Privacy Policy — Chains-ERP & Global Finance

This Privacy Policy ("Policy") explains how Chains-ERP & Global Finance and its operating entity ("Global Chains ERP," "we," "us," or "our") collects, uses, discloses, stores, and protects information in connection with our cloud software platform and related services (collectively, the "Service"). The Service is designed as financial and business operations infrastructure, including without limitation: smart invoicing; accounts payable and receivable; vendor and client records; treasury, wallet, and payment-orchestration tooling; multi-currency and reconciliation features; M-Pesa and other payment-channel integrations where enabled; subscription billing; organization and workspace management; roles and approvals; APIs, webhooks, and third-party integrations; document and logo uploads; optional blockchain or digital-asset-related workflows including BTCPay Server hosting for merchants; optional push notifications; ledger or accounting-oriented exports/sync where offered; and administrative or compliance-oriented logging.

Important: This Policy is provided for transparency. It does not constitute legal advice. Financial, payroll, tax, sanctions, and data-protection requirements vary by jurisdiction and use case. Engage qualified counsel and, where applicable, execute a Data Processing Addendum (DPA) with us for enterprise deployments.

Last updated: June 2026

1. Who this Policy covers

This Policy applies to visitors to our websites, registered users, organization administrators and members, payors or counterparties who interact with public or tokenized flows we host (such as hosted invoice or payment pages or vendor submission links), and individuals whose information is submitted into the Service by a customer (for example employees, vendors, or clients of our customers).

If you interact with the Service only as an employee or contact of our customer, that customer is typically responsible for informing you about processing and for honoring privacy requests for business data they control. We may still process certain information as an independent controller for security, billing, and platform integrity.

2. Controller and processor roles

The Service is multi-tenant. In general:

  • Customer as controller: For data your organization inputs or connects—such as invoices, payables, clients, vendors, chart-of-account style references, payroll fields, files, treasury configurations, and business communications metadata—your organization is typically the controller, and we process such data as a processor to provide the Service, subject to your instructions, these terms, and any executed DPA.
  • We as controller: We act as a controller where we determine purposes and means—for example account creation and authentication events, subscription and billing with payment partners, fraud and abuse prevention, security monitoring, aggregated analytics, product and policy notices, certain cookie-based analytics where not solely on behalf of a customer, and compliance with legal process directed to us.

Where laws require a lawful basis (such as under GDPR/UK GDPR or the Kenya Data Protection Act 2019), we rely on contract, legitimate interests (balanced against rights), legal obligation, or consent as appropriate to the activity.

3. Information we collect

Depending on how you use the Service, we may collect:

3.1 Account, identity, and access

  • Name, email, phone, password or OAuth tokens, session identifiers, organization membership, roles
  • Workspace or organization identifiers, invitation and onboarding state
  • Security-related events (e.g. sign-in timestamps, device or IP indicators where logged)

3.2 Billing and subscriptions

  • Plan, subscription status, usage metrics relevant to billing
  • Payment data: typically handled by payment processors (e.g. Paystack or other configured providers). We may receive limited tokens, last-four, receipt metadata, customer references, and transaction status—not full card data where the processor tokenizes it.

3.3 Financial, ERP, and operational content

  • Invoices, line items, taxes, approvals, numbering, PDFs, and delivery history you configure
  • Payables, bills, vendor banking or payment instructions you store, approval chains, audit trails
  • Clients, vendors, counterparties, and contact directories you maintain
  • Bank account labels, payment method preferences, reconciliation notes, and similar operational fields

3.4 Treasury, wallets, and blockchain-related data

  • Wallet addresses, chain identifiers, transaction hashes, Safe or multi-sig configurations, gas or fee settings, and provider references (including data returned by node providers or wallet-connection SDKs)
  • On-chain data is public by nature; we may index or display it to operate features you enable
  • Webhook or provider callbacks related to treasury movements may be logged for reconciliation and security

3.5 Mobile money and regional payment channels

  • Where M-Pesa or similar channels are enabled, we may process phone numbers, transaction references, reconciliation keys, and status messages as you or integrations submit them

3.6 HR, payroll, and workforce information

  • If you use payroll or HR-oriented fields: salaries or rates, deductions, tax identifiers, national IDs, bank details for wages, attendance or HR notes. Under the Kenya Data Protection Act 2019, section 25, employee salary data, national identification numbers, and similar HR records are classified as sensitive personal data requiring explicit consent and heightened protection. You must have a lawful basis—including written employee consent where required under Kenya DPA s.25—before processing such data. We process such data only to provide the Service per your instructions.

