1. Who is the data controller
Wayne Foundry Limited is the data controller for personal data we collect from visitors to this website, people who contact us, and businesses that sign up for our services. You can reach us at hello@waynefoundry.com.
For messages your customers send to your WhatsApp number, your business is normally the data controller and Wayne Foundry acts as your data processor. We process those messages on your instructions so the agent can reply, create orders, capture payment claims, and update the Console.
2. What we collect from website visitors
When you visit waynefoundry.com, we collect:
- Basic technical data such as IP address, browser type, device information, pages visited, and approximate location from your connection.
- Anything you send us by email or web form, including your name, email address, business details, and what you're trying to solve.
We use this to keep the site working, understand which pages are useful, respond to your enquiry, and protect the site from abuse. We do not use third-party advertising cookies.
3. What we collect from customers (your shop)
When a business signs up for Shopfront Lite or a custom build, we may hold:
- Your business name, address, contact people, and phone number.
- Your WhatsApp Business number, M-Pesa till or paybill, delivery zones, opening hours, product list, and prices.
- Conversations the agent has with your customers, the orders it creates, and payment confirmations or claims submitted by customers.
- Audit logs showing what the agent did, when it happened, and which actions a human approved.
4. WhatsApp and Meta Platform Data
Where a business connects WhatsApp to Wayne Foundry, we may receive data from Meta and WhatsApp Business Platform, including WhatsApp message content, sender and recipient phone numbers, message IDs, timestamps, delivery and read status, WhatsApp Business Account identifiers, phone number IDs, template information, webhook events, and access tokens or technical credentials needed to operate the connection.
We use this data only to provide the Wayne Foundry service for the connected business. This includes routing messages to the correct business, displaying conversations in the Console, sending replies, creating orders, recording payment verification updates, managing message templates, diagnosing delivery issues, and keeping an audit trail.
Access tokens and platform credentials are stored server-side and are not shown to shop users. We do not sell WhatsApp or Meta Platform Data, and we do not use it for unrelated advertising.
5. Why we use it
We use personal data for the following purposes:
- To run the agent, Console, support, and related services.
- To show you conversations, orders, payments, stock, and audit events.
- To send invoices, service notices, and agreed product updates.
- To detect abuse, investigate payment issues, and keep the service secure.
- To improve the service using aggregated or anonymised information where practical.
- To comply with Kenyan law, including tax and record-keeping duties.
Our lawful bases include performance of a contract, compliance with legal obligations, legitimate interests such as security and service improvement, and consent where the law requires it. We do not sell personal data and we do not share it with advertisers.
6. Who we share data with
To run the service, we use a small set of service providers. The exact providers can depend on the package or custom scope, but they may include:
- Cloud and database providers for hosting, storage, logging, backups, and security monitoring.
- Model providers such as Google Cloud or Gemini to generate replies and help the agent understand customer messages. We configure model use for the agreed service and do not sell or reuse customer messages as training data for other clients.
- WhatsApp or Meta where WhatsApp is the messaging channel. Their terms and privacy notices also apply to messages on their network.
- Safaricom M-Pesa and Daraja where your setup uses STK Push, Paybill, Till, Pochi la Biashara, Send Money, or payment reconciliation. On Shopfront Lite, customers may pay directly and paste the confirmation message for your staff to approve manually.
Examples of service providers we may use include Google Cloud or Gemini for hosting, storage, logs, security monitoring, and model services; our server or database hosting providers; email and support tools; Meta and WhatsApp where WhatsApp is the messaging channel; and Safaricom or payment infrastructure providers where a customer scope includes payment automation or reconciliation.
These providers process data only to provide, secure, monitor, support, or improve the Wayne Foundry service. We require service providers to protect the data they process for us and to use it only for the agreed service.
Some providers may process or store data outside Kenya. Where that happens, we rely on the safeguards required by Kenyan data protection law, provider contracts, and the agreed customer scope. We may also disclose information where required by Kenyan law, a court order, or a lawful request from a regulator.
7. Data your customers send (processor role)
When a customer messages your WhatsApp number, your business decides why that message is collected and what should happen next. We process it on your behalf: parse the request, look up stock or knowledge, send a reply, create an order, capture a payment claim, and log the action.
We keep customer message data for the period agreed with your business or for as long as needed to provide the service. If your customer asks you to access, correct, restrict, or delete their data, tell us and we will help you respond. If they ask us directly, we will route the request to you where you are the controller.
8. How long we keep data
We keep business account data while you are a customer. After cancellation, we normally keep service data for 30 days so you can export anything you need or restore the account if cancellation was a mistake. After that, we delete or anonymise it unless we need to keep it for a legal, security, audit, dispute, or tax reason.
Kenyan tax law generally requires business tax records to be kept for five years from the end of the relevant reporting period, and longer where an assessment, dispute, investigation, or proceeding requires it. Backups and security logs are kept only as long as we need them for recovery, security, and audit purposes.
You can request deletion at any time via our data deletion page.
9. Your rights under the Kenya DPA
Depending on the data and the reason we hold it, you may have the right to:
- Know what data we hold about you.
- Ask for a copy of it in a portable format.
- Correct anything that's wrong.
- Ask us to restrict or stop certain processing.
- Ask us to delete data we are no longer allowed to keep.
- Object to direct marketing.
- Complain to the Office of the Data Protection Commissioner if you're not happy with how we've handled your request.
To exercise any of these, email hello@waynefoundry.com. We will verify your request and respond within the timelines set by Kenyan law. Erasure, correction, restriction, and objection requests are generally handled within 14 days. Access requests are generally handled within 7 days. Portability requests are generally handled within 30 days.
10. Automated decisions and human approval
Our agents can draft replies, create orders, read business context, and prepare recommendations. For Shopfront Lite, customer-submitted M-Pesa confirmations are not treated as paid until your team approves them in the Console. For higher-risk custom workflows, the agreed scope should state where a human must approve the action.
11. Children and sensitive data
Our website and Shopfront Lite are not aimed at children. Some custom builds, such as healthcare or legal intake, may involve sensitive personal data. We only process that kind of data under an agreed customer scope, with suitable confidentiality and security controls.
12. Security
We encrypt data in transit and at rest, use access controls so only authorised staff can reach customer data, and keep audit logs for important actions. We test for vulnerabilities and patch issues quickly.
If a personal data breach creates a real risk of harm, we will notify the Office of the Data Protection Commissioner without delay and within 72 hours of becoming aware of it where required. If we are acting as your processor, we will notify you without delay and, where reasonably practicable, within 48 hours.
13. Requests from public authorities
If we receive a request from a public authority for personal data, we review the request for legal validity before responding. Where a request is unlawful, unclear, or overbroad, we may challenge or narrow it. Where disclosure is legally required, we aim to disclose only the minimum information necessary and document the request, the decision, the response, and the people involved.
If we are acting as a processor for a business customer, we will notify that business where legally allowed.
14. Changes to this policy
If we change anything material, we will update the date at the top and notify customers where the change affects their service or data rights. The latest version is always on this page.