Privacy Policy
Last updated: July 15, 2026
This Privacy Policy explains how Open Crafts Interactive [, a company registered in Kenya under registration number [Company Registration Number]] ("Open Crafts Interactive", "we", "us", "our"), the provider of Rizzit (the "Service"), collects, uses, shares, and protects personal data, in line with Kenya's Data Protection Act, 2019 ("DPA") and its regulations.
Rizzit is business-to-business software. Most of the personal data we process belongs to the Authorized Users of our business customers ("Customers") and to individuals named on the receipts Customers submit (for example, a merchant's staff member). If you are an Authorized User, your organization's administrator controls your Account and may be able to access, restrict, or remove it - contact them first for Account-specific requests, and see Section 8 for how to reach us directly.
1. Who We Are
Open Crafts Interactive is the data controller for Account, billing, and usage data described below, and generally acts as a data processor on behalf of our Customers for the Receipt Data those Customers submit to the Service. [Open Crafts Interactive is registered / in the process of registering as a data controller and data processor with the Office of the Data Protection Commissioner (ODPC), Kenya, under registration number [ODPC Registration Number].]
2. Data We Collect
Account and identity data. Name, email address, phone number, avatar, bio, timezone, and locale, collected when you or your organization creates an Account or invites you as an Authorized User.
Organization data. Your business's legal name, KRA PIN / tax ID, incorporation date, registered address, website, and (if provided) annual revenue, collected from your organization's administrator during account setup.
Receipt Data. Receipt images and scans, and the data extracted from them: merchant name, branch, address, phone number, and KRA PIN; transaction details (date, time, amounts, currency, payment method and reference, line items); eTIMS compliance fields (KRA trader and buyer PIN, VAT rate, CU invoice number, and validation status); and extraction confidence scores.
Approval and workflow data. Who submitted, approved, or rejected a receipt, when, and any notes or reasons recorded in that process.
Billing data. Your subscription plan, invoices, charge history, and the phone number used for M-Pesa payments. We do not store your full M-Pesa PIN, card number, or bank credentials - those are handled directly by our payment processors (Safaricom's Daraja platform, and our card/bank payment provider).
Usage and device data. Log data such as IP address, browser and device type, pages visited, and timestamps, collected automatically as you use the Service, primarily for security, debugging, and service reliability.
Cookies. We use only the essential cookies needed to keep you signed in and to operate the Service securely. We do not currently use advertising or third-party analytics cookies; if that changes, we will update this Policy first.
3. How We Use Your Data
We process personal data to:
- provide the Service, including receipt capture, storage, and organization workspace features;
- validate receipts against KRA's eTIMS system via GavaConnect, and run fraud- and duplicate-detection checks;
- extract structured data from receipt images, including through third-party AI models (see Section 5);
- process subscription billing and payments;
- authenticate users and secure Accounts;
- provide customer support and respond to inquiries;
- send service, security, and billing notifications (and, where you've agreed, product updates);
- generate and email requested receipt data exports to the Authorized User who requested them;
- comply with our legal obligations, including tax, accounting, and record-keeping requirements; and
- maintain and improve the Service's reliability and features.
Legal basis. Under the DPA, we rely on: performance of our contract with Customer (providing the Service, billing); our or a third party's legitimate interests (fraud prevention, service security and improvement), balanced against your rights; compliance with a legal obligation (tax and accounting records); and, where applicable, your consent (for example, optional product update emails, which you can opt out of at any time).
4. eTIMS Validation and GavaConnect
To validate a receipt, we send the relevant receipt and tax data (such as the eTIMS QR content and merchant KRA PIN) to KRA's systems through GavaConnect, and receive back a validation result. This necessarily shares that data with KRA, over which we have no control once received. Open Crafts Interactive is an approved GavaConnect API consumer, not KRA, and is not affiliated with, endorsed by, or acting as an agent of KRA.
5. AI-Assisted Extraction
Receipt images are processed by a third-party machine learning model (currently Google's Gemini) to extract structured data (merchant details, amounts, line items, and similar). This means receipt images and the data on them are transmitted to that provider for processing. We do not permit that data to be used to train the provider's general-purpose models beyond what is necessary to deliver the extraction, to the extent our agreement with the provider allows us to restrict that.
6. How We Share Data
We share personal data with:
- Sub-processors who help us run the Service, currently: Supabase (database, authentication, and file storage), Google (AI-assisted receipt data extraction, described in Section 5), our email delivery provider (for account, billing, and export-notification emails), and our payment processors (Safaricom Daraja for M-Pesa, and our card/bank payment provider).
- KRA, via GavaConnect, as described in Section 4.
- Other members of your organization, according to the role your administrator assigns you (for example, an accountant role can see receipts submitted by field agents).
- Professional advisors, regulators, or authorities, where required by law, to protect our rights, or to investigate fraud or security incidents.
- A successor entity, if we are involved in a merger, acquisition, or asset sale - we will require the data to continue to be protected consistently with this Policy.
We do not sell personal data.
7. Cross-Border Data Transfers
Some of our sub-processors (Section 6) may store or process data outside Kenya. Where we transfer personal data outside Kenya, we do so on a basis permitted by the DPA - such as your consent, a legal requirement to perform our contract with you, or appropriate contractual safeguards with the recipient - and we take reasonable steps to ensure the data continues to receive a comparable standard of protection.
8. Your Rights Under the Data Protection Act, 2019
Subject to the DPA's conditions and exceptions, you have the right to:
- be informed of how your personal data is used (this Policy is part of that);
- access the personal data we hold about you;
- request correction of inaccurate or outdated personal data;
- request deletion of your personal data;
- object to, or request restriction of, certain processing;
- request a copy of your data in a portable format; and
- lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya, if you believe we have not handled your data lawfully.
Where you are an Authorized User, some of these requests may need to go through your organization's administrator, since they control the Account. To exercise these rights directly with us, contact [email protected].
9. Data Retention
- Account and organization data is kept for as long as the Account is active, and for a reasonable period after closure to meet legal, accounting, and dispute-resolution needs.
- Receipt and billing records are generally kept for the periods required by Kenyan tax and accounting law (typically several years), even after an Account closes, unless earlier deletion is requested and permitted by law.
- Generated export files (spreadsheets built from a receipt export request) are automatically deleted from storage 7 days after completion; the underlying Receipt Data used to build them is retained per the paragraph above.
- Where you have exercised a deletion right under Section 8, we will delete or anonymize the relevant personal data unless we are required or permitted by law to keep it.
10. Data Security
We use industry-standard safeguards, including encryption in transit, role-based access controls scoped to your organization and your assigned role, and restricted internal access to production data. No system is completely secure, and we cannot guarantee absolute security, but we maintain a program of technical and organizational measures designed to protect personal data against unauthorized access, loss, or misuse, and to detect and respond to incidents.
11. Children's Privacy
The Service is intended for business use by adults acting on behalf of their organization. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this Policy from time to time. For material changes, we will provide at least 14 days' notice (by email or in-Service notice) before the change takes effect. The "Last updated" date at the top of this page reflects the most recent version.
13. Contact Us
For questions about this Policy, or to exercise a right described in Section 8, contact us at [email protected]. You may also lodge a complaint with the Office of the Data Protection Commissioner, Kenya, at odpc.go.ke.
