• Home
  • The Problem
  • Solution
  • How it Works
  • Industries
  • Benefits
  • Pricing
Book a Demo

Data Protection

Effective Date: 01 April 2026

Website: https://mtejaflow.com

Product: MtejaFlow™

Operated by: Lolla Technologies Ltd

Powered by: Mteja360

1. Our Commitment to Data Protection

MtejaFlow™ is built to help businesses manage WhatsApp communication in a structured, secure and responsible way.

Because MtejaFlow™ may process customer names, phone numbers, WhatsApp conversations, bookings, orders, payment references, support requests, feedback and related business information, we take data protection seriously.

We are committed to protecting personal data, respecting customer consent, supporting responsible WhatsApp communication and helping businesses use customer information lawfully and transparently.

MtejaFlow™ is operated by Lolla Technologies Ltd and powered by Mteja360.

2. Purpose of This Data Protection Notice

This Data Protection Notice explains how MtejaFlow™ approaches the protection of personal data when businesses use the platform to communicate with customers, automate workflows, manage support requests, send payment links, trigger reminders and analyze customer interactions.

It is intended to help:

  • • Businesses understand their data protection responsibilities
  • • Customers understand how their data may be handled
  • • Staff users understand acceptable handling of customer data
  • • Partners understand how MtejaFlow™ supports responsible data processing

This Notice should be read together with our Privacy Policy, Terms of Service and WhatsApp Opt-In Policy.

3. Our Role in Data Processing

Depending on the situation, MtejaFlow™ / Lolla Technologies Ltd may act as:

3.1 Data Processor / Technology Provider

In many cases, a business uses MtejaFlow™ to communicate with its own customers. The business decides:

  • • Which customers to contact
  • • Which WhatsApp number to use
  • • Which messages or templates to send
  • • Which workflows to configure
  • • Which staff can access conversations
  • • How customer requests are handled
  • • How long business records should be retained

In this case, the business is generally the data controller, and MtejaFlow™ acts as a technology provider or data processor.

3.2 Data Controller

MtejaFlow™ / Lolla Technologies Ltd may act as a data controller for information collected directly by us, such as:

  • • Website inquiries
  • • Demo requests
  • • Sales conversations
  • • Support requests
  • • Billing contacts
  • • Product usage data
  • • Internal account administration records
4. Types of Data Processed

MtejaFlow™ may process the following categories of data depending on the client setup and workflows configured.

4.1 Customer Identity Data

  • • Customer name
  • • Phone number
  • • WhatsApp profile information where available
  • • Customer ID
  • • Student ID
  • • Member number
  • • Account number
  • • Booking ID
  • • Order ID

4.2 Communication Data

  • • WhatsApp messages
  • • Message timestamps
  • • Message delivery status
  • • Customer replies
  • • AI-assisted responses
  • • Agent replies
  • • Escalation notes
  • • Conversation history

4.3 Workflow Data

  • • Bookings
  • • Orders
  • • Support tickets
  • • Complaints
  • • Feedback
  • • Surveys
  • • Appointment requests
  • • Service requests
  • • Application updates
  • • Task assignments

4.4 Payment-Related Data

  • • Payment request amount
  • • Invoice reference
  • • Order reference
  • • Payment link status
  • • Payment confirmation status
  • • Receipt reference
  • • Transaction metadata

MtejaFlow™ does not store mobile money PINs, card PINs or full card credentials.

4.5 Business Configuration Data

  • • Business name
  • • WhatsApp number
  • • Staff users
  • • Branches
  • • Departments
  • • Services and products
  • • Menus and price lists
  • • Business hours
  • • Escalation rules
  • • AI knowledge base
  • • Message templates
  • • Integration settings

4.6 Technical and Security Data

  • • Login activity
  • • Audit logs
  • • Error logs
  • • Webhook logs
  • • API events
  • • Device and browser information
  • • IP address
  • • Access permissions
  • • System activity records
5. Data Protection Principles

MtejaFlow™ is guided by the following data protection principles.

5.1 Lawfulness, Fairness and Transparency

Personal data should be collected and used in a lawful, fair and transparent way.

Businesses using MtejaFlow™ should tell customers why their data is being collected and how it will be used.

5.2 Purpose Limitation

Personal data should only be used for clear and legitimate business purposes, such as:

  • • Responding to customer inquiries
  • • Managing bookings
  • • Processing orders
  • • Sending payment links
  • • Handling support requests
  • • Sending service updates
  • • Collecting feedback
  • • Managing customer experience

5.3 Data Minimization

Only data that is necessary for the intended purpose should be collected and processed.

Businesses should avoid collecting unnecessary personal information through WhatsApp workflows.

5.4 Accuracy

Businesses should ensure that customer information, service details, prices, menus, account details and automated responses are accurate and up to date.

5.5 Storage Limitation

Personal data should not be kept longer than necessary for the purpose for which it was collected, unless retention is required for legal, contractual, audit or legitimate business reasons.

5.6 Integrity and Confidentiality

Personal data should be protected against unauthorized access, loss, misuse, alteration or disclosure.

