Legal document

Privacy Policy

Effective date: 1 April 2026
Last updated: 1 April 2026
Governed by: Kenya Data Protection Act, 2019

Plain English summary

We collect only the information we need to run your CRM account. We never sell your data. Your business data is stored in your own private database in Kenya. You can request access, correction, or deletion of your data at any time by emailing legal@elonacrm.com.

1. Who we are

This Privacy Policy applies to Elona CRM, a software product operated by Elona Group Limited, incorporated and operating in Nairobi, Kenya. Our registered office is at Raja Building, 3rd Floor, Moi Avenue, Nairobi CBD, P.O. Box 00100, Nairobi GPO.

For purposes of the Kenya Data Protection Act, No. 24 of 2019 (the “DPA”), Elona Group Limited is the Data Controller in respect of personal data collected through the Elona CRM platform at elonacrm.com and elonacrm.co.ke.

Questions about this policy or your personal data may be directed to: legal@elonacrm.com


2. What data we collect

We collect only the data necessary to provide the Elona CRM service. We do not collect more than we need.

Account and identity data

  • Your full name, business name, and email address at registration
  • Phone number (used for WhatsApp support and account verification)
  • Business type and industry (used to personalise your experience)
  • Payment information: processed by Paystack, not stored by us

Business data you create inside Elona CRM

  • Client records, contact details, and notes you enter into the CRM
  • Invoices, payments, expenses, and financial records you create
  • Lead pipeline data, proposals, and communications you log
  • Any documents or files you upload to your account

Important: your business data belongs to you

All data you enter into Elona CRM is stored in a private database dedicated exclusively to your account. It is not shared with other Elona CRM customers, used for advertising, or processed for any purpose other than delivering your CRM service.

Technical and usage data

  • IP address and browser type (for security and fraud prevention)
  • Pages visited and features used within the platform (for product improvement)
  • Error logs (for diagnosing technical issues)

Contact form data

When you submit a contact form on elonacrm.com, we collect your name, business name, email, phone number, and the content of your message. This data is recorded as a lead in our internal CRM system and used solely to respond to your enquiry.


3. Why we collect it (lawful basis)

Under the Kenya Data Protection Act, 2019, we must have a lawful basis for processing your personal data. The grounds we rely on are:

  • Contractual necessity: processing your account data, invoices, and CRM records is necessary to deliver the service you have signed up for.
  • Legitimate interests: processing technical and usage data to maintain security, prevent fraud, and improve the platform, balanced against your privacy rights.
  • Consent: where you have expressly agreed, for example when subscribing to product updates. You may withdraw consent at any time.
  • Legal obligation: where we are required by Kenyan law to retain or disclose data, including KRA eTIMS compliance obligations.

4. How we use your data

  • Providing, maintaining, and improving the Elona CRM platform
  • Processing your subscription payments via Paystack
  • Transmitting your invoices to the Kenya Revenue Authority eTIMS system for compliance
  • Sending transactional emails: account confirmations, invoice notifications, password resets
  • Providing customer support when you contact us
  • Sending product update communications, where you have consented
  • Understanding how visitors use elonacrm.com through Google Analytics, as described in the Cookies section
  • Detecting and preventing fraud, abuse, or security incidents

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We do not use your data for advertising.


5. How we store and protect your data

Your account data is stored on servers located in Kenya, in compliance with Section 41 of the Kenya Data Protection Act, 2019, which requires data controllers to maintain at least one serving copy of personal data on a server or data centre in Kenya.

Each Elona CRM customer account is provisioned with a dedicated, isolated database. Your data does not share database tables with any other customer's data. This architecture (per-tenant isolation) provides a significantly higher level of data security than shared-database SaaS platforms.

Security measures we apply

  • Encrypted connections (HTTPS/TLS) for all data in transit
  • Password hashing using industry-standard algorithms
  • Automated database backups four times daily: 6am, 12pm, 6pm, midnight EAT
  • Offsite backup copies stored in a Backblaze B2 data centre in the EU
  • Role-based access controls limiting staff access to customer data
  • Regular security reviews of the platform

In the event of a data breach affecting your personal data, we will notify you and the Office of the Data Protection Commissioner (ODPC) within the timeframe required by the DPA.


