This Privacy Policy explains how Gee Capital Holdings Limited, a company incorporated in the Republic of Kenya (company registration number PVT-8LUYB7E), trading as Aqilee, collects, uses, stores, and protects personal data.

In this Policy, “Aqilee”, “we”, “us”, or “our” means Gee Capital Holdings Limited. “You” means any individual whose personal data we process, including visitors to our website, business customers using the platform, employees and representatives of those businesses, and end-customers of businesses that use the platform.

Our registered office is at Delta Towers, Westlands, Nairobi, Kenya.

For privacy questions or to exercise your rights, contact us at support@aqilee.com

Aqilee operates in two capacities:

As a data controller. When you visit our website, create an Aqilee account as a business customer, contact us, or interact with our marketing, we decide what data we collect and how it is used. In these cases, we are the data controller.

As a data processor. When a business customer uses Aqilee to communicate with their own customers, the business customer is the data controller of those end-customers’ personal data. We process that data on their behalf and under their instructions, as their data processor. Our business customers are responsible for the lawful basis, consent, and notices relating to their end-customers.

This Policy primarily explains our role as a data controller. Section 12 explains our responsibilities as a data processor.

Information you provide directly:

Account details (name, business name, email, phone, role)

Billing and payment information (limited to what payment processors require)

Knowledge base documents and content you upload

Configuration choices (chatbot tone, working hours, automation rules)

Support correspondence

Information we collect automatically:

Device, browser, and operating system information

IP address and approximate location

Login times, pages visited, and features used

Cookies and similar tracking technologies (see Section 10)

Performance and error logs.

Information we receive from third parties:

Authentication and account information from Meta (when you connect your WhatsApp Business Account, Instagram, or Facebook Messenger)

Payment status information from M-PESA, Paystack, and other payment processors

Information from identity verification services used during onboarding

Information from referral partners or integrations you authorise

Data from messaging channels (Meta-specific disclosure). When you connect your business messaging accounts to Aqilee, we access and process messages and associated metadata flowing through WhatsApp, Instagram, and Facebook Messenger, including:

Customer phone numbers and profile names

Message content, including text, voice notes, images, documents, and location data where shared

Message timestamps and delivery status

Interaction history between your business and your customers

This data belongs to you (our business customer) as the data controller of your end-customers. We process it on your behalf only to provide the Aqilee platform. We do not use this data for our own purposes, do not sell it, and do not share it with Meta except as required to operate the messaging channel itself.

We process personal data for the following purposes, each with a lawful basis under the Kenya Data Protection Act 2019.

To provide the platform (contract performance):

Create and manage your account

Enable messaging, AI replies, payments, bookings, and other platform features

Process transactions and calculate fees

Provide customer support

To operate our business (legitimate interest):

Improve and develop new features

Monitor platform performance, security, and uptime

Detect, investigate, and prevent fraud, abuse, and security incidents

Enforce our Terms and resolve disputes

Conduct internal analytics.

To communicate with you (consent or legitimate interest):

Send service notifications and security alerts

Respond to your support requests

Send onboarding and product education emails

Send marketing communications where you have consented

To comply with legal obligations (legal obligation):

Respond to lawful requests from courts, regulators, and law enforcement

Maintain records required by tax, anti-money laundering, and data protection law Cooperate with audits and investigations

Our platform uses artificial intelligence and machine learning to provide core features:

Chatbot replies. AI models trained on your business’s knowledge base generate suggested or automated replies to your customers.

Voice note understanding. Audio messages are transcribed and interpreted by speech-to-text and language models.

Semantic search and recommendations. Content is converted into embeddings to enable intelligent search across your knowledge base.

Language detection. The platform automatically detects English, Swahili, Sheng, and other supported languages.

These AI features use third-party model providers, currently Anthropic and OpenAI. Your data is processed under contractual terms that prohibit the provider from using your content to train their foundation models or for purposes beyond serving the platform. Inputs and outputs may be temporarily retained by these providers for abuse monitoring and service reliability, typically for up to 30 days, before being deleted.

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing without human involvement.

What we log. Every AI interaction processed through the platform is recorded in an audit log. A typical log entry contains the input message, the AI response, retrieved knowledge base context (if any), the model used, token counts, latency, the classified intent, and operational metadata such as timestamps and tenant identifier.

