Privacy Policy · SingularERP

SINGULARERP

How We Collect, Use, and Protect Personal Data · COWRIETECH LIMITED

Registration No. PVT-KAUZJ29 · Registered with the Office of the Data Protection Commissioner
Jahazi, Lavington, Nairobi · P.O. Box 49484-00100 GPO, Nairobi, Kenya
www.singularerp.com · privacy@cowrietech.com
Effective Date: 13th June 2026 · Version 1.0 · Document Ref: CWT/LEG/PP/2026/001

Cowrietech Limited (“Cowrietech”, “we”, “us”, or “our”) is committed to protecting the privacy and personal data of all individuals whose information we handle. This Privacy Policy explains how we collect, use, disclose, store, and protect Personal Data in connection with the SingularERP suite of products and services and our website at www.singularerp.com (collectively, the “Service”). This Policy is issued in accordance with the Constitution of Kenya, 2010 and the Data Protection Act, 2019, and the regulations made thereunder. We are registered with the Office of the Data Protection Commissioner (ODPC) of Kenya. By using the Service or providing us with Personal Data, you acknowledge that you have read and understood this Privacy Policy.

Our Dual Role: Controller and Processor

As a Data Processor: When our business customers use the Service to manage their own employees, customers, students, members, suppliers, or other individuals, those customers are the data controllers, and we process that Personal Data as a data processor strictly on their behalf and on their instructions. In those cases, the customer’s own privacy policy governs that data, and questions about it should be directed to them.
As a Data Controller: When we collect Personal Data directly for our own purposes — for example, when you register an account, contact us, visit our website, or enter into a contract with us — we act as a data controller. This Policy primarily describes how we handle data in that capacity.

1. Who We Are 2. Definitions 3. Data We Collect 4. How We Collect 5. How & Why We Use 6. Sharing 7. Transfers 8. Retention 9. Cookies 10. Your Rights 11. Data We Process for Customers 12. How We Protect Data 13. Breach Notification 14. Children’s Data 15. Changes 16. Contact & Complaints

1. Who We Are

Cowrietech Limited is a private limited company incorporated in Kenya (Registration No. PVT-KAUZJ29), carrying on the business of software development and the provision of the SingularERP suite of cloud-based business applications. Our registered office is at Jahazi, Lavington, Nairobi, P.O. Box 49484-00100 GPO, Nairobi, Kenya. For the purposes of the Data Protection Act, 2019, Cowrietech is the data controller in respect of the Personal Data described in this Policy that we collect for our own purposes.

2. Key Definitions

2.1 “Personal Data” means any information relating to an identified or identifiable natural person, as defined under the Data Protection Act, 2019.

2.2 “Sensitive Personal Data” means data revealing a person’s health, ethnic or racial origin, religious beliefs, biometric data, and other categories defined as sensitive under the Act.

2.3 “Data Controller” means a person who determines the purpose and means of processing Personal Data.

2.4 “Data Processor” means a person who processes Personal Data on behalf of a data controller.

2.5 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

2.6 “Processing” means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or erasure.

3. Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of Personal Data when we act as a data controller:

3.1 Account and Identity Data

Name, business name, job title, email address, telephone number, postal address, and login credentials when you register for or administer an account.

3.2 Billing and Transaction Data

Billing details, M-Pesa or mobile money references, bank or payment information, subscription plan, invoices, and payment history. We do not store full payment card numbers; card payments, where offered, are handled by third-party payment processors.

3.3 Communications Data

Records of your correspondence with us, including support requests, enquiries, feedback, and the content of emails, calls, or messages exchanged with our team.

3.4 Usage and Technical Data

Information about how you access and use the Service, including IP address, device and browser type, log data, pages visited, time and date of access, and similar diagnostic data collected automatically.

3.5 Cookies and Similar Technologies

Data collected through cookies and similar technologies on our website, as described in clause 9 below.

3.6 Customer Data Processed on Behalf of Customers

When acting as a data processor, we process Personal Data that our customers submit to the Service about their own data subjects (for example, employees, students, members, or customers). We process this data only as described in clause 11.

4. How We Collect Personal Data

Directly from you, when you register, subscribe, contact us, or otherwise interact with the Service;
Automatically, through your use of the Service and our website, using cookies and similar technologies;
From our customers, where you are an Authorised User or data subject of a customer using the Service;
From third parties, such as payment processors and analytics providers, where applicable and lawful.

5. How and Why We Use Personal Data

We process Personal Data for the following purposes, relying on the lawful bases set out below as required by the Data Protection Act, 2019:

Purpose	Lawful Basis
To create and administer your account and provide the Service	Performance of a contract
To process payments, issue invoices, and manage billing	Performance of a contract; legal obligation
To provide customer support and respond to enquiries	Performance of a contract; legitimate interest
To maintain the security, integrity, and availability of the Service	Legitimate interest; legal obligation
To improve and develop our products and services	Legitimate interest
To send service-related and administrative communications	Performance of a contract; legitimate interest
To send marketing communications about our products	Consent; legitimate interest
To comply with legal, tax, and regulatory obligations	Legal obligation
To establish, exercise, or defend legal claims	Legitimate interest

6. How We Share and Disclose Personal Data

We do not sell, rent, or trade Personal Data. We may share Personal Data only in the following circumstances:

Service providers and sub-processors: With trusted third parties who provide services on our behalf, such as cloud hosting infrastructure providers, payment processors, and communication tools. These parties are bound by contractual obligations to protect the data and process it only on our instructions.
Legal and regulatory authorities: Where required to comply with a legal obligation, court order, or lawful request by a public authority, including the Office of the Data Protection Commissioner and the Kenya Revenue Authority.
Business transfers: In connection with a merger, acquisition, or sale of assets, in which case Personal Data may be transferred subject to the protections of this Policy.
With your consent: Where you have given us consent to share your Personal Data with a specified third party.

