Privacy Policy

Effective date: 16 April 2026

1. Who we are

Kulode ("we", "us", "our") is an invoicing and financial management platform for small businesses and freelancers. We are subject to the Nigeria Data Protection Act 2023 (NDPA) and take our obligations under it seriously. Our data controller contact is privacy@kulode.app.

2. Data we collect

We collect the following categories of personal and business data:

  • Account data: your name, email address, organisation name, and password (stored as a one-way hash).
  • Business data: invoices, clients, expenses, vendors, and any other content you create inside Kulode.
  • Payment data: subscription billing is processed by Paystack. We store only a tokenised authorisation reference — we never see or store your full card number.
  • Usage data: pages visited, features used, errors encountered, and session metadata, collected via PostHog to help us improve the product.
  • Technical data: IP address, browser type, device type, and timestamps associated with your requests.
  • Communications: any messages you send us via email or support channels.

We do not collect sensitive personal data (e.g. health, biometric, or political data) and do not sell your data to third parties.

3. How we use your data

We use your data only for the following purposes:

  • Providing, maintaining, and improving the Kulode service.
  • Processing your subscription payments and managing your account.
  • Sending transactional emails (invoice notifications, payment receipts, account alerts).
  • Generating tax filing reports and financial summaries you request.
  • Responding to support requests and resolving disputes.
  • Analysing aggregate, anonymised usage to improve features.
  • Complying with applicable laws, including tax and financial regulations.

We will not use your data for unsolicited marketing without your explicit consent. Where we rely on legitimate interests as a legal basis, you may object at any time.

4. Third-party processors

We share data with the following sub-processors, each bound by data processing agreements:

Processor Purpose Location
Paystack Payment processing and subscription billing Nigeria / Ireland
Google (OAuth) Single sign-on authentication USA
PostHog Product analytics and error tracking EU / USA
Cloud hosting provider Infrastructure and database hosting EU

Where processors are located outside Nigeria, we ensure appropriate safeguards are in place as required by the NDPA.

5. Data retention

We retain your account and business data for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 90 days, except where we are required to retain it for legal or regulatory purposes (e.g. financial records, which may be retained for up to 7 years under Nigerian tax law).

6. Your rights

Under the NDPA and applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data (subject to legal retention obligations).
  • Portability — receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is consent-based.
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your rights have been violated.

To exercise any of these rights, email us at privacy@kulode.app. We will respond within 30 days.

7. Cookies

We use strictly necessary cookies to keep you logged in and maintain your session. We also use analytics cookies (PostHog) to understand how the product is used. You can disable analytics cookies in your browser settings; this will not affect your ability to use Kulode.

8. Security

We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, hashed passwords, and role-based access controls. No method of transmission over the internet is 100% secure; we will notify affected users promptly in the event of a data breach as required by law.

9. Children

Kulode is intended for use by adults operating businesses or providing freelance services. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has created an account, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. Continued use of Kulode after the effective date constitutes acceptance of the updated policy.

11. Contact

For any privacy-related queries or to exercise your rights, contact us at:
privacy@kulode.app