PII redaction. Personal data — phone numbers, full names, postal addresses, and payment references — is redacted at the time the log is written. Raw payment account numbers are never written to audit logs.

Why we keep them. Audit logs are used to:

Debug and improve AI behavior

Attribute platform costs and reconcile billing

Defend against complaints, chargebacks, and fraud claims

Detect abuse and security incidents

Improve the platform

Retention. Audit logs are retained for 6 months from the date of the interaction, regardless of whether the relevant tenant account remains active. After 6 months, audit logs are securely deleted or irreversibly anonymised.

Anonymised aggregated use. We may use anonymised, aggregated data derived from audit logs to improve the platform, build benchmarks, and inform our roadmap. Aggregated data does not identify any individual, business, or end-customer. Use is limited to anonymised, aggregated forms only. Tenants may opt out by emailing support@aqilee.com.

Access. Audit logs are not visible to other tenants. Authorised Aqilee personnel may access audit logs solely for the purposes set out in 6.3.

Enterprise export. Enterprise customers may request a one-time export of audit logs related to their tenant. We will provide the export within 30 days, in a structured format, subject to redaction of any third-party data. For the full contractual basis for audit logs, see Section 7 of the Terms of Service.

We do not sell your personal data. We share data only in the following circumstances:

Service providers. We work with trusted third parties who help us run the platform:

Cloud hosting and infrastructure: Contabo (Germany), Cloudflare (global content delivery)

Messaging channels: Meta Platforms (WhatsApp Business Platform, Instagram Messaging API, Messenger Platform)

Payment processing: Safaricom (M-PESA), Paystack

AI and machine learning: Anthropic, OpenAI

Logistics: Leta (for tenants who enable logistics features)

Email and communications: Zoho

Analytics and error monitoring: providers we engage to monitor platform performance

Each service provider processes data only under contractual obligations that restrict use to the purposes we specify.

Business customers. If you are an end-customer of a business using Aqilee, your data is shared with that business, which is the data controller. Consult that business’s own privacy policy for how they use your data.

Legal and safety. We may disclose data when required by law, court order, or a lawful request from a regulator, or when we believe in good faith that disclosure is necessary to protect our rights, the safety of users, or the public.

Corporate transactions. If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you before data is transferred and becomes subject to a different privacy policy.

With your consent. In any other case, we share data only with your explicit consent.

Aqilee operates in Kenya, but some of our service providers are based outside Kenya. This means your data may be transferred to, stored in, or processed in countries including Germany, the United States, and others.

Where we transfer personal data outside Kenya, we rely on one or more of the following safeguards as required by Section 48 of the Kenya Data Protection Act 2019:

The receiving country has been assessed as providing adequate protection

Contractual clauses that require the recipient to protect your data to a standard equivalent to Kenyan law

Your explicit consent, where applicable

The transfer is necessary to perform the contract you have with us

In line with the Data Protection (General) Regulations 2021, we maintain at least one serving copy of personal data to which the Act applies on a server located in Kenya.

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy or to meet legal, regulatory, or contractual obligations.

Account information: Duration of subscription, plus 7 years for tax and audit records

Messages and conversation history: Duration of subscription, plus 30 days after termination for export

AI interaction audit logs: 6 months from date of interaction (regardless of subscription status)

Payment records: 7 years, as required by Kenyan tax law

Support correspondence: 3 years from last contact

Website analytics: 14 months

Marketing contact data: Until you unsubscribe, plus a reasonable suppression period

Security and infrastructure logs: 12 months

After the retention period ends, we securely delete or irreversibly anonymise the data.

You can request earlier deletion at any time, subject to any legal or contractual obligations that require us to retain the data, including the audit log retention period in Section 6.4.

Our website and platform use cookies and similar technologies to:

Keep you logged in securely

Remember your preferences

Measure site performance and fix errors

Understand how our platform is used, so we can improve it

You can control cookies through your browser settings. If you disable essential cookies, some parts of the platform may not work.

We do not use cookies for third-party advertising or cross-site tracking.

Under the Kenya Data Protection Act 2019, you have the following rights:

Right to be informed. To know how your data is being used (this Policy).

