01. Who we are (Legal review required)
This Privacy Policy applies to GwizaSuite Ltd, a company registered in the Republic of Rwanda, with its registered office at KG 7 Ave, Kigali Heights, 4th floor, Suite 4B, Kacyiru, Kigali, Rwanda.
For the purposes of Rwanda’s Law Nº 058/2021 on the protection of personal data and privacy (the “Data Protection Law”), GwizaSuite Ltd is the data controller in respect of personal data processed through the GwizaSuite service and website.
You can reach our designated data protection contact at privacy@gwizasuite.com. Postal correspondence can be addressed to the office above, marked “Privacy / Data Protection.”
02. What data we collect (Legal review required)
We collect the following categories of personal data. We describe each category in terms of its purpose, not the underlying systems that store it.
- Account data. The information you provide when you sign up or invite team members: name, email address, role, preferred language, and hashed password.
- Business data. The records you create inside GwizaSuite: customers, suppliers, invoices, payments, stock, ledger entries, documents you upload, and related metadata. This is the data you own and control.
- Usage data. Information about how you interact with the service: features used, pages viewed, actions taken, and timestamps. We use this to improve reliability and UX.
- Device and log data. Device type, browser, IP address, operating-system version, and server logs of requests. Retained for a limited time for security and debugging.
- Payment metadata. When you pay for a subscription we collect billing contact details, tax ID, and subscription metadata. We do not store full card numbers. Card details are handled by our PCI-compliant payment processor directly.
03. How we use your data (Legal review required)
We process personal data only for the following purposes:
- To run the service. Authenticate you, render your data, process invoices and payments, synchronize between modules.
- To support you. Respond to tickets, investigate issues, and — only with your explicit, time-boxed consent — temporarily impersonate your account to reproduce a bug.
- To improve the product. Aggregate usage analytics (in most cases anonymized) to identify friction and prioritize improvements.
- To meet legal obligations. Retain financial records, respond to lawful requests from Rwandan authorities, and assist with RRA audits.
- To communicate with you. Send transactional emails (invoices, password resets, security notices) and — only if you’ve opted in — the newsletter.
We do not sell, rent, or trade your personal data. We do not share it with advertising networks. We do not use your business data to train AI models.
04. Legal basis for processing (Legal review required)
Under Law Nº 058/2021, we rely on the following legal bases for the processing described above:
- Performance of a contract. Processing necessary to provide the service you’ve signed up for — authentication, hosting your records, producing the outputs you ask for (invoices, reports, exports).
- Legitimate interest. Security monitoring, fraud prevention, product analytics in aggregate form, and service reliability. We balance these against your interests and do not use this basis for marketing.
- Consent. Marketing communications (newsletter), optional non-essential cookies, and any time we impersonate your account for support. You can withdraw consent at any time.
- Legal obligation. Retention of financial records for the period required by Rwandan tax law (currently 7 years), and compliance with lawful requests from Rwandan authorities.
05. Who we share data with (Legal review required)
We engage a limited number of sub-processors to operate GwizaSuite. We do not publish the names of these sub-processors on this public page for security reasons — a full, named list is included in our Data Processing Agreement (DPA), available under NDA during procurement. Contact privacy@gwizasuite.com to request it.
The categories of sub-processor we rely on are:
| Category of processor | Purpose | Region |
|---|---|---|
| Our managed infrastructure provider | Application hosting, database, backups, file storage | European Union |
| Our payment processor | Subscription billing and PCI-compliant card handling | European Union |
| Our transactional email provider | Sending authenticated transactional emails (receipts, password resets) | European Union |
| Our error-tracking provider | Capturing and aggregating application errors for debugging | European Union |
| Our help-centre provider | Hosting the public help centre and in-app help articles | European Union |
Each sub-processor is bound by a written agreement that requires them to process personal data only on our instructions, to maintain confidentiality, and to apply appropriate technical and organisational security measures.
06. Where we store data (Legal review required)
Your data is stored in data centres located in the European Union, with redundancy across multiple availability zones. Backups are encrypted and retained in the same region. See Section 12 on international transfers for information about how Rwanda-to-EU transfers are handled.
07. How long we keep data (Legal review required)
- Financial records (invoices, payments, ledger entries, audit logs): 7 years from the date of the record, as required by Rwandan tax law.
