1. Introduction
ChatPilot ("we", "our", "the platform") is operated by ChatPilot Ltd, a company registered in Kenya. This Data Processing Policy explains what data we collect, why we collect it, how we use it, who we share it with, and what rights you and your customers have over that data.
ChatPilot is a business-to-business (B2B) platform. We provide WhatsApp commerce automation services to businesses ("Tenants"). Those businesses in turn serve their own customers ("End Users") through the ChatPilot platform. This policy covers both relationships.
If you are a business using ChatPilot, this policy governs how we handle your business data and your customers' data on your behalf. If you are an end user who interacted with a business that uses ChatPilot, your primary relationship is with that business. This policy provides transparency about the infrastructure your data passed through.
2. Legal Framework
ChatPilot operates under and complies with:
- Kenya Data Protection Act, 2019 — the primary governing legislation for personal data in Kenya
- Kenya Data Protection (General) Regulations, 2021
- Meta Platform Terms of Service — governing use of the WhatsApp Cloud API
- Safaricom Daraja API Terms — governing M-Pesa payment data
- General Data Protection Regulation (GDPR) — where applicable to EU-resident data subjects
ChatPilot is registered with the Office of the Data Protection Commissioner (ODPC) of Kenya as a Data Processor and, in certain contexts, as a Data Controller.
3. Roles and Responsibilities
ChatPilot as Data Processor
When ChatPilot processes data on behalf of a Tenant (business customer), we act as a Data Processor. The Tenant is the Data Controller — they determine the purpose and means of processing their customers' data. ChatPilot processes that data only on the Tenant's documented instructions.
ChatPilot as Data Controller
ChatPilot acts as a Data Controller for:
- Data of Tenant users (the business owners and staff who use the ChatPilot dashboard)
- Platform analytics data aggregated across tenants for service improvement
- Data processed for our own billing, fraud prevention, and legal compliance purposes
Tenant Responsibilities
Tenants who use ChatPilot to communicate with their customers are themselves Data Controllers under Kenyan law. By using ChatPilot, Tenants represent that they have obtained appropriate consent from their end users to receive automated WhatsApp communications, have a lawful basis for processing end user data, and will handle data subject requests from their own customers in compliance with the Kenya Data Protection Act.
4. Data We Collect
4.1 Tenant Business Data
Data collected from businesses that register and use ChatPilot:
| Data Category | Specific Data | Purpose |
|---|---|---|
| Account identity | Business name, owner name, email address, phone number | Account creation, authentication, support |
| Business configuration | WhatsApp number, business type, bot name, product catalogue | Platform operation |
| Payment credentials | M-Pesa shortcode, passkey (encrypted), PayHero API key (encrypted) | Payment processing |
| Integration credentials | WooCommerce keys, Meta Pixel ID, HubSpot token, Google Ads credentials (all encrypted) | Integration operation |
| Billing data | Plan tier, GMV totals, platform fee totals, billing activation date | Revenue calculation, invoicing |
| Usage data | Login times, dashboard actions, feature usage | Product improvement, support |
4.2 End User Data (Customer Data)
Data collected from the customers of ChatPilot Tenants, processed on behalf of Tenants:
| Data Category | Specific Data | Source |
|---|---|---|
| Contact identity | Phone number, name (if provided) | WhatsApp conversation, Tenant input |
| Conversation data | Message content, timestamps, message direction, message type | WhatsApp Cloud API |
| Attribution data | ctwa_clid (Click-to-WhatsApp ad identifier), entry source | Meta WhatsApp referral object |
| Behavioural data | Opt-in status, tags, conversation state, last message timestamp | Platform logic |
| Payment data | Phone number used for M-Pesa, amount paid, M-Pesa receipt number, payment status | Safaricom Daraja callback |
| Order data | Items ordered, quantities, delivery address, order status | Tenant WooCommerce integration |
| Metadata | IP addresses (where applicable), device information from webhooks | System logs |
4.3 Technical and Platform Data
Data generated by the operation of the platform itself:
- Webhook events — inbound WhatsApp webhooks logged for idempotency and debugging
- Analytics events — conversation events, conversion events, campaign events
- Vector embeddings — semantic representations of Tenant content for AI retrieval (not personal data, provided the Tenant content being embedded does not itself contain personal data)
- Error logs — technical errors and exceptions for debugging and reliability
- API request logs — for rate limiting, abuse detection, and debugging
5. Legal Bases for Processing
For Tenant Data
| Processing Activity | Legal Basis |
|---|---|
| Providing the contracted platform service | Performance of contract (Kenya DPA Section 30) |
| Billing and revenue calculation | Performance of contract |
| Platform improvement and analytics | Legitimate interests (improving service reliability and features) |
| Legal compliance (tax, regulatory) | Legal obligation |
| Fraud prevention and abuse detection | Legitimate interests |
| Marketing to existing Tenants about new features | Legitimate interests / consent where required |
For End User Data
| Processing Activity | Legal Basis |
|---|---|
| Routing and responding to WhatsApp messages | Tenant's instruction under Data Processing Agreement; Tenant's legal basis is typically consent (opt-in to WhatsApp communication) |
| Payment processing via M-Pesa | Performance of contract between end user and Tenant; necessary for payment execution |
| Sending broadcast campaigns | Tenant's instruction; Tenant is responsible for holding valid opt-in consent |
| Analytics and conversion reporting | Tenant's instruction; Tenant's legitimate interest in business analytics |
6. How We Use Data
AI and Conversation Processing
WhatsApp message content is processed by the ChatPilot AI system to:
- Classify the intent of incoming messages (e.g. product inquiry, complaint, payment query)
- Retrieve relevant responses from Tenant content using vector similarity search
- Generate or select an appropriate response
- Determine whether a human hand-off is required
Message content used for AI response generation is processed in real time and is not used to train shared AI models across tenants. Each Tenant's content and conversation history is isolated to their account.
We use Claude (Anthropic) as our AI provider for conversation classification. Message content may be transmitted to Anthropic's API for this purpose. Anthropic's data processing terms apply. Anthropic does not use API-submitted data to train their models.
We use Cohere multilingual models for generating vector embeddings of Tenant content. Tenant content text is transmitted to Cohere's API for embedding generation. Cohere's data processing terms apply.
Payment Processing
Payment data flows through the following path:
- Customer phone number is transmitted to Safaricom Daraja to initiate an STK Push
- Safaricom processes the payment entirely on their infrastructure — ChatPilot never receives or stores PIN data
- Safaricom sends a callback to ChatPilot confirming the outcome — containing receipt number, amounts, and transaction identifiers
- ChatPilot stores the callback data, links it to the conversation and order, and sends a confirmation message to the customer
M-Pesa shortcodes, passkeys, and API credentials are stored encrypted at rest. They are decrypted only in memory, only at the point of initiating a payment request, and are never logged.
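As an added illustration of the credential-handling rule above (this is example code written for this page, not ChatPilot's own implementation), the following Python shows the one point at which a decrypted M-Pesa passkey is read: deriving the Daraja STK Push password, which Safaricom specifies as Base64(BusinessShortCode + Passkey + Timestamp). Because that password is Base64-encoded rather than hashed, it is exactly as sensitive as the passkey, so the request body must be redacted before it is logged. The `Secret` wrapper, the sample shortcode and the placeholder passkey are constructed for the example; the surrounding encryption-at-rest layer is assumed to exist and is not shown.

```python
import base64
import logging
from dataclasses import dataclass
from datetime import datetime

log = logging.getLogger("payments")

# Constructed sample values; the passkey is a made-up placeholder, not a real credential.
SAMPLE_SHORTCODE = "174379"
SAMPLE_PASSKEY = "not-a-real-passkey-0000"


@dataclass(frozen=True)
class Secret:
    """Holds a decrypted credential in memory. repr()/str() never expose it,
    so an accidental log.info("%r", creds) or an f-string cannot leak it."""
    _value: str

    def reveal(self) -> str:
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


def daraja_timestamp(now: datetime) -> str:
    """Daraja expects the timestamp as YYYYMMDDHHmmss."""
    return now.strftime("%Y%m%d%H%M%S")


def stk_push_password(shortcode: str, passkey: Secret, timestamp: str) -> str:
    """Lipa na M-Pesa Online password = Base64(Shortcode + Passkey + Timestamp).
    Base64 is an encoding, not a hash: this value is as sensitive as the passkey."""
    raw = f"{shortcode}{passkey.reveal()}{timestamp}".encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def build_stk_push_payload(shortcode: str, passkey: Secret, msisdn: str,
                           amount: int, timestamp: str) -> dict:
    """Assemble the STK Push request body. This is the only place the passkey is read."""
    return {
        "BusinessShortCode": shortcode,
        "Password": stk_push_password(shortcode, passkey, timestamp),
        "Timestamp": timestamp,
        "TransactionType": "CustomerPayBillOnline",
        "Amount": amount,
        "PartyA": msisdn,
        "PartyB": shortcode,
        "PhoneNumber": msisdn,
    }


def loggable(payload: dict) -> dict:
    """Copy of the payload that is safe to log: the derived Password is redacted,
    while shortcode, timestamp and amount (useful for support) are kept."""
    return {k: ("<redacted>" if k == "Password" else v) for k, v in payload.items()}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    creds = Secret(SAMPLE_PASSKEY)          # would come from field-level decryption
    ts = daraja_timestamp(datetime.now())
    body = build_stk_push_payload(SAMPLE_SHORTCODE, creds, "254712345678", 100, ts)
    log.info("STK push request %s", loggable(body))
    log.info("credentials object: %r", creds)   # logs Secret(<redacted>)
```

The design choice worth noting is that redaction is enforced by the type (`Secret`) rather than by discipline at each log call, and that the derived `Password` field is treated as a credential in its own right.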
Ad Attribution and Conversion Reporting
When a customer clicks a Click-to-WhatsApp ad and subsequently makes a purchase:
- The `ctwa_clid` parameter from Meta's referral object is captured at conversation start and stored against the contact record
- On payment confirmation, ChatPilot fires a `Purchase` conversion event to Meta's Conversions API, including hashed customer data (phone number), purchase value, and product category
- The same purchase event is optionally reported to Google Ads, depending on Tenant configuration
This reporting is performed on behalf of the Tenant and for the Tenant's benefit (optimising their ad campaigns). The Tenant is responsible for ensuring their ad platform terms and applicable data protection requirements are met for these conversions.
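To show concretely what "hashed customer data" means in the conversion event above, here is an added Python example (written for this page, not ChatPilot's code). Meta's Conversions API expects phone numbers normalised to digits only, including the country code and without a leading `+` or trunk `0`, then hashed with SHA-256 before they are sent; an unnormalised number hashes to a different value and will not match. The sample phone numbers, the Kenyan country code default, and the use of the M-Pesa receipt number as the deduplicating `event_id` are assumptions made for the example; field names follow Meta's documented `user_data` / `custom_data` schema.

```python
import hashlib
import json
import re

# Constructed sample inputs: the same Kenyan number as a Tenant might receive it
# from WhatsApp, from dashboard entry, or from a checkout form.
SAMPLE_PHONES = ["+254 712 345 678", "0712345678", "254712345678", "0712-345-678"]

KENYA_COUNTRY_CODE = "254"  # assumption for the example: Tenant operates in Kenya


def normalize_msisdn(raw: str, country_code: str = KENYA_COUNTRY_CODE) -> str:
    """Return digits only with country code and no leading '+' or trunk '0'.
    This is the canonical form Meta requires before hashing a phone number."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0"):                      # local format, e.g. 07xx xxx xxx
        digits = country_code + digits.lstrip("0")
    if not 8 <= len(digits) <= 15:                   # E.164 length bounds
        raise ValueError(f"not a plausible phone number: {raw!r}")
    return digits


def hash_user_data(value: str) -> str:
    """SHA-256 hex digest (lowercase) of an already-normalised identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_purchase_event(phone: str, value_kes: float, category: str,
                         ctwa_clid: str, event_time: int, event_id: str) -> dict:
    """Conversions API Purchase event: only the hashed phone leaves the platform."""
    return {
        "event_name": "Purchase",
        "event_time": event_time,            # Unix seconds of the M-Pesa callback
        "event_id": event_id,                # assumption: M-Pesa receipt number, for dedup
        "action_source": "chat",
        "user_data": {
            "ph": [hash_user_data(normalize_msisdn(phone))],
            "ctwa_clid": ctwa_clid,          # captured from the referral object
        },
        "custom_data": {
            "currency": "KES",
            "value": value_kes,
            "content_category": category,
        },
    }


def contains_raw_phone(event: dict, raw_phone: str) -> bool:
    """Pre-send check: the raw or normalised phone must not appear anywhere in the payload."""
    serialised = json.dumps(event)
    return raw_phone in serialised or normalize_msisdn(raw_phone) in serialised


if __name__ == "__main__":
    # Every spelling of the sample number normalises to one value and one hash.
    for p in SAMPLE_PHONES:
        print(p, "->", normalize_msisdn(p), hash_user_data(normalize_msisdn(p))[:16])
    ev = build_purchase_event("0712345678", 1500.0, "footwear", "example-clid", 1700000000, "QWE1234567")
    print(json.dumps(ev, indent=2))
    print("raw phone leaked:", contains_raw_phone(ev, "0712345678"))
```

The `contains_raw_phone` check is the kind of guard a practitioner would run in tests or as an outbound filter, since a single unhashed field in `user_data` would turn a matching signal into a disclosure of the customer's number to the ad platform.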
7. Data Sharing
ChatPilot does not sell personal data. We share data only in the following circumstances:
Sub-processors
We use the following sub-processors to deliver the platform. All sub-processors are bound by data processing agreements:
| Sub-processor | Role | Data Shared | Location |
|---|---|---|---|
| Meta Platforms (WhatsApp Cloud API) | Message delivery infrastructure | Message content, phone numbers, templates | USA (EU SCCs / adequacy applied) |
| Anthropic | AI conversation classification | Message content (real time, not stored) | USA |
| Cohere | Multilingual embeddings | Tenant content text (not personal data) | Canada |
| Safaricom (Daraja API) | M-Pesa payment processing | Customer phone, payment amount | Kenya |
| Amazon Web Services | Cloud infrastructure and database hosting | All platform data (encrypted at rest) | Kenya / EU region |
| Inngest | Workflow orchestration | Event metadata, workflow state | USA |
Integration Partners (Tenant-directed)
When Tenants configure integrations, data is shared with those platforms on Tenant instruction:
- Meta Conversions API — purchase events with hashed customer data, on Tenant instruction
- Google Ads — conversion events with hashed customer data, on Tenant instruction
- HubSpot — contact and deal data, on Tenant instruction
- WooCommerce — order data, customer data, on Tenant instruction
Legal Disclosure
We may disclose data to government authorities, law enforcement, or regulators where required by Kenyan law or court order. We will notify affected Tenants of any such request unless legally prohibited from doing so.
8. Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Conversation messages | 24 months from creation | Tenant operational needs; Tenant may request earlier deletion |
| Payment records | 7 years | Kenyan tax and financial regulation requirements |
| Contact records | Duration of Tenant account + 12 months | Tenant operational needs |
| Analytics events | 24 months | Product improvement and Tenant reporting |
| Webhook event logs | 90 days | Debugging and idempotency |
| Technical error logs | 30 days | System reliability |
| Tenant account data | Duration of Tenant account + 36 months | Legal and contractual obligations |
| Vector embeddings | Until deleted by Tenant | Tenant-controlled content |
Tenants may request earlier deletion of end user data for their account at any time through the dashboard or by contacting support. Payment records are retained for the legally required minimum regardless of account deletion requests.
9. Data Security
See the full Security Policy for technical and organisational measures in detail.
Summary of measures applied to personal data:
- All data encrypted at rest using AES-256
- All data in transit encrypted via TLS 1.2 minimum
- Payment credentials (M-Pesa passkeys, API keys) encrypted at the field level — never logged, decrypted only in memory
- Access to production databases restricted to authorised personnel via MFA-protected access
- Tenant data is logically isolated by `tenant_id` — one Tenant cannot access another Tenant's data
- Regular security reviews and penetration testing
10. Data Subject Rights
Rights of End Users (Customers of ChatPilot Tenants)
If you are a customer who interacted with a business using ChatPilot, your data rights under the Kenya Data Protection Act should be exercised with that business directly — they are your Data Controller.
If you cannot reach that business or have concerns about how ChatPilot processed your data as a Data Processor, you may contact us at privacy@chatpilot.biz. We will work with the relevant Tenant to address your request or, where ChatPilot is directly responsible, respond directly.
Rights available under the Kenya Data Protection Act 2019:
- Right of access — to confirm whether we hold your personal data and receive a copy
- Right to rectification — to correct inaccurate personal data held about you
- Right to erasure — to request deletion of your personal data (subject to legal retention requirements)
- Right to object — to object to processing based on legitimate interests
- Right to restrict processing — to limit how your data is used while a concern is resolved
- Right to data portability — to receive your data in a structured, machine-readable format
Rights of Tenant Users
Business owners and staff who use the ChatPilot platform may exercise the same rights in relation to their own personal data by contacting privacy@chatpilot.biz.
Response Timeframes
We will confirm receipt of all data subject requests within 3 business days and respond substantively within 21 calendar days, in accordance with the Kenya Data Protection Act.
11. International Data Transfers
ChatPilot is based in Kenya. Some data is processed outside Kenya by our sub-processors (see Section 7). Where data is transferred internationally, we ensure appropriate safeguards are in place, including:
- Data Processing Agreements with sub-processors
- Standard Contractual Clauses where required by the receiving country's regulatory framework
- Adequacy assessments where transfers are to jurisdictions with comparable data protection standards
12. Children's Data
ChatPilot services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that data from a minor has been collected, we will delete it promptly. Tenants are responsible for ensuring their use of ChatPilot to communicate with their customers does not involve the collection of data from minors without appropriate legal basis.
13. Changes to This Policy
We may update this policy as the platform evolves, as new integrations are added, or as legal requirements change. Material changes will be communicated to Tenants via email at least 14 days before taking effect. Continued use of ChatPilot after the effective date constitutes acceptance of the revised policy.
14. Contact
For data protection queries, subject access requests, or concerns:
Data Protection Officer
ChatPilot Ltd
Email: privacy@chatpilot.biz
Address: Nairobi, Kenya

To lodge a complaint with the Kenyan data protection authority:
Office of the Data Protection Commissioner (ODPC)
Website: www.odpc.go.ke
Email: info@odpc.go.ke