Privacy Protection

PRIVACY POLICY & DATA PROCESSING AGREEMENT

Effective Date: April 2, 2026

Company: Kyota.ai ("Company", "We", "Us", "Our")

Role: Data Processor

This Privacy Policy and Data Processing Agreement governs the relationship between Kyota.ai and the business entities ("Client", "Data Controller", "You") utilizing our software, integrations, and Meta/WhatsApp technical services.

1. Definitions and Roles

Under the Kenya Data Protection Act (2019) and global equivalents (e.g., GDPR):

  • Data Controller: The Client utilizing Kyota.ai to manage communications. The Client determines the purposes and means of processing personal data.
  • Data Processor: Kyota.ai. We process personal data solely on behalf of, and under the strict instructions of, the Data Controller.
  • Data Subject: The end-user or customer whose data (contacts, conversations) is being processed.

2. WhatsApp Integration & Conversation Syncing

Kyota.ai provides integrations with the WhatsApp Business API to sync conversations, metadata, and contact profiles.

Scope of Processing: We access, transmit, and temporarily store WhatsApp conversations strictly to provide the software functionality to the Client.

Compliance with Meta: Kyota.ai strictly adheres to Meta’s WhatsApp Business API terms. We do not use conversation data for our own machine learning, profiling, or direct marketing purposes.

3. Client-Imported Contacts and Liability Transfer

Kyota.ai provides functionality allowing the Client to import third-party contact lists into our software ecosystem.

3.1. Client Warranties (The Controller's Burden)

By uploading, syncing, or importing any contact data into Kyota.ai, the Client explicitly represents and warrants that:

  • They have obtained explicit, documented, and lawful consent (opt-in) from every Data Subject on the imported list prior to utilizing Kyota.ai’s messaging features.
  • The data collection methods comply entirely with the Kenya Data Protection Act 2019, the General Data Protection Regulation (GDPR), and Meta's WhatsApp Business messaging policies.
  • The Client maintains records of these opt-ins and will provide them to Kyota.ai, Meta, or regulatory authorities immediately upon request.

3.2. Limitation of Liability for Sourced Data

Kyota.ai has no visibility into, nor responsibility for, the origin of the contacts imported by the Client. Kyota.ai strictly disclaims any liability arising from the Client's failure to secure lawful consent.

4. Indemnification (Protecting Kyota.ai)

The Client agrees to fully indemnify, defend, and hold harmless Kyota.ai, its directors, employees, and affiliates from and against any and all claims, fines, penalties, damages, or legal fees (including those imposed by the Office of the Data Protection Commissioner in Kenya or Meta Platforms, Inc.) arising from:

  • The Client sending unsolicited communications (spam) via our infrastructure.
  • The Client uploading contacts without lawful consent.
  • The Client's breach of the Kenya DPA, GDPR, or WhatsApp Business Terms of Service.

5. Data Security and Incident Response

As a Data Processor, Kyota.ai implements appropriate technical and organizational measures to secure data against unauthorized access, loss, or destruction.

Data Breaches: In the event of a security breach compromising the Client's data, Kyota.ai will notify the Data Controller within 48 hours of becoming aware of the incident, allowing the Controller to fulfill their 72-hour reporting obligation to the Data Commissioner.

Data Retention: Kyota.ai retains processed data only for as long as the Client maintains an active account, or as required by law. Upon termination of the service, Kyota.ai will delete or anonymize all synced conversations and imported contacts within [Insert timeframe, e.g., 30 days].

6. Data Subject Rights

Because Kyota.ai acts as the Data Processor, we do not directly respond to Data Subject requests (e.g., requests to delete, access, or port data).

If a Data Subject contacts Kyota.ai directly regarding their privacy rights, we will forward the request to the respective Data Controller (the Client).

Kyota.ai provides the Client with the necessary technical tools within the software dashboard to fulfill their users' rights (e.g., deleting a contact or exporting a chat log).

7. Sub-Processors and Cross-Border Transfers

Kyota.ai utilizes third-party infrastructure (e.g., cloud hosting providers, Meta platforms) to deliver our services.

Data may be processed outside the Republic of Kenya. By using Kyota.ai, the Client consents to these cross-border data transfers, provided that Kyota.ai ensures the destination country holds adequate data security standards as mandated by Section 48 of the Kenya DPA.