7. Storage Location & International Transfers

7.1 Personal Data is stored on cloud infrastructure which may be located within or outside Kenya. Where data is transferred outside Kenya, we take steps to ensure that an adequate level of protection is afforded to it, consistent with the requirements of the Data Protection Act, 2019.

7.2 Such safeguards may include ensuring the recipient country has commensurate data protection laws, or putting in place appropriate contractual data protection clauses with the recipient.

8. Data Retention

8.1 We retain Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, tax, or reporting obligations.

8.2 Account and transaction data is generally retained for the duration of your subscription and for a reasonable period thereafter, in line with statutory retention requirements (including tax records, which Kenyan law generally requires to be kept for at least five years).

8.3 Where we act as a data processor, retention of Customer Data is governed by our agreement with the relevant customer. Following termination, Customer Data is handled as set out in our Terms of Service.

8.4 When Personal Data is no longer required, we securely delete, anonymise, or destroy it.

9. Cookies & Similar Technologies

9.1 Our website and Service use cookies and similar technologies to enable core functionality, remember your preferences, maintain your session, and understand how the Service is used.

9.2 We use the following broad categories of cookies: strictly necessary cookies (required for the Service to function), functional cookies (to remember your settings), and analytics cookies (to understand usage and improve the Service).

9.3 You can control or disable cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service.

10. Your Rights as a Data Subject

Under the Data Protection Act, 2019, you have the following rights in relation to your Personal Data:

Right to be informed: To be told how your Personal Data is being used.
Right of access: To request a copy of the Personal Data we hold about you.
Right to rectification: To request correction of inaccurate or incomplete data.
Right to erasure: To request deletion of your Personal Data where there is no lawful reason for us to continue holding it.
Right to object and restrict: To object to or restrict certain processing of your Personal Data, including for direct marketing.
Right to data portability: To receive your Personal Data in a structured, commonly used format where applicable.
Right to withdraw consent: To withdraw your consent at any time where processing is based on consent.

To exercise any of these rights, please contact us using the details in clause 16. We will respond within the timeframe required by law. Where we act as a data processor, requests should be directed to the relevant customer who is the data controller, and we will assist that customer in responding.

11. Personal Data We Process on Behalf of Customers

11.1 When our customers use the Service to process Personal Data about their own data subjects, the customer is the data controller and Cowrietech is the data processor.

11.2 In that capacity, we process Customer Data only on the documented instructions of the customer, for the purpose of providing the Service, and in accordance with our Terms of Service and any data processing terms agreed with the customer.

11.3 We implement appropriate technical and organisational measures to protect such data, assist customers in meeting their own obligations under the Act, and do not use Customer Data for our own independent purposes.

11.4 If you are a data subject of one of our customers and wish to exercise your rights, please contact that customer directly, as they are responsible for that data.

12. How We Protect Personal Data

We implement appropriate technical and organisational security measures to protect Personal Data against unauthorised access, alteration, disclosure, loss, or destruction. These measures include, among others:

Encryption of data in transit using SSL/TLS, and encryption of sensitive data and backups where applicable;
Role-based access controls and least-privilege access on a need-to-know basis;
Secure authentication, including multi-factor authentication on administrative accounts;
Regular automated backups with secure offsite storage and tested recovery procedures;
Secure software development practices, regular patching, and activity logging and monitoring;
Confidentiality obligations and security awareness measures for our personnel.

While we take all reasonable steps to protect Personal Data, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

13. Data Breach Notification

13.1 In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we shall notify the Office of the Data Protection Commissioner and affected data subjects without undue delay, in accordance with the Data Protection Act, 2019.

13.2 Where we act as a data processor, we shall notify the relevant customer (data controller) without undue delay upon becoming aware of a breach affecting their Customer Data.

14. Children’s Data

Certain products, such as our school management module, may involve the processing of data relating to children on behalf of educational institutions. Where this occurs, we act as a data processor on behalf of the institution, which is responsible for obtaining the necessary parental or guardian consent. We do not knowingly collect Personal Data directly from children for our own purposes.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The latest version will always be published on our website with its effective date. Where changes are material, we will take reasonable steps to notify you. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Contact Us & Complaints

If you have any questions, requests, or complaints regarding this Privacy Policy or our handling of your Personal Data, please contact us:

Cowrietech Limited
Attention: Data Protection Contact
Jahazi, Lavington, Nairobi
P.O. Box 49484-00100 GPO, Nairobi, Kenya
Email: privacy@cowrietech.com · Web: www.singularerp.com

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner if you believe your data protection rights have been infringed:
Office of the Data Protection Commissioner · Website: www.odpc.go.ke

This Privacy Policy should be read together with the SingularERP Terms of Service.