3.7 Files, media, and documents

  • Uploaded logos, attachments, contracts, and PDFs you or your users provide
  • Where PDF or document parsing is used, extracted text and structure may be processed to populate fields you approve

3.8 Communications

  • Email content metadata, delivery status, and SMTP or provider logs when we send system or product emails
  • If you connect WhatsApp Business API (Meta) or similar channels, message metadata and payloads may be processed according to your configuration and Meta's policies

3.9 APIs, webhooks, and integrations

  • API keys or tokens you create, webhook URLs, request logs, error logs, and integration configuration
  • Payloads received from third-party systems you connect to the Service

3.10 Public and unauthenticated flows

  • When counterparties use hosted invoice pay flows, vendor link tokens, or similar URLs, we may collect IP address, device/browser data, payment attempt metadata, and fraud signals as needed to operate and secure those flows

3.11 Technical, cookies, and similar technologies

  • Cookies, local storage, or similar for sessions, preferences, security, and analytics
  • IP address, user agent, referrer, approximate location derived from IP

3.12 Push notifications

  • If you opt in to web push, subscription endpoints and keys required for delivery may be stored in accordance with browser standards

3.13 AI-assisted features

  • Inputs you provide and outputs generated may be processed by models or automation to deliver features you enable. Retention and subprocessors depend on configuration and provider terms.

3.14 Support and abuse handling

  • Ticket content, correspondence, and investigation notes when you contact us or we investigate incidents

4. Purposes of processing

  • Provide, maintain, debug, and improve the Service and its features
  • Authenticate users, enforce role-based access control, and maintain tenant isolation
  • Route or orchestrate payments, treasury actions, and notifications as you configure
  • Detect, prevent, and respond to fraud, abuse, security incidents, and illegal activity
  • Comply with law, regulations, court orders, and government requests
  • Perform sanctions and risk screening where required or prudent
  • Bill and collect fees; manage subscriptions and trials
  • Communicate about the Service, incidents, and policy updates
  • Analytics, product development, and benchmarking using aggregated or de-identified data where possible
  • Train or evaluate models only as permitted by applicable agreements and settings

5. Automated processing and profiling

We may use rules-based systems or machine learning for fraud scoring, risk flags, categorization, suggestions, or workflow routing. Such processing may produce recommendations only; it does not replace your judgment unless you explicitly configure automation. Where required, you may have rights to human review or to object.

6. Legal bases

Where GDPR, UK GDPR, the Kenya Data Protection Act 2019, Nigeria NDPA, South Africa POPIA, or comparable laws apply, we process personal data under one or more of: performance of a contract, legitimate interests (e.g. securing the Service, preventing fraud—balanced against individual rights), legal obligation, vital interests (rare), or consent where required (e.g. non-essential cookies, sensitive data processing under Kenya DPA s.25, or certain marketing).

7. Disclosure, subprocessors, and categories of recipients

We may disclose information to:

  • Infrastructure and database providers (e.g. document databases such as MongoDB in cloud regions you or we configure)
  • Application hosting and edge/CDN providers that serve our web application and assets
  • Authentication and identity services integrated with the platform
  • Payment processors (e.g. Paystack for subscriptions or other configured acquirers)
  • Treasury or banking-as-a-service partners you enable (e.g. providers receiving webhooks or settlement instructions)
  • Blockchain node, wallet, and smart-contract infrastructure (e.g. RPC providers, wallet connection SDKs, BTCPay Server infrastructure) as required to execute features you choose
  • Email delivery (SMTP relays or transactional email vendors) and messaging platforms (e.g. Meta/WhatsApp when connected)
  • Analytics, logging, observability, error reporting, and security vendors
  • Professional advisers, auditors, insurers, and due-diligence participants
  • Acquirers, successors, or affiliates in a merger, financing, or asset sale, subject to confidentiality and legal requirements
  • Law enforcement and regulators when we believe disclosure is required by law or necessary to protect rights, safety, and integrity

A Subprocessor Disclosure may list names and purposes; the list may change. We will provide enterprise customers notice where contractually required before engaging a new subprocessor that processes personal data on their behalf.