- Account data (name, email, role, language preference): retained for the lifetime of your account, deleted within 30 days of account cancellation unless retention is required by law.
- Usage and log data: retained for up to 90 days for debugging and security, then deleted or aggregated.
- Backups: retained for 30 days, then overwritten in rolling cycles.
You can request earlier deletion of any data not required by law by emailing privacy@gwizasuite.com.
08. Your rights (Legal review required)
Under Law Nº 058/2021 you have the following rights in respect of your personal data:
- Right of access. You can ask for a copy of the personal data we hold about you.
- Right to rectification. You can ask us to correct inaccurate or incomplete data.
- Right to erasure. You can ask us to delete your data, subject to legal retention obligations.
- Right to data portability. You can export your data in a structured, machine-readable format (CSV / PDF / signed-CSV for audit logs).
- Right to object. You can object to processing based on legitimate interests.
- Right to withdraw consent. Where processing is based on consent, you can withdraw consent at any time.
- Right to complain. You can lodge a complaint with the Rwandan data protection authority if you believe your rights have been infringed.
To exercise any of these rights, email privacy@gwizasuite.com. We respond to requests within 30 days.
09. Security (Legal review required)
We apply technical and organisational measures designed to protect your data against unauthorised access, alteration, disclosure, or destruction. Measures include TLS 1.3 for data in transit, AES-256 encryption at rest, row-level security enforced in the database, an append-only audit log, quarterly restore drills, and a responsible-disclosure programme.
A fuller technical description — including our infrastructure architecture, encryption key management, and incident response process — is published on our Security page. The long-form Security & Compliance Brief (PDF) is available on request.
10. Cookies and tracking (Legal review required)
We use cookies and similar technologies for the following purposes:
- Strictly necessary cookies — session authentication, CSRF protection, language preference. These cannot be disabled without breaking the service.
- Functional cookies — remembering UI state such as the last report view, tab order, or collapsed panels.
- Analytics cookies — aggregated usage metrics. We do not use advertising cookies, and we do not share analytics data with third-party ad networks.
You can manage cookie preferences in your browser settings. A dedicated cookie preferences panel will be available directly from the footer of every public page in an upcoming release.
11. Data breaches (Legal review required)
If we become aware of a personal data breach that is likely to affect your rights, we will:
- Notify you by email within 72 hours of becoming aware, at the primary email address on your account.
- Notify the Rwandan data protection authority within the same window, as required by Law Nº 058/2021.
- Publish a public post-mortem within 14 days of the incident — regardless of severity — describing what happened, what data was affected, and what we changed to prevent recurrence.
To report a suspected security issue, email security@gwizasuite.com. We respond within 24 hours.
12. International transfers (Legal review required)
GwizaSuite is operated from Rwanda, but the primary data storage is located in the European Union. This means personal data collected in Rwanda is transferred to the EU for storage and processing.
We rely on an appropriate legal transfer mechanism under the Data Protection Law, including contractual safeguards equivalent to standard contractual clauses, and we ensure each sub-processor in the EU is bound by equivalent obligations.
13. Children’s privacy (Legal review required)
GwizaSuite is a business-to-business product and is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will delete it promptly. If you believe a child has provided us with data, please email privacy@gwizasuite.com.
14. Changes to this policy (Legal review required)
We may update this policy from time to time. When we make material changes — changes that affect your rights, our data-processing purposes, or our sub-processors — we will:
- Notify all account owners by email at least 30 days before the change takes effect.
- Update the “Last updated” date at the top of this page.
- Publish a diff in the version history below, summarising what changed and why.
Non-material changes (typos, clarifications, broken-link fixes) are made without advance notice but are still logged in the version history.
15. How to contact us (Legal review required)
Questions about this policy, your personal data, or our data-protection practices should be directed to our Data Protection Officer:
- privacy@gwizasuite.com
- Post: GwizaSuite Ltd — Data Protection, KG 7 Ave, Kigali Heights, 4th floor, Suite 4B, Kacyiru, Kigali, Rwanda
- Priority line: +250 788 000 000 (urgent matters only)
- Web form: gwizasuite.com/contact
We respond to data-protection requests within 5 business days for acknowledgement and within 30 days for completion, as required by Law Nº 058/2021.
§ Version history
| Version | Date | Summary of changes |
|---|---|---|
| 1.0 | April 18, 2026 | Initial publication. |
Older versions available on request from privacy@gwizasuite.com.