Privacy Policy

Qserve Billing ("we", "us", or "our") is committed to protecting the privacy and security of all personal data we process. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the rights you have with respect to your data. It applies to all users of our website at qserve-isp.net and the Qserve Billing platform (collectively, the "Service").

By using the Service you acknowledge that you have read and understood this policy. If you do not agree, please discontinue use of the Service.

1. Who We Are

Qserve Billing is an ISP billing and subscriber management platform operated from Nairobi, Kenya. We act as a data controller for information collected directly through our website and registration process. For subscriber data that Internet Service Providers (ISPs) store inside their Qserve Billing account, the ISP is the data controller and Qserve Billing acts as a data processor on their behalf.

2. Information We Collect

2.1 Information you provide directly

• Account registration: name, business name, email address, phone number, and country.
• Billing information: M-Pesa transaction references, payment amounts, and invoice records.
• Support requests: contact form submissions including name, email, and message content.
• Profile updates: any changes you make to your account settings.

2.2 Information generated through your use of the Service

• Subscriber data: ISP operators add their customers' names, phone numbers, MAC addresses, IP addresses, and service plans. This data is held on behalf of the ISP.
• Network data: MikroTik router connection logs, PPPoE session data, hotspot usage records, and bandwidth statistics synced from your routers.
• Transaction records: M-Pesa STK push results, payment confirmations, and invoice history.
• Audit logs: records of actions taken within your account (logins, configuration changes, bulk operations).

2.3 Information collected automatically

• Log data: IP address, browser type, operating system, referring URL, pages visited, and timestamps.
• Cookies & local storage: session tokens, theme preference, and authentication state. See Section 7 for details.
• Analytics: We use Google Analytics (ID: G-KMEKV6CRLF) to understand aggregate usage patterns. This data is anonymised and does not personally identify visitors.

3. How We Use Your Information

We use collected data to:

• Provide, operate, and improve the Qserve Billing platform.
• Authenticate users and maintain account security.
• Process M-Pesa payments and generate invoices.
• Communicate with you about your account, service updates, and support requests.
• Synchronise MikroTik router configurations and subscriber sessions on your behalf.
• Detect and prevent fraud, abuse, or unauthorised access.
• Comply with our legal obligations under applicable Kenyan and East African law.
• Analyse aggregate usage to improve platform performance and plan new features.

We will never sell your personal data to third parties, and we do not use it for targeted advertising.

4. Legal Bases for Processing

We process personal data under the following legal bases as defined by Kenya's Data Protection Act, 2019:

• Contract performance — to deliver the Service you have signed up for.
• Legitimate interests — to secure our platform, prevent fraud, and improve the Service.
• Legal obligation — to comply with applicable law (e.g., tax records, anti-money-laundering requirements).
• Consent — where you have explicitly opted in, such as marketing emails. You may withdraw consent at any time.

5. How We Share Your Information

We share data only in the following limited circumstances:

• Service providers: Trusted third-party processors who help us deliver the Service (e.g., cloud hosting, SMS gateway, M-Pesa API). These providers are contractually bound to process data only on our instructions and to maintain appropriate security.
• Safaricom / M-Pesa: Payment data is shared with Safaricom PLC to process mobile money transactions. Safaricom's own privacy policy governs their use of that data.
• Legal requirements: Where required by law, court order, or government authority, we may disclose information to comply with legal obligations.
• Business transfers: In the event of a merger, acquisition, or sale of assets, data may be transferred as part of that transaction. We will notify affected users in advance.

We do not share subscriber data held on behalf of an ISP with any party other than the ISP itself and the processors acting under the ISP's direction.

6. Data Retention

• Account data is retained for as long as your account is active and for a reasonable period thereafter to resolve disputes or comply with legal obligations.
• Subscriber and network data is retained in accordance with your ISP's configuration. You may export or delete records at any time from within the platform.
• Payment records are retained for a minimum of 7 years in compliance with Kenyan tax and financial regulations.
• Support correspondence is retained for up to 3 years from the date of last contact.
• Server logs are automatically purged after 90 days.

7. Cookies & Tracking Technologies

We use the following types of cookies:

You can disable cookies through your browser settings. Disabling session cookies will prevent you from logging in to the platform.

8. Data Security

We implement industry-standard technical and organisational measures to protect your data, including:

• TLS/HTTPS encryption for all data in transit.
• Encrypted storage for passwords (bcrypt hashing) and sensitive tokens.
• Role-based access controls ensuring platform users only access data within their scope.
• Regular security reviews and dependency auditing.
• Audit logs for all privileged actions.

No system is completely secure. If you suspect unauthorised access to your account, contact us immediately at info@qserve-isp.net.

9. International Data Transfers

Our servers are primarily located in the Republic of Kenya. Some third-party services (e.g., Google Analytics, cloud infrastructure providers) may process data outside Kenya. Where data is transferred internationally, we ensure appropriate safeguards are in place consistent with the Kenya Data Protection Act, 2019 and applicable cross-border transfer regulations.

10. Your Rights

Under the Kenya Data Protection Act, 2019, and where applicable the EU General Data Protection Regulation (GDPR), you have the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — request deletion of your data, subject to retention obligations.
• Restriction — ask us to limit how we process your data in certain circumstances.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at info@qserve-isp.net. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner of Kenya (www.odpc.go.ke).

11. Children's Privacy

The Service is intended for business use by ISP operators and their staff. It is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

12. Third-Party Links

Our website may contain links to third-party sites (e.g., Safaricom, MikroTik). We are not responsible for the privacy practices of those sites and encourage you to review their policies separately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top and, for material changes, notify account holders by email or an in-platform notice. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

14. Contact Us

For any privacy-related questions, requests, or complaints, please reach out to us: