Privacy Policy
Effective 16 May 2026
BIEMSI (“we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our website, register a workspace, or use the BIEMSI production workflow platform (the “Service”).
This policy is intended to align with the Kenya Data Protection Act, 2019 and applicable regulations. Enterprise customers may also execute a data processing agreement that supplements or replaces portions of this policy for their organization.
1. Who is responsible for your data
For account, billing, and platform operations data, BIEMSI acts as a data controller (or equivalent under local law).
For personal data your organization uploads about your customers, employees, or suppliers (for example order contacts, phone numbers, or job notes), your organization is generally the data controller and we act as a data processor, processing that data only on your documented instructions and to provide the Service.
2. What this policy covers
- Marketing site (for example biemsi.com): limited data such as cookies, server logs, and information you submit when contacting us.
- Application: registration details, user accounts, usage logs, support communications, and Customer Data stored in your Workspace.
- Integrationsyou enable (for example payment or SMS providers): data flows may also be governed by those providers' policies.
3. Personal data we collect
Account and registration: business name, subdomain, industry, subscription plan, administrator name, email, phone, country, timezone, currency, and authentication credentials (stored in hashed form).
Workspace usage: role assignments, actions in the application (such as stage changes on jobs), IP address, device/browser type, timestamps, and diagnostic logs needed for security and reliability.
Customer Data (processor role): content you and your Users enter, including customer names, contacts, order details, workflow notes, and related operational records.
Billing: where enabled, payment status and billing identifiers from payment processors (we do not aim to store full card numbers on our servers).
Communications: messages you send to support or sales, and our replies.
We do not intentionally collect sensitive categories of data (such as health or biometric data) unless you choose to enter them in free-text fields; you are responsible for ensuring such processing is lawful for your business.
4. How we use personal data
- Provide, maintain, and secure the Service and your Workspace.
- Authenticate Users and enforce role-based access.
- Process subscription and billing where applicable.
- Respond to support requests and improve documentation.
- Monitor usage, troubleshoot errors, and prevent fraud or abuse.
- Comply with legal obligations and enforce our Terms of Service.
- Send service-related notices (for example security alerts or material policy changes). Marketing email is sent only where permitted by law and your preferences.
5. Legal bases (Kenya)
Depending on context, we rely on one or more of the following:
- Contract: processing necessary to register your Workspace and deliver the Service you requested.
- Legitimate interests: securing the platform, improving features, and preventing misuse, balanced against your rights.
- Consent: where required for optional communications or non-essential cookies.
- Legal obligation: records we must retain for tax, regulatory, or law-enforcement requests.
Where we process Customer Data on your behalf, you are responsible for establishing an appropriate legal basis with your data subjects.
6. Workspace isolation
Each subscribing organization is provisioned a separate database workspace. We route requests using your subdomain so your Customer Data is not mingled with other customers' production data in the application layer. Access by our staff is limited to what is necessary for support, security, or legal compliance, and may be logged.
8. International transfers
Your data may be processed in Kenya and, where we use cloud providers, in other countries with appropriate safeguards (such as contractual clauses or provider certifications). We take steps to ensure an adequate level of protection consistent with applicable law.
9. Retention
We retain account and billing records for as long as your subscription is active and for a reasonable period afterward for legal, tax, and dispute resolution purposes.
Customer Data is retained according to your use of the Service and your plan (for example audit log retention on Professional or Business tiers). You may request export or deletion of your Workspace subject to technical and legal constraints.
Server and security logs are retained for a limited period unless longer retention is required for an investigation.
10. Security
We implement administrative, technical, and organizational measures appropriate to the risk, including access controls, encryption in transit (HTTPS), isolated tenant databases, and managed database migrations. No method of transmission or storage is completely secure; you must protect User credentials and devices.
11. Your rights
Subject to the Kenya Data Protection Act and applicable exceptions, you may have the right to:
- Be informed about processing (this policy).
- Access personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion or restriction of processing where applicable.
- Object to certain processing based on legitimate interests.
- Withdraw consent where processing is consent-based.
- Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya.
To exercise rights relating to your BIEMSI account, contact [email protected]. For data your organization controls as Customer Data, contact your employer or workspace administrator first.
12. Your responsibilities as a customer
If you use the Service for your business, you agree to:
- Provide privacy notices to your own customers, staff, and other data subjects.
- Collect and use personal data lawfully and only for legitimate operational purposes.
- Configure roles and access so Users see only what they need.
- Promptly notify us at [email protected] if you suspect a security incident involving the Service.
14. Children
The Service is intended for business use and is not directed at children under 18. We do not knowingly collect personal data from children. Contact us if you believe we have done so inadvertently.
15. Changes to this policy
We may update this Privacy Policy from time to time. The effective date at the top will change when we do. Material changes will be communicated via the Service, email, or the website where practicable. Continued use after the effective date constitutes acknowledgment of the updated policy.
16. Contact
Privacy enquiries: [email protected]
See also our Terms of Service. Return to the home page.
