Privacy Policy
Last updated: 15 June 2026
Azayon (“Azayon”, “we”, “us”, “our”) is operated by Peskaya Limited, a company registered in Kenya. Azayon is a WhatsApp-based assistant that helps businesses capture leads and reply to their customers automatically. This policy explains what personal data we handle (both data about you as an account holder and data about your customers that flows through Azayon): why we handle it, who we share it with, and the rights you have over it. It is written to align with the Kenya Data Protection Act, 2019 and its regulations.
If anything below is unclear, email us at hello@azayon.com and we'll get back to you.
1. Who we are & our two roles
The company behind Azayon is:
Peskaya Limited
Nairobi, Kenya
Email: hello@azayon.com
Azayon handles personal data in two different roles, and which one applies depends on whose data it is:
- Your account, and how you personally use Azayon: here Peskaya Limited is the data controller.
- Your own customers' data that passes through Azayon, for example, the people who message your WhatsApp business number: here you are the data controller and Peskaya Limited acts as your data processor. We handle that data only to provide the service to you, on your instructions. You are responsible for having a lawful basis (such as your customer's consent or your legitimate interest) to collect their data and message them.
For questions about this policy or your data, write to hello@azayon.com.
2. What data we collect
Account data
When you create an Azayon account we collect: your name, email address, phone number, the name of your business, and a password (stored hashed, never in plain text).
Your business profile
To set Azayon up, you give it details about your business: a description, your services and prices, frequently asked questions, business hours, and any documents or FAQs you upload to its knowledge base. The assistant uses these to answer your customers accurately.
Your customers' data (processed on your behalf)
Azayon's core job is to receive and respond to messages on your WhatsApp business number. When one of your customers messages that number, Azayon receives and stores, on your behalf:
- their WhatsApp phone number and WhatsApp profile name;
- the content of the messages they send and that are sent back to them;
- transcriptions of voice notes they send (converted to text so the assistant can understand them);
- descriptions of images they send (interpreted so the assistant can respond);
- message delivery and read status;
- and any qualifying details the assistant extracts from the conversation (for example a name, what they're interested in, budget, or appointment preference) which appear in your CRM.
For all of this data you are the controller; we process it only to provide Azayon to you.
Usage data
We log basic information about how you use Azayon (pages visited, actions taken, feature usage, IP address, browser, device) to operate the service, debug problems, and improve the product.
Payment data
If you subscribe to a paid Azayon plan, your subscription is processed by Paystack. Separately, if you turn on in-chat payments, Azayon can generate Paystack payment links so your customers can pay you directly. Those payments settle to your own Paystack account, not ours. In both cases we do not store or have access to full card numbers, M-Pesa PINs, or bank credentials. We do store: your subscription tier and billing status, a Paystack customer/payment reference, and the amount and description of any invoices raised through Azayon.
Communications
If you email us, we keep the message and your reply so we can follow up.
3. How we use your data
- To provide Azayon's features: receiving your customers' WhatsApp messages, understanding them, automatically replying on your behalf, capturing leads into your pipeline, booking appointments, generating payment links, and scheduling follow-ups.
- To transcribe voice notes and interpret images so the assistant can understand and respond to what your customers send.
- To authenticate you and keep your account secure.
- To send you transactional messages: password resets, billing notices, and account alerts. You can't opt out of these without closing your account, because they're how the service works.
- To send product updates and tips. You can opt out of these at any time from your account settings or by clicking “unsubscribe” in the email.
- To diagnose problems, prevent abuse, and improve performance.
- To comply with legal obligations (tax, accounting, lawful requests from authorities).
We don't sell your data or your customers' data, share it for advertising, or use it to train AI models that benefit other customers.
4. Legal basis
Under the Kenya Data Protection Act, we process your data on the following bases:
- Performance of a contract, to deliver the service you signed up for (s.30(b)).
- Legitimate interests, to operate, secure, and improve Azayon (s.30(f)).
- Consent, for optional things like marketing emails. You can withdraw consent at any time.
- Legal obligation, where the law requires us to keep records.
Where Azayon processes your customers' data, we do so as your processor. You are responsible for the lawful basis (such as their consent or your legitimate interest) for collecting their data and messaging them. Azayon honours opt-out requests: when a customer asks to stop (for example by replying “STOP”), the assistant marks them as opted out and stops messaging them.
5. Who we share data with
We share data only with companies that help us run Azayon (“subprocessors”). They process data on our instructions and are bound to keep it confidential. The current list:
- Railway: managed PostgreSQL database hosting; our primary database, where your account, business and customer data are stored. See railway.com/legal/privacy.
