1. Who We Are and How to Contact Us
2. Scope and Applicable Law
3. Our Dual Role — Data Controller and Data Processor
4. What Personal Data We Collect
5. Sensitive Personal Data
6. Why We Collect Data — Purposes and Legal Basis
7. Who We Share Data With — Sub-Processors and Third Parties
8. Cross-Border Data Transfers
9. Data Localisation
10. Cookies and Tracking Technologies
11. How Long We Keep Your Data
12. How We Protect Your Data
13. Data Protection Impact Assessment (DPIA)
14. Personal Data Breach Notification
15. Your Rights as a Data Subject
16. Consequences of Not Providing Data
17. Children's Data
18. Automated Decision-Making
19. Commercial Use of Data
20. Third-Party Links
21. Updates to This Policy
22. Complaints and Escalation
Who We Are and How to Contact Us
PawaHR Limited ("PawaHR", "we", "us", or "our") is a company incorporated in Kenya. We operate a cloud-based human resource and payroll management platform for small and medium-sized enterprises (SMEs) in Kenya. Our platform enables employers to manage employee records, process payroll, calculate statutory deductions (PAYE, NSSF, SHIF, Housing Levy, NITA), generate payslips, manage leave, and disburse salaries via M-Pesa.
Our Data Protection Officer (DPO) is responsible for overseeing compliance with this policy and the Kenya Data Protection Act, 2019, and can be contacted at privacy@pawahr.com. [DPA s.29(e)]
Scope and Applicable Law
This Privacy Policy applies to all personal data processed by PawaHR through our website at pawahr.com and our application at app.pawahr.com, including data processed on behalf of our business clients.
This policy is issued pursuant to the following legal instruments:
- The Constitution of Kenya, 2010 — Article 31 (Right to Privacy)
- The Data Protection Act, 2019 (No. 24 of 2019) — the primary governing statute
- The Data Protection (General) Regulations, 2021 (Legal Notice No. 46 of 2021)
- The Data Protection (Complaints Handling Procedure and Enforcement) Regulations, 2021
- The Income Tax Act (Cap. 470) — governing payroll data retention obligations
By using PawaHR's services, you acknowledge that you have read and understood this policy. If you do not agree, please discontinue use and contact our DPO at privacy@pawahr.com.
Our Dual Role — Data Controller and Data Processor
PawaHR operates in two distinct legal capacities under the DPA 2019, depending on context. PawaHR is registered with the Office of the Data Protection Commissioner (ODPC) in both capacities. [DPA s.18]
As Data Controller
When we collect and process data about our clients (subscribing businesses) — including account registration, subscription billing, and communications — PawaHR is the Data Controller. We determine the purposes and means of processing this data. [DPA s.2]
As Data Processor
When our business clients upload their employees' personal data for payroll processing, the employer is the Data Controller and PawaHR is the Data Processor, acting strictly on the client's instructions. [DPA s.2, s.19]
- We will not process employee data beyond what is necessary to deliver agreed payroll and HR services.
- Clients (employers) are responsible for ensuring they have a lawful basis to share employee data with PawaHR.
- Clients are responsible for informing their employees that their personal data is processed through PawaHR's platform.
- A data processing agreement (a contractual clause, not to be confused with the DPA 2019 statute) is incorporated into our Terms of Service and governs this relationship.
- We will assist clients in fulfilling data subject rights requests relating to employee data within statutory timelines.
Complaints relating to employee data processed on behalf of a client should be directed first to the employer (Data Controller). Where unresolved, complaints may be escalated to the ODPC. [DPA s.56]
What Personal Data We Collect
We collect only personal data that is adequate, relevant, and limited to what is necessary for the purposes set out in this policy. [DPA s.25(c)] The following sets out the categories of data collected and the manner of collection. [DPA s.29(b)]
A. Data you provide directly (Client / Account Data)
- Full name and job title
- Business email address and phone number
- Company name and business address
- Username and hashed password (we never store passwords in plain text)
- Billing address and M-Pesa phone number for subscription payments
- Contact preferences
B. Employee data processed on behalf of clients (Payroll Data)
When clients use PawaHR to process payroll, they provide employee data. This may include:
- Full name, national ID number, KRA Personal Identification Number (PIN)
- Bank account details or M-Pesa number for salary disbursement
- Gross salary, allowances, deductions, and net pay
- NSSF member number and contribution records
- SHIF (Social Health Insurance Fund) member number and contributions
- Housing Levy and NITA deduction records
- Leave records, employment commencement date, and employment terms
- P9A annual tax deduction certificates
PawaHR processes this data as Data Processor on the client's instructions. See Section 3 above.
C. Data collected automatically
- Device data: IP address, browser type and version, operating system, device model
- Log data: pages accessed, timestamps, actions performed, error reports and crash logs
- Location data: approximate geographic location inferred from IP address
- Session data: authentication tokens and session identifiers (see Section 10 on Cookies)
Sensitive Personal Data
The DPA 2019 identifies specific categories of data as sensitive personal data requiring heightened protection and additional lawful grounds for processing. [DPA ss.44–47]
PawaHR processes the following sensitive data categories in the course of payroll operations:
| Sensitive Data Category | Context | Lawful Basis |
|---|---|---|
| Government identifiers (National ID, KRA PIN) | Required for statutory payroll filing with KRA | Legal obligation — Income Tax Act, NSSF Act, SHIF Act |
| Financial data (salary, bank details) | Required for payroll processing and salary disbursement | Contractual necessity; legal obligation |
| Trade union membership | Where disclosed by employer for deduction purposes | Explicit consent of employee via employer |
| Health-related data (SHIF contributions) | Statutory deduction under the SHIF Act | Legal obligation — Social Health Insurance Act |
We apply additional safeguards to sensitive data including access controls, encryption at rest, and strict data minimisation. We do not process sensitive data beyond what is required to discharge statutory payroll obligations. [DPA s.45]
Why We Collect Data — Purposes and Legal Basis
We process personal data only where we have a valid lawful basis under Section 30 of the DPA 2019. The following table sets out our processing purposes and corresponding lawful bases. [DPA s.29(c), s.30]
| Purpose | Lawful Basis | Mandatory? |
|---|---|---|
| Account creation and authentication | Contractual necessity | Yes — service cannot be provided without it |
| Payroll processing and payslip generation | Contractual necessity; legal obligation | Yes — core service function |
| Statutory deduction calculation and filing (PAYE, NSSF, SHIF, Housing Levy (AHL), NITA) | Legal obligation — Income Tax Act (Cap.470), NSSF Act, SHIF Act, Employment Act | Yes — required by Kenyan law |
| Salary disbursement via M-Pesa | Contractual necessity | Yes — where M-Pesa disbursement is used |
| Billing and subscription management | Contractual necessity | Yes — required for paid subscription |
| Service communications (alerts, payroll notifications) | Contractual necessity; legitimate interests | Yes — essential service communications |
| Customer support | Contractual necessity; legitimate interests | Yes — where support is requested |
| Platform security and fraud prevention | Legitimate interests | Yes — necessary to protect all users |
| Platform analytics and improvement | Legitimate interests | No — anonymous/aggregated where possible |
| Marketing and promotional communications | Consent | No — opt-in only; may be withdrawn at any time |
| Compliance with legal obligations and regulatory requests | Legal obligation | Yes — where required by law or court order |
Who We Share Data With — Sub-Processors and Third Parties
We do not sell your personal data. We share data only with the sub-processors listed below, strictly for the purposes described, and subject to data processing agreements ensuring equivalent data protection standards. [DPA s.29(d)]
Infrastructure and Hosting
- Railway App (US) — Backend API hosting and PostgreSQL database. Data processed under Railway's data processing terms. Privacy Policy
- Vercel Inc. (US) — Frontend hosting for pawahr.com and app.pawahr.com. Privacy Policy
Email and Communications
- Resend Inc. (US) — Transactional email delivery (payslips, notifications, alerts). Privacy Policy
Analytics (Optional — Consent-Based)
- Umami Software, Inc. (EU — Germany) — Privacy-first, cookieless website analytics, loaded only after you consent via our cookie banner. Processes anonymised, aggregated usage data (page views, referrers, country-level geography, browser type). Visitor identifiers are hashed and rotated daily; no personal identifiers are stored. All analytics data is processed and stored within the European Union, whose GDPR framework provides protections equivalent to or exceeding the Kenya DPA 2019. Privacy Policy
Payments
- Safaricom PLC — M-Pesa Daraja API (Kenya) — Salary disbursement and subscription payment processing. PawaHR does not store M-Pesa wallet credentials or transaction PINs. Privacy Policy
Other disclosures
- Regulatory and legal authorities: We may disclose data to the Kenya Revenue Authority (KRA), ODPC, courts, or other government bodies where required by law, court order, or regulatory obligation.
- Business transfers: In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity. We will notify affected users and the ODPC in advance as required.
Cross-Border Data Transfers
Section 48 of the DPA 2019 governs the transfer of personal data outside Kenya. Several of our sub-processors (Railway, Vercel, Resend) are based in the United States, meaning personal data, including the production database hosted on Railway, is stored and processed outside Kenya. Optional analytics data (Umami) is processed exclusively within the European Union (Germany), a jurisdiction whose GDPR framework provides data protection safeguards equivalent to or exceeding those of the DPA 2019. [DPA s.48, s.49]
We ensure that all cross-border transfers are protected through the following safeguards:
- Contractual safeguards: We maintain data processing agreements with all sub-processors that impose data protection obligations equivalent to those under the Kenya DPA 2019.
- Adequacy assessment: We have assessed each sub-processor's jurisdiction and applicable privacy framework prior to engagement.
- Purpose limitation: Data transferred outside Kenya is used solely for the purpose for which it was collected and is not further processed beyond those purposes.
- Encryption in transit: All data transferred to sub-processors is encrypted using TLS 1.2 or higher.
Data Localisation
Section 50 of the DPA 2019 and Regulation 25 of the General Regulations 2021 provide that the Cabinet Secretary may require certain categories of personal data to be processed only through servers or data centres located in Kenya.
No specific data localisation order has been issued by the Cabinet Secretary applicable to HR and payroll SaaS platforms as at the date of this policy. PawaHR's primary data currently resides on servers operated by Railway (US) and Vercel (US).
PawaHR is committed to transitioning to Kenya-based or East Africa-based server infrastructure as viable providers meeting our security and availability requirements become available. We will update this section when localisation measures are implemented and will comply with any Cabinet Secretary directives on data localisation when issued. [DPA s.50; General Regulations 2021, Reg. 25]
Cookies and Tracking Technologies
PawaHR uses cookies and similar technologies for the following purposes:
- Essential/session cookies: Required for authentication and maintaining your logged-in session. These expire when you close your browser or when your session token expires. These cannot be disabled without preventing use of the platform.
- Security cookies: CSRF (Cross-Site Request Forgery) protection tokens to prevent unauthorised actions. Essential and non-optional.
- Preference cookies: Store your interface preferences between sessions (optional).
- Analytics (optional; may be declined): Anonymous usage data to understand how the platform is used and improve it. Where enabled, analytics is provided by Umami, which is cookieless: it sets no analytics cookie and instead uses hashed visitor identifiers rotated daily, processed in the EU (Germany). See Section 7 for details.
You may control analytics through our cookie banner, and other cookies through your browser settings. Disabling essential cookies will prevent access to the PawaHR application. For full details see our Cookie Policy.
How Long We Keep Your Data
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law. [DPA s.25(e), s.39]
| Data Category | Retention Period | Basis |
|---|---|---|
| Active account and billing data | Duration of subscription | Contractual necessity |
| Payroll and statutory records (PAYE, NSSF, SHIF, P9A) | 84 months (7 years) post account termination | Income Tax Act (Cap.470) — KRA audit window |
| Terminated account data (non-payroll) | 90 days post-termination, then deleted | Operational necessity; dispute resolution |
| Marketing and consent records | Until opt-out or account closure | Consent-based processing |
| Server and access logs | 90 days | Security monitoring; legitimate interests |
| Data breach records | 5 years from date of breach | Regulatory accountability; DPA s.43 |
When retention periods expire, data is securely and permanently deleted or irreversibly anonymised. Where immediate deletion is not technically feasible (e.g. encrypted backup archives), the data is logically isolated from active processing and is permanently removed when the backup containing it is rotated out under our backup schedule.
How We Protect Your Data
We implement appropriate technical and organisational measures to protect personal data in accordance with the principles of integrity, confidentiality and availability. [DPA s.25(f), s.41, s.42]
Technical measures
- HTTPS/TLS encryption on all data in transit (TLS 1.2 minimum)
- Encryption of sensitive data at rest in the database
- Hashed and salted password storage (bcrypt) — plaintext passwords are never stored
- JWT-based authentication with configurable token expiry
- Role-based access control (RBAC) — users access only data relevant to their assigned role
- Parameterised SQL queries and input validation to prevent injection attacks
- HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
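The two measures most often claimed and least often checked are salted password hashing and parameterised queries. The following is an added illustration, not PawaHR's own code: it uses hashlib.scrypt from the Python standard library as a stand-in for the bcrypt named above (same salt-per-user, self-describing storage format and constant-time verification pattern), and an in-memory SQLite table with constructed sample users to show the difference between a string-built query and a bound-parameter query when the input is an injection payload. All names, rows and parameters are assumptions for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Added example (not PawaHR's code). The policy names bcrypt; this block uses
# hashlib.scrypt so it runs without third-party packages. Parameters are assumed.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing string: scrypt$N$r$p$salt_hex$hash_hex.

    A fresh random salt per user means identical passwords produce different
    hashes, and the parameters travel with the hash so they can be raised later.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    except (ValueError, TypeError):
        return False  # malformed record: reject rather than crash
    return hmac.compare_digest(digest.hex(), hash_hex)


# Dummy hash verified for unknown usernames so response time does not reveal
# which accounts exist (same work done on both paths).
DUMMY_HASH = hash_password(os.urandom(16).hex())


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data for the example; not real PawaHR records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, password_hash TEXT)")
    for uid, name, pw in [(1, "amina", "correct horse"), (2, "brian", "battery staple")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, name, hash_password(pw)))
    conn.commit()
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE on purpose: the value is spliced into the SQL text, so a
    payload such as ' OR '1'='1 rewrites the WHERE clause."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised: the driver binds the value; it can never become SQL."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchall()


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound lookup plus constant-time hash check; unknown users cost the same."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    stored = row[0] if row else DUMMY_HASH
    return verify_password(password, stored) and row is not None


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' OR '1'='1"
    print("unsafe lookup with payload:", lookup_user_unsafe(db, payload))  # every row
    print("parameterised lookup:", lookup_user(db, payload))               # no rows
    print("amina / correct password:", authenticate(db, "amina", "correct horse"))
    print("amina / wrong password:", authenticate(db, "amina", "battery staple"))
```

The unsafe function is included only as the "before" case; in a real code base the string-built form should not exist at all, and a linter rule or code review check that flags f-strings and `%` formatting passed to `execute` is a cheap way to keep it out.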
Organisational measures
- Data protection by design — privacy considered at every stage of product development [DPA s.41]
- Access to production data is restricted to authorised personnel only
- Regular security reviews and dependency auditing
- Isolated staging and production environments
- Record of Processing Activities (ROPA) maintained internally
Data Protection Impact Assessment (DPIA)
Section 31 of the DPA 2019 requires that a Data Protection Impact Assessment be conducted before processing that is likely to result in high risk to the rights and freedoms of data subjects. [DPA s.31; General Regulations 2021, Reg. 24]
PawaHR processes sensitive financial data and government identification numbers (KRA PINs, National IDs) at scale on behalf of multiple employers. This constitutes high-risk processing under the DPA. PawaHR has conducted a DPIA covering:
- Identification and assessment of data flows within the platform
- Risk assessment for processing of sensitive payroll and government ID data
- Evaluation of technical and organisational measures to mitigate identified risks
- Assessment of cross-border transfer risks (see Section 8)
- Review of sub-processor data protection standards
The DPIA is reviewed whenever there is a material change to processing activities or platform architecture. Where residual risk remains high following mitigation, we consult the ODPC prior to commencing processing. [General Regulations 2021, Reg. 24(3)]
Personal Data Breach Notification
In the event of a personal data breach, PawaHR will comply with the mandatory notification obligations under Section 43 of the DPA 2019. [DPA s.43]
Notification to the ODPC — Within 72 hours
Upon becoming aware of a personal data breach likely to result in risk to the rights and freedoms of data subjects, we will notify the ODPC without undue delay and no later than 72 hours after becoming aware, using the ODPC's online breach notification portal at odpc.go.ke. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
Notification to Affected Data Subjects — Without Undue Delay
Where a breach is likely to result in high risk to the rights and freedoms of affected individuals, we will notify those individuals directly without undue delay, in plain language, including practical steps they can take to protect themselves.
Processor Notification to Controller — Within 48 hours
Where PawaHR is acting as a Data Processor and discovers a breach affecting client employee data, we will notify the relevant client (Data Controller) within 48 hours to enable the client to fulfil their 72-hour ODPC notification obligation. [DPA s.43(2); General Regulations 2021, Reg. 37]
We maintain an internal breach register recording all actual and suspected incidents, their nature, impact, and remediation steps taken. This register is available for ODPC inspection upon request.
Your Rights as a Data Subject
Under Section 26 of the DPA 2019, you have the following rights in respect of your personal data held by PawaHR. [DPA s.26, s.27]
| Right | What it means | DPA Reference |
|---|---|---|
| Right to be informed | Know how your data is collected, used, and shared — this policy fulfils this obligation | s.26(a) |
| Right of access | Obtain a copy of the personal data we hold about you | s.26(b), s.27 |
| Right to object | Object to processing of your data, in whole or in part | s.26(c), s.36 |
| Right to correction | Request correction of inaccurate or incomplete personal data | s.26(d), s.40 |
| Right to deletion / erasure | Request deletion of personal data, subject to legal retention obligations | s.26(e), s.40 |
| Right to data portability | Receive your data in a structured, machine-readable format for transfer to another service | s.38 |
| Right to withdraw consent | Withdraw consent for consent-based processing at any time, without affecting prior lawful processing | s.32 |
| Right to restrict processing | Request that we limit the processing of your data in specified circumstances | s.34 |
How to exercise your rights
Submit your request to our Data Protection Officer at privacy@pawahr.com. Please include your full name, the nature of your request, and sufficient information to verify your identity. We will acknowledge receipt and respond within 30 days of receiving a valid request. [DPA s.27; ODPC Enforcement Regulations 2021]
Where a right is exercised on behalf of a minor or a person with a disability, it may be exercised by a parent, guardian, or duly authorised representative. [DPA s.27(2)]
We will not charge a fee for exercising these rights except where requests are manifestly unfounded, excessive, or repetitive, in which case a reasonable administrative fee may be levied.
Consequences of Not Providing Data
Pursuant to Section 29(g) and (h) of the DPA 2019, we are required to inform you whether the provision of personal data is voluntary or mandatory, and the consequences of failing to provide it. [DPA s.29(g)(h)]
- Account registration data (name, email, phone, company) — mandatory. Without this data, we cannot create your account or provide access to PawaHR's platform.
- Payroll and employee data (national ID, KRA PIN, salary, bank details) — mandatory for payroll processing. Without this data, we cannot calculate statutory deductions, generate payslips, or disburse salaries. Incomplete statutory data may result in non-compliant payroll filings.
- Billing data (M-Pesa number, billing address) — mandatory for paid subscriptions. Without this, subscription payments cannot be processed.
- Marketing preferences — voluntary. Declining marketing communications has no effect on your access to PawaHR's core services.
- Analytics and preference cookies — voluntary. Declining these cookies does not affect core platform functionality (see Section 10).
Children's Data
PawaHR is a business platform intended solely for adults (18 years and above) acting in a professional capacity. We do not knowingly collect personal data from individuals under 18 years of age. [DPA s.33]
If you believe that a minor's data has been submitted to PawaHR without appropriate consent, please notify our DPO immediately at privacy@pawahr.com. We will investigate and delete any such data promptly upon verification.
Automated Decision-Making
Section 35 of the DPA 2019 regulates automated individual decision-making, including profiling, that produces legal or similarly significant effects on data subjects. [DPA s.35]
PawaHR does not engage in automated decision-making that produces legal or significant effects on individuals. All payroll calculations (PAYE, NSSF, SHIF, Housing Levy, NITA) are rule-based computations applied deterministically to data provided by the employer. These are not AI-driven or profiling-based decisions — they are mathematical applications of statutory rates defined by Kenyan law.
Should PawaHR introduce any automated decision-making features in future, this policy will be updated and affected users will be notified in advance.
Commercial Use of Data
Section 37 of the DPA 2019 restricts the use of personal data for commercial purposes. [DPA s.37]
PawaHR does not use your personal data — or the personal data of your employees — to advance any commercial or economic interest beyond delivering the services described in this policy. We do not sell, licence, or otherwise commercialise personal data. We do not use personal data to target advertising to data subjects on PawaHR's platform or on third-party platforms.
Third-Party Links
Our platform may contain links to external services including the KRA iTax portal, NSSF self-service portal, SHIF member portal, and others. This Privacy Policy does not apply to those third-party services. We are not responsible for their data practices. We encourage you to review the privacy policies of any external services you access.
Updates to This Policy
We may update this Privacy Policy to reflect changes in our processing activities, applicable law, or ODPC guidance. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify all active subscribers by email at least 14 days before changes take effect
- Display a prominent notice within the PawaHR application
For non-material changes (typographical corrections, clarifications that do not alter your rights), we will update the policy without prior notice but will reflect the updated date. Continued use of PawaHR after the effective date of any update constitutes acknowledgement of the revised policy.
We recommend reviewing this policy periodically. The current version is always available at pawahr.com/privacy-policy.
Complaints and Escalation
If you have any concern about how PawaHR handles your personal data, we encourage you to contact our DPO in the first instance at privacy@pawahr.com.
We will acknowledge your complaint within 7 days and aim to resolve it within 30 days. If we are unable to resolve it within 30 days, we will notify you of the extended timeline and reason. [ODPC Complaints Regulations 2021]
If you remain dissatisfied after engaging with our DPO, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), free of charge, through the ODPC's complaints process (odpc.go.ke). [DPA s.56]
This Privacy Policy is governed by the laws of Kenya. Any disputes arising from this policy that cannot be resolved through the ODPC process shall be subject to the jurisdiction of the High Court of Kenya. [Constitution of Kenya, Article 165]
Version 1.0 — adopted by PawaHR Limited on June 06, 2026.
This Privacy Policy was prepared pursuant to the Kenya Data Protection Act, 2019 (No. 24 of 2019), the Data Protection (General) Regulations 2021, and the Data Protection (Complaints Handling Procedure and Enforcement) Regulations 2021. Section references marked [DPA s.X] refer to the Data Protection Act, 2019 unless otherwise stated.