Who we are

This Privacy Policy explains how Gee Capital Holdings Limited, a company incorporated in the Republic of Kenya (company registration number: PVT-8LUYB7E), trading as Aqilee, collects, uses, stores, and protects personal data.

In this Policy, "Aqilee", "we", "us", or "our" refers to Gee Capital Holdings Limited. "You" refers to any individual whose personal data we process, including visitors to our website, users of our platform, employees and representatives of our business customers, and end-customers of businesses that use our platform.

Our registered office is at Westlands, Nairobi, Kenya. If you have any questions about this Policy, or want to exercise your privacy rights, contact us at support@aqilee.com.

Our role under data protection law

Aqilee operates in two capacities:

As a data controller. When you visit our website, create an Aqilee account as a business customer, contact us, or interact with our marketing, we decide what data we collect and how it is used. In these cases, we are the data controller.

As a data processor. When a business customer uses Aqilee to communicate with their own customers, the business customer is the data controller of those end-customers' personal data. We process that data on their behalf and under their instructions, as their data processor. Our business customers are responsible for the lawful basis, consent, and notices relating to their end-customers.

This Policy primarily explains our role as a data controller. Section 11 explains our responsibilities as a data processor.

Personal data we collect

We collect different types of data depending on how you interact with us.

Information you give us directly:

Name, email address, and phone number

Business name, business registration number, and business address

Job title and role at your business

Login credentials (email and hashed password)

Payment information (processed by our payment partners; we do not store full card numbers)

Content you upload, including product information, knowledge base documents, and message templates

Communications with our support team

Information we collect automatically when you use the platform:

Device and browser information (type, operating system, browser version)

IP address and approximate location

Login times, pages visited, and features used

Cookies and similar tracking technologies (see Section 9)

Performance and error logs

Information we receive from third parties:

Authentication and account information from Meta (when you connect your WhatsApp Business Account, Instagram, or Facebook Messenger)

Payment status information from M-PESA, Paystack, and other payment processors

Information from identity verification services used during onboarding

Information from referral partners or integrations you authorise

Data from messaging channels (Meta-specific disclosure). When you connect your business messaging accounts to Aqilee, we access and process messages and associated metadata flowing through WhatsApp, Instagram, and Facebook Messenger, including:

Customer phone numbers and profile names

Message content, including text, voice notes, images, documents, and location data where shared

Message timestamps and delivery status

Interaction history between your business and your customers

This data belongs to you (our business customer) as the data controller of your end-customers. We process it on your behalf only to provide the Aqilee platform. We do not use this data for our own purposes, do not sell it, and do not share it with Meta except as required to operate the messaging channel itself.

Why we process your data

We process personal data for the following purposes, each with a lawful basis under the Kenya Data Protection Act 2019 and other applicable laws.

To provide the platform (contract performance):

Create and manage your account

Enable messaging, AI replies, payments, bookings, and other platform features

Process transactions and calculate fees

Provide customer support

To operate our business (legitimate interest):

Improve and develop new features

Monitor platform performance, security, and uptime

Detect, investigate, and prevent fraud, abuse, and security incidents

Enforce our Terms and resolve disputes

Conduct internal analytics

To communicate with you (consent or legitimate interest):

Send service notifications and security alerts

Respond to your support requests

Send onboarding and product education emails

Send marketing communications (where you have consented)

To comply with legal obligations (legal obligation):

Respond to lawful requests from courts, regulators, and law enforcement

Maintain records required by tax, anti-money laundering, and data protection law

Cooperate with audits and investigations

How we use AI and automated processing

Our platform uses artificial intelligence and machine learning to provide core features. Specifically:

Chatbot replies. AI models trained on your business's knowledge base generate suggested or automated replies to your customers.

Voice note understanding. Audio messages are transcribed and interpreted by speech-to-text and language models.

Semantic search and recommendations. Content is converted into embeddings to enable intelligent search across your knowledge base.

Language detection. The platform automatically detects English, Swahili, Sheng, and other supported languages.

These AI features use third-party model providers, including Anthropic, OpenAI, and other providers we may engage from time to time. Your data is processed under contractual terms that prohibit the provider from using your content to train their foundation models or for purposes beyond serving the platform. Inputs and outputs may be temporarily retained by these providers for abuse monitoring and service reliability, typically for up to 30 days, before being deleted.

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing without human involvement.

How we share data

We do not sell your personal data. We share data only in the following circumstances:

Service providers. We work with trusted third parties who help us run the platform. These include:

Cloud hosting and infrastructure: Contabo (Germany), Cloudflare (global), and others

Messaging channels: Meta Platforms (WhatsApp Business Platform, Instagram Messaging API, Messenger Platform)

Payment processing: Safaricom (M-PESA), Paystack

AI and machine learning: Anthropic, OpenAI

Logistics: Leta (for customers who enable logistics features)

Email and communications: Zoho Mail

Analytics and error monitoring: providers we engage to monitor platform performance

Each service provider processes data only under contractual obligations that restrict use to the purposes we specify.

Business customers. If you are an end-customer of a business using Aqilee, your data is shared with that business, which is the data controller. You should consult that business's own privacy policy for how they use your data.

Legal and safety. We may disclose data when required by law, court order, or a lawful request from a regulator, or when we believe in good faith that disclosure is necessary to protect our rights, the safety of users, or the public.

Corporate transactions. If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you before data is transferred and becomes subject to a different privacy policy.

With your consent. In any other case, we share data only with your explicit consent.

