Privacy Policy

Last updated: April 21, 2026

1. Data Controller

KiboERP SA (“KiboERP”, “we”, “us”) is the controller of your personal data under Regulation (EU) 2016/679 (GDPR) and applicable local laws.

DPO contact: privacy@kiboerp.com

2. Data We Collect

Identity data: name, email address, phone number, country, company name.
Connection data: IP address (stored in active sessions only, not retained in application logs), browser, login timestamp, subdomain.
Business data: content you enter in the platform (products, clients, invoices, accounting entries, etc.). This data belongs to your organisation (tenant) and is processed by KiboERP as a data processor under Art. 28 GDPR.
Payment data: Mobile Money transaction references, Paddle order identifiers. We never store full card numbers or banking credentials.
Technical data: activity logs (user actions, timestamps), JWT session tokens.

3. Legal Bases

Purpose	Legal basis (GDPR)	Retention
Providing the SaaS service	Art. 6(1)(b) — contract performance	Contract duration + 90 days
Billing and accounting	Art. 6(1)(c) — legal obligation	10 years (OHADA)
Security and fraud prevention	Art. 6(1)(f) — legitimate interest	12 months max
Product analytics	Art. 6(1)(a) — consent	26 months (GA4)
Marketing communications	Art. 6(1)(a) — consent	Until unsubscribe

4. Sub-processors and Transfers

KiboERP does not sell, rent or share your personal data for commercial purposes. The following sub-processors handle personal data on our behalf:

Sub-processor	Purpose	Location	Safeguards
Vercel	Application hosting (CDN, compute)	EU (Frankfurt) + US	SCCs, SOC 2 Type II
Neon / Supabase	PostgreSQL database	EU (Frankfurt)	SCCs, at-rest encryption
Resend	Transactional email	US (AWS)	SCCs, DPA available
Upstash Redis	Session cache and rate-limiting	EU / US	SCCs, TLS encryption
Cloudflare R2	File storage (DMS, media)	EU (region choice)	SCCs, SOC 2
Sentry	Error monitoring	US	SCCs, anonymised data
Paddle	EU/international payments (Merchant of Record)	UK / EU	DPA, PCI-DSS
Google Analytics 4	Product analytics (consent required)	US	SCCs, IP anonymised

Standard Contractual Clauses (SCCs) are in place for all transfers outside the EU. The full DPA is available at Data Processing Agreement.

5. Your Rights (GDPR)

If you are located in the European Union or Switzerland, you have the following rights:

Right of access (Art. 15): obtain a copy of your personal data via GET /api/gdpr/export.
Right to rectification (Art. 16): correct inaccurate data via profile settings.
Right to erasure (Art. 17): request deletion of your account via POST /api/gdpr/delete or account settings.
Right to data portability (Art. 20): receive your data in JSON or CSV format.
Right to object (Art. 21): object to processing based on legitimate interest.
Right to restrict processing (Art. 18): request restriction in certain circumstances.
Withdraw consent: update your cookie preferences at any time via the cookie banner.

To exercise these rights: privacy@kiboerp.com — Response within 30 days (Art. 12 GDPR). You may also lodge a complaint with your national supervisory authority (CNIL in France, etc.).

6. Security

Data in transit encrypted via HTTPS/TLS 1.3.
Passwords hashed with bcrypt (cost factor 12).
2FA secrets encrypted with AES-256-GCM.
JWT sessions with httpOnly cookies and automatic expiry.
RBAC with 9 permission levels.
Brute-force protection: 5 attempts max, 15-minute lockout.

7. Data Breach Notification

In the event of a personal data breach likely to result in risk to your rights and freedoms, KiboERP will notify the competent supervisory authority within 72 hours (Art. 33 GDPR) and affected individuals without undue delay (Art. 34 GDPR).

8. Contact

Data Protection Officer: privacy@kiboerp.com
Address: KiboERP SA, c/o [Registered address], Switzerland.

Legal notices Terms of Service Data Processing Agreement Politique de confidentialite (FR)