Global Chains ERP — Privacy Policy

This Privacy Policy ("Policy") explains how Global Chains ERP and its operating entity ("Global Chains ERP," "we," "us," or "our") collect, use, disclose, store, and protect information in connection with our cloud software platform and related services (collectively, the "Service"). The Service is designed as financial and business operations infrastructure, including without limitation: smart invoicing; accounts payable and receivable; vendor and client records; treasury, wallet, and payment-orchestration tooling; multi-currency and reconciliation features; M-Pesa and other payment-channel integrations where enabled; subscription billing; organization and workspace management; roles and approvals; APIs, webhooks, and third-party integrations; document and logo uploads; PDF ingestion where offered; email and messaging-related features; optional blockchain or digital-asset-related workflows; optional push notifications; ledger or accounting-oriented exports/sync where offered; and administrative or compliance-oriented logging.

Important: This Policy is provided for transparency. It does not constitute legal advice. Financial, payroll, tax, sanctions, and data-protection requirements vary by jurisdiction and use case. Engage qualified counsel and, where applicable, execute a Data Processing Addendum (DPA) with us for enterprise deployments.

Last updated: May 10, 2026

1. Who this Policy covers

This Policy applies to visitors to our websites, registered users, organization administrators and members, payors or counterparties who interact with public or tokenized flows we host (such as hosted invoice or payment pages or vendor submission links), and individuals whose information is submitted into the Service by a customer (for example employees, vendors, or clients of our customers).

If you interact with the Service only as an employee or contact of our customer, that customer is typically responsible for informing you about processing and for honoring privacy requests for business data they control. We may still process certain information as an independent controller for security, billing, and platform integrity.

2. Controller and processor roles

The Service is multi-tenant. In general:

  • Customer as controller: For data your organization inputs or connects—such as invoices, payables, clients, vendors, chart-of-account style references, payroll fields, files, treasury configurations, and business communications metadata—your organization is typically the controller, and we process such data as a processor to provide the Service, subject to your instructions, these terms, and any executed DPA.
  • We as controller: We act as a controller where we determine purposes and means—for example account creation and authentication events, subscription and billing with payment partners, fraud and abuse prevention, security monitoring, aggregated analytics, product and policy notices, certain cookie-based analytics where not solely on behalf of a customer, and compliance with legal process directed to us.

Where laws require a lawful basis (such as under GDPR/UK GDPR), we rely on contract, legitimate interests (balanced against rights), legal obligation, or consent as appropriate to the activity. California and other U.S. state laws may classify certain processing differently; see Section 18.

3. Information we collect

Depending on how you use the Service, we may collect:

3.1 Account, identity, and access

  • Name, email, phone, password or OAuth tokens, session identifiers, organization membership, roles
  • Workspace or organization identifiers, invitation and onboarding state
  • Security-related events (e.g. sign-in timestamps, device or IP indicators where logged)

3.2 Billing and subscriptions

  • Plan, subscription status, usage metrics relevant to billing
  • Payment data: typically handled by payment processors (e.g. Paystack or other configured providers). We may receive limited tokens, last-four, receipt metadata, customer references, and transaction status—not full card data where the processor tokenizes it.

3.3 Financial, ERP, and operational content

  • Invoices, line items, taxes, approvals, numbering, PDFs, and delivery history you configure
  • Payables, bills, vendor banking or payment instructions you store, approval chains, audit trails
  • Clients, vendors, counterparties, and contact directories you maintain
  • Bank account labels, payment method preferences, reconciliation notes, and similar operational fields

3.4 Treasury, wallets, and blockchain-related data

  • Wallet addresses, chain identifiers, transaction hashes, Safe or multi-sig configurations, gas or fee settings, and provider references (including data returned by node providers or wallet-connection SDKs)
  • On-chain data is public by nature; we may index or display it to operate features you enable
  • Webhook or provider callbacks related to treasury movements (e.g. funding or payout status payloads) may be logged for reconciliation and security

3.5 Mobile money and regional payment channels

  • Where M-Pesa or similar channels are enabled, we may process phone numbers, transaction references, reconciliation keys, and status messages as you or integrations submit them

3.6 HR, payroll, and workforce information

  • If you use payroll or HR-oriented fields: salaries or rates, deductions, tax identifiers, national IDs, bank details for wages, attendance or HR notes—often special-category or sensitive under law. You must have a lawful basis (including employee notice and consent where required). We process such data only to provide the Service per your instructions.

