Privacy Policy

Last updated: 4 April 2026

This Privacy Policy describes how Qallio (“we,” “us,” or “our”) collects, uses, discloses, and safeguards personal information when you visit qallio.one, use our web application and related services (together, the “Services”), or otherwise interact with us (for example, by email, demo booking, or sales inquiries). It is intended to help you understand your privacy choices and your rights under applicable laws, including the EU/UK General Data Protection Regulation (“GDPR”) where it applies, and the Kenya Data Protection Act, 2019 (“Kenya DPA”) where relevant.

By accessing or using the Services, you acknowledge that you have read this notice. Where we rely on consent (for example, certain cookies or marketing), we will obtain it separately and you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

1. Who is responsible for your information?

Qallio is the data controller for personal information processed in connection with this website and our marketing, sales, and support activities, unless we state otherwise (for example, where we process personal information strictly as a processor on behalf of a business customer). If you use our product as part of an organization’s subscription, your organization may be the controller for certain workspace data; in that case, we process that information under contract with them and their privacy notice may also apply.

For privacy-related requests, contact us using the details in Section 15. Our operating presence includes Nairobi, Kenya; international users should read Section 7 on transfers.

2. Personal information we collect

We collect information that identifies, relates to, or could reasonably be linked with you, directly or indirectly, depending on how you use the Services. Categories include:

  1. Identity and contact details. Name, email address, phone number, job title, company name, country or time zone, and similar details you provide on forms, in email, or when booking a demo.
  2. Account and authentication data. If you create or use an account on our product, we process credentials, identifiers tied to your user profile, workspace or team membership, role, and security-related metadata (for example, session or device identifiers used to protect accounts).
  3. Communications and support content. Messages you send us, files you attach, call or meeting notes where applicable, and feedback or survey responses.
  4. Usage, device, and technical data. How you navigate and use our website and product (for example, pages viewed, feature usage, approximate location derived from IP, timestamps), IP address, browser type and version, operating system, referral source, and diagnostic logs needed for reliability and security.
  5. Cookies and similar technologies. We and our partners may use cookies, local storage, pixels, and analytics scripts to remember preferences, measure performance, and understand traffic patterns. Our site may use services such as Vercel Analytics and Microsoft Clarity for aggregated or session-based insights. Where required, we will ask for your consent before non-essential cookies or similar tools are used. See our Cookie Policy and the summary of cookies and similar technologies in Section 5 of this Privacy Policy.
  6. Information from third parties. We may receive data from analytics providers, advertising networks, integration partners, or publicly available sources, for example to enrich business contact information or to attribute inbound interest.

We do not intentionally collect special categories of personal data (such as health information) through this website. If you choose to include sensitive information in a free-text field, we will treat it in line with this Policy and applicable law.

3. How we use personal information

We process personal information for purposes that include:

  • Operating, delivering, securing, and improving the Services, including authentication, fraud prevention, abuse detection, backups, and technical support.
  • Communicating with you about your account, transactions, service changes, and (where permitted) products or events we think may be relevant.
  • Personalizing content and in-product experiences based on your settings and usage context.
  • Analytics and product development: understanding feature adoption, diagnosing errors, and planning improvements.
  • Marketing and lead generation, including measuring campaign effectiveness, where we have a lawful basis to do so.
  • Legal and compliance: complying with law, responding to lawful requests, enforcing our terms, protecting rights, safety, and property, and resolving disputes.
  • Business operations: accounting, audits, corporate transactions (such as a merger or acquisition), and internal reporting, subject to appropriate confidentiality safeguards.

4. Lawful bases for processing (GDPR and similar frameworks)

Where GDPR applies, we rely on one or more of the following legal bases:

  • Contract. Processing necessary to perform our agreement with you or to take steps at your request before entering a contract (for example, provisioning access you have signed up for).
  • Legitimate interests. Processing necessary for our legitimate interests — such as securing our systems, improving the Services, understanding how the website is used, and growing our business — where those interests are not overridden by your rights. You may object to certain processing on this ground as described in Section 11.
  • Consent. Where we ask for consent (for example, non-essential cookies or certain marketing), you may withdraw consent at any time via the cookie controls where available, unsubscribe links, or by contacting us.
  • Legal obligation. Processing necessary to comply with applicable laws or regulatory requests.

