Privacy Policy

01 Overview

This Privacy Policy applies to FlareSend. ("we", "us", "our") and describes how we collect, process, store, and protect personal data when you use the FlareSend platform, including our website, dashboard, and REST API.

By creating an account or otherwise using our services, you acknowledge that you have read and understood this policy. If you do not agree, please discontinue use of the Service.

FlareSend is governed by the Kenya Data Protection Act, 2019 (KDPA) and aligns its practices with GDPR principles for users in the European Economic Area.

02 Data We Collect

We collect only the data necessary to provide and improve the Service. Here is a breakdown of what we collect and why:

Category	Data Points	Purpose
Account data	Name, email address, password (hashed)	Account creation and authentication
Billing data	M-Pesa phone number, transaction reference	Payment processing and subscription management
Usage metadata	Recipient number, message type, timestamp, delivery status, character count	Delivery tracking, billing, abuse prevention
Technical data	IP address, browser type, device type, session tokens	Security, fraud detection, debugging
Communications	Support emails and chat transcripts	Customer support and service improvement

Message content is never stored. We only retain metadata (who, when, what type, status) — never the body text, images, or media you send.

03 How We Use Your Data

We process your data on the following legal bases: contract performance, legitimate interest, legal obligation, and where required, consent.

Provide, operate, and maintain the FlareSend platform and your account.
Process payments and manage your subscription via M-Pesa.
Send transactional emails (account confirmation, password reset, payment receipts).
Send service announcements and important policy updates.
Detect, prevent, and investigate fraud, abuse, and security incidents.
Analyse aggregate usage patterns to improve platform performance.
Comply with legal obligations including tax records and law enforcement requests.
Respond to support requests and resolve disputes.

We only send marketing emails if you have opted in. You can unsubscribe at any time via the link in any email we send.

04 Data Retention

We retain your data only as long as necessary for the purposes described in this policy or as required by law.

Active accounts: Data is retained for the lifetime of your account.
Closed accounts: Personal data is deleted within 90 days of account closure, except where legal obligations require longer retention.
Message metadata: Retained for up to 12 months for billing and abuse-prevention purposes, then permanently deleted.
Billing records: Retained for 7 years to comply with Kenyan tax regulations.
Support communications: Retained for 2 years then deleted.

You may request early deletion of your data at any time. See Section 8 for your rights.

05 Sharing & Disclosure

We do not sell your personal data. We only share it in the following limited circumstances:

Safety: To protect the rights, property, or safety of FlareSend, our users, or the public.
Business transfer: In the event of a merger, acquisition, or asset sale, your data may be transferred. We will notify you before this occurs.

All third-party processors are contractually required to handle your data in compliance with applicable data protection laws and only for the specified purpose.

06 Cookies & Tracking

We use cookies and similar technologies to operate the platform and understand how it is used. We do not use third-party advertising or behavioural tracking cookies.

Cookie Type	Purpose	Duration
Session cookies	Maintain your logged-in state across page loads	Until browser is closed
CSRF token	Protect forms from cross-site request forgery	Session
Remember me	Keep you logged in across sessions if opted in	30 days
Analytics (first-party)	Understand feature usage to improve the dashboard	12 months

You can disable cookies in your browser settings; however, doing so may prevent some features of the platform from functioning correctly.

07 Security

We implement industry-standard technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction.

All data in transit is encrypted using TLS 1.2+.
Passwords are hashed using bcrypt and never stored in plain text.
API keys are hashed at rest and are only displayed once at generation.
Access to production systems is limited to authorised personnel only.
We conduct periodic security reviews and vulnerability assessments.

No system is 100% secure. If you discover a vulnerability, please disclose it responsibly to security@flaresend.com before making it public.

08 Your Rights

Under the Kenya Data Protection Act (and GDPR where applicable) you have the following rights regarding your personal data:

Access Request a copy of all personal data we hold about you.

Rectification Correct inaccurate or incomplete personal data.

Erasure Request deletion of your data ("right to be forgotten").

Restriction Restrict processing of your data in certain circumstances.

Portability Receive your data in a machine-readable format.

Objection Object to processing based on legitimate interests or marketing.

To exercise any of these rights, contact us at privacy@flaresend.com. We will respond within 30 days. We may need to verify your identity before processing a request.

09 Third-Party Services

The FlareSend platform integrates with third-party services to function. Each has its own privacy policy:

Safaricom M-Pesa — payment processing. Safaricom's privacy policy governs the handling of your M-Pesa transaction data.
WhatsApp (Meta) — message delivery infrastructure. Your use of WhatsApp through our platform is also subject to WhatsApp's Terms of Service and Privacy Policy.
Email delivery provider — for transactional emails (password resets, receipts). Only your email address and name are shared for this purpose.

We are not responsible for the privacy practices of third-party services. We encourage you to review their policies independently.

10 Children's Privacy

FlareSend is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.

If we become aware that we have inadvertently collected data from a child under 18, we will take immediate steps to delete that data. If you believe a child has provided us with personal information, please contact us at privacy@flaresend.com.

11 International Data Transfers

FlareSend is based in Kenya. If you access our services from outside Kenya, your data may be transferred to and processed in Kenya or in other countries where our service providers operate.

We ensure that any such transfers comply with applicable data protection law and that adequate safeguards are in place, such as standard contractual clauses or equivalent protections.

For users in the EEA or UK, transfers to Kenya are governed by appropriate standard contractual clauses to ensure your data receives equivalent protection.

12 Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes we will:

Send an email notification to your registered address at least 7 days before changes take effect.
Display a prominent notice in the dashboard.
Update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of those changes.

13 Contact & Data Protection Officer

For privacy-related requests, questions, or concerns — including exercising your data rights — please reach out through the channels below:

General Privacy Enquiries privacy@flaresend.com — data access, deletion, corrections

Email

Security & Vulnerability Reports security@flaresend.com — responsible disclosure only

Email

We aim to respond to all privacy requests within 30 days.

← Back to Sign In View Terms of Service →

Your Privacy Matters