Privacy Policy
Effective date: 15 May 2026 · Governing law: Republic of Kenya
1. Introduction
StdioX Labs ("StdioX", "we", "us", or "our") operates StdioX Comms, a cloud-based communications infrastructure platform ("Service") accessible at stdiox.com and via API. This Privacy Policy describes what data we collect, why we collect it, how we use and share it, and your choices. By using the Service you agree to the practices described in this Policy.
This Policy applies to data about you as a platform user (account holder, API consumer). It does not govern how our customers handle their own end-recipients' data — customers are responsible for their own messaging compliance.
2. Data We Collect
Account data: Name, work email address, company name, phone number, role or title, and a cryptographic hash of your password. Collected at registration and updated as you modify your profile.
Usage & telemetry: IP addresses, browser type, operating system, referring URLs, pages visited, time on page, feature interactions, and session timestamps. Collected automatically via server logs, cookies, and analytics libraries.
Messaging data: Message content, recipient identifiers (phone numbers, email addresses), send timestamps, delivery status, carrier responses, open events, click events, and unsubscribe/bounce records. Retained to provide the Service and to generate your delivery reports.
Contact data: Contact lists, groups, tags, merge fields, and suppression lists you upload or create on the platform.
API telemetry: API key identifiers (stored as hashed values), request timestamps, HTTP methods, endpoints, response codes, and error payloads. Used for rate-limiting, abuse detection, and billing reconciliation.
Payment data: Billing name, billing address, and tokenised payment identifiers. Full card numbers are processed exclusively by our payment processors (including M-Pesa and the Visa/Mastercard networks) and are never stored on our servers.
Support communications: Content of emails, chats, or tickets you submit to our support team, retained for quality assurance, dispute resolution, and regulatory compliance.
Device & location: Coarse geographic location derived from IP address (country and city level), device type, and screen resolution. We do not collect precise GPS coordinates.
3. How We Use Your Data
We process your data to:
- Create, maintain, and operate your account and provide all features of the Service
- Authenticate your identity, detect and prevent unauthorised access, fraud, and abuse
- Process credit purchases, issue receipts, and reconcile billing records
- Generate delivery reports, analytics dashboards, and billing statements visible in your portal
- Monitor platform health, diagnose technical issues, and optimise performance
- Enforce our Terms of Service and Acceptable Use Policy
- Comply with legal obligations including tax reporting, regulatory requirements, and lawful authority requests
- Send transactional communications — account alerts, security notices, invoices, and service announcements
- With your express consent, send marketing communications about new features, integrations, or promotions
- Produce anonymised, aggregated statistical insights for internal product development, research, and public reporting — in a form that cannot be used to identify you
We do not sell your personal data. We do not use your contact lists or the content of messages you send for our own marketing or profiling purposes.
4. Legal Bases for Processing
We rely on the following legal bases under applicable data-protection law:
Contract performance: Processing necessary to deliver the Service you have contracted for — account management, messaging, billing, API access.
Legitimate interests: Security monitoring, abuse prevention, fraud detection, platform analytics, product improvement, and direct marketing to existing customers (where permitted). We balance these interests against your rights.
Legal obligation: Tax reporting, regulatory compliance, responding to lawful government requests.
Consent: Optional marketing communications and non-essential analytics cookies. You may withdraw consent at any time.
5. Data Sharing & Disclosure
We may share data with:
Infrastructure & cloud providers: Hosting, database, storage, and CDN services that process data on our behalf under data-processing agreements and use data only as directed by us.
Telecommunications carriers & aggregators: To route SMS messages, we transmit recipient phone numbers and message content to telecoms partners in the destination country. These partners operate under their own regulatory obligations and privacy frameworks.
Payment processors: Credit-card networks and M-Pesa for payment processing. These processors are independently bound by PCI-DSS and applicable regulations.
Analytics & monitoring tools: Third-party services for error tracking, performance monitoring, and usage analytics. These tools receive pseudonymised usage data.
Legal & regulatory authorities: When required by a court order, subpoena, warrant, or applicable law — or when we in good faith believe disclosure is necessary to prevent fraud, protect rights, or ensure safety.
Business transfers: In connection with a merger, acquisition, restructuring, or sale of all or part of StdioX's assets. We will provide reasonable notice before your data becomes subject to a materially different privacy policy.
Professional advisers: Lawyers, accountants, auditors, and insurers who are bound by professional confidentiality obligations.
6. Data Retention
We retain data only as long as necessary for the purpose it was collected, or as required by law:
Account data: Retained for the life of your account and for 7 years after closure, for legal, tax, and audit purposes.
Message logs & delivery records: Retained for 12 months in your portal, then archived for up to 36 months for compliance and dispute resolution, then deleted.
Contact data: Retained until you delete it or close your account, plus 90 days to allow recovery from accidental deletion.
Payment records: Retained for 7 years in accordance with Kenyan tax law.
Support tickets: Retained for 3 years after ticket closure.
Anonymised aggregate data: May be retained indefinitely as it cannot be used to identify individuals.
7. Cookies & Tracking
We use the following categories of cookies and similar technologies:
Strictly necessary: Session tokens and authentication cookies required for the portal to function. Cannot be disabled without breaking the Service.
Functional: Preference cookies that remember your settings (e.g., theme, language). Session-scoped or persistent up to 12 months.
Analytics: Aggregate usage data to understand which features are used and how performance can be improved. You may opt out without affecting Service functionality.
You can manage cookie preferences in your browser settings. Blocking strictly necessary cookies will impair Service functionality.
8. Data Security
We implement technical and organisational measures proportionate to the risks involved, including: TLS 1.2+ encryption for all data in transit; AES-256 encryption for sensitive data at rest; hashed storage of passwords and API keys using industry-standard algorithms; role-based access controls limiting employee data access to a need-to-know basis; regular internal security reviews; and automated anomaly detection.
No security measure is absolute. In the event of a data breach materially affecting your rights, we will notify you within 72 hours of becoming aware of it, to the extent required by applicable law.
9. International Transfers
StdioX is based in Kenya. Some of our infrastructure and sub-processors operate in other jurisdictions, including the European Economic Area, United States, and other regions. Where personal data is transferred outside Kenya, we rely on appropriate safeguards — including standard contractual clauses — to ensure an adequate level of protection.
10. Your Rights
Subject to applicable law, you have the right to:
- Access — obtain a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data, subject to our legal retention obligations
- Restriction — ask us to restrict processing in certain circumstances
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests, including direct marketing
- Withdraw consent — at any time, without affecting the lawfulness of prior processing
Submit requests to privacy@stdiox.com. We will respond within 30 days. We may need to verify your identity before acting on a request.
11. Children's Privacy
The Service is directed exclusively at businesses and individuals aged 18 or older. We do not knowingly collect personal data from anyone under 18. If we discover that a minor has provided data, we will delete it promptly. If you believe a minor's data has been submitted, contact us at privacy@stdiox.com.
12. Third-Party Links
The Service may contain links to third-party websites or services. We have no control over, and accept no responsibility for, the privacy practices or content of those third parties. We encourage you to review their privacy policies before providing any personal data.
13. Changes to This Policy
We may update this Policy at any time. For material changes we will provide at least 14 days' advance notice via email or an in-portal banner before the changes take effect. The "Effective date" at the top of this page reflects the date of the most recent revision. Continued use of the Service after the effective date constitutes acceptance. If you disagree, you must stop using the Service before the effective date and may request deletion of your account.
14. Contact & DPO
StdioX Labs · Nairobi, Kenya
Privacy enquiries: privacy@stdiox.com
General support: support@stdiox.com