3.7 Files, media, and documents

  • Uploaded logos, attachments, contracts, and PDFs you or your users provide
  • Where PDF or document parsing is used, extracted text and structure may be processed to populate fields you approve

3.8 Communications

  • Email content metadata, delivery status, and SMTP or provider logs when we send system or product emails (e.g. via Nodemailer or your configured mail transport)
  • If you connect WhatsApp Business API (Meta) or similar channels, message metadata and payloads may be processed according to your configuration and Meta's policies

3.9 APIs, webhooks, and integrations

  • API keys or tokens you create, webhook URLs, request logs, error logs, and integration configuration
  • Payloads received from third-party systems you connect to the Service

3.10 Public and unauthenticated flows

  • When counterparties use hosted invoice pay flows, vendor link tokens, or similar URLs, we may collect IP address, device/browser data, payment attempt metadata, and fraud signals as needed to operate and secure those flows

3.11 Technical, cookies, and similar technologies

  • Cookies, local storage, or similar for sessions, preferences, security, and analytics
  • IP address, user agent, referrer, approximate location derived from IP

3.12 Push notifications

  • If you opt in to web push, subscription endpoints and keys required for delivery may be stored in accordance with browser standards

3.13 AI-assisted features

  • Inputs you provide and outputs generated may be processed by models or automation to deliver features you enable. Retention and subprocessors depend on configuration and provider terms.

3.14 Support and abuse handling

  • Ticket content, correspondence, and investigation notes when you contact us or we investigate incidents

4. Purposes of processing

  • Provide, maintain, debug, and improve the Service and its features
  • Authenticate users, enforce RBAC, and maintain tenant isolation
  • Route or orchestrate payments, treasury actions, and notifications as you configure
  • Detect, prevent, and respond to fraud, abuse, security incidents, and illegal activity
  • Comply with law, regulations, court orders, and government requests
  • Perform sanctions and risk screening where required or prudent
  • Bill and collect fees; manage subscriptions and trials
  • Communicate about the Service, incidents, and policy updates
  • Analytics, product development, and benchmarking using aggregated or de-identified data where possible
  • Train or evaluate models only as permitted by applicable agreements and settings

5. Automated processing and profiling

We may use rules-based systems or machine learning for fraud scoring, risk flags, categorization, suggestions, or workflow routing. Such processing may produce recommendations only; it does not replace your judgment unless you explicitly configure automation. Where required, you may have rights to human review or to object.

6. Legal bases (EEA, UK, and similar)

Where GDPR, UK GDPR, Kenya Data Protection Act, Nigeria NDPA, South Africa POPIA, India DPDP Act, UAE frameworks, or comparable laws apply, we process personal data under one or more of: performance of a contract, legitimate interests (e.g. securing the Service, preventing fraud—balanced against individual rights), legal obligation, vital interests (rare), or consent where required (e.g. non-essential cookies or certain marketing). Public-sector or employment contexts may impose additional rules.

7. Disclosure, subprocessors, and categories of recipients

We may disclose information to:

  • Infrastructure and database providers (e.g. document databases such as MongoDB in cloud regions you or we configure)
  • Application hosting and edge/CDN providers that serve our web application and assets
  • Authentication and identity services integrated with the platform
  • Payment processors (e.g. Paystack for subscriptions or other configured acquirers)
  • Treasury or banking-as-a-service partners you enable (e.g. providers receiving webhooks or settlement instructions)
  • Blockchain node, wallet, and smart-contract infrastructure (e.g. RPC providers, wallet connection SDKs, Safe stack components) as required to execute features you choose
  • Email delivery (SMTP relays or transactional email vendors) and messaging platforms (e.g. Meta/WhatsApp when connected)
  • Analytics, logging, observability, error reporting, and security vendors
  • Professional advisers, auditors, insurers, and due-diligence participants
  • Acquirers, successors, or affiliates in a merger, financing, or asset sale, subject to confidentiality and legal requirements
  • Law enforcement and regulators when we believe disclosure is required by law or necessary to protect rights, safety, and integrity

A Subprocessor Disclosure may list names and purposes; the list may change. We will provide enterprise customers notice where contractually required before engaging a new subprocessor that processes personal data on their behalf.

