Privacy Policy
1. Introduction and Scope
Brrng Digital Limited, trading as Helloduty (“Helloduty”, “we”, “us”, or “our”), operates the Sautikit programmable voice and telephony API platform. This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with the Sautikit platform, website, dashboard, APIs, SDKs, and related services (collectively, the “Service”).
This Policy applies to all users of the Service, including developers who integrate the Sautikit API into their own applications (“Customers”), and visitors to our website. Where Customers use the Service to process personal data on behalf of their own end users, Helloduty acts as a data processor for that personal data, and the Customer acts as the controller. This Policy primarily describes our practices as a data controller in respect of information we collect directly about Customers and visitors. If you are an end user of an application built by one of our Customers, requests and questions about your personal data — including call recordings — should be directed to that Customer as the controller; we will refer any such requests we receive to the relevant Customer.
We are committed to complying with the Kenya Data Protection Act, 2019 (“KDPA”) and comparable data protection laws in the other markets where we operate. By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Information We Collect
We collect the following categories of information in connection with your use of the Service:
Account and identity information. When you register for an account, we collect your name, email address, company name (if applicable), and a password or, where you use Google Sign-In, authentication tokens provided by Google OAuth. We may also collect a phone number for account verification purposes.
Wallet and transaction records. We maintain records of top-ups you make to your prepaid wallet, including the amount, payment method, date, and transaction reference. We store payment identifiers (such as Paystack payment references or, once supported, M-Pesa transaction codes) but do not store full card numbers or other sensitive financial credentials — those are processed and tokenized by our payment partners.
Call metadata. For each call placed or received through your account, we record associated metadata including the originating and destination phone numbers, call direction (inbound or outbound), start and end timestamps, call duration, cost, and the outcome (e.g., answered, busy, no answer).
Call recordings.If you enable call recording for a call, the audio content of that call is stored in Google Cloud Storage, subject to your workspace's storage allowance and retention window (see Section 7). Call recordings are associated with your account and treated as content you have uploaded. You are the controller of any personal data within recordings; we are a processor acting on your behalf.
API usage and log data. We collect logs of API requests made using your credentials, including endpoint called, request timestamp, HTTP status, and the IP address from which the request was made. This data is used for debugging, security monitoring, and billing.
Device and browser information. When you access our website or dashboard, we automatically collect information about your device and browser, including IP address, browser type and version, operating system, referring URL, and pages visited.
Cookies and analytics. We use cookies and similar tracking technologies on our website. See Section 11 (Cookies) for further details.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing and operating the Service: to create and manage your account, provision phone numbers, route and record calls, process wallet top-ups, generate invoices, and provide API access;
- Billing and financial record-keeping: to charge your wallet for usage, maintain accurate ledger records, and comply with tax and financial reporting obligations;
- Security and fraud prevention: to detect, prevent, and investigate fraudulent activity, abuse of the Service, and security incidents;
- Support and customer service: to respond to your inquiries, troubleshoot issues, and provide technical assistance;
- Service improvement: to analyze usage patterns, diagnose technical problems, and improve the reliability and functionality of the Service;
- Communications: to send you transactional messages (such as top-up confirmations, low-balance alerts, and changes to these terms), and, where you have opted in, product updates and marketing communications;
- Legal compliance: to comply with applicable law, respond to lawful requests from regulatory or law enforcement authorities, and enforce our Terms of Service.
We may also aggregate or anonymize data so that it no longer identifies you or any individual, and use that aggregated or anonymized data for any lawful purpose, including analytics, service improvement, and benchmarking. Aggregated and anonymized data is not personal data under this Policy.
4. Legal Bases for Processing
Under the Kenya Data Protection Act, 2019 and applicable data protection frameworks, we process your personal data on the following legal bases:
- Contract performance: processing necessary to provide the Service to you under our Terms of Service, including account management, call routing, and billing;
- Legitimate interests: processing necessary for our legitimate business interests, including security and fraud prevention, service improvement, and product communications (balanced against your rights and interests);
- Legal obligation: processing required to comply with applicable law, including financial record-keeping, telecommunications regulatory requirements, and responding to lawful government or regulatory requests;
- Consent: where we rely on your consent (for example, for optional marketing communications), you may withdraw that consent at any time by contacting us or using the unsubscribe mechanism in our emails.
5. How We Share Your Information
We do not sell your personal data. We share personal data only as described below:
Telecommunications carriers and interconnect partners. To route calls through our network, we pass call signaling information (including caller and destination phone numbers) to the telecommunications carriers and interconnect partners we work with. These parties process such data in accordance with their own regulatory obligations and privacy practices.
Payment processors.We share the information necessary to process your wallet top-up with our payment processing partners. Top-ups are currently processed by Paystack; we expect to add M-Pesa (Safaricom) as a payment method over time. Each partner's own privacy policy governs how it handles payment data.
Cloud and infrastructure providers. Our backend infrastructure runs on DigitalOcean, Google Cloud, and Angani (a Kenya-based cloud provider). Call recordings are stored in Google Cloud Storage. These providers process data on our behalf under data processing agreements and implement appropriate security measures.
Service providers. We engage third-party service providers to support functions such as email delivery, analytics, customer support tooling, and security monitoring. These providers are authorized to process your data only as necessary to perform services for us and are bound by appropriate confidentiality obligations.
Legal and compliance disclosures. We may disclose your information where required by law, court order, or regulatory requirement, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business transfers. If Brrng Digital Limited is involved in a merger, acquisition, asset sale, or similar transaction, your personal data may be transferred as part of that transaction. We will notify you of any such change in ownership that materially affects how your data is handled.