7A. BTCPay Server and Bitcoin payment infrastructure

Where we host or operate BTCPay Server instances on behalf of merchants, we provide server software infrastructure only. We are not a payment processor, payment service provider (PSP), money transmitter, virtual asset service provider (VASP), or custodian in relation to Bitcoin or any other digital asset transactions processed through BTCPay Server.

BTCPay Server operates on a self-custodial model: merchants control their own Bitcoin private keys and wallets. We do not hold, custody, control, or have access to merchants' Bitcoin funds at any time.

In connection with BTCPay Server hosting, we may process:

  • Server configuration data and instance settings you provide
  • Connection metadata, API credentials, and webhook configurations
  • Operational logs required for infrastructure maintenance and security
  • xpub (extended public key) data you configure for invoice generation — we do not have access to private keys

On-chain transaction data is public by nature of the Bitcoin network. Transaction hashes, addresses, and amounts recorded on the blockchain are publicly visible and cannot be erased by us or by you. We may display or index this publicly available data to operate features you enable.

You (the merchant or operator) are solely responsible for all compliance obligations arising from your acceptance of Bitcoin payments, including applicable VASP registration, KYC/AML program requirements, tax reporting, and any licensing required in your jurisdiction.

8. International data transfers

We may process and store data in the United States, European Economic Area, United Kingdom, Kenya, and other regions depending on deployment and vendor locations. Where transfers from the EEA, UK, Switzerland, or other restricted jurisdictions occur, we implement appropriate safeguards such as Standard Contractual Clauses, the UK Addendum, or other lawful mechanisms. Copies of transfer assessments or DPAs may be available to enterprise customers upon request.

9. Data residency

Unless a separate enterprise agreement specifies a region, data may be processed globally to operate the Service. Certain regulated workloads may require dedicated deployment; contact us for enterprise options.

10. Security

We implement commercially reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the Service, including access controls, encryption in transit where standard for the protocol, vulnerability management, logging, and vendor review. No system is perfectly secure. We do not represent that the Service is immune to compromise or free from defects. You are responsible for safeguarding credentials, API keys, and devices used to access the Service.

11. Audit logs, monitoring, and financial traceability

We may record events such as authentication, role changes, configuration edits, approvals, exports, treasury or payout instructions initiated through the Service, webhook receipts, and administrative actions. Logs support security monitoring, dispute resolution, regulatory inquiries, and forensic investigations. Retention follows operational and legal requirements and may extend beyond account deletion where mandated for accounting or anti-fraud purposes.

12. Retention

We retain personal data for as long as necessary to provide the Service, comply with law (including tax, AML, and bookkeeping retention), resolve disputes, and enforce agreements. Categories such as security logs, billing records, and accounting entries may have longer retention. Backups may persist for a limited period after deletion requests. Enterprise customers may negotiate schedules in a DPA.

13. Deletion, export, and account closure

You may request export or deletion subject to law and technical feasibility. Where we act as processor, requests may need to be routed through your organization's administrator. Some information must be retained by law or for legitimate interests (e.g. billing proofs, abuse prevention). Public blockchain records cannot be erased by us.

14. Cookies and tracking

We use essential, functional, analytics, and security-related cookies or similar technologies. A dedicated Cookie Policy or cookie banner may provide granular choices where required. Disabling certain cookies may impair functionality.

15. Marketing

We may send product updates or offers where permitted. You may opt out of marketing communications; transactional or security notices may continue.

16. Children

The Service is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children.

17. Sanctions, AML, and restricted activity

We prohibit use of the Service for sanctions evasion, money laundering, terrorist financing, fraud, or other illegal financial activity. We may screen data where required, block activity, freeze features, or terminate accounts consistent with law and risk policies.

