Privacy Policy
Last updated: 14 April 2026
1. Introduction
Freddia Ltd ("Freddia", "we", or "us") is committed to protecting the privacy of our customers. This Privacy Policy describes how we collect, use, store, and protect your information when you use the Freddia platform.
2. Data We Collect
We collect the following categories of data:
- Account information: name, email address, phone number, organisation name, TIN/TPIN, business address, and similar onboarding details.
- Customer Data: financial records, invoices, bills, expenses, employee records, payroll data, and documents that you or your team upload or generate while using the Service.
- Usage data: anonymised logs of how the Service is used (e.g. pages visited, features used, error reports) to improve performance and reliability.
3. How We Use Your Data
- To provide, maintain, and improve the Service.
- To authenticate users and provide customer support.
- To send important service notices (e.g. security alerts, billing notices). Marketing messages are opt-in only.
- To comply with legal obligations under Malawian law.
We do not sell your data to third parties. We do not use your financial or employee data to train general-purpose AI models.
4. Where Your Data is Stored
Customer Data is stored on Convex Cloud infrastructure, our backend-as-a-service provider. Data is encrypted in transit (TLS) and at rest. Backups are retained by our infrastructure provider for disaster recovery.
5. Your Rights
You have the following rights in relation to your data:
- Access & portability: export a full JSON copy of your organisation's data at any time from Settings → Data Export.
- Correction: update or correct any personal or organisational information directly in the app.
- Deletion: request permanent deletion of your account and all associated data by emailing us. Deletion is final and cannot be reversed.
6. Security Measures
- All data is encrypted in transit using TLS 1.2 or higher.
- Data at rest is encrypted on our infrastructure provider.
- Access to customer data is restricted to authorised personnel on a need-to-know basis.
- Passwords are hashed using industry-standard algorithms; we never store plaintext passwords.
- Role-based access control (RBAC) allows you to limit what your team members can see and do inside your organisation.
7. Cookies
We use a minimal set of cookies strictly necessary to keep you signed in (authentication session cookies). We do not use advertising, cross-site tracking, or third-party marketing cookies.
8. Third-Party Services
The Service integrates with third-party systems you choose to connect (e.g. Malawi Revenue Authority EIS for invoice transmission, optional AI providers for natural-language queries). Data shared with these services is limited to what is necessary for the requested function.
9. Data Retention
We retain Customer Data for as long as your account is active. On account closure, data is held for a grace period of 30 days to allow recovery, then permanently deleted unless a longer retention period is required by law.
10. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be notified within the Service. The "Last updated" date at the top indicates when the policy was last revised.
11. Contact
For privacy-related questions, data access requests, or deletion requests, please contact us at privacy@freddia.com.