Privacy Policy

Effective Date: 12/14/2025

Version: 1.0

1. Introduction

Welcome to Tuma AI ("we," "our," or "us"). We are committed to protecting your privacy and handling your personal data transparently and securely. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our business automation platform, including WhatsApp Business API integration, insurance quote services, CRM management, and AI-powered customer engagement tools.

This policy applies to all users of Tuma AI services, including business clients (B2B) and end customers (B2C). By using our services, you consent to the data practices described in this policy.

Please read this Privacy Policy carefully. If you have any questions or concerns, please contact us using the details provided in Section 20.

2. Data Controller Information

Company Name: Tuma.AI

Physical Address: Nairobi, Kenya

Email: info@tumaai.africa

Phone: +254 746 051 278

Privacy Inquiries Email: privacy@tumaai.africa

Data Protection Officer: Available upon request

3. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom personal data relates.
  • "Controller" means the entity that determines the purposes and means of processing personal data.
  • "Processor" means an entity that processes personal data on behalf of the controller.
  • "WhatsApp Business API" refers to Meta's business messaging platform integrated into our services.
  • "CRM" means Customer Relationship Management system.
  • "AI Agent" refers to our artificial intelligence-powered chatbots and automated customer engagement tools.

4. Types of Personal Data We Collect

4.1 Personal Identification Information

  • Full name (first name, last name)
  • Email address
  • Phone number
  • Date of birth
  • National ID number
  • Physical address (street address, city, postal code)
  • Marketing consent preferences

4.2 Vehicle and Insurance Information

  • Vehicle type, make, model, and year of manufacture
  • Vehicle Identification Number (VIN)
  • Primary use of vehicle (personal, commercial, rideshare)
  • Driver age and driving experience
  • License county/region
  • Accident history and traffic violation records
  • Annual mileage estimates
  • Insurance coverage preferences and requirements
  • Deductible preferences
  • Payment frequency preferences
  • Insurance quote estimates and policy features

4.3 Documents and Media

  • National ID card photographs (front and back)
  • Kenya Revenue Authority (KRA) PIN certificates (PDF documents)
  • Vehicle registration documents
  • Driver's license information
  • Other uploaded documents or images as requested for service provision

4.4 Communication Data

  • WhatsApp messages and conversation history
  • Chat transcripts and interaction logs
  • Customer preferences and stated interests
  • Purchase intent indicators and decision factors
  • Communication style and language preferences
  • Customer satisfaction feedback and ratings
  • Support ticket information and resolution history

4.5 Technical and Usage Data

  • Flow tokens and session identifiers
  • User IDs and client IDs
  • IP addresses and device identifiers
  • Device information (type, operating system, browser)
  • Browser type and version
  • Timestamps and activity logs
  • Service usage patterns and interaction frequency
  • Error logs and diagnostic data
  • Performance metrics and analytics data

4.6 AI and Machine Learning Data

  • Conversation context and memory for personalized interactions
  • Customer behavior patterns and preferences
  • Product interests and purchase history
  • Interaction history used for service improvement
  • Sentiment analysis and engagement metrics
  • AI model training data (aggregated and anonymized where possible)

5. How We Collect Your Data

We collect personal data through various methods:

  • Directly from you: When you provide information through WhatsApp interactive flows, forms, surveys, or direct communication
  • Document uploads: When you upload ID photos, KRA PIN certificates, or other documents through our platform
  • Chat conversations: Through your interactions with our AI agents and customer support via WhatsApp messaging
  • Automatically: Through cookies, log files, and tracking technologies when you use our services
  • Third-party integrations: From WhatsApp Business API (Meta), payment processors, and other integrated services
  • Business partners: From insurance partners, CRM integrations, and other business collaborators (with appropriate consent)
  • Public sources: From publicly available databases and registries where legally permissible

7. Purpose of Data Processing

We process your personal data for the following purposes:

7.1 Service Provision

  • Processing insurance quote requests and connecting you with insurance providers
  • Managing customer relationships through our CRM system
  • Facilitating WhatsApp Business communications
  • Providing AI-powered customer engagement and chatbot services
  • Processing e-commerce transactions and product inquiries
  • Managing interactive flows and customer journeys

7.2 Customer Support

  • Responding to your inquiries and support requests
  • Troubleshooting technical issues
  • Providing personalized assistance
  • Following up on service delivery

