Legal

Privacy Policy

Effective date: 1 June 2026 · Last updated: 1 June 2026

XYRA TECH(“we”, “us”, “our”) respects your privacy. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have under the Kenya Data Protection Act, 2019 (“DPA”). It applies to all our services including Xyra Bulk SMS, Xyra Airtime, and the marketing website at xyratechnology.co.ke.

1. Scope

This policy covers personal data we process as a data controller (e.g. account holders) and, where applicable, as a data processor (e.g. contact lists you upload to send SMS to your customers).

2. Data We Collect

  • Account data: name, email, phone number, business name, password hash.
  • Billing data: M-Pesa / card transaction references, top-up history. We do not store full card numbers.
  • Usage data: messages sent, campaigns, sender IDs, delivery reports, login timestamps, IP address, browser/device info.
  • Customer contact data: recipient phone numbers and message content you provide for delivery (processed on your behalf).
  • Support data: any information you share when contacting support.

3. How We Use Your Data

  • Provide, operate, and improve the Services.
  • Deliver SMS, process airtime top-ups, and produce delivery reports.
  • Bill, invoice, prevent fraud, and meet legal/regulatory obligations.
  • Send service announcements and (with consent) product news.
  • Provide customer support.

We rely on one or more of the following legal bases:

  • Contract — to deliver the Services you signed up for.
  • Consent — for optional marketing and cookies that are not strictly necessary.
  • Legal obligation — tax, anti-fraud, telecoms compliance.
  • Legitimate interests — securing our platform and improving features, balanced against your rights.

5. Sharing & Third Parties

We share data only with:

  • Our licensed SMS aggregator and the Kenyan mobile network operators (Safaricom, Airtel, Telkom) to route messages and produce delivery reports.
  • Payment providers (M-Pesa Daraja, card processors) to handle top-ups.
  • Infrastructure providers (hosting, email, monitoring) under written data-processing agreements.
  • Authorities when required by law, regulation, or a valid court order — including the Communications Authority of Kenya and the Office of the Data Protection Commissioner.

6. Data Retention

  • Account data: while your account is active, plus 7 years after closure (tax/accounting).
  • Message content & delivery reports: 12 months by default, longer if required by law.
  • Server logs: 90 days.

7. Security

We use TLS for all data in transit, encrypted storage for credentials and backups, role-based access controls, and regular security reviews. No system is perfectly secure; we will notify the Office of the Data Protection Commissioner and affected users of any qualifying breach within 72 hours.

8. Your Rights

Under the DPA you have the right to:

  • Access a copy of the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion (subject to legal retention).
  • Object to or restrict certain processing.
  • Withdraw consent at any time (without affecting prior lawful processing).
  • Lodge a complaint with the Office of the Data Protection Commissioner (ODPC).

To exercise any of these rights, email privacy@xyratechnology.co.ke. We respond within 30 days.

9. Cookies

We use strictly-necessary cookies to keep you signed in and remember preferences. We use anonymous analytics cookies only with your consent. You can clear or block cookies in your browser settings.

10. International Transfers

Some of our service providers operate outside Kenya. Where data leaves Kenya we rely on adequacy decisions or appropriate safeguards (e.g. Standard Contractual Clauses) as required by the DPA.

11. Children's Privacy

Our Services are not directed to children under 18. We do not knowingly collect personal data from children. Contact us if you believe we have, and we will delete it.

12. Changes

We may update this Policy from time to time. Material changes will be notified by email or in-app at least 14 days before they take effect.

13. Contact & DPO

Privacy questions or data-subject requests: privacy@xyratechnology.co.ke. General queries: hello@xyratechnology.co.ke. Postal: XYRA TECH, Nairobi, Kenya.

See also: Terms of Service.