This Privacy Policy explains how Gephra Ltd processes personal data when you use Gephra KAYE.

Gephra KAYE helps artisans and small businesses manage customer records, body measurements, jobs, payments, notifications, and reporting.

Gephra KAYE is operated by Gephra Ltd, a private technology company registered in the Republic of Rwanda.

Contact details: info@gephra.com, privacy@gephra.com, dpo@gephra.com, +250 739 927 950, KG 65 ST, Kimironko, Gasabo, Kigali, Rwanda.

Gephra Ltd acts as a data controller for personal data processed to operate Gephra KAYE, including account, security, billing, support, and compliance-related processing.

For customer records, measurements, job records, and payment records entered by business users in their workspaces, the relevant business user generally determines the purposes of processing and Gephra typically processes that data on the business user's behalf in order to provide the service.

Third-party vendors such as hosting, messaging, support, and infrastructure providers act as processors or subprocessors on Gephra's behalf under applicable legal and contractual arrangements.

The data processed through Gephra KAYE may include account details, phone numbers, recovery numbers, business profile information, customer records, body measurements, job cards, payment records, device/session data, notification preferences, support requests, audit logs, and consent records.

We collect data directly from users, from business users entering operational records, automatically through app and device usage, and from service providers that support authentication, hosting, messaging, or payments.

We use personal data to create and manage accounts, verify users, operate workspaces, store customer records and measurements, support jobs and payment tracking, send OTPs and service notifications, manage subscriptions, protect the service, respond to support requests, and comply with law.

Legal bases include performance of a contract, steps taken at the user's request before entering a contract, legitimate interests in securing and operating the service, legal obligations, and consent where consent is required for optional communications.

We apply enhanced safeguards to tailoring measurement data because it relates to an individual's body and is collected only for tailoring and related service purposes within Gephra KAYE.

Gephra may share personal data with hosting providers, messaging providers, payment providers, support or security vendors, professional advisers, and public authorities where required by law.

Gephra does not sell personal data in a manner contrary to applicable law.

Gephra may store or process personal data through Supabase and related cloud infrastructure providers, including providers whose infrastructure may be located outside Rwanda.

Where personal data is stored or processed outside Rwanda, Gephra does so only in accordance with applicable legal requirements and with appropriate contractual, technical, and organizational safeguards.

Where required by applicable law, Gephra will obtain any necessary authorization, registration, or other legal basis for such storage or transfer.

Gephra retains personal data for no longer than is necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by applicable law.

Financial, tax, billing, and accounting records, including subscription revenue data, billing events, and payment ledger records, may be retained for up to ten (10) years, or longer where required for audit, tax, bookkeeping, dispute resolution, or legal claims purposes.

Authentication and OTP metadata, sync diagnostics, and report export metadata are generally retained for limited operational, security, and support periods and are subject to automated cleanup, except where continued retention is required for incident investigation, legal hold, or another lawful basis.

Customer records and measurement records are retained according to the relevant business purpose and are not kept indefinitely by default. Review processes may identify stale records for further action, and deletion or restriction may be deferred where recent job activity, financial links, disputes, legal holds, or other lawful retention grounds apply.

Privacy, consent, retention-management, and other compliance records are retained for accountability, audit, and legal compliance purposes.

Subject to applicable law, you may request access, rectification, erasure, restriction, objection, portability, and withdrawal of consent where consent is the legal basis.

Privacy requests can be sent to privacy@gephra.com or info@gephra.com.

Gephra may request information needed to verify identity or authority before acting on a privacy request, and requests are handled subject to applicable legal deadlines.

Gephra KAYE is not intended to make decisions based solely on automated processing that produce legal or similarly significant consequences for individuals without appropriate safeguards.

As of the effective date of this policy, Gephra KAYE does not use solely automated decision-making or profiling to make credit, employment, insurance, or similarly significant legal decisions about users or customers.

Gephra uses reasonable technical and organizational measures, including access controls, tenant separation, authentication and session controls, and audit logging, to protect personal data.

No system can guarantee absolute security, and users are responsible for keeping devices, passcodes, and account credentials secure.

Gephra KAYE is intended for business and professional use and is not designed as a general service for direct use by children under the age of sixteen (16).

Where Gephra knows that personal data belongs to a child under the age required by applicable law, processing must occur only with the consent, authorization, or other lawful basis required by applicable law.

For customer records relating to individuals under sixteen (16), the relevant business user must record measurements and related service details under the name and contact details of a parent or legal guardian rather than the direct contact details of the minor. Gephra KAYE is not designed to collect direct contact details for minors, and business users are responsible for ensuring that any parental or guardian consent required before recording a child's details has been obtained.

Business Performance Reports are generated from records stored in the service and are not credit scores, lending advice, or credit guarantees.

Support access is intended to be limited, role-based, need-based, and auditable.

Gephra may update this Privacy Policy from time to time. When we do, we will revise the effective date and last updated date at the top of this Privacy Policy.

If you have concerns about how Gephra processes your personal data, we encourage you to contact Gephra first so that we can try to resolve the issue. You also have the right to lodge a complaint with the competent supervisory authority in Rwanda. Information about complaint channels is available through the Data Protection & Privacy Office at dpo.gov.rw.

For support, privacy requests, or questions about this Privacy Policy, contact Gephra Ltd at KG 65 ST, Kimironko, Gasabo, Kigali, Rwanda, by email at info@gephra.com, privacy@gephra.com, or dpo@gephra.com, or by phone at +250 739 927 950.