Overview & Plain Language Summary
Centipid operates in two capacities: as a data controller for our own platform users (venue operators and their staff), and as a data processor on behalf of venue operators for data collected from their WiFi customers. We do not sell personal data to anyone. WiFi portal data belongs to the venue operator. End users can always opt out. We comply with the Kenya Data Protection Act 2019, the Nigeria Data Protection Act 2023, the Ghana Data Protection Act 2012, and the EU General Data Protection Regulation (GDPR).
This Privacy Policy explains how Centipid Technologies Limited ("Centipid", "we", "us", "our") handles personal data across two distinct contexts:
- Platform Users — businesses, venue operators, and individuals who create and manage a Centipid account to operate WiFi marketing campaigns.
- WiFi End Users — customers, guests, and visitors who connect to a WiFi network operated through the Centipid platform at a physical venue (restaurant, hotel, gym, etc.).
If you are a WiFi end user and want to understand what data was collected about you at a specific venue, you should contact that venue directly. Centipid processes this data on the venue's behalf. This policy explains how we do so and what protections are in place.
Who We Are
Centipid Technologies Limited is a technology company incorporated in Kenya. We build and operate a WiFi marketing and analytics platform that allows venue operators to capture leads, run automated marketing campaigns, collect reviews, and manage WiFi access through guest captive portals.
| Detail | Information |
|---|---|
| Company | Centipid Technologies Limited |
| Registration | Registered in Kenya under the Companies Act (Cap. 486) |
| Principal Office | I&M Bank Building, Upperhill, Nairobi, Kenya |
| Data Protection Officer | [email protected] |
| Privacy Enquiries | [email protected] |
| Applicable Laws | Kenya DPA 2019, NDPR 2023, Ghana DPA 2012, GDPR, CASL, CAN-SPAM |
Data Controller vs. Data Processor
Under applicable data protection laws, there is an important distinction between a data controller (who decides why and how data is processed) and a data processor (who processes data on behalf of a controller). Centipid acts in both capacities, depending on the context.
When Centipid is the Data Controller
For data relating to our platform users — including account registration data, billing information, support correspondence, and usage analytics of the Centipid platform itself — Centipid is the data controller. We decide the purposes and means of processing this data.
When Centipid is a Data Processor
For data collected from WiFi end users through captive portals operated by our venue operator customers, Centipid acts as a data processor. The venue operator (our customer) is the data controller. They determine what data to collect, what consent language to use, and what marketing they send. Centipid processes this data strictly on their documented instructions.
As the data controller for your WiFi customers' data, you are legally responsible for ensuring valid consent is obtained, that your privacy notice is visible on your captive portal, and that you honour any data subject requests from your customers. Centipid provides the tools and infrastructure; you bear the controller responsibility. Our Data Processing Agreement (DPA) is available on request.
Information We Collect
4a. WiFi Portal Data (Collected on Behalf of Venue Operators)
When a person connects to a Centipid-powered WiFi network, the captive portal may collect the following, depending on the venue operator's configuration:
| Data Type | How Collected | Required? |
|---|---|---|
| Email address | Direct entry or social login (Google, Facebook) | Configurable |
| Full name | Direct entry or social login | Configurable |
| Phone number | Direct entry + OTP verification | Configurable |
| Date of birth | Optional field shown on portal | Optional |
| Gender | Optional field shown on portal | Optional |
| Custom fields | Venue operator may add custom form fields (Professional+ plans) | Configurable |
| MAC address | Device identifier captured at login for session management | Technical — automatic |
| Device type & OS | User-agent string from device browser | Technical — automatic |
| Session data | Login time, session duration, data usage, reconnection events | Technical — automatic |
| Location (venue) | WiFi access point identifier — identifies which venue/zone was visited | Technical — automatic |
| Marketing consent | Consent checkbox state recorded with timestamp at login | Required for marketing |
4b. Platform Account Data (Centipid as Controller)
When you create and use a Centipid account, we collect:
- Registration information — name, email address, business name, country, phone number.
