Privacy Policy

1. Introduction

MapIQ Studio ("MapIQ," "we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Platform.

We are registered with the Office of the Data Protection Commissioner of Kenya and comply with the Data Protection Act, 2019, and Article 31 of the Constitution of Kenya, 2010, which guarantees every person the right to privacy.

By using the MapIQ Platform, you consent to the collection, use, and processing of your personal data as described in this Privacy Policy.

2. Key Definitions

Under this Privacy Policy:

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in the Data Protection Act, 2019.
• "Data Subject" means an identified or identifiable living person to whom personal data relates.
• "Data Controller" means a person who, alone or jointly with others, determines the purposes and means of processing personal data.
• "Data Processor" means a person who processes personal data on behalf of a data controller.
• "Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or erasure.
• "Platform" means the MapIQ web application, mobile applications, and all related services.

3. Data Controller Information

MapIQ Studio is the Data Controller for personal data collected through the Platform. Our contact details are:

4. Personal Data We Collect

4.1 Business User Information

When you register as a Business User, we collect:

• Identity Information: Full name, business name, business registration number (if applicable), national ID or passport number
• Contact Information: Email address, phone number, physical business address, postal address
• Financial Information: Bank account details, mobile money numbers (M-Pesa), tax identification number (PIN), payment card information (processed by third-party payment processors)
• Business Information: Business type, industry category, number of employees, subscription plan details
• Authentication Data: Username, password (encrypted), two-factor authentication settings

4.2 Client User (Staff) Information

When Business Users add staff members, we collect:

• Full name and employee ID
• Email address and phone number
• Role and permission level
• Shift schedules and attendance records
• Sales and transaction data associated with the staff member

4.3 End Customer Information

When Business Users collect customer information through the Platform, we process:

• Name and contact details (phone number, email address)
• Shipping/delivery address
• Order history and transaction details
• Payment information (processed by third-party payment gateways)

Important: For end customer data, the Business User acts as the Data Controller, and MapIQ acts as the Data Processor. Business Users are responsible for obtaining valid consent from their customers.

4.4 Content and Media

We collect and process:

• Videos, images, and multimedia content uploaded for creation and publishing
• Product catalogs, descriptions, and pricing information
• Social media content and captions
• Marketing materials and promotional content

4.5 Automatically Collected Information

When you use the Platform, we automatically collect:

• Device Information: Device type, operating system, browser type and version, device identifiers
• Usage Data: Pages viewed, features used, time spent on Platform, click patterns, search queries
• Location Data: IP address, geographic location (with consent)
• Log Data: Access times, error logs, system events
• Cookies and Tracking Technologies: Session cookies, analytics cookies, preference cookies (see Section 12)

4.6 Third-Party Integration Data

When you connect third-party services, we may receive:

• Social Media: Profile information, follower counts, engagement metrics, content performance data from TikTok, Instagram, YouTube
• E-commerce Platforms: Product data, order information, inventory levels from Shopify, WooCommerce
• Payment Gateways: Transaction confirmations, payment status (payment card details are NOT stored by us)

5. How We Use Your Personal Data

5.1 Lawful Basis for Processing

We process personal data on the following lawful bases under the Data Protection Act, 2019:

• Consent: Where you have given specific, informed, and unambiguous consent
• Contractual Necessity: To perform our contract with you (Terms and Conditions)
• Legal Obligation: To comply with Kenyan laws and regulations
• Legitimate Interests: For our legitimate business interests that do not override your rights

5.2 Specific Purposes

We use your personal data to:

a) Provide and Operate the Platform

• Create and manage your account
• Provide content creation, editing, and publishing services
• Enable business operations (inventory, orders, payments, POS)
• Facilitate staff management and collaboration
• Process transactions and payments
• Publish content to third-party platforms on your behalf

b) Communication and Support

• Send service-related notifications and updates
• Provide customer support and respond to inquiries
• Send subscription renewal and payment reminders
• Notify you of Platform changes, new features, or updates

c) Analytics and Improvement

• Analyze Platform usage and performance
• Generate business analytics and reports for Business Users
• Improve Platform features and user experience
• Develop new services and functionalities

d) Security and Fraud Prevention

• Detect and prevent fraud, abuse, and security incidents
• Verify identity and authenticate users
• Monitor for suspicious activities
• Protect the rights and safety of users and third parties

e) Legal Compliance

• Comply with legal obligations under Kenyan law
• Respond to lawful requests from authorities
• Maintain records required by tax and financial regulations
• Enforce our Terms and Conditions

f) Marketing (with your consent)

• Send promotional emails about new features or offers
• Provide personalized recommendations
• Conduct surveys and market research

Note: You can opt out of marketing communications at any time by clicking "unsubscribe" in emails or contacting us.

