Privacy Policy
This policy applies to mandu360.com, the Mandu platform, and all associated services.The Mandu platform is jointly owned and operated by Mandu Goodz, a business entity registered under the laws of the Republic of Kenya, and EMMMW LLC, a limited liability company organized under the laws of the United States of America (together, “Mandu”, “we”, “us”, or “our”). Both entities are jointly responsible for the collection and use of personal data as described in this Policy.
This Privacy Policy applies to all personal data collected through: (a) the Mandu website at mandu360.com and all subdomains; (b) the Mandu platform and tenant environments; (c) the Partner Program and Partner Dashboard; (d) our support channels; and (e) any communications between you and Mandu.
Mandu is committed to processing personal data in compliance with all applicable data protection laws, including:
- The Kenya Data Protection Act, 2019 (KDPA) and regulations made thereunder;
- The EU General Data Protection Regulation (GDPR) — where we process personal data of individuals in the European Economic Area;
- The UK General Data Protection Regulation (UK GDPR) — where applicable;
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) — where applicable to California residents;
- Any other applicable national or regional data protection laws in jurisdictions where we operate.
Where multiple frameworks apply, Mandu will apply the standard that provides the greatest level of protection to you.
We collect personal data that you voluntarily provide when you:
- Register for an account or free trial — name, email address, phone number, business name, country, and password;
- Subscribe to a paid plan — billing name, billing address, and payment information (processed by our payment processors — we do not store full card details);
- Apply to the Partner Program — name, email, phone, organization details, and promotional channel information;
- Contact our support team — name, email, and the content of your communications;
- Use the support chat widget — name, email (if provided), and conversation content;
- Complete surveys, feedback forms, or marketing sign-ups.
When you use the Mandu platform, we automatically collect:
- Account and profile information — your user role, preferences, and account settings;
- Usage data — features accessed, pages viewed, actions taken, and time spent;
- Technical data — IP address, browser type, device type, operating system, and browser language;
- Log data — access logs, error logs, and security logs;
- Communication data — support tickets, chat conversations, and email communications with Mandu.
In the course of using the platform for your business, you may upload or process personal data relating to your own customers, employees, or suppliers (“Customer Data”). This data is processed by Mandu on your behalf as a data processor, in accordance with your instructions and our Customer Terms of Service. You remain the data controller for such data and are responsible for your own compliance obligations.
We may receive personal data about you from: (a) Partners who refer you through our Partner Program; (b) payment processors providing transaction confirmation; and (c) publicly available sources used to verify business information.
Mandu does not intentionally collect sensitive personal data (such as health data, biometric data, or data on racial or ethnic origin) through the platform. Please do not submit such data unless specifically requested for a compliance feature.
- Create and manage your account and Tenant Environment;
- Deliver the features of your Subscription Plan;
- Process payments and manage your subscription;
- Provide customer support and respond to your enquiries;
- Send transactional communications (account activation, password resets, payment confirmations).
- Process and evaluate your partner application;
- Track referrals and calculate Commissions;
- Process Commission payments;
- Communicate Partner Program updates.
- Analyse usage patterns to improve features and user experience;
- Conduct research and analytics (using aggregated or anonymized data where possible);
- Diagnose and fix technical issues.
We may send marketing emails about Mandu features and offers only where you have opted in or where permitted by applicable law. You may opt out at any time by clicking “Unsubscribe” in any marketing email or by contacting support@mandu360.com.
- Comply with applicable laws, regulations, and legal obligations;
- Respond to lawful requests from government authorities;
- Enforce our Terms of Service and other agreements;
- Prevent fraud, abuse, and unauthorized access.
Where the GDPR or KDPA applies, we process your personal data on the following legal bases: Performance of a contract (providing the Service); Legitimate interests (analytics, fraud prevention, security); Legal obligation (where required by law); and Consent (for marketing and non-essential cookies).
We share personal data with carefully selected third-party service providers who assist us in operating the Service, bound by data processing agreements. Categories include:
- Payment processors — to process subscription and commission payments;
- Customer support platforms — to facilitate support chat and ticketing;
- Cloud infrastructure and hosting providers — to host the Mandu platform;
- Email delivery services — to send transactional and marketing emails;
- Analytics providers — to understand platform usage;
- Compliance service providers — to facilitate regulatory compliance features.
Specific providers may change over time. Current sub-processors are available upon written request.
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you prior to such a transfer as required by applicable law.
We may disclose personal data where required by applicable law, court order, or governmental request. We will notify you where legally permitted.
Mandu operates globally and your personal data may be transferred to and processed in countries other than your country of residence, including Kenya and the United States. These countries may have data protection laws that differ from those in your jurisdiction.
Where we transfer personal data from the EEA or UK, we implement appropriate safeguards including Standard Contractual Clauses approved by the European Commission or UK ICO, and adequacy decisions where applicable. For transfers from Kenya, we comply with the KDPA cross-border transfer requirements.
- Account and subscription data: Retained for the duration of your subscription plus three (3) years, then deleted or anonymized;
- Customer Data in Tenant Environments: Retained for thirty (30) days after subscription termination for export, then permanently deleted within ninety (90) days from backups;
- Financial and billing records: Retained for a minimum of seven (7) years for tax and financial reporting obligations;
- Support and communication data: Retained for three (3) years;
- Marketing data: Opt-out records retained indefinitely; contact data deleted within thirty (30) days of opt-out;
- Legal hold: Data may be retained beyond standard periods where necessary to comply with legal obligations or pursue or defend legal claims.
Depending on your location and applicable law, you may have the following rights:
🔍 Access
Request a copy of the personal data we hold about you.
✏️ Rectification
Request correction of inaccurate or incomplete data.
🗑️ Erasure
Request deletion of your personal data, subject to legal requirements.
⚙️ Restriction
Request that we limit processing in certain circumstances.
📤 Portability
Receive your data in a structured, machine-readable format.
✋ Object
Object to processing based on legitimate interests or for direct marketing.
🔒 Withdraw Consent
Withdraw consent at any time where processing is consent-based.
🤖 Automated Decisions
Not be subject to decisions based solely on automated processing.
If you are a California resident, you have additional rights including: (a) the right to know what personal information is collected, used, shared, or sold; (b) the right to delete personal information; (c) the right to opt-out of the sale or sharing of personal information (Mandu does not sell personal information); (d) the right to non-discrimination for exercising privacy rights; and (e) the right to correct inaccurate personal information.
Contact us at support@mandu360.com with the subject line “Privacy Rights Request”, providing sufficient information to identify yourself and the right you wish to exercise. We will respond within thirty (30) days. We may request proof of identity before processing your request.
If you believe we have not handled your personal data in accordance with applicable law, you may lodge a complaint with the relevant supervisory authority. In Kenya: the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke. In the EU: your local Data Protection Authority. In the UK: the Information Commissioner’s Office (ICO) at ico.org.uk.
Cookies are small text files placed on your device when you visit a website. We also use similar technologies including pixel tags and local storage. We refer to all such technologies collectively as “cookies”.
- Strictly necessary: Essential for the website and platform to function (e.g., session management, authentication). These cannot be disabled;
- Functional: Remember your preferences and settings to improve your experience;
- Analytics: Help us understand how users interact with our website and platform. Used only with your consent where required;
- Support chat: Used by our support chat widget to maintain chat session state.
You can manage cookies through your browser settings. Disabling certain cookies may affect the functionality of the Mandu website and platform. Where consent is required for cookies, we will request it via a cookie consent mechanism.
Mandu implements commercially reasonable technical, administrative, and physical security measures to protect your personal data, including encryption of data in transit and at rest, access controls, regular security assessments, logical isolation of Tenant Environments, and staff training on data protection.
No method of electronic transmission or storage is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you in accordance with applicable law.
The Mandu Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us immediately at support@mandu360.com and we will take steps to delete such data promptly.
The Mandu website and platform may contain links to third-party websites, services, and integrations. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services before providing them with your personal data. Mandu is not responsible for the privacy practices or content of third-party websites.
We may update this Privacy Policy from time to time. The updated version will be posted at mandu360.com/privacy with a revised “Effective Date”. For material changes that significantly affect how we process your personal data, we will provide not less than thirty (30) days’ advance notice by email or via a prominent notice within the Service.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any update constitutes your acceptance of the revised Policy.
For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data:
Mandu Privacy Team
Kenya ODPC: odpc.go.ke · EU: Your local Data Protection Authority · UK ICO: ico.org.uk