- Billing and payment data — payment method (card last four digits, M-Pesa number, or Paystack/Flutterwave reference). Full card numbers are processed by our payment providers (Paystack, Flutterwave, Stripe) and are never stored by Centipid.
- Business information — venue details, industry type, number of locations, WiFi hardware configuration.
- Communication records — emails, support tickets, live chat conversations, and WhatsApp support messages.
- Verification documents — for Enterprise accounts, we may request business registration documents or identification to verify your business.
4c. Platform Usage Data & Analytics
When you use the Centipid dashboard, we automatically collect:
- Log data — IP address, browser type, pages visited within the dashboard, actions taken, timestamps.
- Device data — operating system, screen resolution, browser version.
- Feature usage analytics — which features you use, how often, and in what sequence. Used to improve the platform.
- Error and crash reports — automatically collected to diagnose and fix platform issues.
How We Use Your Data
For Platform Users (Centipid as Controller)
- Providing the service — operating your account, processing payments, configuring portals, delivering campaigns.
- Customer support — responding to enquiries, diagnosing technical issues, onboarding assistance.
- Platform improvements — analysing usage patterns to improve features, fix bugs, and build new functionality.
- Security and fraud prevention — monitoring for suspicious account activity, preventing abuse of the platform.
- Legal compliance — maintaining records as required by applicable law, responding to lawful requests from authorities.
- Product communications — sending product updates, new feature announcements, and account notifications. You may opt out of non-essential communications at any time.
For WiFi End User Data (Centipid as Processor)
Centipid processes WiFi end user data solely on the documented instructions of the venue operator (data controller). This includes:
- Authenticating the user's WiFi session and managing network access.
- Storing captured lead data in the venue operator's Centipid account.
- Sending marketing campaigns (email, SMS, WhatsApp) on behalf of the venue operator, subject to the end user's consent.
- Generating visit analytics, segmentation, and campaign performance reports for the venue operator.
We do not use WiFi end user data for Centipid's own marketing, we do not build profiles across multiple venues, and we do not share it with third parties except as necessary to deliver the service (sub-processors listed below).
Legal Basis for Processing
Under the GDPR and comparable African data protection laws, processing must have a lawful basis. The following table sets out the bases we rely on:
| Processing Activity | Legal Basis |
|---|---|
| Providing our platform service to registered customers | Performance of contract |
| Processing payments and maintaining billing records | Performance of contract / Legal obligation |
| Sending essential service communications (security alerts, downtime notices) | Performance of contract / Legitimate interest |
| Sending marketing emails about Centipid products to existing customers | Legitimate interest (with opt-out) |
| Sending marketing emails to prospective customers | Consent (where required) / Legitimate interest |
| Platform usage analytics and product improvement | Legitimate interest |
| WiFi session management (MAC address, session logs) | Legitimate interest of venue operator |
| WiFi portal lead capture and marketing campaigns | Consent of the WiFi end user (obtained at portal) |
| Fraud detection and security monitoring | Legitimate interest / Legal obligation |
| Complying with legal requests from authorities | Legal obligation |
International Data Transfers
Centipid serves customers globally and our infrastructure involves sub-processors in the United States and Europe. Personal data may therefore be transferred outside the country in which it was collected.
Where data is transferred outside the EEA or a country with an adequate level of protection, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) — for transfers to sub-processors in countries without an adequacy decision.
- Adequacy decisions — where applicable, we rely on formal adequacy determinations by relevant supervisory authorities.
- Data Processing Agreements — all sub-processors are bound by contractual obligations equivalent to those in this policy.
Customers who require data residency within specific jurisdictions (e.g., Kenya or Nigeria) should contact us. We can accommodate this for Enterprise plan customers on request.
Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Platform account data | Duration of account + 90 days after deletion request | Service delivery |
| WiFi end user lead data (Starter) | 3 months from capture | Plan limit |
| WiFi end user lead data (Starter Plus) | 6 months from capture | Plan limit |
| WiFi end user lead data (Professional) | 12 months from capture | Plan limit |
| WiFi end user lead data (Scale / Enterprise) | 24 months from capture or custom | Plan limit |
| Billing and invoice records | 7 years from invoice date | Kenya tax / accounting law |
| Marketing campaign logs | 12 months from send date | Deliverability and compliance |
| Support conversation records | 3 years from last interaction | Legitimate interest |
| Session / audit logs | 90 days rolling | Security and fraud prevention |
| Backup copies | Purged within 30 days of primary deletion | Technical |
When an account is closed, we export a final data snapshot for the account holder upon request, then permanently delete all personal data from production systems within 30 days and from backup systems within 90 days.
Security Measures
We implement technical and organisational measures appropriate to the risk of processing personal data. These include:
- Encryption in transit — all data is transmitted over TLS 1.2 or higher. WiFi portal pages are served over HTTPS.
- Encryption at rest — database storage is encrypted using AES-256. Backups are encrypted.
- Access controls — internal access to personal data is limited to employees who need it for their role, authenticated by multi-factor authentication.
- Network security — all services are protected by Cloudflare WAF, DDoS mitigation, and rate limiting. Internal infrastructure is accessed over a WireGuard VPN.
- Penetration testing — regular third-party security assessments of our infrastructure and application code.
- Incident response — we maintain a documented data breach response procedure. We will notify affected individuals and supervisory authorities within 72 hours of becoming aware of a qualifying breach.
- Employee training — all staff with access to personal data receive data protection training on joining and annually.
If you discover a potential security vulnerability in our platform, please contact us at [email protected] before disclosing publicly. We respond to all responsible disclosure reports within 24 hours.
Your Rights
Depending on your location, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at [email protected]. We respond within 30 days (or such shorter period as required by law).
Right to Access
Request a copy of the personal data we hold about you, including the purposes we process it for.
Right to Rectification
Ask us to correct inaccurate or incomplete data we hold about you.
Right to Erasure
Request deletion of your personal data where we no longer have a lawful basis to process it.
Right to Restrict
Ask us to restrict processing while a dispute is resolved, rather than deleting your data.
Right to Portability
Receive your data in a structured, machine-readable format (CSV or JSON) to transfer to another provider.
Right to Object
Object to processing based on legitimate interests, including profiling and direct marketing.
Automated Decisions
Right not to be subject to decisions made solely by automated processing that significantly affect you.
Withdraw Consent
Where processing is based on consent, withdraw it at any time. Withdrawal doesn't affect prior lawful processing.
WiFi End Users
If you connected to a Centipid-powered WiFi network and want to exercise your rights, you should contact the venue (the data controller) directly. Venue contact details are typically available on their captive portal or website. You may also email us at [email protected] and we will direct your request to the appropriate venue operator within 5 business days.
You can opt out of marketing messages at any time using the unsubscribe link in any email or by replying STOP to any SMS. WhatsApp campaigns include instructions for opting out. Opt-out requests are processed within 24 hours.
Supervisory Authority
If you believe your rights have not been respected, you have the right to lodge a complaint with the relevant supervisory authority in your country — including the Office of the Data Protection Commissioner (Kenya), the Nigeria Data Protection Commission (NDPC), or the Data Protection Commission (Ghana).
Children's Privacy
Centipid's platform is not directed at children under the age of 13 (or 16 where required by applicable law). We do not knowingly collect personal data from children. If you are a venue operator and believe that children may use your WiFi, you are responsible as data controller for implementing age-appropriate consent mechanisms on your captive portal.
If we become aware that we have collected personal data from a child without appropriate parental consent, we will delete that data promptly. Contact [email protected] if you have concerns.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Send an email notification to all registered platform users at least 14 days before the changes take effect.
- Display a notice on the Centipid dashboard when you next log in.
For significant changes that affect the legal basis or purposes of processing, we will seek fresh consent where required. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.
Contact & Data Protection Officer
For any questions, concerns, or requests relating to this Privacy Policy or to your personal data, please contact us:
Get in touch about privacy
We take data protection seriously. Our Data Protection Officer responds to all enquiries within 5 business days. For urgent matters — including suspected breaches — please mark your subject line URGENT.