MtejaFlow™ supports this through access controls, audit logs, secure integrations and responsible system administration.

5.7 Accountability

Businesses using MtejaFlow™ should be able to demonstrate that they handle customer data responsibly, including how consent is obtained, how opt-outs are managed and how staff access is controlled.

6. Customer Consent and WhatsApp Opt-In

MtejaFlow™ supports WhatsApp communication between businesses and their customers.

Businesses are responsible for ensuring that customers have given appropriate consent where required before receiving WhatsApp messages.

Consent may be collected through:

  • • Website forms
  • • Booking forms
  • • Order forms
  • • Customer registration forms
  • • QR code scans
  • • WhatsApp conversation initiation
  • • Digital consent checkboxes
  • • Signed customer forms
  • • Service enrollment forms
  • • Existing business relationship where legally permitted

Businesses should make it clear that the customer is agreeing to receive communication from the business through WhatsApp or related channels.

7. Opt-Out and Customer Choice

Customers should have a simple way to stop receiving non-essential WhatsApp messages.

MtejaFlow™ may support opt-out options such as:

  • • Replying "STOP"
  • • Replying "UNSUBSCRIBE"
  • • Requesting removal through the business
  • • Contacting MtejaFlow™ support where appropriate

Once a customer opts out, the business should stop sending non-essential or marketing messages unless further communication is required for legal, transactional or service-related purposes.

8. AI and Automated Decision Support

MtejaFlow™ may use AI to help businesses:

  • • Understand customer intent
  • • Suggest replies
  • • Respond to common questions
  • • Route messages to the right department
  • • Create support tickets
  • • Trigger workflows
  • • Detect urgency or negative sentiment
  • • Escalate conversations to human staff

AI is used as a support tool. It should not replace human judgment in sensitive, complex or high-risk situations.

Businesses are responsible for reviewing and updating:

  • • FAQs
  • • AI knowledge base
  • • Service rules
  • • Prices
  • • Policies
  • • Escalation settings
  • • Approved response language

Where AI confidence is low or a customer requests human support, the conversation should be escalated to a staff member.

9. Staff Access and Role-Based Controls

Businesses should only give MtejaFlow™ access to authorized staff.

Recommended access principles:

  • • Give users only the access they need
  • • Remove access for staff who leave the business
  • • Use unique user accounts where possible
  • • Avoid sharing passwords
  • • Review permissions regularly
  • • Restrict admin rights to trusted staff
  • • Track actions through audit logs where available

MtejaFlow™ supports role-based access and operational accountability depending on the client's selected plan and configuration.

10. Data Security Measures

MtejaFlow™ applies reasonable technical and organizational measures to protect data.

These may include:

  • • Role-based access control
  • • Secure authentication
  • • Encrypted communication channels
  • • Secure API tokens
  • • Access logs
  • • Audit trails
  • • Webhook monitoring
  • • Staff access controls
  • • Secure hosting practices
  • • Backup and recovery procedures
  • • Error and incident monitoring
  • • Controlled access to production systems
  • • Segregation of client data where applicable

No digital platform can guarantee absolute security, but MtejaFlow™ is designed to reduce avoidable risks and support responsible data handling.

11. Client Responsibilities

Businesses using MtejaFlow™ are responsible for:

  • • Collecting customer consent where required
  • • Informing customers how their data will be used
  • • Using approved and appropriate message templates
  • • Keeping business information accurate
  • • Ensuring staff access is properly managed
  • • Handling customer complaints and rights requests
  • • Avoiding spam or unauthorized marketing
  • • Maintaining lawful customer records
  • • Reviewing AI-generated or automated responses
  • • Ensuring integrations are authorized
  • • Complying with applicable data protection laws

MtejaFlow™ provides the technology platform, but each business remains responsible for how it communicates with its customers.

12. Data Sharing

Personal data may be shared only where necessary to provide the service, support the client or comply with legal obligations.

Data may be shared with:

  • • The business using MtejaFlow™
  • • Authorized staff of that business
  • • WhatsApp / Meta services for message delivery
  • • Payment service providers
  • • Hosting and cloud infrastructure providers
  • • ERP, CRM, POS or booking systems connected by the client
  • • Technical support providers
  • • Legal or regulatory authorities where required
  • • Professional advisers where necessary

MtejaFlow™ does not sell personal data.

13. Third-Party Platforms

MtejaFlow™ may depend on third-party platforms such as:

  • • WhatsApp Business Platform
  • • Meta services
  • • Payment providers
  • • Hosting providers
  • • ERP systems
  • • CRM systems
  • • POS systems
  • • Email or SMS providers
  • • Analytics tools

These third parties may have their own privacy policies, terms and data handling practices.

Businesses should review relevant third-party terms where applicable.

14. Cross-Border Data Processing

Some systems, infrastructure providers or support services used by MtejaFlow™ may process or store data outside Kenya.

Where cross-border processing occurs, MtejaFlow™ aims to use appropriate safeguards and reasonable contractual or technical measures to protect personal data.

