Privacy Policy

Node Nest Digital Limited ("NodePoint", "we", "us"), based in Nairobi, Kenya, operates the NodePoint platform (the "Service"). This policy explains what data we collect, how we use it, how we protect it, and the rights you have. We comply with the Kenya Data Protection Act, 2019 and the directions of the Office of the Data Protection Commissioner (ODPC).

For data about your account and billing, we act as the data controller. For the business and customer records you enter into the Service ("Customer Data") — such as your sales, inventory, guests, and your customers’ details — you are the controller and we act only as your processor, handling that data on your instructions to provide the Service.

Account information: the name, email, phone number, business name, and login credentials you provide when you sign up.

Billing information: the subscription, plan, and payment records needed to invoice you and take payment.

Customer Data: the operational and transaction data you choose to store in the Service to run your business.

Limited technical data: basic security and diagnostic logs (such as sign-in events and error logs) needed to keep the Service secure and reliable.

We use your account and billing information to operate your account, provide the Service, process invoicing and billing, prevent abuse, and meet legal obligations.

We process Customer Data solely to deliver the Service to you — principally invoicing and billing. We do not use, analyse for our own ends, profile, sell, rent, or share the personal data of your customers for marketing, advertising, or any purpose unrelated to operating the Service for you.

We never sell your data. We share data only with the providers strictly needed to deliver the Service — for example, mobile-money and card payment processors to complete transactions, the Kenya Revenue Authority for eTIMS tax compliance where you use that feature, and our secure hosting providers. These parties are bound to protect the data and use it only to provide their service to us.

We may disclose data where required by law or to protect rights, safety, and the integrity of the Service.

Your data is encrypted in transit and at rest, stored on secure infrastructure, and protected with role-based access controls, audit logging, and regular encrypted backups. Access by our team is limited to what is necessary to operate and support the Service.

You can access and export your data at any time while your subscription is active. If your subscription expires or is not renewed, your data remains available to you for one (1) month, after which it is permanently and irreversibly deleted from active systems. We retain limited billing records only as required by law.

Under the Kenya Data Protection Act, you may request to access, correct, delete, or export your personal data, object to or restrict certain processing, and withdraw consent where processing relies on it. To exercise these rights, contact us using the details below. You also have the right to lodge a complaint with the ODPC.

Where data is processed outside Kenya by our providers, we ensure appropriate safeguards consistent with the Kenya Data Protection Act are in place.

Our marketing site uses only essential cookies required for the site to function. We do not run third-party advertising or cross-site tracking on it.

The Service is intended for businesses and is not directed at children. We do not knowingly collect personal data from children.

We may update this policy from time to time; material changes will be notified through the Service or by email. For privacy questions or to exercise your rights, email privacy@nodepoint.co.ke.