Privacy Policy

This Privacy Policy applies to all services operated by Codevertex Africa Limited (also trading as Bengo Hub), a technology company registered in Kenya with its principal office at Pioneer House, 2nd Floor, Oginga Street, Kisumu, Kenya.

The services covered include, but are not limited to:

• Codevertex SSO — accounts.codevertexitsolutions.com (identity and authentication gateway)
• MarketFlow CRM — marketflow.codevertexitsolutions.com (AI marketing automation)
• Codevertex ERP, POS, ISP Billing, TruLoad, Books, Projects, Ordering App — all *.codevertexitsolutions.com subdomains
• Any mobile application, API endpoint, or service that links to this Privacy Policy

Where a specific product has its own supplementary privacy notice, that notice should be read alongside this policy.

We collect information that you provide directly, information collected automatically when you use our services, and information from third-party sources where you have authorised it.

2.1 Information You Provide

• Account Registration: Name, email address, and password (hashed; we never store plaintext passwords).
• Business Information: Business or organisation name, website URL, and industry, collected during onboarding for multi-tenant services such as MarketFlow.
• Contact & Support: Any information you send us via email, support tickets, or feedback forms.
• Billing & Payment: Payment method details (processed by PCI-DSS certified third parties; we do not store raw card numbers), billing address, and transaction history.
• Profile Data: Profile photo and display name you optionally provide.

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, timestamps, session duration, and click-through events within our platform.
• Device & Browser Information: IP address, browser type and version, operating system, screen resolution, and preferred language.
• Authentication Logs: Login timestamps, IP addresses, device identifiers, and OAuth provider used (Google, Microsoft, or GitHub), retained for security and fraud prevention.
• API Usage Metrics: API call counts, response times, and error rates for monitoring and quota management purposes.

2.3 Information from Third-Party OAuth Providers

When you sign in via Google, Microsoft, or GitHub, we receive only the basic profile information you have permitted: your name, email address, and profile photo. We do not request access to your contacts, calendar, drive, or any other resource beyond identity verification.

2.4 Information from Third-Party Advertising APIs (MarketFlow Tenants)

MarketFlow tenants who voluntarily connect their advertising accounts grant us access to campaign performance metrics (impressions, clicks, cost, conversions) for reporting purposes only. See Section 5 for the Google Ads API data policy.

We use personal data only for the purposes disclosed to you at the time of collection:

• Service Delivery: Authenticating your identity across the Codevertex ecosystem; providing access to the applications you subscribe to.
• Security & Fraud Prevention: Detecting and preventing unauthorised access, credential stuffing, brute-force attacks, and abuse.
• Product Improvement: Understanding feature usage patterns (in aggregate or pseudonymous form) to prioritise development.
• Customer Support: Resolving technical issues, responding to enquiries, and maintaining audit trails for dispute resolution.
• Billing & Subscription Management: Processing payments, issuing invoices, and managing subscription lifecycle events.
• Marketing Communications: Sending product updates, security notices, and (where you have opted in) promotional content. You may opt out at any time.
• Legal Compliance: Complying with Kenyan law, responding to lawful requests from government authorities, and enforcing our Terms of Service.

We do not use your data to build profiles for sale to third parties, for political advertising, or for any purpose that has not been disclosed in this policy.

We do not sell, rent, or trade your personal data. We may share data only in the following limited circumstances:

4.1 Service Providers (Data Processors)

We engage trusted third-party vendors who process data on our behalf under strict data processing agreements:

• Infrastructure Hosting: Our services run on a self-managed Kubernetes cluster hosted on a dedicated Contabo VPS server located in their European data centre (Grand Est, France, EU). No customer data is shared with the hosting provider beyond what is inherent in running workloads on their hardware. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256-GCM).
• Payment Processing: Paystack and other PCI-DSS certified payment gateways process card transactions. We receive only a tokenized reference, not raw card data.
• Email Delivery: Transactional emails (password resets, security alerts) are sent via our Notifications Engine, which may relay to an SMTP provider.
• Error Monitoring: Aggregated, anonymised crash reports may be sent to internal monitoring tools (Prometheus, Grafana Loki) with PII stripped at log time.

4.2 Advertising APIs (MarketFlow Only)

For MarketFlow tenants who connect their accounts, data is shared with advertising platforms solely to fulfil the features the tenant has requested:

• Google Ads API: Campaign metrics are fetched for the tenant's own account. Offline conversion events are uploaded with the tenant's Google Click ID (gclid), monetary value, and conversion timestamp — no PII is attached.
• Meta Graph API: Lead and ad performance data for the tenant's own Meta Business account. No cross-tenant data sharing occurs.

4.3 Legal Disclosures

We may disclose your information where required by law, court order, or government authority, or where necessary to protect the rights, property, or safety of Codevertex, our users, or the public.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our assets, user data may be transferred. We will notify you by email and/or a prominent notice on our website at least 30 days before any such transfer and before your data becomes subject to a different privacy policy.