Under the Kenya DPA, we process personal data fairly, lawfully, and in a transparent manner, for specified purposes, and we implement appropriate security and organizational measures. Where the law requires a lawful ground compatible with the above, we will apply it consistently with this Policy.

5. Cookies and similar technologies

We use cookies and similar technologies to operate the site, remember preferences, analyze traffic, and improve user experience. You can control many cookies through your browser settings; blocking some cookies may affect functionality. Where we use consent-based tools in regulated regions, we will align deployment with your choices. A dedicated Cookie Policy may describe specific cookies, retention, and partners in more detail.

6. How we share personal information

We do not sell your personal information. We may disclose it as follows:

  • Service providers and processors. Trusted vendors that host infrastructure, provide email delivery, customer relationship tools, analytics, security monitoring, payments, or professional services, bound by confidentiality and data-processing terms where required.
  • Professional advisers. Lawyers, auditors, or insurers where necessary and subject to professional obligations.
  • Legal and safety. When we believe disclosure is required by law, court order, or governmental request, or to protect the rights, property, or safety of Qallio, our users, or the public.
  • Business transfers. In connection with a merger, acquisition, financing, or sale of assets, your information may be transferred as a business asset; we will require the successor to honor commitments consistent with this Policy or notify you of material changes.
  • With your direction. When you ask us to share information or integrate with a third-party service you authorize.

7. International data transfers

We may process and store information in Kenya and in other countries where we or our providers operate. If we transfer personal data from the European Economic Area, Switzerland, or the United Kingdom to countries not recognized as providing adequate protection, we will implement appropriate safeguards such as Standard Contractual Clauses or other mechanisms approved under applicable law, unless an exception applies. You may contact us for more information on those safeguards.

8. Retention

We retain personal information only as long as necessary for the purposes described in this Policy, including satisfying legal, accounting, or reporting requirements. Retention periods vary by data type: for example, marketing contacts may be retained until you unsubscribe or object; account data for the duration of the relationship plus a reasonable period to resolve disputes or enforce agreements; logs for security and troubleshooting for a shorter, rolling window unless a longer period is justified. When retention ends, we delete, anonymize, or securely archive data in line with our internal policies.

9. Security

We implement technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures may include access controls, encryption in transit where appropriate, monitoring, and staff training. No method of transmission over the internet or electronic storage is completely secure; we encourage you to use strong passwords, enable multi-factor authentication where offered, and notify us promptly of any suspected compromise.

10. Automated decision-making and profiling

We do not use fully automated decision-making that produces legal or similarly significant effects solely based on automated processing without human review, unless we clearly disclose otherwise and provide any rights required by law. We may use automated tools for analytics, personalization, or security scoring in support of human-led decisions.

11. Your privacy rights

Depending on your location, you may have rights such as:

  • Access to the personal information we hold about you and certain details about how we process it.
  • Correction of inaccurate or incomplete data.
  • Deletion (“right to be forgotten”) where applicable, subject to legal exceptions.
  • Restriction of processing in specific circumstances.
  • Data portability, where technically feasible and required by law.
  • Objection to processing based on legitimate interests or for direct marketing.
  • Withdrawal of consent where processing is consent-based.
  • Lodging a complaint with a supervisory authority (for example, in the EU/EEA or UK) or with the Office of the Data Protection Commissioner in Kenya, if you believe our processing infringes applicable law.

To exercise these rights, contact us at sales@qallio.one. We may need to verify your identity before fulfilling certain requests. You will not be discriminated against for exercising your privacy rights.

12. Children’s privacy

The Services are not directed to children under 16 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will take steps to delete it promptly.

13. Third-party sites and integrations

Our Services may contain links to third-party websites, widgets, or integrations. Their privacy practices are governed by their own policies. We are not responsible for the content or practices of third parties; we encourage you to read their notices before providing personal information.

14. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, or legal requirements. We will post the revised version on this page and update the “Last updated” date. If changes are material, we will provide additional notice as appropriate (for example, by email or an in-product notification). Continued use of the Services after the effective date constitutes acceptance of the updated Policy, except where your consent is required for new processing.

15. Contact us

Questions, concerns, or requests regarding this Privacy Policy or our data practices may be sent to sales@qallio.one. We aim to respond within a reasonable time and in line with applicable legal deadlines.