6. Data retention

We retain your personal data for as long as your account is active or as needed to provide the service. If you cancel your subscription:

  • Your account data is retained for 90 days after cancellation, during which you may request a full data export
  • After 90 days, your data is permanently deleted from our active systems
  • Backup copies containing your data are rotated and deleted within 30 days following active deletion
  • Financial transaction records may be retained for up to 7 years to comply with Kenyan tax and accounting regulations

7. Your rights under the Kenya DPA 2019

The Kenya Data Protection Act, 2019 grants you the following rights in respect of your personal data. To exercise any of these rights, email us at legal@elonacrm.com. We will respond within 21 days.

  • Access: request a copy of the personal data we hold about you and confirmation of how it is being used.
  • Correction: request correction of any inaccurate or incomplete personal data we hold about you.
  • Deletion: request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing was unlawful.
  • Portability: request your data in a structured, machine-readable format that you can transfer to another service.
  • Objection: object to processing of your data based on our legitimate interests, or for direct marketing purposes.
  • Withdraw consent: withdraw any previously given consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

If you believe your rights have been violated, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at Britam Towers, 12th Floor, Hospital Road, Upper Hill, Nairobi, or at odpc.go.ke.


8. Third parties and data processors

We share your data with the following third parties only to the extent necessary to deliver the service:

  • Paystack: payment processing for subscriptions and M-Pesa transactions. Paystack's privacy policy governs their handling of payment data.
  • Kenya Revenue Authority (KRA): invoice data is transmitted to the KRA eTIMS system as required for VAT compliance. This is a legal obligation.
  • Backblaze B2: encrypted offsite backup storage. Backups are encrypted before transfer and Backblaze cannot read your data.
  • Brevo (formerly Sendinblue): transactional email delivery for account notifications and invoices.
  • Cloudflare: DNS, CDN, and DDoS protection for the elonacrm.com and elonacrm.co.ke domains.
  • Google LLC (Google Analytics): website analytics on elonacrm.com to understand how visitors use our marketing pages. Google may process limited technical and usage data according to its privacy policy at policies.google.com/privacy.

We do not sell your personal data for third-party marketing. We do not use social media advertising pixels to track you across the web for ads. All third-party processors are bound by arrangements consistent with the requirements of the Kenya DPA 2019.

Regarding cross-border transfers: certain processors (Backblaze, Brevo, Cloudflare, Google) are based outside Kenya. These transfers are made with appropriate safeguards, including contractual clauses consistent with Sections 48–50 of the Kenya Data Protection Act.


9. Cookies

The elonacrm.com marketing website uses the following types of cookies:

  • Strictly necessary cookies: required for the site to function, including session management and security tokens. These cannot be disabled.
  • Analytics cookies: we use Google Analytics (Google LLC) on elonacrm.com to measure traffic, page views, and how visitors move through the site. Google may set cookies and process data as described on policies.google.com/privacy. Where Kenyan law requires consent for non-essential cookies, we ask for your consent before enabling analytics cookies.

The elonacrm.co.ke application portal uses session cookies to keep you logged in. These are strictly necessary and cannot be disabled while using the application.

We do not use third-party advertising or remarketing pixels (for example Meta or Google Ads remarketing) on our domains beyond the analytics described above. We do not use social media tracking scripts for advertising purposes.


10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Elona CRM platform, or applicable law. When we make a material change, we will notify you by email to the address registered with your account at least 14 days before the change takes effect.

The effective date at the top of this document indicates when the current version came into force. Previous versions are available on request.


11. Contact the Data Controller

For any questions, requests, or complaints relating to this Privacy Policy or your personal data:

Elona Group Limited — Data Controller

Address: Raja Building, 3rd Floor, Moi Avenue, Nairobi CBD, P.O. Box 00100, Nairobi GPO, Kenya
Response: We respond to all data subject requests within 21 days