7.3 Service Improvement

  • Analyzing usage patterns and customer behavior
  • Improving AI conversation quality and accuracy
  • Personalizing user experiences
  • Developing new features and services
  • Conducting research and analytics

7.4 Marketing and Communications

  • Sending promotional materials (with your consent)
  • Providing service updates and announcements
  • Conducting customer satisfaction surveys
  • Sharing relevant product information

7.5 Legal Compliance and Security

  • Complying with legal and regulatory requirements
  • Preventing fraud and unauthorized access
  • Enforcing our terms of service
  • Protecting our rights and property
  • Ensuring platform security and integrity

8. Data Sharing and Third-Party Disclosures

We may share your personal data with third parties in the following circumstances:

8.1 Service Providers

  • Meta/Facebook: WhatsApp Business API integration for messaging services
  • Google Cloud Storage: Document and media storage services
  • Mem0 AI: Conversation memory and AI services for personalized interactions
  • OpenAI: AI agent services and natural language processing (if applicable)
  • Analytics Providers: For service usage analysis and performance monitoring
  • Payment Processors: For transaction processing and billing (if applicable)

8.2 Business Partners

  • Insurance Providers: We share necessary information with insurance underwriters and brokers to process your quote requests and policy applications
  • Business Clients: If you interact with our platform as an end customer, we may share your data with the business you're communicating with

8.3 Legal Requirements

  • Government authorities and regulators when required by law
  • Law enforcement agencies in response to valid legal requests
  • Courts and legal advisors in connection with legal proceedings
  • Kenya Revenue Authority (KRA) for tax compliance purposes
  • Office of the Data Protection Commissioner (ODPC) when requested

8.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and the choices you may have.

8.5 With Your Consent

We may share your data with other third parties when you have provided explicit consent for such sharing.

Important: We never sell your personal data to third parties for their marketing purposes without your explicit consent.

9. Data Storage and Security

9.1 Storage Location

Your personal data is primarily stored on secure servers provided by Google Cloud Storage. We strive to keep data within African data centers where possible, with backup storage in secure international locations for redundancy.

9.2 Security Measures

We implement comprehensive security measures to protect your data:

  • Encryption: Data is encrypted both in transit (using TLS/SSL) and at rest (using AES-256 encryption)
  • Access Controls: Role-based access control (RBAC) ensures only authorized personnel can access sensitive data
  • Authentication: Multi-factor authentication (MFA) for administrative access
  • Monitoring: 24/7 security monitoring and intrusion detection systems
  • Regular Audits: Periodic security audits and vulnerability assessments
  • Data Backups: Regular automated backups with secure storage and disaster recovery procedures
  • Employee Training: Regular security awareness training for all staff members
  • Secure Development: Security-by-design principles in our software development lifecycle

9.3 Document Storage Security

Sensitive documents such as National ID photos and KRA PIN certificates receive additional protection:

  • Stored in encrypted format with restricted access
  • Access logged and monitored
  • Automatically deleted after retention period expires
  • Separate storage infrastructure with enhanced security controls

Note: While we implement industry-leading security measures, no system is completely secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our abilities.

10. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy or as required by law. Specific retention periods include:

Personal Identification Data:

Retained for the duration of your relationship with us plus 7 years for legal compliance (tax and audit requirements)

Insurance Quote Data:

Retained for 6 years from the date of quote or policy expiration, as required by insurance regulations

Identity Documents (ID photos, KRA certificates):

Retained for 90 days after quote completion or service termination, unless longer retention is required for active policies

Communication Records:

WhatsApp messages and chat logs retained for 2 years for customer service and quality assurance purposes

Technical and Usage Data:

Log files and analytics data retained for 12 months, then aggregated or deleted

Marketing Data:

Retained until you withdraw consent or opt out, then deleted within 30 days

AI Training Data:

Aggregated and anonymized data may be retained indefinitely for model improvement; identifiable data is deleted according to standard retention periods

You may request early deletion of your data by contacting us, subject to legal and contractual obligations that may require continued retention.

11. Your Rights

Under the Kenya Data Protection Act, 2019, and GDPR (where applicable), you have the following rights regarding your personal data:

11.1 Right to Access

You have the right to request copies of your personal data. We will provide this information in a structured, commonly used format within 30 days of your request.

11.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. We will update your information within 30 days of verification.