Third-party privacy policies. The privacy policies of the principal third parties we work with are available here:
- Paystack — paystack.com/privacy/merchant
- Safaricom (M-Pesa) — safaricom.co.ke/dataprivacystatement
- Google Cloud — cloud.google.com/terms/cloud-privacy-notice
- DigitalOcean — digitalocean.com/legal/privacy-policy
- Angani — angani.co/privacy-policy
6. International Data Transfers
Brrng Digital Limited is based in Kenya, and the Service is primarily operated from Kenya. Data hosted with Angani remains within Kenya. However, some of the third parties we work with — including Google Cloud and DigitalOcean — may process or store data on servers located outside Kenya, including in the European Economic Area, the United States, and other jurisdictions.
Where your personal data is transferred outside Kenya, we take steps to ensure that appropriate safeguards are in place in accordance with the requirements of the Kenya Data Protection Act, 2019 and any associated regulations. These safeguards may include data processing agreements that incorporate standard contractual clauses, reliance on adequacy determinations, or other mechanisms recognized under applicable law.
By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions outside Kenya as described in this Policy.
7. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this Policy, and in any case for as long as required by applicable law. Specifically:
- Call recordingsare retained for 24 hours by default, after which they are automatically and permanently deleted. Customers who subscribe to a paid storage tier receive longer retention windows, as published on our pricing page. Recordings that would exceed your workspace's storage allowance are not stored at all. It is your responsibility to retrieve any recordings you wish to keep beyond the applicable retention window.
- Call metadata (numbers, timestamps, durations, costs) is retained for as long as your account is active and for a period thereafter as required for billing dispute resolution, tax, and regulatory compliance purposes.
- Account and ledger records are retained for the duration of your account and for the period required under applicable Kenyan financial record-keeping and tax legislation (typically seven years from the relevant transaction).
- Log and security data is typically retained for 90 days, subject to extension where required for an ongoing security investigation.
We may retain personal data for longer than the periods above where reasonably necessary to resolve disputes, prevent fraud or abuse, enforce our Terms of Service, or establish, exercise, or defend legal claims. When we no longer have a lawful basis to retain your personal data, we will securely delete or anonymize it.
8. Security Measures
We implement technical and organizational security measures appropriate to the nature of the data we hold and the risks associated with its processing. These measures include encryption of data in transit (TLS) and at rest, access controls and authentication requirements for our systems, network security monitoring, and regular review of our security practices.
API keys and access tokens are hashed and stored securely; we never store them in plain text. You are responsible for keeping your own API credentials secure and for rotating them promptly if you suspect they have been compromised.
No method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant authorities as required by applicable law.
9. Your Rights
Under the Kenya Data Protection Act, 2019 and comparable data protection laws in the markets where we operate, you have the following rights in relation to your personal data:
- Right of access: you may request confirmation of whether we hold personal data about you, and a copy of that data;
- Right to rectification: you may request that we correct inaccurate or incomplete personal data we hold about you;
- Right to erasure: you may request that we delete your personal data where we no longer have a lawful basis to retain it, subject to any legal obligations requiring us to keep it;
- Right to data portability: where we process your data based on your consent or on a contract with you, you may request that we provide your personal data in a structured, commonly used, machine-readable format;
- Right to object: you may object to our processing of your personal data where we rely on legitimate interests as the legal basis, and we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests; and
- Right to withdraw consent: where we rely on your consent to process your data, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
These rights apply to personal data for which we are the controller. Where your personal data is processed by us on behalf of one of our Customers (for example, personal data contained in a Customer's call recordings), please direct your request to that Customer; we will refer any such request we receive to the relevant Customer and support their response in our role as processor.
To exercise any of these rights, please contact us at support@helloduty.com. We will respond to your request within the timeframes required by applicable law (typically 30 days, with the possibility of extension for complex requests). We may need to verify your identity before processing a request, and we may charge a reasonable fee where permitted by applicable law for requests that are manifestly unfounded, excessive, or repetitive.
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya or the relevant supervisory authority in your jurisdiction.
10. Children
The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that a child under 18 has provided us with personal data without your consent, please contact us at support@helloduty.com and we will take steps to delete that information as promptly as practicable.
11. Cookies
We use cookies and similar tracking technologies on our website and dashboard. Cookies are small text files placed on your device when you visit a website. We use the following types of cookies:
- Strictly necessary cookies: required for the operation of our website and dashboard, including session management and authentication. These cannot be disabled.
- Analytics cookies: used to understand how visitors interact with our website, which pages are most popular, and how users navigate through our content, so we can improve the user experience. We process this data in aggregate and pseudonymised form where possible.
- Preference cookies: used to remember your settings and preferences, such as language or theme selection.
You can control non-essential cookies through your browser settings. Most browsers allow you to refuse cookies or to delete cookies that have already been set. Please note that disabling cookies may affect the functionality of parts of the Service. For more information about cookies, including how to see what cookies have been set and how to manage and delete them, visit allaboutcookies.org.
12. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by email to the address associated with your account and/or by posting a prominent notice in the Sautikit dashboard, at least 14 days before the changes take effect. The updated Policy will be identified by a revised “Last updated” date at the top of this page.
Your continued use of the Service after the effective date of the revised Policy constitutes your acknowledgement of the updated terms. If you object to any changes, please stop using the Service and contact us to close your account.
13. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact us:
- Email: support@helloduty.com
- Company: Brrng Digital Limited, trading as Helloduty
- Address: YPL Place, George Padmore Lane, Nairobi, Kenya
We are committed to working with you to resolve any concerns about your privacy and your personal data. We will acknowledge your inquiry promptly and respond within the timeframes required by applicable law.