Right of access. To request a copy of the personal data we hold about you.

Right to rectification. To request correction of inaccurate or incomplete data.

Right to erasure. To request deletion of your data, subject to our legal and contractual obligations, including the audit log retention period in Section 6.

Right to restrict processing. To ask us to pause processing in certain circumstances.

Right to data portability. To receive your data in a structured, commonly used format.

Right to object. To object to processing based on legitimate interest, including direct marketing.

Right to withdraw consent. Where we rely on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

Right to complain. To lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya.

To exercise any of these rights, email support@aqilee.com with the subject “Data Subject Request”. We will verify your identity and respond within 30 days.

How to request deletion of your data. To request deletion of personal data we hold about you, email support@aqilee.com with the subject 'Data Deletion Request'. Include enough information for us to identify you (for example, the email address, phone number, or WhatsApp number associated with the data). We will verify your identity and respond within 30 days. If your data was collected by a business using the Aqilee platform — for example, through a WhatsApp conversation with that business — we will forward your request to that business as the data controller and assist them in honouring it. See Section 9 (Data retention) and Section 6.4 (AI audit log retention) for legal and contractual obligations that may delay or prevent immediate deletion.

If you are unsatisfied with our response, you may contact the ODPC:

Website: www.odpc.go.ke

Email: info@odpc.go.ke

When our business customers use Aqilee to communicate with their own customers, those business customers are the data controllers of their end-customers’ personal data, and we act as their data processor. In that role:

We process personal data only on the documented instructions of the business customer

We implement appropriate technical and organisational security measures

We require our sub-processors to meet equivalent data protection standards

We assist the business customer in responding to data subject requests

We notify the business customer of any confirmed personal data breach affecting their data within 72 hours of becoming aware of it

We return or delete personal data at the end of the contract, subject to any legal obligations requiring retention and the audit log retention period in Section 6.4

Business customers are responsible for:

Obtaining a lawful basis to process their end-customers’ data

Providing their own privacy notices to their end-customers

Obtaining opt-in consent where required by WhatsApp and Meta policies for marketing messages

Registering with the ODPC where required

Honouring data subject requests from their own end-customers

We implement industry-standard technical and organisational measures to protect personal data, including:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)

Role-based access controls and least-privilege permissions

Multi-factor authentication for administrative access

Regular security reviews and penetration testing

Incident response procedures

Secure software development practices

Continuous monitoring of infrastructure and logs

No system is 100% secure. If you suspect a security issue with your account, contact us immediately at support@aqilee.com.

In the event of a personal data breach that is likely to result in risk to the rights and freedoms of affected individuals, we will:

Notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach, as required by the Kenya Data Protection Act 2019

Notify affected individuals without undue delay where the breach is likely to result in high risk

Notify our business customers within 72 hours where their data is affected, in our role as their data processor

Take immediate steps to contain the breach and prevent recurrence

The Aqilee platform is intended for use by businesses and adults aged 18 or over. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact us at support@aqilee.com and we will delete it.

Business customers who use Aqilee to communicate with end-customers are responsible for ensuring they do not process children’s data in a manner that violates applicable law.

Our platform may contain links to third-party websites or integrate with third-party services (including Meta’s messaging channels, payment providers, and logistics partners). We are not responsible for the privacy practices of those third parties.

When you use WhatsApp, Instagram, or Facebook Messenger through the Aqilee platform, Meta’s own privacy practices apply to your use of those channels:

WhatsApp Business Privacy: https://www.whatsapp.com/legal/business-privacy-policy

Meta Privacy Policy: https://www.facebook.com/privacy/policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you by email or in-platform notification at least 30 days before they take effect, except where shorter notice is required by law. The “Last updated” date at the top of this page indicates when the Policy was most recently revised.

Your continued use of the platform after a change takes effect constitutes acceptance of the updated Policy.

Gee Capital Holdings Limited (Trading as Aqilee), Delta Towers, Westlands, Nairobi, Kenya

Email: support@aqilee.com Web: aqilee.com

Privacy contact: support@aqilee.com

If you believe we have not handled your personal data properly, you have the right to complain to the Kenyan data protection authority:

Office of the Data Protection Commissioner (ODPC) Website: www.odpc.go.ke Email: info@odpc.go.ke