International data transfers

Aqilee operates in Kenya, but some of our service providers are based outside Kenya. This means your data may be transferred to, stored in, or processed in countries including Germany, the United States, and others. Where we transfer personal data outside Kenya, we rely on one or more of the following safeguards as required by Section 48 of the Kenya Data Protection Act 2019:

The receiving country has been assessed as providing adequate protection

Contractual clauses that require the recipient to protect your data to a standard equivalent to Kenyan law

Your explicit consent, where applicable

The transfer is necessary to perform the contract you have with us

In line with the Data Protection (General) Regulations 2021, we maintain at least one serving copy of personal data to which the Act applies on a server located in Kenya.

Data retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy or to meet legal, regulatory, or contractual obligations.

Account information: Duration of your subscription, plus 7 years for tax and audit records

Messages and conversation history: Duration of your subscription, plus 30 days after termination for export

Payment records: 7 years, as required by Kenyan tax law

Support correspondence: 3 years from last contact

Website analytics: 14 months

Marketing contact data: Until you unsubscribe, plus a reasonable suppression period

Security and audit logs: 12 months

After the retention period ends, we securely delete or irreversibly anonymise the data.

You can request earlier deletion at any time, subject to any legal obligations that require us to retain the data.

To request deletion of your personal data, email support@aqilee.com with the subject 'Data Deletion Request'. We will verify your identity and respond within 30 days. See Section 7 on Data Retention for information on retention obligations that may delay or prevent immediate deletion.

Cookies and tracking technologies

Our website and platform use cookies and similar technologies to:

Keep you logged in securely

Remember your preferences

Measure site performance and fix errors

Understand how our platform is used, so we can improve it

You can control cookies through your browser settings. If you disable essential cookies, some parts of the platform may not work.

We do not use cookies for third-party advertising or cross-site tracking.

Your rights

Under the Kenya Data Protection Act 2019, you have the following rights:

Right to be informed. To know how your data is being used (this Policy).

Right of access. To request a copy of the personal data we hold about you.

Right to rectification. To request correction of inaccurate or incomplete data.

Right to erasure. To request deletion of your data, subject to our legal and contractual obligations.

Right to restrict processing. To ask us to pause processing in certain circumstances.

Right to data portability. To receive your data in a structured, commonly used format.

Right to object. To object to processing based on legitimate interest, including direct marketing.

Right to withdraw consent. Where we rely on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

Right to complain. To lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya.

To exercise any of these rights, email support@aqilee.com. We will respond within 30 days. We may ask you to verify your identity before acting on your request.

If you are unsatisfied with our response, you may contact the ODPC:

Website: www.odpc.go.ke

Email: info@odpc.go.ke

Our obligations as a data processor

When our business customers use Aqilee to communicate with their own customers, those business customers are the data controllers of their end-customers' personal data, and we act as their data processor. In that role:

We process personal data only on the documented instructions of the business customer

We implement appropriate technical and organisational security measures

We require our sub-processors to meet equivalent data protection standards

We assist the business customer in responding to data subject requests

We notify the business customer of any personal data breach affecting their data within 48 hours of becoming aware of it

We return or delete personal data at the end of the contract, subject to any legal obligations requiring retention

Business customers are responsible for:

Obtaining a lawful basis to process their end-customers' data

Providing their own privacy notices to their end-customers

Obtaining opt-in consent where required by WhatsApp and Meta policies for marketing messages

Registering with the ODPC where required

Honouring data subject requests from their own end-customers

Security

We implement industry-standard technical and organisational measures to protect personal data, including:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)

Role-based access controls and least-privilege permissions

Multi-factor authentication for administrative access

Regular security reviews and penetration testing

Incident response procedures

Secure software development practices

Continuous monitoring of infrastructure and logs

No system is 100% secure. If you suspect a security issue with your account, contact us immediately at support@aqilee.com.

Data breach notification

In the event of a personal data breach that is likely to result in risk to the rights and freedoms of affected individuals, we will:

Notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach, as required by the Kenya Data Protection Act 2019

Notify affected individuals without undue delay where the breach is likely to result in high risk

Notify our business customers within 48 hours where their data is affected, in our role as their data processor

Take immediate steps to contain the breach and prevent recurrence

Children

The Aqilee platform is intended for use by businesses and adults aged 18 or over. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, contact us at support@aqilee.com and we will delete it.

Business customers who use Aqilee to communicate with end-customers are responsible for ensuring they do not process children's data in a manner that violates applicable law.

Third-party links and services

Our platform may contain links to third-party websites or integrate with third-party services (including Meta's messaging channels, payment providers, and logistics partners). We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before sharing data with them.

Specifically, when you use WhatsApp, Instagram, or Facebook Messenger through the Aqilee platform, Meta's own privacy practices apply to your use of those channels. See:

WhatsApp Business Privacy: https://www.whatsapp.com/legal/business-privacy-policy

Meta Privacy Policy: https://www.facebook.com/privacy/policy

Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you by email or in-platform notification at least 30 days before they take effect, except where shorter notice is required by law. The "Last updated" date at the top of this page indicates when the Policy was most recently revised.

Your continued use of the platform after a change takes effect constitutes acceptance of the updated Policy.

Contact

Gee Capital Holdings Limited (trading as Aqilee) Westlands, Nairobi, Kenya

Email: support@aqilee.com

Web: www.aqilee.com

Data Protection Officer / Privacy contact: support@aqilee.com

Regulator

If you believe we have not handled your personal data properly, you have the right to complain to the Kenyan data protection authority:

Office of the Data Protection Commissioner (ODPC) Website: www.odpc.go.ke Email: info@odpc.go.ke