Privacy Policy

1. Who this policy covers

This policy explains how Rekava (“we”, “us”) handles personal and business information when you use the Rekava platform, our website, and related services.

It covers two groups: the businesses that hold a Rekava account, and the individuals — staff, customers, members, patients, guardians — whose details appear in a business's records.

2. Information we collect

Account data: business name, contact email and phone, the names and roles of team members, and login credentials (passwords are stored only as salted hashes).

Business records you enter or upload: customers, invoices, payments, inventory, and reconciliation statements.

Payment data: transaction references, amounts, channels, and payer details. Card and Mobile Money credentials are handled by our payment processor (Paystack) — Rekava never stores full card numbers.

Technical data: IP address, device and browser information, and audit logs of actions taken in your account.

3. How we use it

To provide the service: reconciling payments, generating invoices and reports, and showing your cash position.

To secure accounts: authentication, two-factor verification, fraud and abuse prevention, and the tamper-proof audit trail.

To support and improve the product, and to contact you about your account or material changes to the service.

We do not sell your data, and we do not use the business records you store for advertising.

4. How we share it

With service providers who run the platform on our behalf — hosting, database, payment processing (Paystack), and email delivery — under contractual confidentiality and security obligations.

When required by law, or to protect the rights, safety, and property of Rekava, our users, or the public.

As part of a merger, acquisition, or sale of assets, in which case we will notify affected account holders.

5. Data retention

We keep business records for as long as your account is active and as needed to provide the service. Audit-log entries are retained for the lifetime of the account and cannot be edited or deleted, by design.

When an account is closed, we delete or anonymise personal data within 90 days, except where longer retention is required by law or for legitimate accounting purposes.

6. Security

We protect data with encryption in transit, hashed passwords, role-based access control, rate limiting, account lockout, optional two-factor authentication, and a database-level tamper-proof audit log. See our Security page for detail.

7. Your rights

Account owners can access, correct, and export their data at any time from Settings, and can request deletion of the account.

Individuals whose details appear in a business's records should contact that business directly; where Rekava is the appropriate point of contact, write to privacy@rekava.africa.

8. Cookies

We use a small number of essential cookies and local storage to keep you signed in and remember preferences. We do not use third-party advertising cookies.

9. Changes & contact

We may update this policy as the service evolves; material changes will be communicated to account holders. Questions: privacy@rekava.africa.