8. International data transfers

We may process and store data in the United States, European Economic Area, United Kingdom, Kenya, and other regions depending on deployment and vendor locations. Where transfers from the EEA, UK, Switzerland, or other restricted jurisdictions occur, we implement appropriate safeguards such as Standard Contractual Clauses, the UK Addendum, or other lawful mechanisms. Copies of transfer assessments or DPAs may be available to enterprise customers upon request.

9. Data residency

Unless a separate enterprise agreement specifies a region, data may be processed globally to operate the Service. Certain regulated workloads may require dedicated deployment; contact us for enterprise options.

10. Security

We implement commercially reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of the Service, including access controls, encryption in transit where standard for the protocol, vulnerability management, logging, and vendor review. No system is perfectly secure. We do not represent that the Service is immune to compromise, "unhackable," or free from defects. You are responsible for safeguarding credentials, API keys, and devices used to access the Service.

11. Audit logs, monitoring, and financial traceability

We may record events such as authentication, role changes, configuration edits, approvals, exports, treasury or payout instructions initiated through the Service, webhook receipts, and administrative actions. Logs support security monitoring, dispute resolution, regulatory inquiries, and forensic investigations. Retention follows operational and legal requirements and may extend beyond account deletion where mandated for accounting or anti-fraud purposes.

12. Retention

We retain personal data for as long as necessary to provide the Service, comply with law (including tax, AML, and bookkeeping retention), resolve disputes, and enforce agreements. Categories such as security logs, billing records, and accounting entries may have longer retention. Backups may persist for a limited period after deletion requests. Enterprise customers may negotiate schedules in a DPA.

13. Deletion, export, and account closure

You may request export or deletion subject to law and technical feasibility. Where we act as processor, requests may need to be routed through your organization's administrator. Some information must be retained by law or for legitimate interests (e.g. billing proofs, abuse prevention). Public blockchain records cannot be erased by us.

14. Cookies and tracking

We use essential, functional, analytics, and security-related cookies or similar technologies. A dedicated Cookie Policy or cookie banner may provide granular choices where required. Disabling certain cookies may impair functionality.

15. Marketing

We may send product updates or offers where permitted. You may opt out of marketing communications; transactional or security notices may continue.

16. Children

The Service is not directed to children under 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children.

17. Sanctions, AML, and restricted activity

We prohibit use of the Service for sanctions evasion, money laundering, terrorist financing, fraud, or other illegal financial activity. We may screen data where required, block activity, freeze features, or terminate accounts consistent with law and risk policies.

18. Regional privacy rights

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to processing, and to lodge a complaint with a supervisory authority. California residents may have rights under the CCPA/CPRA, including to know, delete, correct, and opt out of certain "sales" or "sharing" (we do not sell personal information for money in the traditional sense; we may use cookies or analytics that could constitute "sharing" under some definitions—see our Cookie disclosures). Other U.S. states are adopting similar laws. We will verify requests as permitted by law.

19. Breach notification

If we determine a personal data breach requires notification under applicable law, we will notify regulators and affected individuals as required. Customers acting as controllers are responsible for notifying their own data subjects where their business data is affected and they have the relationship.

20. Third-party links and embedded services

The Service may link to third-party sites or embed widgets. Their privacy practices are governed by their own policies. Wallet extensions, banking portals, or social login providers may collect data independently.

21. Changes to this Policy

We may update this Policy to reflect product, legal, or operational changes. We will post the updated Policy with a new "Last updated" date and, where required, provide additional notice. Continued use after changes may constitute acceptance where permitted.

22. Contact

Privacy questions and requests:

Email: privacy@globalfinance.com
Data protection: dpo@globalfinance.com
Address: [Your Business Address]