Effective Date: 1 Jan 2025
MtejaLink is committed to protecting the privacy and security of all data processed through our platform. This policy outlines how we handle, store and protect data for both our business customers and their end customers.
1. Who We Are
MtejaLink is a product of Lolla Technologies Ltd, part of the ABNO Group. We operate in compliance with:
- Kenya Data Protection Act, 2019
- General Data Protection Regulation (GDPR) (EU)
- Other applicable international data privacy laws
2. Scope of This Policy
This policy applies to:
- Data collected from businesses that use MtejaLink.
- Data collected from end customers through QR codes, subdomains, the MtejaLink app, or embedded widgets.
3. Types of Data We Process
Business Account Data
- Contact information (name, email, phone).
- Business details (name, industry, website).
- Login credentials (encrypted).
- Billing details (for paid accounts).
End-Customer Data
- Feedback responses.
- Service requests and tickets.
- Menu selections and orders.
- Time, date and location (when location services are enabled).
- No personal details unless voluntarily provided by the customer (e.g., for follow-up).
4. Privacy by Design - Anonymous Customer IDs (MIDs)
- Every customer interaction is assigned an Anonymous Customer ID (MID).
- This allows businesses to track and respond to feedback without knowing the customer’s personal identity.
- MIDs prevent unauthorized identification and protect customer anonymity.
For End-Customer Data:
- To deliver feedback and service requests to the business.
- To provide analytics so businesses can improve their service.
- To support location-aware features (when enabled).
5. How We Protect Data
We apply industry-standard security measures:
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest.
- Access Control: Role-based permissions to ensure only authorized staff can view or process data.
- Secure Hosting: Data stored on compliant cloud infrastructure with regular security audits.
- Activity Monitoring: Logging and monitoring of all access to sensitive data.
6. Data Retention
- Business account data is stored for the lifetime of the account and up to 12 months after closure.
- End-customer interaction data is anonymized after 12 months for historical analytics.
- Businesses can request deletion at any time.
7. Data Sharing
We do not sell or rent any data. Data may only be shared with:
- Service providers who help us deliver MtejaLink (bound by confidentiality agreements).
- Legal authorities if required by law.
8. International Data Transfers
If data is transferred outside your country, we ensure it is protected using:
- Standard Contractual Clauses (SCCs).
- Hosting in regions with adequate data protection laws.
9. Breach Response Plan
If a data breach occurs:
1. We will notify affected businesses within 72 hours of detection.
2. We will provide details of the breach, potential impact and mitigation steps.
3. We will work with the affected business to minimize damage and restore security.
10. Your Rights
You can:
- Request a copy of the data we hold about you.
- Ask for corrections or deletions.
- Withdraw consent at any time (where applicable).
To exercise these rights, email info@lollatechnologies.com.
11. Staff Training & Compliance
- All MtejaLink staff undergo regular data protection and security training.
- Compliance with this policy is mandatory for all employees and contractors.
12. Policy Updates
We may update this policy to reflect legal changes or improvements in our security practices. We will notify you before major changes take effect.