ComfortChest Limited (“we,” “us,” or “our”) operates the SpendAnalysis mobile application (“App”). We are committed to protecting your personal data and respecting your privacy in accordance with the Kenya Data Protection Act, 2019 (“the Act”) and its regulations.

This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and what rights you have over it. Please read this policy carefully before using the App. By creating an account or using the App, you acknowledge that you have read and understood this policy.

Data Controller:
ComfortChest Limited
Chemilil Road, Nairobi, Kenya
Email: victor.mmuu@gmail.com
Phone: +254 758 973 766

We are the data controller responsible for the personal data you provide to us through the App. If you have any questions about how we handle your data, please contact us using the details above.

We collect only what is necessary to provide and improve the App. Here is a clear breakdown:

3.1 Account Information

When you create an account, we collect:

• Your name
• Your email address
• Your password (stored in hashed, encrypted form — we never store your password in plain text)

3.2 Subscription and Billing Information

When you subscribe to a paid tier, we collect:

• Your chosen subscription plan and status
• Payment confirmation references

Note: We do not directly handle or store your full payment card details. Payment processing is handled by Google Play Store, and is subject to their own privacy policy.

3.3 Device and Usage Data

We automatically collect certain technical data when you use the App, including:

• Device identifiers (such as your device ID or advertising ID)
• App usage data (such as features used, session duration, and crash reports)
• Error logs generated during your use of the App This data helps us diagnose issues, understand how the App is used, and improve performance.

3.4 What We Do NOT Collect

We want to be transparent about what we do not collect:

• We do not collect, transmit, or store your SMS messages
• We do not collect, transmit, or store your transaction data or spending summaries
• We do not collect, transmit, or store your transaction data or spending summaries
• All SMS processing and spending analysis happens entirely on your device

Your financial data never leaves your phone.

We collect your data in the following ways:

Directly from you — when you register an account, update your profile, or subscribe to a plan.

Automatically — through the App itself, which generates usage data and error logs as you interact with it.

From your device — device identifiers are collected automatically when you install and use the App.

Under the Kenya Data Protection Act, 2019, we must have a lawful basis for processing your personal data. The table below sets out what we collect, why, and our legal basis for doing so:

We will not use your personal data for any purpose that is incompatible with the purposes listed above without first obtaining your consent.

6.1 Storage Location

Your account, subscription, and error log data is stored on secure servers. We take appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure.

6.2 Security Measures

Our security practices include:

• Encryption of data in transit (using TLS/SSL)
• Encryption of data at rest
• Secure, hashed storage of passwords
• Access controls limiting who within our organisation can access your data
• Regular security reviews

6.3 Data Minimisation

We collect only the minimum data necessary to operate the App. We do not process your SMS messages or financial transaction data on our servers at any point.

We retain your personal data for as long as your account is active or as necessary to deliver our services. Specifically:

• Account information — retained for the duration of your account, and deleted within 30 days of account deletion
• Subscription and billing information — retained for up to 7 years as required by Kenyan tax and financial record-keeping obligations
• Device identifiers and usage data — retained for up to 12 months, after which it is anonymised or deleted
• Error logs — retained for up to 6 months for diagnostic purposes

When data is no longer needed, we securely delete or anonymise it.

We do not sell your personal data to any third party. We may share your data only in the following limited circumstances:

8.1 Service Providers

We work with trusted third-party service providers who help us operate the App, such as cloud hosting providers and payment processors. These providers are contractually required to process your data only on our instructions and in accordance with applicable data protection law.

8.2 Legal Obligations

We may disclose your data if required to do so by law, court order, or a request from a competent government authority in Kenya.

8.3 Business Transfers

In the event of a merger, acquisition, or sale of our business, your data may be transferred to the acquiring entity. We will notify you in advance if this occurs and ensure your data continues to be protected.

In all other cases, your data stays with us.

Right of Access — You may request a copy of the personal data we hold about you at any time.

Right to Rectification — If any of your personal data is inaccurate or incomplete, you may request that we correct it.

Right to Erasure — You may request that we delete your personal data. We will comply unless we have a legal obligation to retain it.

Right to Restrict Processing — You may ask us to limit how we use your data in certain circumstances.

Right to Object — You may object to our processing of your data where we rely on legitimate interests as our legal basis.

Right to Data Portability — You may request a copy of your data in a structured, commonly used format.

Right to Withdraw Consent — Where we process your data based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at victor.mmuu@gmail.com. We will respond within 21 days as required under the Act. We may need to verify your identity before processing your request.

The App itself does not use browser cookies. However, we may use device identifiers and analytics SDKs within the App to understand usage patterns and improve performance. You may be able to reset your device advertising ID through your device settings, which will limit our ability to associate usage data with your device over time.

SpendAnalysis is not intended for use by persons under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately at victor.mmuu@gmail.com and we will promptly delete it.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. When we make material changes, we will notify you via the App or by email before the changes take effect. The updated policy will always be available within the App and on our website.

Your continued use of the App after the effective date of any changes constitutes your acceptance of the revised policy.

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):

Office of the Data Protection Commissioner
Website: www.odpc.go.ke
Email: info@odpc.go.ke

We encourage you to contact us first at victor.mmuu@gmail.com so we can try to resolve your concern directly before you escalate to the ODPC.

For any privacy-related questions, requests, or concerns, please reach out to us: