1 Who We Are
JohnDigital OS is operated by JohnDigital, a technology business based in Kenya. We are the data controller for personal data collected through our platform at johndigital.ke and all associated subdomains (devlab.johndigital.ke, roasguard.johndigital.ke, studio.johndigital.ke, automations.johndigital.ke).
Data protection contact: hello@johndigital.ke
This Privacy Policy applies to all users of JohnDigital OS products and services. It complies with the EU General Data Protection Regulation (GDPR) and the Kenya Data Protection Act 2019.
2 Data We Collect
| Category | Data collected | Source |
|---|---|---|
| Account data | Name, email address, password (hashed) | You, on sign-up |
| Profile data | Phone number, business name, country | You, on profile setup |
| Payment data | Transaction ID, plan purchased, payment method type, amount, currency | Pesapal (payment processor) |
| Usage data | Pages visited, features used, session duration, button clicks, error logs | Automatically, via our platform |
| Device & technical data | IP address, browser type, OS, screen resolution, referrer URL | Automatically, on access |
| Content data | Files, briefs, prompts, and inputs you provide to our AI tools | You, during product use |
| Communication data | Emails and messages sent to our support team | You, via email |
| Ad account data (ROASGuard) | Ad performance metrics, ROAS data, campaign IDs from connected ad platforms | You, via OAuth integration |
We do not collect sensitive personal data (e.g. health data, racial/ethnic origin, political opinions, biometric data) and ask that you do not submit any such data through our platform.
3 Legal Bases for Processing (GDPR)
We process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide the services you have subscribed to (e.g. activating your plan, processing payments)
- Legitimate interests: Improving our products, preventing fraud, maintaining platform security, and sending service-related communications
- Legal obligation: Complying with applicable laws, regulations, and court orders
- Consent: Sending marketing emails and newsletters (you can withdraw consent at any time)
4 How We Use Your Data
- To create and manage your account and deliver the services you have purchased
- To process payments via Pesapal and maintain billing records
- To personalise your experience and remember your preferences
- To provide AI-powered features (your inputs are processed by AI models to generate outputs)
- To send transactional emails (receipts, plan confirmations, password resets)
- To send product updates and marketing communications (with your consent)
- To detect, investigate, and prevent fraud, abuse, and security incidents
- To comply with legal obligations and respond to lawful requests
- To analyse usage patterns and improve our products (using aggregated, anonymised data)
We do not sell your personal data to third parties. We do not use your data to train AI models for external commercial purposes without your explicit consent.
5 AI Data Processing
When you use AI-powered features (e.g. generating websites in Dev Lab, analysing ad performance in ROASGuard, or submitting automation briefs), your inputs — including text, files, and business data — are processed by AI models to generate outputs. This processing is necessary to deliver the service.
Specifically regarding AI data handling:
- Your prompts and inputs may be sent to third-party AI model providers (e.g. Anthropic Claude) to generate outputs — these providers operate under their own privacy and data processing agreements
- We do not use your specific inputs or outputs to train our AI systems or third-party models without your explicit opt-in consent
- AI-generated outputs are stored in your account and may be retained for up to 12 months to support your usage history
- You can request deletion of your AI-generated content at any time (see Your Rights below)
- Do not submit sensitive personal data, confidential business secrets, or regulated data (financial, health, legal) through AI input fields unless you are satisfied with the data handling described here
6 Payment Data & Pesapal
All payment transactions are processed by Pesapal Limited, a licensed payment service provider. JohnDigital OS does not store, process, or have access to your full card numbers, M-Pesa PINs, or banking credentials.
We receive from Pesapal only:
- Transaction confirmation status (success/failure)
- Order tracking ID and merchant reference
- Amount and currency of the transaction
- The plan or product purchased
This payment record is stored in our database to activate and manage your subscription. Pesapal's own privacy policy governs the handling of your payment credentials. We recommend reviewing it at pesapal.com/privacy.
7 Cookies & Tracking
We use the following types of cookies and local storage:
- Essential cookies: Session tokens and authentication data required for you to log in and use the platform. Cannot be disabled.
- Functional storage (localStorage): We store your authentication session, plan status, and payment pending state in your browser's localStorage to maintain your session across pages.
- Analytics: We may use privacy-respecting analytics tools to understand how users interact with our platform. Where used, this data is aggregated and not linked to individual identities.
- No advertising cookies: We do not place advertising or cross-site tracking cookies.
You can clear cookies and localStorage at any time through your browser settings. Clearing authentication tokens will log you out.
8 Data Sharing & Third Parties
We share your data only in the following circumstances:
- Pesapal: Payment processing (transaction data only)
- Supabase: Our database and authentication infrastructure provider (stores account and usage data under a data processing agreement)
- AI model providers (e.g. Anthropic): Processing AI inputs to generate outputs
- Email service providers: Sending transactional and marketing emails
- Legal authorities: Where required by law, court order, or to protect our rights and the safety of others
All third-party processors are bound by data processing agreements and are required to protect your data to standards equivalent to or greater than this policy.
We do not transfer your personal data outside Kenya or the European Economic Area (EEA) without appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable.
9 Data Retention
- Account data: Retained for as long as your account is active, plus 3 years after closure for legal and accounting purposes
- Payment records: Retained for 7 years as required by Kenyan tax and financial regulations
- Usage and analytics data: Retained in aggregated form for up to 2 years
- AI inputs and outputs: Retained for up to 12 months from creation, unless you request earlier deletion
- Support communications: Retained for 2 years from last interaction
Upon account deletion, we will delete or anonymise your personal data within 30 days, except where we are required to retain it by law.
10 Your Rights
Under GDPR and the Kenya Data Protection Act, you have the following rights:
Right of Access
Request a copy of all personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
Right to Restriction
Request that we limit processing of your data in certain circumstances.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Withdraw Consent
Withdraw marketing consent at any time via unsubscribe link or email.
Lodge a Complaint
Complain to the Office of the Data Protection Commissioner (Kenya) or your local supervisory authority.
To exercise any of these rights, email hello@johndigital.ke with the subject line "Data Request". We will respond within 30 days. We may need to verify your identity before processing your request.
11 Security
We implement industry-standard security measures including:
- HTTPS/TLS encryption for all data in transit
- Encrypted storage for sensitive data at rest
- Password hashing using bcrypt or equivalent
- Access controls limiting data access to authorised personnel only
- Regular security reviews of our infrastructure
No system is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR.
12 Children's Privacy
JohnDigital OS is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, contact us immediately at hello@johndigital.ke and we will delete it promptly.
13 Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform at least 14 days before taking effect. The "Last updated" date at the top of this page always reflects the most recent revision.
Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated policy.
14 Contact & Data Requests
- Email: hello@johndigital.ke
- Subject line for data requests: "Data Request — [your name]"
- Response time: Within 30 days (GDPR mandated)
- Supervisory authority (Kenya): Office of the Data Protection Commissioner — odpc.go.ke
This Privacy Policy was last reviewed on 22 May 2026 and is compliant with the EU GDPR and the Kenya Data Protection Act 2019.