Privacy Policy

Last updated: 6 May 2026

Azayon ("Azayon", "we", "us", "our") is operated by Peskaya Limited, a company registered in Kenya. This policy explains what personal data we collect when you use Azayon, why we collect it, who we share it with, and the rights you have over it. It is written to align with the Kenya Data Protection Act, 2019 and its regulations.

If anything below is unclear, email us at hello@azayon.com and we'll get back to you.

1. Who we are

The data controller is:

Peskaya Limited
Nairobi, Kenya
Email: hello@azayon.com

For questions about this policy or your data, write to hello@azayon.com.

2. What data we collect

Account data

When you create an Azayon account we collect: your name, email address, phone number, the name of your business, and a password (stored hashed, never in plain text).

Business data you put into Azayon

You use Azayon to manage your customers and sales pipeline. The data you store in Azayon — contacts, deals, tasks, invoices, notes, attached documents — belongs to you. We process it on your behalf so we can show it back to you and provide the features you've signed up for. We don't sell it, share it for advertising, or use it to train AI models that benefit other customers.

Usage data

We log basic information about how you use Azayon — pages visited, actions taken, feature usage, IP address, browser, device — to operate the service, debug problems, and improve the product.

Payment data

If you subscribe to a paid plan, payment is processed by Paystack. We do not store or have access to your full card number, M-Pesa PIN, or bank account credentials. We do receive and store: your subscription tier, billing status, and a Paystack customer reference.

Communications

If you email us, we keep the message and your reply so we can follow up.

3. How we use your data

• To provide Azayon's features (pipeline, contacts, automations, invoicing).
• To authenticate you and keep your account secure.
• To send transactional messages — password resets, billing notices, task reminders, invitation emails. You can't opt out of these without closing your account, because they're how the service works.
• To send product updates and tips. You can opt out of these at any time from your account settings or by clicking "unsubscribe" in the email.
• To diagnose problems, prevent abuse, and improve performance.
• To comply with legal obligations (tax, accounting, lawful requests from authorities).

4. Legal basis

Under the Kenya Data Protection Act, we process your data on the following bases:

• Performance of a contract — to deliver the service you signed up for (s.30(b)).
• Legitimate interests — to operate, secure, and improve Azayon (s.30(f)).
• Consent — for optional things like marketing emails. You can withdraw consent at any time.
• Legal obligation — where the law requires us to keep records.

5. Who we share data with

We share data only with companies that help us run Azayon ("subprocessors"). They process data on our instructions and are bound to keep it confidential. The current list:

• MongoDB Atlas — primary database hosting.
• Paystack — subscription billing, M-Pesa, card and bank-transfer payments. See paystack.com/privacy.
• Cloudinary — file uploads (avatars, document attachments). See cloudinary.com/privacy.
• Resend — transactional email delivery (sign-up confirmations, password resets, task reminders). See resend.com/legal/privacy-policy.
• Meta (WhatsApp Business Platform) — task reminders and deal notifications sent over WhatsApp, only to phone numbers you've opted in. See WhatsApp Business policy.
• Anthropic (Claude API) — AI features (drafting emails, summarising notes). When you use these features, the relevant text is sent to Anthropic for processing. Anthropic does not train its models on this data.

We will also share data when legally required — for example, in response to a valid court order — and we will tell you when we do so unless legally prohibited from doing so.

We never sell your data. We never share customer data with advertising networks.

6. How long we keep it

• Account data — for as long as your account is active. If you close the account, we delete personal data within 30 days, except where the law requires us to keep it longer (e.g. tax records, kept for 7 years per the Kenya Revenue Authority).
• Business data you stored — yours to export at any time. Deleted alongside the account, unless you've asked us to keep it.
• Backups — encrypted backups are retained for 90 days for disaster recovery; deleted records purge from backups within that window.
• Logs — application logs are kept for 30 days.

7. Your rights

Under the Kenya Data Protection Act you have the right to:

• Access the data we hold about you.
• Correct data that is inaccurate or incomplete.
• Delete data ("right to be forgotten") — subject to legal retention obligations.
• Object to processing based on legitimate interests, or for marketing.
• Restrict processing in certain circumstances.
• Data portability — export your data in a machine-readable format. Azayon includes CSV export for contacts, deals and tasks; for anything else email us.
• Withdraw consent — where we relied on consent.
• Lodge a complaint with the Office of the Data Protection Commissioner (Kenya) — odpc.go.ke — or with the data protection authority in your country if you live elsewhere.

To exercise any of these rights, email hello@azayon.com. We respond within 7 days for access and correction requests, and in any case within the 30 days required by the DPA.

8. Security

We protect your data with measures appropriate to its sensitivity:

• All traffic is encrypted in transit (HTTPS / TLS 1.2+).
• Data at rest is encrypted on our database hosts.
• Passwords are hashed with bcrypt — we never see your plaintext password.
• Access to production systems is limited to engineers who need it, behind 2FA.
• Backups are encrypted.

No system is impenetrable. If we ever discover a personal-data breach we will notify you and the ODPC within 72 hours of becoming aware of it, as required by section 43 of the DPA.

9. Cookies

We use a small number of cookies, all strictly necessary:

• Authentication cookies — to keep you signed in.
• Session cookies — to remember your preferences within a session.

We do not use advertising cookies. We do not embed Facebook Pixel, Google Analytics 4 with PII, or similar tracking scripts on the application.

10. International transfers

Some of our subprocessors operate outside Kenya. Where data leaves Kenya we rely on the safeguards required by section 49 of the DPA — including ensuring the recipient country offers adequate protection, or putting standard contractual clauses in place. Data may be processed in the United States (Cloudinary, Anthropic, Resend), Europe (MongoDB Atlas), and Nigeria (Paystack), depending on the feature in use.

11. Children

Azayon is a tool for businesses and is not intended for anyone under 18. We don't knowingly collect data from children. If you believe a child has provided us with personal data, email hello@azayon.com and we'll delete it.

12. Changes to this policy

If we change this policy materially, we'll email registered users and post the change on this page at least 14 days before it takes effect. The "Last updated" date at the top always reflects the current version.

13. Contact

Questions, complaints, or rights requests:

Peskaya Limited — Data Protection
Email: hello@azayon.com