6. How We Share Your Personal Data

6.1 Our Commitment

MapIQ does NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

6.2 When We Share Data

a) Service Providers and Processors

We share data with trusted third-party service providers who process data on our behalf:

• Cloud Hosting: Amazon Web Services (AWS), Google Cloud Platform for data storage and hosting
• Payment Processors: Stripe, Paystack, M-Pesa (Safaricom) for payment processing
• Email Services: SendGrid, Mailgun for transactional emails
• Analytics: Google Analytics, Mixpanel for usage analytics
• Customer Support: Zendesk, Intercom for support services

All service providers are contractually obligated to protect your data and use it only for specified purposes.

b) Third-Party Integrations (with your authorization)

• Social Media: TikTok, Instagram, YouTube to publish your content
• E-commerce: Shopify, WooCommerce to sync products and orders
• CRM and Marketing: Tools you integrate with for business operations

You control these integrations and can disconnect them at any time.

c) Business Transfers

If MapIQ is involved in a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change.

d) Legal Requirements

We may disclose personal data when required by Kenyan law or in response to:

• Valid legal processes (court orders, subpoenas, warrants)
• Requests from law enforcement or regulatory authorities
• National security or public interest requirements
• Protection of our rights, property, or safety
• Protection of rights and safety of users or the public

6.3 Customer Data Isolation

End customer data collected by Business Users is only accessible to that specific Business User. We do not share customer data between different Business Users.

7. Cross-Border Data Transfers

Some of our service providers and third-party integrations are located outside Kenya. When we transfer personal data internationally, we ensure adequate safeguards are in place, including Standard Contractual Clauses approved by data protection authorities, Privacy Shield frameworks or equivalent certifications, and ensuring the recipient country has adequate data protection laws.

By using the Platform and connecting third-party integrations, you consent to the transfer of personal data outside Kenya where necessary to provide the Services.

8. Data Security and Protection

We implement industry-standard technical and organizational measures to protect personal data including TLS/SSL encryption in transit, AES-256 encryption at rest, role-based access control, multi-factor authentication, firewalls, intrusion detection, DDoS protection, logical data isolation between Business Users, automated daily backups, regular security audits, and an established incident response process.

In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner within 72 hours and notify affected data subjects without undue delay if the breach poses a high risk.

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your personal data.

9. Data Retention

• Active Accounts: Personal data is retained while your account is active
• Suspended Accounts: Data is retained during suspension (30-day grace period for payment issues)
• Closed Accounts: Data is retained for 90 days for recovery purposes, then permanently deleted unless legally required to retain
• Financial Records: Transaction and payment data is retained for 7 years to comply with Kenyan tax and accounting laws
• Backups: Backup copies are retained for 90 days and then automatically deleted

When data is no longer needed, we securely delete or anonymize it using industry-standard methods.

10. Your Data Subject Rights

Under the Data Protection Act, 2019, and the Constitution of Kenya, you have the following rights: the right to be informed, right of access (we respond within 7 days as required by Kenyan law), right to rectification (we respond within 14 days), right to erasure, right to restriction of processing, right to data portability, right to object, and right to withdraw consent.

10.1 Right to Lodge a Complaint

10.2 How to Exercise Your Rights

To exercise any of these rights, contact our Data Protection Officer:

• Email: dpo@mapiqstudio.com
• Subject Line: "Data Subject Rights Request"
• Include: Your name, email address, account details, and specific request

11. Consent Management

Where we rely on consent to process personal data, we ensure that consent is freely given, specific, informed, and unambiguous (requires affirmative opt-in action). We maintain records of consents given.

You can manage consent preferences in your account settings or by contacting us — including opting out of marketing emails, disabling specific cookies, disconnecting third-party integrations, and adjusting location sharing settings.

12. Cookies and Tracking Technologies

We use essential cookies (required for authentication and session management), performance cookies (Google Analytics), functional cookies (preferences and settings), and marketing cookies (campaign effectiveness, with consent). You can control cookies through your browser settings, our cookie consent banner, or cookie preferences in your account settings.

Note: Disabling essential cookies may affect Platform functionality.

13. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children under 18.

If we discover that we have collected personal data from a child under 18, we will promptly delete such information. If you believe we have collected data from a child, please contact us immediately at dpo@mapiqstudio.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date, send an email notification to registered users, and display a prominent notice on the Platform. Changes will take effect 30 days after notice is provided.

Continued use of the Platform after changes constitutes acceptance of the updated Policy.

15. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

16. Acknowledgment

By using the MapIQ Platform, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal data as described in this Privacy Policy.

Last Updated: April 15, 2026