11.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent and there's no other legal basis for processing
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • Legal obligations require erasure

11.4 Right to Restrict Processing

You have the right to request limitation of how we use your data when:

  • You contest the accuracy of the data
  • Processing is unlawful but you don't want erasure
  • We no longer need the data but you need it for legal claims
  • You've objected to processing pending verification

11.5 Right to Data Portability

You have the right to receive your personal data in a structured, machine-readable format and transmit it to another service provider where technically feasible.

11.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

11.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal.

11.8 Right to Lodge a Complaint

You have the right to file a complaint with the relevant data protection authority:

Kenya: Office of the Data Protection Commissioner (ODPC)

Email: info@odpc.go.ke

Website: www.odpc.go.ke

11.9 Rights Regarding Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. We will inform you of any such processing and provide opportunities for human intervention.

How to Exercise Your Rights

To exercise any of these rights, please contact us at:

We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days with notification.

12. Children's Privacy

Our services are not intended for children under the age of 18. We do not knowingly collect personal data from children without parental consent.

If you are under 18 years old, you may only use our services with the involvement and consent of a parent or legal guardian. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

For insurance-related services, additional age restrictions may apply based on regulatory requirements and insurance provider policies.

If you believe we have collected information from a child without proper consent, please contact us immediately at privacy@tumaai.africa.

13. International Data Transfers

As an African-focused technology company, we primarily process and store data within Africa, specifically in Kenya. However, some data may be transferred to other jurisdictions where our service providers operate, including:

  • United States (Google Cloud Storage, OpenAI, Meta/WhatsApp)
  • European Union (various cloud service providers)
  • Other countries where our third-party service providers maintain infrastructure

13.1 Safeguards

When transferring data internationally, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses for transfers to countries without adequacy decisions
  • Data Processing Agreements: Comprehensive agreements with all service providers ensuring appropriate data protection
  • Encryption: All international transfers are encrypted using industry-standard protocols
  • Adequacy Assessments: Regular reviews of third-party data protection practices

13.2 Kenya Data Protection Act Compliance

All international transfers comply with Section 48 of the Kenya Data Protection Act, 2019, which requires:

  • Authorization from the Data Protection Commissioner where required
  • Adequate level of protection in the recipient country
  • Appropriate contractual safeguards
  • Your explicit consent for transfers of sensitive personal data

14. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and improve our services.

14.1 Types of Cookies We Use

Essential Cookies

Required for basic platform functionality, including authentication, security, and session management. These cannot be disabled.

Performance and Analytics Cookies

Help us understand how users interact with our platform, allowing us to improve performance and user experience.

Functional Cookies

Remember your preferences and settings to provide personalized features.

Marketing Cookies

Track your activity to deliver relevant advertisements and measure campaign effectiveness (only with your consent).

14.2 Managing Cookies

You can control cookies through:

  • Browser settings (most browsers allow you to refuse or delete cookies)
  • Our cookie preference center (if implemented)
  • Third-party opt-out tools for advertising cookies

Note: Disabling certain cookies may limit functionality and affect your user experience.

15. Marketing Communications

We may send you marketing communications about our services, special offers, and updates if you have:

  • Provided explicit consent to receive marketing messages
  • Entered into a business relationship with us (soft opt-in for similar products/services)

15.1 Marketing Channels

We may contact you through:

  • Email
  • WhatsApp Business messaging (with consent)
  • SMS/text messages
  • Push notifications (if enabled)

15.2 Opt-Out Options

You can opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Replying "STOP" to WhatsApp marketing messages
  • Contacting us at info@tumaai.africa
  • Updating your preferences in your account settings

Note: Opting out of marketing communications does not affect transactional messages (service updates, account notifications, support communications).

16. AI and Automated Processing

Tuma AI uses artificial intelligence and machine learning technologies to provide intelligent customer engagement and automation services.

16.1 How We Use AI

  • Conversation Management: AI-powered chatbots handle customer inquiries, provide information, and guide users through processes
  • Personalization: AI analyzes conversation history to provide personalized recommendations and responses
  • Memory and Context: Conversation memory systems (via Mem0 AI) store interaction context to improve future engagements
  • Natural Language Processing: Understanding and responding to customer messages in natural language
  • Service Improvement: Analyzing aggregated data to improve AI model accuracy and service quality

16.2 Automated Decision-Making

Our AI systems may make automated decisions in the following scenarios:

  • Conversation Routing: Determining which department or agent should handle your inquiry
  • Response Generation: Providing automated answers to common questions
  • Preliminary Insurance Quotes: Calculating initial quote estimates based on provided information (subject to human review for final quotes)

16.3 Your Rights Regarding AI

You have the right to:

  • Be informed when you're interacting with an AI agent vs. a human
  • Request human intervention in automated processes
  • Contest automated decisions that significantly affect you
  • Understand the logic behind automated decisions
  • Opt out of AI-powered personalization

16.4 AI Training Data

We may use aggregated and anonymized conversation data to improve our AI models. Identifiable personal data is not used for training third-party AI models without your explicit consent. You can opt out of having your data used for AI improvement by contacting us.