This section supplements the Google API Services User Data Policy. MarketFlow uses the Google Ads API exclusively on behalf of tenants who explicitly authorise access via Google OAuth 2.0. The following principles govern how we handle Google Ads data:

• Authorisation is explicit and tenant-initiated. We never silently link or access a Google Ads account. The tenant must complete a Google OAuth consent screen that clearly lists the requested scope (https://www.googleapis.com/auth/adwords).
• Data is used only for tenant-facing features. Campaign metrics, conversion data, and ad performance are displayed only in the connecting tenant's own MarketFlow dashboard. We never combine data across tenants' accounts.
• We do not sell Google Ads data. Data retrieved via the Google Ads API is never shared with third parties for advertising or any commercial purpose beyond providing the contracted MarketFlow features.
• Refresh tokens are encrypted. Google OAuth refresh tokens are encrypted with AES-256-GCM and stored in a private PostgreSQL database with no public ingress. They are never logged and never accessible to Codevertex staff.
• Revocation is immediate. When a tenant disconnects their Google Ads account, the refresh token is deleted and the row is marked inactive within the same request. No further API calls are made.
• Conversion Uploads contain no PII. Offline conversion uploads include only the Google Click ID (gclid), a conversion timestamp, a monetary value, and a currency code — all provided or approved by the tenant.

MarketFlow's use of Google Ads API data conforms to the Google API Services User Data Policy and the Google Ads API Terms of Service. We do not use Google Ads data for profiling, remarketing outside the tenant's account, or any secondary purpose.

We use the following types of cookies and similar technologies:

We do not use third-party tracking pixels, social media tracking widgets, or behavioural advertising cookies. You can configure cookie preferences in your browser settings; disabling essential cookies will prevent authentication from functioning.

We implement a security-first architecture. Our key technical and organisational measures include:

• Encryption at Rest: All sensitive fields (OAuth tokens, API keys, secrets) are encrypted with AES-256-GCM using a 32-byte key managed via Kubernetes SealedSecrets.
• Encryption in Transit: All communication between your browser and our services uses TLS 1.2+ (enforced; HTTP is redirected to HTTPS). Inter-service communication uses TLS with API key authentication.
• Authentication Standards: Our SSO gateway implements OAuth 2.0, OpenID Connect, and optional WebAuthn (passkey) multi-factor authentication.
• Access Controls: Role-based access control (RBAC) with a platform_owner claim required for all administrative operations. Tenant users cannot access other tenants' data by design.
• Audit Logging: All administrative actions, authentication events, and provider setting changes are recorded in an append-only audit_logs table. Audit entries cannot be modified or deleted by users.
• Vulnerability Management: Regular dependency scanning and security reviews. We have a documented incident response procedure.
• No-Log Policy for Secrets: Bearer tokens, refresh tokens, and passwords are never written to application logs. Structured logs (zap) strip PII at emit time.

While we apply industry-leading security practices, no system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to developers@codevertexitsolutions.com.

We retain your data only as long as necessary for the purpose it was collected:

Depending on your jurisdiction, you may have the following rights regarding your personal data. We honour all reasonable requests within 30 days:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data. You can update most information directly in your account settings.
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data. Note that some data may be retained for legal compliance (see Section 8).
• Right to Restriction: Request that we restrict processing of your data while a dispute is resolved.
• Right to Data Portability: Request an export of your account data in a machine-readable format (JSON or CSV).
• Right to Object: Object to processing based on legitimate interests, including any direct marketing.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting prior processing.
• Right to Disconnect Integrations: You may revoke access to any third-party integration (Google Ads, Meta, GitHub) at any time from your account settings. Revocation takes effect immediately.

To exercise any of these rights, contact our Data Protection at info@codevertexitsolutions.com with the subject line "Data Rights Request — [Your Name]".

Codevertex is headquartered in Kisumu, Kenya. Our production infrastructure runs on a dedicated Contabo VPS server physically located in the European Union (Grand Est, France), which means your data at rest is stored within EU jurisdiction and is subject to EU data protection standards, including GDPR-compliant practices enforced by Contabo GmbH as the infrastructure provider. Where data is transmitted to or from Kenya for operational purposes, we apply appropriate contractual and technical safeguards. We do not knowingly transfer personal data to jurisdictions without an adequate level of data protection without appropriate safeguards.

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a minor, please contact us immediately at info@codevertexitsolutions.com and we will delete it promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. Material changes will be:

• Posted on this page with an updated "Last updated" date.
• Communicated to active account holders by email at least 14 days before the changes take effect.
• Presented as an in-product notice requiring acknowledgement where the change significantly affects how we process your data.

Your continued use of our services after the effective date constitutes acceptance of the revised policy.

If you have questions about this Privacy Policy, wish to exercise your rights, or wish to report a concern, please contact us: