- What Are Cookies and Similar Technologies?
- Legal Basis for Cookie Use
- How PawaHR Uses Cookies — Categories and Purposes
- Cookie Inventory — Detailed Register
- Third-Party and Sub-Processor Cookies
- Cookies We Do Not Use
- Session Storage and Local Storage
- Progressive Web App (PWA) Service Worker Cache
- Cross-Border Considerations for Cookie Data
- Managing and Withdrawing Consent
- Do Not Track and Global Privacy Control
- Cookies and Children
- Retention and Deletion of Cookie Data
- Changes to This Cookie Policy
- Contact and Complaints
What Are Cookies and Similar Technologies?
A cookie is a small text file that a website or web application asks your browser to store on your device when you visit. Cookies are widely used to make websites function correctly, remember your preferences, and gather analytics about how services are used.
Beyond conventional cookies, web applications also rely on similar technologies that serve comparable purposes:
- Session storage — data stored in your browser that is erased when the browser tab or window is closed.
- Local storage — data stored in your browser that persists until explicitly cleared, even after the browser is closed.
- Service worker caches — files stored by a Progressive Web App (PWA) service worker to enable offline access and faster loading.
- Web beacons / pixels — invisible image files embedded in pages or emails that can signal when content has been opened or rendered.
- Fingerprinting — a technique that collects device and browser attributes to create a probabilistic identifier without storing anything on your device.
This policy covers all of these technologies, collectively referred to as "cookies" throughout this document for readability. It explains which of these PawaHR uses, why, and how you can control them.
Legal Basis for Cookie Use
Under the Kenya Data Protection Act, 2019 (No. 24 of 2019) ("DPA"), the processing of personal data — including data derived from cookies — must have a lawful basis. [DPA s.30]
PawaHR relies on the following legal bases for its cookie use:
Strictly Necessary Cookies — Legitimate Interests / Contractual Necessity
Cookies required for authentication, session management, and security are necessary to deliver the services you have contracted with us for. These cookies are set without consent because they are essential to the operation of the platform. Blocking them will prevent the application from functioning. Our legitimate interest in securing the platform and preventing fraud is documented in our Data Protection Impact Assessment (DPIA) and is not overridden by your rights in this context. [DPA s.30(1)(b), s.30(1)(d)]
Optional Cookies — Freely Given, Specific, Informed Consent
Where PawaHR sets any non-essential cookie or analytics technology — currently limited to optional, cookieless analytics via Umami (processed in the EU) — we obtain your freely given, specific, informed, and unambiguous consent through our cookie preferences panel before any such cookie is set. Consent is recorded with a timestamp and may be withdrawn at any time with the same ease as it was given. [DPA s.30(1)(a); DPA General Regulations 2021 r.5]
PawaHR does not rely on implied or bundled consent for cookies. Continued use of the site, scrolling past a banner, or clicking away from a cookie notice does not constitute consent to optional cookies.
Where cookie data constitutes personal data, the processing is additionally governed by our Privacy Policy.
How PawaHR Uses Cookies — Categories and Purposes
PawaHR operates two distinct surfaces — the public marketing website at pawahr.com and the authenticated HR/payroll application at app.pawahr.com. Cookie usage differs between these surfaces.
Cookie Inventory — Detailed Register
The following table is our complete cookie register. We review and update this register whenever we add or change cookie use. [DPA General Regulations 2021 r.27 — Records of processing activities]
| Cookie Name | Provider | Category | Purpose | Duration | Basis |
|---|---|---|---|---|---|
| pawahr_session | PawaHR | Strictly Necessary | Stores the authenticated session token (JWT) in an HttpOnly, Secure, SameSite=Strict cookie when the user logs in. Required for all authenticated API calls. | Session (expires on logout or after 24 hours of inactivity) | Contractual necessity / Legitimate interest |
| pawahr_csrf | PawaHR | Strictly Necessary | CSRF (Cross-Site Request Forgery) protection token. Validated server-side on all state-changing requests (POST, PATCH, DELETE). Prevents malicious third-party sites from submitting requests on behalf of an authenticated user. | Session | Legitimate interest (security) |
| __cf_bm | Cloudflare | Strictly Necessary (Security) | Cloudflare Bot Management cookie. Distinguishes automated traffic (bots, scrapers) from legitimate human visitors. Placed by Cloudflare's WAF on all proxied requests to api.pawahr.com and pawahr.com. Does not track users across sites. | 30 minutes | Legitimate interest (security) |
| _cfuvid | Cloudflare | Strictly Necessary (Security) | Cloudflare rate-limiting cookie. Used to apply rate limits to visitors sharing the same IP address while distinguishing between individual users. Placed only when rate limiting is triggered. | Session | Legitimate interest (security) |
| cf_clearance | Cloudflare | Strictly Necessary (Security) | Set after a visitor successfully passes a Cloudflare CAPTCHA or challenge. Prevents the visitor from being challenged again for a period. Only present when a challenge has been presented. | 30 minutes to 24 hours | Legitimate interest (security) |
| Umami analytics script | Umami Software, Inc. | Performance (Optional) | If you consent to analytics, a JavaScript snippet measures page views, referral sources, and aggregate visitor counts. Umami is cookieless by design — it does not set a cookie or use local storage for tracking. It transmits anonymised request metadata (page URL, referrer, approximate geography at country level, browser type) to Umami Cloud servers located in the EU (Germany). Visitor identifiers are hashed and rotate daily; no personal identifiers are transmitted or stored. Data is aggregated and not used for profiling. | No cookie stored. Script loads per page view. | Consent |
The cookies carrying a cf prefix (__cf_bm, _cfuvid and cf_clearance) are set by Cloudflare's edge rather than by PawaHR application code; their presence reflects our use of Cloudflare as a security and CDN layer. The two pawahr_ cookies are the only ones set by PawaHR itself.
Third-Party and Sub-Processor Cookies
PawaHR uses a small number of third-party sub-processors whose infrastructure may set cookies or process cookie-derived data as part of delivering our service. We require all sub-processors to handle personal data in accordance with the DPA 2019 and our Data Processing Agreements.
Cloudflare, Inc.
PawaHR's domains (pawahr.com and api.pawahr.com) are protected by Cloudflare's CDN and WAF. Cloudflare processes HTTP request metadata, including IP address and request headers, for the purpose of security (bot mitigation, DDoS protection, rate limiting). Cloudflare sets the __cf_bm, _cfuvid, and cf_clearance cookies described in Section 4. These are security infrastructure cookies, not marketing cookies.
Cloudflare is a global service with servers in multiple jurisdictions. Data processed by Cloudflare's network may transit non-Kenyan infrastructure. Cloudflare is subject to Standard Contractual Clauses and is compliant with applicable international data transfer frameworks. See our Privacy Policy §8 for cross-border transfer details.
Cloudflare's own privacy notice: cloudflare.com/privacypolicy
Umami Software, Inc. (Optional Analytics)
Where you have consented to analytics, PawaHR uses Umami Cloud — a privacy-first, cookieless analytics service. Umami does not set cookies and does not use browser storage for tracking. It processes anonymised, aggregated usage data (page URL, referrer, country-level geography, browser and device type). Visitor identifiers are hashed and rotated daily, and no personal identifiers are stored.
Analytics data is processed and stored exclusively within the European Union (Germany), a jurisdiction whose data protection framework (GDPR) provides safeguards equivalent to or exceeding those of the Kenya Data Protection Act 2019. The analytics script loads only after you grant consent via our cookie banner, and consent may be withdrawn at any time. See our Privacy Policy §8 for cross-border transfer details.
Umami's own privacy notice: umami.is/privacy
Railway (Backend Hosting)
PawaHR's backend API runs on Railway. Railway does not set any cookies in your browser. HTTP requests to api.pawahr.com are proxied through Cloudflare before reaching Railway's infrastructure. Railway processes server-side request logs (IP addresses, request paths, timestamps) for operational purposes.
Vercel (Frontend Hosting)
PawaHR's frontend application is hosted on Vercel. Vercel does not set first-party advertising or analytics cookies. Vercel may set infrastructure cookies (e.g. edge routing) as part of serving pages — these are transparent infrastructure cookies with no personal data significance. Vercel's privacy notice: vercel.com/legal/privacy-policy.
Resend (Transactional Email)
PawaHR uses Resend to deliver transactional emails (password resets, payslip notifications, leave approvals). Resend may embed a single transparent pixel in HTML emails to track whether an email was opened (email read receipt). This pixel is used only to monitor email deliverability and is not used for advertising profiling. If you prefer emails without tracking pixels, you can disable remote image loading in your email client. Resend's privacy notice: resend.com/legal/privacy-policy.
Safaricom M-Pesa (Daraja B2C)
PawaHR integrates with Safaricom's Daraja API for salary disbursement via M-Pesa. This integration is server-to-server (API call from PawaHR's backend to Safaricom's API) and does not involve any browser cookies. Safaricom does not set cookies on your browser through PawaHR's platform.
Cookies We Do Not Use
For clarity and to assist users in understanding PawaHR's data minimisation approach, the following cookie types are explicitly not used on any PawaHR surface:
| Cookie Type | PawaHR's Position |
|---|---|
| Advertising / Targeting cookies | Not used. PawaHR does not run paid advertising retargeting campaigns on its application or public website. |
| Cross-site tracking cookies | Not used. We do not track users across third-party websites. |
| Social media tracking pixels (Facebook, LinkedIn, Twitter/X, TikTok) | Not used. No social network pixels are embedded on any PawaHR page. |
| Google Analytics / Google Tag Manager | Not used. We do not use Google Analytics or any Google advertising product. |
| Hotjar, FullStory, or session recording tools | Not used. We do not record or replay user sessions. |
| A/B testing platforms (Optimizely, VWO, etc.) | Not used at this time. |
| Device fingerprinting | Not used. We do not build probabilistic device identifiers from browser or hardware attributes. |
| Persistent advertising IDs | Not used. We do not assign users advertising IDs. |
| Third-party chat or support widget cookies (Intercom, Drift, etc.) | Not embedded. Customer support is provided via email and does not involve embedded third-party widgets. |
Session Storage and Local Storage
In addition to cookies, PawaHR's application uses browser session storage and local storage for functionality that does not require server-side persistence. Although these technologies are not "cookies" in the strict sense, they are similar in that they store data in your browser.
Local Storage — What We Store
PawaHR's frontend application (React + Vite) uses browser local storage via the Zustand state management library for the following purposes:
- Authentication state: the current user's ID, name, role, and a flag indicating whether they are logged in. This mirrors information already encoded in the session JWT and is kept locally to avoid unnecessary API calls on page reload. The JWT itself is never written to local storage; it lives only in the HttpOnly pawahr_session cookie, which page scripts cannot read. Cleared on logout.
- UI preferences: Sidebar collapsed/expanded state. This is a purely cosmetic preference and contains no personal data.
Local storage data is stored on your device only and is not transmitted to PawaHR's servers. It is cleared when you log out or clear your browser data.
Session Storage
PawaHR does not currently use session storage for any persistent data. Certain in-flight form states (such as an unsaved leave request form) may be stored temporarily in React component state (in-memory only, not in the browser's sessionStorage API). These are not persisted beyond the current browser tab and contain no sensitive data.
Progressive Web App (PWA) Service Worker Cache
PawaHR is a Progressive Web App (PWA), meaning it can be installed on your device and provides limited offline functionality. The PWA functionality is implemented using a service worker registered by the browser when you visit the application.
The service worker manages a browser cache (distinct from cookies) that stores the following:
- The application's static assets — HTML, CSS, JavaScript, fonts, and images — to enable fast loading and offline splash screen display.
- No personal data — API responses containing employee records, payslips, leave data, or payroll information are fetched network-first and are not cached by the service worker.
The service worker cache is a performance and offline capability mechanism. It does not transmit any data to third parties and does not track user behaviour.
You can inspect and clear the service worker cache at any time via your browser's developer tools (Application tab → Cache Storage) or by clearing your browser's site data for pawahr.com.
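The split described above (static assets cached, API responses never cached) is a routing rule inside the service worker's fetch handler. The following is an added example, not PawaHR's service worker, of that rule. The host names come from the policy; the cache name, file-extension list, /api/ path rule and function names are assumptions. The classification is a pure function so it can be checked outside a browser.

```javascript
// Added example, not PawaHR's service worker: cache-first for the app's own
// static assets, network-only (no cache fallback) for API calls, so no
// employee, payslip or payroll data ever lands in Cache Storage.
// ASSUMPTIONS: cache name, extension list and the /api/ path rule.
const STATIC_CACHE = 'pawahr-static-v1';                        // assumed
const API_HOSTS = new Set(['api.pawahr.com']);                  // from the policy
const STATIC_EXT = /\.(?:js|css|woff2?|png|svg|ico|html)$/i;    // assumed

// Classify one request URL. Anything that is not a same-origin static asset
// (API hosts, /api/ paths, third-party origins) bypasses the cache entirely.
function strategyFor(urlString, appOrigin = 'https://app.pawahr.com') {
  const url = new URL(urlString);
  if (API_HOSTS.has(url.hostname) || url.pathname.startsWith('/api/')) {
    return 'network-only';
  }
  if (url.origin === appOrigin && (url.pathname === '/' || STATIC_EXT.test(url.pathname))) {
    return 'cache-first';
  }
  return 'network-only';
}

// Wire the rule into a real service worker. `caches` and `self` only exist
// in a worker/window context, so this guard keeps the file loadable in Node.
if (typeof caches !== 'undefined' && typeof self !== 'undefined' &&
    typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const request = event.request;
    // Not a cacheable asset: do nothing, the browser goes to the network and
    // the response is never written to Cache Storage.
    if (request.method !== 'GET' || strategyFor(request.url) !== 'cache-first') return;
    event.respondWith(
      caches.open(STATIC_CACHE).then(async (cache) => {
        const hit = await cache.match(request);
        if (hit) return hit;                          // offline-capable path
        const resp = await fetch(request);
        if (resp.ok) await cache.put(request, resp.clone());
        return resp;
      }),
    );
  });
}
```

To verify the claim on a live installation, open Cache Storage in the browser's developer tools after using the application: only script, style, font, image and HTML entries from app.pawahr.com should appear, and nothing from api.pawahr.com.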
Cross-Border Considerations for Cookie Data
Some data derived from cookies — specifically, Cloudflare security cookies — may be processed outside Kenya as part of Cloudflare's global network operations. Cloudflare operates data centres across Africa, Europe, and the Americas. HTTP request data (IP addresses, request headers, timing) associated with Cloudflare security cookies may transit or be stored on infrastructure outside Kenya. [DPA s.48 — Restriction on transfer of personal data outside Kenya]
PawaHR addresses this cross-border transfer as follows:
- We have a Data Processing Agreement (DPA) with Cloudflare that incorporates Standard Contractual Clauses.
- The processing of security cookie data by Cloudflare is necessary for the protection of the platform and its users — a legitimate interest that overrides the inconvenience of cross-border transfer in this limited context.
- Cloudflare's processing is strictly limited to security, routing, and availability functions — no marketing or profiling use is permitted.
No other cookie data generated on PawaHR's platform is transferred outside Kenya.
Managing and Withdrawing Consent
You have several options for controlling cookie use on PawaHR. Note that disabling strictly necessary cookies will prevent you from logging in or using the platform.
A. Cookie Preferences Panel
On your first visit to pawahr.com, a cookie consent banner allows you to accept or decline optional performance cookies. You can revisit your preferences at any time by clicking "Cookie Preferences" in the website footer. Your consent choice is stored in local storage (not a cookie) with a timestamp and is valid for 12 months, after which you will be asked again.
B. Browser Settings
All major browsers allow you to view, manage, and delete cookies. Below are direct links to cookie management instructions for common browsers:
You may also configure your browser to block all third-party cookies or to notify you before any cookie is set. Be aware that blocking strictly necessary cookies from pawahr.com and api.pawahr.com will prevent authentication and platform access.
C. Cloudflare Cookie Opt-Out
Cloudflare's security cookies (__cf_bm, _cfuvid, cf_clearance) are set by Cloudflare's infrastructure rather than by PawaHR's application code. They cannot be disabled without disabling Cloudflare's security layer, which would expose the platform to security risks. These cookies are strictly necessary infrastructure cookies and do not require consent under DPA s.30.
D. Withdrawing Consent by Email
If you wish to withdraw previously given consent to optional analytics cookies and cannot access the preferences panel, you may email our DPO at privacy@pawahr.com with the subject line "Cookie Consent Withdrawal". We will update your preference record within 5 business days.
Do Not Track and Global Privacy Control
Some browsers allow you to send a Do Not Track (DNT) signal or a Global Privacy Control (GPC) signal to websites indicating that you do not wish to be tracked across sites. [DPA General Regulations 2021 — data subject rights]
PawaHR's response to these signals:
- Do Not Track (DNT): Because PawaHR does not engage in cross-site tracking by default for any user, a DNT signal has no additional practical effect on our behaviour. We do not use third-party tracking cookies regardless of the DNT signal state.
- Global Privacy Control (GPC): PawaHR respects GPC signals. If your browser sends a GPC signal, our cookie preferences panel will default to rejecting all optional cookies. Any existing consent to optional cookies on your device will be treated as withdrawn until you affirmatively re-enable optional cookies.
Cookies and Children
PawaHR is a professional HR and payroll platform designed exclusively for use by employers, HR professionals, and employees of organisations operating in Kenya and East Africa. PawaHR's services are not directed at, and should not be used by, persons under the age of 18.
We do not knowingly set cookies on the devices of children under 18 or process personal data of children. If you become aware that a person under 18 has accessed PawaHR, please contact us at privacy@pawahr.com so we can take appropriate action. [DPA s.34 — Processing of children's personal data]
Retention and Deletion of Cookie Data
The retention period for each individual cookie is set out in the cookie register in Section 4. As a summary:
- Session cookies (pawahr_session, pawahr_csrf, _cfuvid): deleted automatically when your browser session ends or when you log out. The maximum lifetime of an authenticated PawaHR session cookie is 24 hours of inactivity.
- Short-lived Cloudflare security cookies (__cf_bm, cf_clearance): __cf_bm expires 30 minutes after being set; cf_clearance expires between 30 minutes and 24 hours after a challenge is passed, as shown in the register.
- Consent record: stored in browser local storage for 12 months, after which you will be asked to re-confirm your cookie preferences.
You may delete all cookies associated with PawaHR at any time using your browser's site data management tools. Deleting your session cookie will log you out of the application.
When you delete your PawaHR account, any server-side session records are also purged. Browser-side cookies and local storage data on your devices must be cleared manually using your browser's settings, as PawaHR cannot remotely delete data stored on your device. [DPA s.26(1)(c) — Right to erasure]
Changes to This Cookie Policy
We may update this Cookie Policy when we introduce new features, change technology providers, or in response to changes in the DPA 2019 or ODPC guidance. Material changes to this policy will be communicated as follows:
- The "Last updated" date at the top of this page will be revised.
- Where a change involves setting a new type of cookie that was not previously disclosed, we will re-present the cookie consent banner to all existing users before setting the new cookie.
- We will notify active subscribers by email at least 14 days before any material change to our cookie practices takes effect.
- A notice will be displayed within the PawaHR application for 30 days following any material update.
For minor, non-material changes (corrections, updated hyperlinks, clarifications that do not alter cookie behaviour), the policy will be updated without prior notice. We recommend bookmarking this page and reviewing it periodically. The current version is always available at pawahr.com/cookie-policy.
Contact and Complaints
If you have any questions about this Cookie Policy, wish to exercise your rights in relation to cookie data, or believe PawaHR is setting a cookie not disclosed in this policy, please contact our Data Protection Officer at privacy@pawahr.com.
We will acknowledge your enquiry within 7 days and aim to resolve it within 30 days. If you remain dissatisfied after engaging with our DPO, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) free of charge: [DPA s.56]
This Cookie Policy is governed by the laws of Kenya. Any disputes arising from this policy that cannot be resolved through the ODPC process shall be subject to the jurisdiction of the High Court of Kenya. [Constitution of Kenya, Article 165]
Version 1.0, adopted by PawaHR Limited on June 07, 2026.
This Cookie Policy was prepared pursuant to the Kenya Data Protection Act, 2019 (No. 24 of 2019), the Data Protection (General) Regulations 2021, and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021. Section references marked [DPA s.X] refer to the Data Protection Act, 2019 unless otherwise stated.