Transparency Commitment: We believe in transparent AI. Our AI agents will identify themselves, and we maintain human oversight for critical decisions, especially those involving financial commitments or sensitive personal matters.

17. WhatsApp Business Integration

Our platform integrates with WhatsApp Business API (provided by Meta) to facilitate customer communications.

17.1 WhatsApp Data Processing

When you communicate via WhatsApp:

  • Messages are transmitted through Meta's WhatsApp Business infrastructure
  • WhatsApp provides end-to-end encryption for message content
  • Message metadata (timestamps, sender information) is processed by both Meta and Tuma AI
  • We store conversation history on our servers for service delivery and quality assurance
  • Media files (images, documents) you share are processed and stored by our systems

17.2 Meta's Privacy Policy

WhatsApp communications are also subject to Meta's privacy policies and WhatsApp's Terms of Service. We recommend reviewing:

17.3 WhatsApp Consent

By initiating a WhatsApp conversation with us, you consent to:

  • Receiving messages from Tuma AI via WhatsApp Business
  • Processing of your messages and shared content
  • Storage of conversation history for service delivery
  • Use of WhatsApp for transactional communications related to your requests

17.4 Opt-Out

You can stop WhatsApp communications by:

  • Sending "STOP" or "UNSUBSCRIBE" via WhatsApp
  • Blocking our WhatsApp Business number
  • Contacting us at info@tumaai.africa

18. Data Breach Procedures

Despite our best security efforts, data breaches can occur. We have established procedures to detect, respond to, and notify affected parties of any data breach.

18.1 Detection and Response

In the event of a suspected data breach:

  • Our security team investigates immediately to determine scope and impact
  • We contain the breach and secure systems to prevent further unauthorized access
  • We assess what data was affected and which individuals are impacted
  • We document the incident and our response actions

18.2 Notification

If a data breach poses a risk to your rights and freedoms, we will:

  • Notify the ODPC: Report to the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach
  • Notify Affected Users: Inform you without undue delay if the breach is likely to result in high risk to your personal data
  • Provide Details: Explain the nature of the breach, likely consequences, and measures taken
  • Offer Guidance: Advise on steps you can take to protect yourself

18.3 Remediation

Following a breach, we will:

  • Conduct a thorough post-incident analysis
  • Implement additional security measures to prevent recurrence
  • Update our security policies and procedures
  • Provide affected users with appropriate support and resources

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

19.1 Notification of Changes

When we make material changes to this policy, we will:

  • Update the "Effective Date" at the top of this policy
  • Post the revised policy on our website
  • Notify you via email or WhatsApp if you have an active account with us
  • For significant changes, request your renewed consent where required by law

19.2 Your Responsibility

We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes are posted constitutes acceptance of the updated policy, unless the changes require explicit consent under applicable law.

19.3 Version History

Previous versions of this Privacy Policy are available upon request by contacting privacy@tumaai.africa.

20. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Inquiries:

Email: info@tumaai.africa

Phone: +254 746 051 278

Privacy-Specific Inquiries:

Email: privacy@tumaai.africa

Mailing Address:

Tuma.AI

Nairobi, Kenya

Data Protection Officer:

For data protection inquiries, contact our Data Protection Officer at dpo@tumaai.africa

Response Time:

We aim to respond to all privacy inquiries within 5 business days and resolve requests within 30 days. Complex requests may require additional time, and we will keep you informed of any delays.

Jurisdiction and Governing Law

This Privacy Policy is governed by the laws of Kenya, including the Data Protection Act, 2019. Any disputes arising from this policy or our data practices shall be subject to the exclusive jurisdiction of Kenyan courts.

For users in the European Union, this policy also complies with the General Data Protection Regulation (GDPR) where applicable.

Acknowledgment

By using Tuma AI services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this policy, please do not use our services.

Thank you for trusting Tuma AI with your personal data. We are committed to protecting your privacy and handling your information responsibly.