Privacy Policy

Effective date: 26 May 2026

This policy explains what personal information StockIt collects, why we collect it, who we share it with, and what rights you have under the Kenya Data Protection Act, 2019 (the “DPA”). By signing in to StockIt you confirm that you have read and understood this policy.

1. Who we are

StockIt is an inventory and sales management application for small and medium businesses in Kenya. It is operated by Mw Technologies (“we”, “us”, “our”). For DPA purposes:

  • StockIt as data controller. When you create a StockIt account, sign in, or pay a subscription, we are the controller of that information.
  • StockIt as data processor.The business data you add inside StockIt — your customers, employees, sales, inventory, and expenses — belongs to your organization. We process it on your organization’s behalf under your instructions.

2. Information we collect

We collect information from three sources:

From you, directly

  • Account profile: name, email address, and avatar from your Google sign-in.
  • Organization details you provide during onboarding (business name, currency, tax rate, branches).
  • Business records you enter or upload: products, customers, employees, suppliers, sales, invoices, payments, receipts, stock movements, expenses, and receipt attachments (images / PDFs).
  • Subscription payment information: the M-Pesa till receipt code or the phone number you authorize an STK push from.

Automatically, while you use the service

  • Session cookies (described in Section 8).
  • Server logs: timestamps, IP address, browser user-agent, and the URL you requested.
  • An internal audit log of changes made by each user inside your organization.
  • Error-monitoring traces (stack trace and the URL where an error occurred — no form values).

From third parties

  • Google: your basic profile when you use “Continue with Google”.
  • Safaricom M-Pesa: the result of an STK push that you initiated (transaction code, amount, paying phone number, status).

3. How we use your information

We use the information above to:

  • Provide the StockIt service — authentication, multi-tenant data isolation, document generation, dashboard analytics.
  • Send transactional emails such as invitations, password-reset links, and billing reminders.
  • Keep the service secure: detect abuse, prevent unauthorized access, and investigate incidents.
  • Verify and reconcile subscription payments through M-Pesa Daraja.
  • Improve the product: aggregated, non-identifying usage patterns inform what we build next.
  • Comply with our legal obligations, including the DPA and tax law.

We do not sell personal information, and we do not use your business data to train machine-learning models.

4. How we share your information

We share information only with service providers that help us run StockIt. We have written agreements with each requiring them to handle personal information consistently with this policy:

  • Supabase — managed Postgres database and file storage for receipt attachments.
  • Vercel — application hosting and edge networking.
  • Google — authentication (OAuth) and email delivery to Gmail addresses.
  • Resend — transactional email delivery.
  • Sentry — error monitoring and crash reporting.
  • Safaricom — M-Pesa Daraja API for subscription payments.

We may also disclose information if required by a Kenyan court order, the Office of the Data Protection Commissioner, or another lawful demand from a competent authority.

5. Where your data is stored

Most of our infrastructure providers store data outside Kenya (typically in the European Union, the United Kingdom, or the United States). Where personal information is transferred outside Kenya we rely on the safeguards permitted by Section 48 of the DPA, including the provider’s adequacy decisions and contractual data-protection commitments.

6. How long we keep it

We retain account and organization records for as long as the account is active and for up to 12 months after closure, so we can handle disputes, tax queries, or your right to reactivate. We retain financial records (invoices, payments, receipts) for at least seven years to comply with Kenyan tax law. Audit-log entries are kept for three years. Receipt attachments are deleted when the expense they belong to is deleted, or on account closure.

7. Your rights

Under Sections 26 and 40 of the DPA you have the right to:

  • Be informed of how we use your data (this policy).
  • Access the personal information we hold about you.
  • Correct inaccurate or out-of-date information.
  • Have your personal information deleted (subject to retention obligations above).
  • Restrict or object to specific processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time, where processing relies on consent.
  • Lodge a complaint with the Office of the Data Protection Commissioner (odpc.go.ke).

To exercise any of these rights, email us at the address in Section 11. We respond within 30 days.

8. Cookies and similar technologies

StockIt uses only first-party functional cookies:

  • stockit_current_org — remembers which organization you have switched into.
  • stockit_ref — temporarily stores a sales-rep referral code so the rep is credited if you sign up.
  • Supabase auth cookies — required to keep you signed in. Set by our authentication provider.

We do not use advertising or cross-site tracking cookies, and we do not embed third-party analytics on the application.

9. Children

StockIt is not intended for individuals under the age of 18. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. Changes to this policy

We update this policy when our practices change or when the law requires it. The “Effective date” above always reflects the latest version. Material changes are notified to the email address on file for your account at least 14 days before they take effect.

11. Contact us

For any privacy-related question, request, or complaint, email info@mw-labs.com. If you do not receive a response within 14 days, you may also escalate to the Office of the Data Protection Commissioner of Kenya.