Privacy Policy
This policy outlines how Vertext Digital collects, handles, isolates, and encrypts personal and programmatic metadata across our entire multi-service automation suite.
Last Updated: June 4, 2026Introduction & Platform Scope
Vertext Digital ("we", "our", "us", or "sam.co.ke") operates a unified business automation suite featuring AI Email Agents, Bulk SMS, and programmatic Airtime APIs hosted at sam.co.ke. This Privacy Policy explains how we collect, use, process, and safeguard your personal information when you access our platforms.
Categories of Personal Data Collected & Profile Unification
We collect: (a) Google and GitHub account identifiers; (b) Connected Gmail account metadata; (c) Pre-funded wallet transaction histories; (d) Knowledge base PDF text contents; and (e) Platform telemetry logs. Profiles sharing the same verified email or phone number are dynamically linked under a single primary user ID context.
Google OAuth & Gmail Access Scopes
Our AI Email Agent relies on Google OAuth 2.0. We request gmail.modify and gmail.compose scopes solely to execute autonomous reply loops, retrieve unread incoming message templates, and create draft responses or send direct replies. You can revoke access at any time through the Google Account Security portal.
Processing of Email Snippets and Content
When the background daemon cycle runs, it pulls incoming Gmail threads. Promotional or newsletter items are skipped. Direct inquiries are loaded into system memory to generate answers. We do not store complete email body texts permanently beyond processing logs and temporary AI completion streams.
Unified Wallet Billing & Paystack Processing
Transaction checkouts are processed securely by our partner Paystack. We do not store credit card numbers, CVVs, or mobile money PINs on our servers. We receive and store transaction references, deposit amounts, transaction dates, and billing phone numbers to verify wallet credits.
Vector Database & PDF Ingestions
Documents you upload are parsed, chunked, and transformed into 1536-dimensional numerical embeddings. The source PDF files are not permanently stored on our servers. The vectorized text chunks are saved securely and accessed exclusively to guide your AI agent replies.
Row-Level Security (RLS) Protections
All user information, connection refresh tokens, vectorized knowledge chunks, and transaction histories are stored in our Supabase PostgreSQL database. We enforce strict PostgreSQL Row-Level Security policies on all tables, ensuring that a user's data is only queryable by their authenticated user ID session.
Token Cryptography & Encryption Keys
Google OAuth refresh tokens are encrypted prior to database storage using AES-256-CBC encryption algorithms. The unique encryption key and initialization vector are stored in separate secure environment variable vaults, isolated from the standard databases.
Data Retention & Purging Cycles
We apply strict data retention policies: (a) API log streams and transaction tables are archived for legal auditing; (b) AI Email Agent processing logs are retained for up to 90 days before automated purge; and (c) Vectorized knowledge base embeddings are retained until manually deleted by you.
Google User Data Integrity Statement
Vertext Digital's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access Gmail messages strictly to run automated response workflows. Google OAuth refresh tokens are encrypted at rest. We do not share, sell, or transfer your Google user data to third-party ad networks, data brokers, or analytics platforms.
Outbound Bulk SMS Data Sharing
When sending Bulk SMS campaigns, recipient phone numbers and message payloads are transmitted to partner carrier gateways to facilitate cellular delivery. You agree that you have obtained consent to transmit these phone numbers.
Airtime API Charging Log Records
Airtime dispatches require sharing the destination phone number and recharge amount with partner telecom networks (Safaricom, Airtel, Telkom, JTL, Equitel) to process airtime credits. We retain logs of transaction status, receipt codes, and network callback responses for wallet billing auditing.
Cookies & Active Browser Session States
We set small session cookies to authenticate your dashboard access. These cookies are strictly necessary for platform operation and expire automatically when you sign out or close your web browser. We do not use third-party advertising or tracking cookies.
Browser Local Storage Usage
We use browser local storage to store basic non-sensitive client preferences, including your preferred global currency display setting (USD or KES). Local storage datasets remain client-side and are never transmitted to our backend servers.
Third-Party Service Sub-Processors
Our services integrate: Google Cloud (OAuth and APIs), Supabase Inc. (cloud databases), Groq Inc. (AI model inference hosting), Render Inc. (servers and hosting), and Paystack (payment processing). Each sub-processor handles data under strictly compliant service level agreements.
Kenya Data Protection Act Compliance
Vertext Digital operates in compliance with the Kenya Data Protection Act of 2019. We process all personal data transparently, securely, and exclusively for defined business purposes, and cooperate fully with the Office of the Data Protection Commissioner.
European Union GDPR Alignment
For users accessing our services from the European Economic Area, we align processing activities with GDPR. We act as the Data Processor for your email and vector integrations, while you remain the Data Controller. Data transfers to foreign hosting sites utilize Standard Contractual Clauses.
Right to Access & Data Portability
You hold the legal right to request a complete machine-readable copy of all personal data, transaction histories, API keys, and RAG knowledge chunks stored in your account. We will compile and transmit this information in standard JSON format within 30 days of verification.
Right to Rectification of Profiles
You are entitled to correct or update any outdated or inaccurate personal profiles, linked billing telephone numbers, and vector parameters directly through your user modal dashboard settings. Updates apply immediately across all database nodes.
Right to Erasure (Right to be Forgotten)
Upon account closure, you may request complete deletion of all active profile database items. We will permanently delete your Google OAuth refresh tokens, vectorized chunks, connection histories, and custom vector embeddings within 30 days, leaving only aggregate financial ledger summaries for taxation.
Right to Restrict Data Processing
You may request us to restrict or temporarily freeze active processing of your data while retaining your account database records. You can also achieve this directly by toggling connection parameters inside your dashboard settings.
Children's Online Privacy Protection
Our platform resources are designed strictly for adult business operators and developers. We do not knowingly collect or process personal data from children under the age of 18. If we detect that a minor has authorized Gmail OAuth connections, we will terminate the session and purge the data immediately.
Data Breach Response & Alert Rules
We monitor data access logs continuously. In the unlikely event of a security breach, we will notify affected customers via email and platform alerts within 72 hours of verification, outlining the breach nature and remediation steps.
Data Security Audits & Checks
Our engineering team performs periodic security reviews of our Next.js backend, Supabase database schemas, and cryptographic modules. We keep our npm packages updated to prevent prototype pollution or dependency vulnerabilities.
Exclusion of Analytical Ad Tracking
We do not integrate ad-tracking scripts inside our functional developer dashboards. Your service configurations are never shared with marketing brokers.
Legal Disclosures & Law Enforcement
We may disclose user data only when legally required by valid judicial court orders, government subpoenas, or compliance with national security regulations under Kenyan jurisdiction. We verify all requests for proper legal standing prior to sharing data.
Corporate Restructuring & Mergers
In the event of a corporate merger, acquisition, or asset sale, your personal data and wallet balances may be transferred to the acquiring entity. We will notify you 30 days prior to such transfers, allowing you to close your account.
How to Revoke Gmail OAuth Access
To immediately sever the connection between our AI Email Agent and your Gmail inbox: (a) Revoke access directly inside the Google Security dashboard at myaccount.google.com/permissions; or (b) Click the disconnect trigger inside the Vertext Digital console.
Data Protection Officer Contact
For any privacy inquiries, right-to-erasure exercises, or data audit requests, contact our Data Protection Officer at [email protected] or via sam.co.ke.
Policy Updates & Legal Consent
We may amend this Privacy Policy periodically. Modifications are live once posted to this page with a revised date. Continued account activity constitutes legal consent to updated privacy rules.