Privacy Policy

Last updated: April 9, 2026

This privacy policy explains what data we collect, why we collect it, how we use and protect it, and the choices you have. It applies to all BrainBee / Rizzline products and services (the “Service”) unless otherwise stated. 👇

1. Quick summary

  • We collect only the data necessary to run the Service and deliver features.
  • We never sell your personal information to third parties.
  • You can request data export or deletion anytime — see “Your rights” below.
  • Payments are processed by M-PESA/Daraja; we store only minimal payment metadata. 💳

2. Data we collect

Account & profile data

Name, phone number (required for M-PESA), email, username, and any profile information you provide when you sign up or edit your profile.

Authentication & security

Hashed passwords (if applicable), cookie-based JWTs for sessions, and login metadata (timestamps, IPs) to help secure your account.

Payments & billing

We use M-PESA (Daraja) for payments. We do not store card data. We store minimal payment metadata necessary to confirm and reconcile payments: transaction ID, timestamp, amount, and the phone/till involved.

Usage & diagnostics

Anonymous/aggregated analytics (feature usage, session length, error logs) to improve the product. We may also log device, browser, and IP for security and diagnostics.

Messages, uploads & content

Anything you send through the service (chat messages, uploaded files, images). We keep the minimum required to provide the feature (e.g., to continue a conversation or rebuild a session).

3. How we use your data

  • To provide, operate, and maintain the Service (authentication, sessions).
  • To process payments and send receipts/confirmations (M-PESA / Daraja webhooks).
  • To analyse and improve features (product analytics, error reports).
  • To communicate (email receipts, critical account messages, support).
  • To comply with legal obligations and respond to lawful requests.

4. Sharing & third parties

We do not sell user data. We may share or transfer data to trusted service providers who process data on our behalf. Examples include:

  • Payment processors: M-PESA / Daraja (for C2B/STK, paybills) — we transmit payment metadata needed to settle transactions.
  • Hosting & databases: cloud hosting and database providers (e.g., MongoDB Atlas, Vercel) — they store and serve your data under our account.
  • Communications: email providers (e.g., SendGrid), SMS/voice providers (e.g., Africa's Talking, Twilio/Meta Cloud for WhatsApp) when you opt into those channels.
  • Analytics & crash reporting: third-party tools for improving the product; we limit what is sent and anonymize where possible.

We only share the minimum necessary with these providers, under contract, and we require them to follow appropriate security and confidentiality standards.

5. Cookies & local storage

We use cookies (including HTTP-only cookies for our JWT sessions) and local storage for session state and preferences. You can manage cookie preferences via your browser; note that disabling cookies may affect functionality.

6. Security

We protect data in transit using TLS. We follow industry best practices for security (hashed passwords, limited access controls, regular dependency updates, and secure hosting). For encryption at rest, we rely on our cloud providers' controls and configurations.

No system is 100% secure — if we discover a security incident that affects your personal data, we will notify you and the relevant authorities when required.

7. Data retention

We retain personal data only as long as necessary to provide the Service, meet legal obligations, resolve disputes, and enforce agreements. When data is no longer required, we securely delete or anonymize it.

8. International transfers

Our providers and servers may be located in countries outside your own (including Kenya and other jurisdictions). Where required, we implement safeguards for international data transfers in accordance with applicable law.

9. Minors / children

Our Service is not intended for children under 5. If you are under 18, please use the Service only with parental or guardian consent. If we learn we have collected data from a child without consent, we will take steps to delete it.

10. Your rights & choices

Depending on your jurisdiction, you may have rights to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix inaccurate or incomplete data.
  • Deletion — request deletion of your personal data (subject to legal limits).
  • Portability — request your data in a machine-readable format.
  • Opt-out — opt out of marketing emails or analytics tracking where applicable.

To exercise any of these rights, contact us at rizzline@protonmail.com. We may ask for proof of identity before fulfilling certain requests to protect your data.

11. How to request data export or deletion

  1. Email rizzline@protonmail.com with the subject “Data export” or “Account deletion”.
  2. Include your account email/phone and a short description of your request.
  3. We’ll acknowledge within 5 business days and aim to complete most requests within 30 days.

Note: we may retain anonymized records for operational or legal reasons.

12. Changes to this policy

We may update this policy from time to time. When we do, we'll post the revised policy with the updated “Last updated” date. For major changes, we'll try to give notice by email or in-app.

13. Contact & DPO

For privacy questions, requests, or to report a concern, contact:

Operational address: Rizzline / BrainBot — support & legal team

14. Practical examples (TL;DR)

  • Sign up with phone → we store phone to manage your login and M-PESA payments.
  • Make a payment via M-PESA → we store the transaction ID, amount and timestamp to confirm your purchase and unlock features.
  • Chat/upload content → we store those messages/files so your session can continue and to improve the product (we do not share them publicly).