Businesses with strict data residency requirements should notify MtejaFlow™ before onboarding.

15. Data Retention

Data is retained only for as long as necessary for the purpose for which it was collected or processed.

Retention may depend on:

  • • Client subscription status
  • • Legal requirements
  • • Audit requirements
  • • Security requirements
  • • Transaction records
  • • Support history
  • • Contractual obligations
  • • Business continuity needs
  • • Client configuration

Examples:

  • • Conversation logs may be retained for customer service and audit purposes.
  • • Payment references may be retained for reconciliation.
  • • Support tickets may be retained for service history.
  • • Opt-in and opt-out logs may be retained for compliance evidence.
  • • Technical logs may be retained for security and troubleshooting.

A client may request data export or deletion subject to legal, contractual, technical and payment limitations.

16. Data Subject Rights

Subject to applicable law, individuals may have rights over their personal data, including the right to:

  • • Be informed about how data is used
  • • Access personal data
  • • Correct inaccurate data
  • • Request deletion
  • • Object to certain processing
  • • Withdraw consent
  • • Request restriction of processing
  • • Request data portability where applicable
  • • Lodge a complaint with a competent authority

Where MtejaFlow™ processes data on behalf of a business, data subject requests may need to be handled by that business as the data controller.

Requests can be sent to:

support@mtejaflow.com

17. Data Breach and Incident Response

If MtejaFlow™ becomes aware of a data security incident, we will take reasonable steps to:

  • • Investigate the incident
  • • Contain the issue
  • • Assess the risk
  • • Notify affected clients where appropriate
  • • Support corrective action
  • • Preserve relevant logs
  • • Improve controls where necessary

Where legally required, affected parties or regulators may be notified.

Businesses using MtejaFlow™ should also maintain internal procedures for identifying and reporting suspected data incidents.

18. Children and Education Data

MtejaFlow™ may be used by schools, colleges or institutions to communicate with parents, guardians, students or applicants.

Where children's or student data is processed, the institution is responsible for ensuring that:

  • • Appropriate consent or lawful basis exists
  • • Parent or guardian communication is handled properly
  • • Student data is protected
  • • Access is limited to authorized staff
  • • Communication is appropriate and necessary
  • • Institutional policies and applicable laws are followed

MtejaFlow™ provides the communication and workflow platform, but the institution remains responsible for lawful handling of student and education records.

19. Marketing and Broadcast Controls

Businesses using MtejaFlow™ should only send marketing or promotional messages where appropriate consent exists.

Marketing messages should:

  • • Be relevant
  • • Be truthful
  • • Identify the business
  • • Respect opt-out requests
  • • Avoid excessive frequency
  • • Comply with WhatsApp / Meta requirements
  • • Comply with applicable data protection and consumer protection laws

MtejaFlow™ may support frequency throttling, approval workflows and opt-out tracking to help businesses manage responsible campaigns.

20. Internal Governance

MtejaFlow™ promotes responsible data governance through:

  • • Defined user roles
  • • Access control
  • • Audit trails
  • • Consent records
  • • Opt-out records
  • • Escalation logs
  • • Message delivery logs
  • • Support ticket history
  • • Workflow records
  • • Reporting dashboards

Businesses should appoint responsible staff to manage data, customer communication, WhatsApp campaigns and support escalations.

21. Contact for Data Protection Matters

For data protection questions, requests or concerns, contact:

MtejaFlow™ Data Protection Contact
Operated by Lolla Technologies Ltd

Website: https://mtejaflow.com

Email: support@mtejaflow.com

Sales: sales@mtejaflow.com

Phone / WhatsApp: +254 717 042 042

Location: Nairobi, Kenya

22. Updates to This Notice

This Data Protection Notice may be updated from time to time to reflect changes in our platform, legal requirements, operating practices or third-party services.

The updated version will be posted on https://mtejaflow.com with a revised effective date.

23. Closing Statement

MtejaFlow™ is built to help businesses use WhatsApp in a more structured, professional and responsible way.

Our goal is to help organizations communicate faster while respecting customer privacy, consent and data protection obligations.

MtejaFlow™ is powered by Mteja360 and operated by Lolla Technologies Ltd.

Turn WhatsApp into a structured business engine for bookings, orders, payments, support and customer workflows.

Product
  • How It Works
  • Pricing
  • Industries
  • Book Demo
Industries
  • Salons/Spas
  • Restaurant/Café
  • Schools
  • University
  • Clinic/Hospital
  • Retail Shop
  • Enterprise/Multi-Branch
  • Service Business
Company
  • About
  • Support
  • Mteja360
Legal
  • Privacy Policy
  • Terms of Service
  • Data Protection
  • WhatsApp Opt-In Policy
  • Data Deletion
+254 717 042 042
Call / WhatsApp
sales@mtejaflow.com
Sales
support@mtejaflow.com
Support
Nairobi, Kenya
MtejaFlow™ is a WhatsApp automation module powered by Mteja360 and operated by Lolla Technologies Ltd.
© 2026 MtejaFlow. All rights reserved.