Privacy Policy
Last updated: 05 June 2026 · Effective: 05 June 2026
1. Who We Are (Data Controller)
Kanisalink is a Software-as-a-Service (SaaS) church communication platform registered and certified in Tanzania under the Personal Data Protection Commission (PDPC).
Email: info@kanisalink.co.tz
Country: Tanzania
For data processing carried out on behalf of a registered church, that church acts as the Data Controller and Kanisalink acts as the Data Processor. A Data Processing Agreement (DPA) governs that relationship and is available on request.
2. Data We Collect
2.1 Church Administrators
- Full name, email address, and password (hashed — we never store plain-text passwords)
- Church name, phone number, address, and timezone
- WhatsApp Business API credentials (encrypted at rest)
- Billing and payment reference information
2.2 Congregation Members
- Full name, WhatsApp phone number, and optionally email address
- Membership application details (address, application status)
- Prayer requests submitted via WhatsApp or web chat
- Conversation history with the church bot (messages and timestamps)
2.3 Visitors & Web Chat Users
- Phone number entered to use the web chat
- Chat messages and bot responses
- Browser type and IP address (server logs, retained for 30 days)
2.4 Automatically Collected Data
- Session identifiers and authentication tokens (stored in encrypted, HTTP-only cookies)
- Log data: timestamps, page visits, errors — used only for system maintenance and security
3. Lawful Basis for Processing
We process personal data only when we have a lawful basis under the PDPA 2022:
- Contract performance — to provide the Kanisalink service to your church
- Legitimate interests — to prevent fraud, secure the platform, and improve the service
- Consent — for optional features such as AI-powered replies and WhatsApp notifications to congregation members; consent may be withdrawn at any time
- Legal obligation — to comply with applicable Tanzanian law
4. How We Use Your Data
- To create and manage church and user accounts
- To deliver WhatsApp chatbot responses to congregation members on behalf of the church
- To generate AI-assisted replies using your church's own content (sermons, FAQs, announcements)
- To process Ministry Credit orders and maintain billing records
- To send service-critical communications (security alerts, downtime notices)
- To detect and prevent abuse, spam, and unauthorised access
- To comply with legal obligations and respond to lawful authority requests
We do not sell, rent, or trade your personal data to third parties. We do not use your data for targeted advertising.
5. Data Sharing & Third Parties
We share data only as strictly necessary to operate the service:
- Meta / WhatsApp Business API — messages sent or received through WhatsApp are processed by Meta Platforms Inc. under their own Privacy Policy and Business Terms.
- OpenAI — when AI replies are enabled, anonymised conversation context and church knowledge-base content are sent to OpenAI's API. No personal identifiers (names, phone numbers) are included in AI prompts. This transfer is covered by appropriate contractual safeguards.
- Hosting & Infrastructure — our servers are hosted by reputable cloud providers bound by data processing agreements.
- Payment processing — reference codes and amounts are shared as necessary to confirm credit orders. We do not store card or mobile money credentials.
- Legal authorities — we will disclose data when required by a court order, warrant, or other lawful demand from Tanzanian authorities.
6. International Data Transfers
Some sub-processors (including OpenAI) are located outside Tanzania. When personal data is transferred internationally, we ensure adequate safeguards are in place — such as Standard Contractual Clauses — in line with Part VI of the PDPA 2022 and the guidance of the PDPC.
7. Data Retention
- Account data — retained for the lifetime of the church account, then deleted within 90 days of account closure
- Conversation history — retained for 12 months, then permanently deleted
- AI logs — retained for 6 months for quality and billing purposes
- Server logs — retained for 30 days
- Payment records — retained for 7 years as required by Tanzanian financial regulations
- Prayer requests — deleted 12 months after submission unless the church retains them under their own policy
8. Your Rights Under the PDPA 2022
As a data subject under Tanzanian law you have the right to:
- Access — obtain confirmation of whether we process your data and receive a copy
- Rectification — correct inaccurate or incomplete personal data
- Erasure — request deletion where there is no legal obligation to retain it
- Restriction — limit how we process your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing
To exercise any of these rights, email us at info@kanisalink.co.tz. We will respond within 14 days.
9. Security Measures
We implement technical and organisational measures to protect personal data, including:
- All data in transit is encrypted using TLS 1.2+ (HTTPS enforced)
- Passwords are hashed using bcrypt — we cannot recover plain-text passwords
- WhatsApp API credentials are encrypted at rest
- Access to personal data is restricted to authorised personnel on a need-to-know basis
- CSRF tokens protect all form submissions against cross-site request forgery
- SQL injection is prevented through parameterised queries (Laravel Eloquent ORM)
- Rate limiting is applied to login, chat, and API endpoints
- All admin actions are logged with user identity and timestamp
- Regular dependency and security updates are applied
Despite these measures, no system is 100% secure. In the event of a data breach affecting your rights, we will notify you and the PDPC within 72 hours of becoming aware, as required by law.
10. Children's Privacy
Kanisalink is not directed to children under the age of 16. We do not knowingly collect personal data from children without verifiable parental consent. Where a church runs a children's ministry, the church (as Data Controller) is responsible for obtaining appropriate parental consent before processing any child's data through the platform.
11. Cookies
We use only strictly necessary cookies:
- Session cookie — keeps you logged in (expires on browser close or after inactivity)
- CSRF token cookie — protects form submissions from forgery (HTTP-only, secure)
We do not use analytics, advertising, or tracking cookies of any kind.
12. Church Responsibilities (Data Controllers)
If your church uses Kanisalink to communicate with congregation members, your church is the Data Controller for that member data. You are responsible for:
- Informing congregation members that their WhatsApp interactions are processed through the Kanisalink platform
- Obtaining appropriate consent before collecting member data through the platform
- Handling prayer requests and sensitive personal information with care and strict confidentiality
- Complying with the PDPA 2022 in your own data processing activities
- Registering with the PDPC where required by Tanzanian law
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered church administrators by email and display a notice in the dashboard at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.
14. How to Complain
If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with Tanzania's data protection authority:
Personal Data Protection Commission (PDPC) — Tanzania
Website: www.pdpc.go.tz
Email: info@pdpc.go.tz
We encourage you to contact us first at info@kanisalink.co.tz — we are committed to resolving concerns promptly and fairly.
15. Contact Us
Kanisalink
Platform: Church communication SaaS — Tanzania & Africa
Email: info@kanisalink.co.tz
Website: kanisalink.co.tz
Country: Tanzania
Registered and certified with the Personal Data Protection Commission (PDPC) of Tanzania.