messaging. Data is processed under Google Cloud's Data Processing Terms.
• OpenStreetMap / Leaflet— map-tile rendering and geocoding (Nominatim). Receives only the coordinates needed to render tiles, not personal identifiers. See the OpenStreetMap Foundation Privacy Policy.
• Safaricom (M-Pesa Daraja API)— mobile-money payment processing. Activated only when M-Pesa payments enter general availability (see Section 12) and when a Tenant configures M-Pesa credentials.
• Africa's Talking— SMS delivery for the East African market. Phone numbers and message content are shared for delivery only.
• Twilio— SMS delivery (optional provider). Phone numbers and message content are shared when configured.
• KRA eTIMS (VSCU API)— invoice data, tax amounts, and buyer information are submitted to the Kenya Revenue Authority for electronic tax compliance when configured by the organization.
• Webhook recipients— if you configure outbound webhooks, event payloads (which may include business data) are sent to your specified endpoints. You are responsible for the security of those endpoints.
• Email service providers— for transactional notifications and system emails (chosen and configured via the in-app provider settings).

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We do not use your business data to train artificial-intelligence models without explicit opt-in.

6. Data Storage and Retention

6.1. Data is stored on Google Cloud / Firebase infrastructure in regions selected for performance and compliance. We use a Redis/Valkey cache for session state and rate-limiting (Redis is volatile and not used for persistent storage of personal data).

6.2. Active account data is retained for the duration of your subscription.

6.3. After account termination, data is retained for 90 daysin a read-only state to allow data export, after which it is permanently deleted — except where retention is legally required.

6.4. Payment records and tax invoices may be retained for up to seven (7) years to comply with Kenya Revenue Authority record-keeping requirements.

6.5. Anonymized analytics and aggregate usage data may be retained indefinitely for service-improvement purposes.

6.6. Logs (server logs, access logs, audit logs) are retained for up to 180 days for security and operational purposes.

7. Data Security

We implement the following technical and organizational measures:

• Encryption in transit: all traffic between your device and our servers uses TLS 1.2+.
• Encryption at rest: Firestore and Realtime Database data are encrypted at rest using Google-managed encryption keys.
• Authentication: Firebase Authentication with secure token-based sessions and short token lifetimes (auto-refreshed).
• API security: API keys are SHA-256 hashed at rest; webhook payloads are signed with HMAC-SHA256 to allow receivers to verify authenticity.
• Input validation: server-side schema validation (Zod) on every mutation endpoint.
• Soft deletion: business data uses soft-delete (a deletedAt timestamp) so accidental deletions can be recovered within the retention window.
• Audit logging: administrative actions and sensitive data access are logged for review.
• Principle of least privilege: internal access to systems is restricted to personnel who require it to deliver the Service.

No system can be guaranteed 100% secure. We continually review our security practices and will notify affected users of any data breach in accordance with the DPA breach notification requirements.

8. Your Rights

Under the Kenya Data Protection Act, 2019, and where applicable the GDPR, you have the following rights:

• Right of access: request a copy of the personal data we hold about you.
• Right to rectification: request correction of inaccurate or incomplete data.
• Right to erasure: request deletion of your personal data, subject to legal retention obligations.
• Right to data portability: request your data in a structured, commonly-used, machine-readable format (CSV / JSON).
• Right to object: object to processing based on legitimate interest.
• Right to restrict processing: request limitation of processing in certain circumstances.
• Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Right not to be subject to automated decision-making: the Platform does not use solely automated decision-making with legal or similarly significant effects on you.

To exercise any of these rights, contact us at info@vasmetering.com or by phone at +254 700 877 949. We will respond within 30 days as required by the DPA.

9. Offline Data and PWA

The Platform operates as a Progressive Web App (PWA) with offline-first capabilities. While offline:

• Data is cached locally on your device using IndexedDB (up to ~500 MB) and the service-worker cache.
• New records created offline are stored in a local queue and synchronised automatically when connectivity is restored.
• Cached data remains on your device until you sign out, clear browser data, or the service worker rotates the cache.

You can clear locally cached data at any time via your browser's "Clear site data" option or by signing out of the Platform. See the Cookie Policy for full details on browser storage.

10. Children's Privacy

The Platform is intended for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it without undue delay.

11. International Data Transfers

Your data may be processed in countries outside Kenya where Google Cloud / Firebase infrastructure is located. Where such transfers occur, we ensure appropriate safeguards are in place, including:

• Google's Standard Contractual Clauses (SCCs) for international transfers.
• Compliance with the DPA's cross-border transfer provisions.
• Encryption of data in transit and at rest throughout the transfer and storage lifecycle.

12. Roadmap Features and Privacy Notes

Some Platform capabilities are scaffolded but not yet in general availability. Where these features rely on additional personal data or third-party processing, this section sets out our commitments in advance:

• GPS tracking and geofencing: when activated for an organization, captures location only at action points (Section 2.3) and never continuously. Field agents will be informed by their organization administrators before activation.
• Automated M-Pesa payments: when activated, will share transaction references, amounts, and payer phone numbers with Safaricom under the Daraja API. We will not store M-Pesa PINs or handset credentials.
• Automated bank-transfer reconciliation:when activated, will process bank-transfer references received from I&M Bank (Kenya) for subscription renewal and in-app customer payment collection.
• AI route optimization: will compute optimal stop sequences using client coordinates that are already part of your business data; no personal data will be sent to external AI providers without explicit organization-administrator opt-in and updated notice.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform and/or by email at least 30 daysbefore they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Complaints

If you believe your data-protection rights have been violated, we encourage you to contact us first at info@vasmetering.com so we can investigate and resolve the matter. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya:

• Website: www.odpc.go.ke
• Email: complaints@odpc.go.ke

15. Contact Us

For privacy-related inquiries or to exercise any of your rights:

• Company:Vector Automation Systems Ltd ("VAS")
• Website: www.vasmetering.com
• Email: info@vasmetering.com
• Phone: +254 700 877 949
• Registered address: Nairobi, Republic of Kenya