17A. Cryptocurrency and virtual asset compliance

If you use Bitcoin, cryptocurrency, or other virtual asset features of the Service (including BTCPay Server hosting), you are solely responsible for complying with all applicable laws and regulations in your jurisdiction, including:

  • VASP registration and licensing: Virtual Asset Service Provider registration or licensing obligations that may apply to your business under the laws of Kenya, your country of incorporation, and any jurisdiction where you operate or have customers
  • AML/CFT obligations: Anti-money laundering and counter-financing of terrorism program requirements, including customer due diligence, transaction monitoring, and suspicious activity reporting
  • Tax reporting: KRA (Kenya Revenue Authority) guidance on the tax treatment of virtual assets and cryptocurrency transactions, including capital gains, income characterization, and VAT implications
  • CBK regulations: Central Bank of Kenya regulations and guidance on virtual assets and digital currencies, as updated from time to time, apply to your use of cryptocurrency features where applicable

We screen for sanctioned addresses where technically feasible using available screening tools, but we make no representation that our screening is exhaustive or complete. You remain responsible for your own sanctions compliance program. We reserve the right to block, restrict, or report transactions associated with sanctioned addresses or persons.

18. Regional privacy rights

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to processing, and to lodge a complaint with a supervisory authority. Under the Kenya Data Protection Act 2019, data subjects in Kenya have the rights to be informed, to access their data, to object to processing, to correction and deletion, and to complain to the Office of the Data Protection Commissioner (ODPC). California residents may have rights under CCPA/CPRA. We will verify requests as permitted by law.

19. Breach notification

If we determine a personal data breach requires notification under applicable law, we will notify regulators and affected individuals as required. Under the Kenya Data Protection Act 2019, we are required to notify the ODPC of certain breaches within prescribed timeframes. Customers acting as controllers are responsible for notifying their own data subjects where their business data is affected.

20. Third-party links and embedded services

The Service may link to third-party sites or embed widgets. Their privacy practices are governed by their own policies. Wallet extensions, banking portals, or social login providers may collect data independently.

21. Changes to this Policy

We may update this Policy to reflect product, legal, or operational changes. We will post the updated Policy with a new “Last updated” date and, where required, provide additional notice. Continued use after changes may constitute acceptance where permitted.

22. Contact

Privacy questions, data subject requests, and legal notices:

  • Privacy inquiries: privacy@chains-erp.com
  • Data Protection Officer: dpo@chains-erp.com
  • Legal notices: legal@chains-erp.com
  • Address: Nairobi, Kenya. Full registered address available upon written request to legal@chains-erp.com.

Data Retention Schedule

| Category | Examples | Purpose | Retention Period | Access Control |
|---|---|---|---|---|
| Account & identity | Name, email, roles, session tokens | Authentication and platform access | Account lifetime + 30 days post-deletion | Role-based; user-controlled |
| Financial records | Invoices, bills, payables, reconciliation data | Accounting, invoicing, compliance | 7 years (or as required by applicable law) | Finance roles; restricted |
| Payroll & HR data | Salaries, national IDs, bank details, tax identifiers | Salary processing, statutory reporting | 7 years (Kenya Employment Act / KRA requirements) | HR-restricted; sensitive category |
| M-Pesa transaction records | Phone numbers, transaction refs, status messages | Reconciliation, dispute resolution | 5 years (or as required by CBK regulations) | Finance roles; restricted |
| BTCPay / Bitcoin infrastructure logs | Server config, connection metadata, operational logs | Infrastructure maintenance, security, audit | 90 days operational; longer if required for legal hold | Internal infrastructure team only |
| Blockchain / on-chain data | Wallet addresses, transaction hashes, xpub references | Feature operation, reconciliation | Indefinite (public blockchain data; cannot be erased) | Publicly visible on blockchain; internal display restricted by role |
| Billing & subscription records | Plan, invoices, payment tokens, receipts | Revenue, tax, dispute resolution | 7 years | Billing team; restricted |
| Security & audit logs | Login events, role changes, approvals, webhook receipts | Security monitoring, incident response, forensics | 2 years minimum; longer if required for legal hold | Internal security team only |
| Usage logs | Feature interactions, API requests, error logs | Performance, debugging, product development | 90 days rolling | Internal engineering; aggregated for analytics |
| Support correspondence | Ticket content, chat logs, investigation notes | Support, dispute resolution | 3 years from ticket closure | Support team; restricted |
| Files & documents | Uploaded PDFs, logos, contracts, attachments | Service operation, document management | Account lifetime + 30 days post-deletion (unless legal hold applies) | Workspace-level role-based access |