
Privacy Policy

Last updated: March 16, 2026 · Effective: January 1, 2025

Summary: ZidiTax collects only what's needed to help you file taxes. We never sell your data. We never share it with third parties without consent. Documents are encrypted with AES-256 and can be auto-deleted after 2 years.

1. Information We Collect

We collect information you provide directly when you create an account or use our services:

  • Account data: Name, email address, phone number, KRA PIN
  • Tax documents: P9 forms, M-Pesa statements, bank statements, rental schedules (uploaded voluntarily)
  • Financial data: Income figures, deductions, and tax computations you enter
  • Payment data: M-Pesa transaction references or card last-4 digits (full card numbers are never stored)
  • Usage data: Pages visited, features used, and device type (anonymised)

2. How We Use Your Data

  • To provide tax filing, optimization, and eTIMS invoicing services
  • To extract structured data from uploaded documents using AI/OCR
  • To calculate accurate tax figures using our deterministic tax engine
  • To send filing deadline reminders and account notifications
  • To process subscription payments via M-Pesa and card providers
  • To improve product accuracy and user experience (anonymised only)

We do not use your data for advertising, profiling, or any purpose beyond providing ZidiTax services.

3. Data Storage & Security

All data is stored on Google Cloud Platform (GCP) Africa region (africa-south1). We use:

  • AES-256 encryption for all stored documents and sensitive fields
  • HTTPS/TLS 1.3 for all data in transit
  • Zero-knowledge architecture — your KRA PIN is encrypted and cannot be read by staff
  • Role-based access controls — staff access is logged and audited

4. Document Retention

Uploaded documents (P9 forms, bank statements, M-Pesa exports) are retained for a maximum of 2 years from the upload date, then permanently deleted. You may request earlier deletion at any time from your Document Vault or by contacting us. Generated IT1 files are retained for 5 years to assist with future filings or audits, unless you request deletion.

5. Sharing & Third Parties

We share data only with service providers required to operate ZidiTax:

  • Anthropic (Claude API) — AI chatbot and document extraction. Data is processed under Anthropic's data processing agreement and not used for model training.
  • Google Cloud Platform — Cloud hosting (Cloud Run), database (Cloud SQL), encrypted document storage (GCS), and OCR (Document AI)
  • Safaricom (M-Pesa Daraja API) — M-Pesa Buy Goods payment processing. No financial data shared beyond transaction confirmation.
  • Paystack — Card payment processing. PCI DSS compliant. We never see or store card numbers.
  • Africa's Talking — SMS OTP delivery for 2FA authentication.

We do not share data with KRA, other government agencies, advertisers, or data brokers.

6. Your Rights

Under Kenyan data protection law (Data Protection Act, 2019) and GDPR principles, you have the right to:

  • Access all personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your account and all associated data
  • Export your data in a portable format
  • Withdraw consent for any optional processing
  • Lodge a complaint with the Office of the Data Protection Commissioner (ODPC)

To exercise any right, email privacy@ziditax.co.ke or use the Settings → Privacy section in your account.

7. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking, advertising, or analytics cookies. You cannot opt out of essential cookies as they are required for the platform to function.

8. Changes to This Policy

We will notify users by email at least 14 days before any material changes to this Privacy Policy. Continued use after the effective date constitutes acceptance of the updated policy.

9. Contact

For privacy enquiries: privacy@ziditax.co.ke
Data Protection Officer: dpo@ziditax.co.ke
Postal: P.O. Box 12345-00100, Nairobi, Kenya