- Anthropic (Claude API): the AI that understands incoming messages, drafts and sends replies, extracts CRM details, and interprets images. The relevant message text and images are sent to Anthropic for processing. Anthropic does not train its models on this data. See anthropic.com/legal/privacy.
- Groq: transcribes voice notes your customers send into text. See groq.com/privacy-policy.
- Voyage AI: turns your knowledge-base content into embeddings so the assistant can search it to answer questions.
- Meta (WhatsApp Business Platform), the channel itself: receiving and sending messages on your WhatsApp business number. See WhatsApp Business policy.
- Paystack: subscription billing, and the in-chat M-Pesa/card/bank payment links your customers use. See paystack.com/privacy.
- Resend: transactional email delivery (sign-up confirmations, password resets, account alerts). See resend.com/legal/privacy-policy.
- Google (Calendar): if you connect your Google Calendar, appointments booked through Azayon are synced to it. See policies.google.com/privacy.
- Sentry: error monitoring, to detect and fix faults. See sentry.io/privacy.
We will also share data when legally required (for example, in response to a valid court order) and we will tell you when we do so unless legally prohibited from doing so.
We never sell your data. We never share customer data with advertising networks.
6. How long we keep it
- Account data: for as long as your account is active. If you close the account, we delete personal data within 30 days, except where the law requires us to keep it longer (e.g. tax records, kept for 7 years per the Kenya Revenue Authority).
- Your customers' data and conversations: processed on your behalf for as long as your account is active. Azayon lets you set a retention window that automatically deletes stored message content after a period you choose; contact and pipeline records are kept until you delete them or close the account. You can export or erase this data at any time.
- Backups: encrypted backups are retained for 90 days for disaster recovery; deleted records purge from backups within that window.
- Logs: application logs are kept for 30 days.
7. Your rights
Under the Kenya Data Protection Act you have the right to:
- Access the data we hold about you.
- Correct data that is inaccurate or incomplete.
- Delete data (“right to be forgotten”), subject to legal retention obligations.
- Object to processing based on legitimate interests, or for marketing.
- Restrict processing in certain circumstances.
- Data portability: export your data in a machine-readable format. Azayon includes a full data export (contacts, conversations, appointments, and invoices) from your settings; for anything else email us.
- Withdraw consent, where we relied on consent.
- Lodge a complaint with the Office of the Data Protection Commissioner (Kenya), odpc.go.ke, or with the data protection authority in your country if you live elsewhere.
To exercise any of these rights, email hello@azayon.com. We respond within 7 days for access and correction requests, and in any case within the 30 days required by the DPA. If you are one of our customer's customers and want to exercise rights over data they hold in Azayon, please contact that business directly. They are the controller of that data, and we will help them respond.
8. Security
We protect your data with measures appropriate to its sensitivity:
- All traffic is encrypted in transit (HTTPS / TLS 1.2+).
- Data at rest is encrypted on our database hosts.
- Passwords are hashed with scrypt and a unique salt, so we never see your plaintext password.
- Webhook traffic from WhatsApp and Paystack is verified by cryptographic signature before we act on it.
- Access to production systems is limited to engineers who need it, behind 2FA.
- Backups are encrypted.
No system is impenetrable. If we ever discover a personal-data breach we will notify you and the ODPC within 72 hours of becoming aware of it, as required by section 43 of the DPA.
9. Cookies
We use a small number of cookies, all strictly necessary:
- Authentication cookies, to keep you signed in.
- Session cookies, to remember your preferences within a session.
We do not use advertising cookies. We do not embed Facebook Pixel, Google Analytics 4 with PII, or similar tracking scripts on the application.
10. International transfers
Some of our subprocessors operate outside Kenya. Where data leaves Kenya we rely on the safeguards required by section 49 of the DPA, including ensuring the recipient country offers adequate protection, or putting standard contractual clauses in place. Depending on the feature in use, data may be processed in the United States (Anthropic, Groq, Voyage AI, Resend, Google, Sentry), Nigeria (Paystack), and other countries where Meta operates the WhatsApp Business Platform.
11. Children
Azayon is a tool for businesses and is not intended for anyone under 18. We don't knowingly collect data from children. If you believe a child has provided us with personal data, email hello@azayon.com and we'll delete it.
12. Changes to this policy
If we change this policy materially, we'll email registered users and post the change on this page at least 14 days before it takes effect. The “Last updated” date at the top always reflects the current version.
13. Contact
Questions, complaints, or rights requests:
Peskaya Limited, Data Protection
Email: hello@azayon.com
