Privacy Policy

Effective May 19, 2026 · Kolimo Multimedia · GíríBooks

How we collect, use, share and protect your information — and the rights you have over it. Read alongside our Terms of Service.

1. Introduction

This Privacy Policy ("Policy") explains how Kolimo Multimedia and its affiliates ("Kolimo Multimedia", "we", "us", "our") collect, use, share and protect personal information when you access or use the GíríBooks website, applications, APIs and related services (collectively, the "Service").

This Policy applies whether you reach us as a visitor browsing our marketing pages, a registered account holder, a member of a business workspace, or a client receiving an invoice, receipt or estimate sent from a GíríBooks user. It works alongside our Terms of Service — please read both.

By using the Service, you confirm you have read and understood this Policy. If you do not agree, please do not use the Service. Some sections refer to specific jurisdictions (Nigeria, the EU/UK, the United States); local law in your country may grant you additional rights, which we will honour to the extent required.

2. Who is the data controller

Kolimo Multimedia is the controller of personal data submitted to the public website and used to run your GíríBooks Account.

When you create a Business workspace and add clients, employees, payroll records or other personal data about third parties, you act as the controller of that data and we act as your processor — that is, we hold and process it on your behalf and only on your instructions. The Terms of Service govern that relationship.

For questions about either role, contact us at privacy@giribooks.com.

3. Information we collect

We collect the information described below to operate, secure and improve the Service. We try to collect only what we need.

a) Information you provide directly:

  • Account details — name, email address, password (stored as a salted hash via Supabase Auth), and any optional profile fields (avatar, country, phone).
  • Business details — business name, logo, tagline, address, contact email/phone, brand colour, tax registration and any settings you save.
  • Customer Data — invoices, estimates, receipts, clients, expenses, payroll runs, calendar events, chat messages and any other content you create inside a workspace.
  • Billing details — when you subscribe to a paid plan, our payment processor (Polar.sh) collects your card number and billing address. We never see or store full card numbers; we only retain a reference to your Polar customer and subscription.
  • Communications — anything you send us by email, support form or in-app messaging.

b) Information we collect automatically:

  • Device & browser data — IP address, browser type and version, operating system, screen size, referrer URL.
  • Usage data — pages visited, features used, timestamps, error logs, performance metrics. Used to keep the Service running and prioritise improvements.
  • Cookies & similar technologies — see Section 9 (Cookies & tracking).

c) Information from third parties:

  • Authentication providers — if you sign in with a third-party provider (e.g. Google, GitHub via OAuth), we receive your name, email and a stable identifier from that provider.
  • Payment processor — Polar.sh sends us webhook events (subscription created / updated / canceled / past_due) so we can match your subscription to your business and unlock the right plan tier.
  • Email delivery provider — Resend sends us delivery / bounce events for outgoing email so we can warn you if a message you sent didn’t reach the recipient.

4. How we use information

We use personal information for the following purposes:

  • Provide the Service — host your workspaces, render your data, send invoices and receipts, run payroll, generate reports.
  • Operate billing — create checkout sessions, recognise paid subscriptions, send subscription receipts, recover failed payments.
  • Secure the Service — detect and prevent fraud, abuse, unauthorised access and rate-limit violations. Maintain audit logs of significant actions for accountability.
  • Support — respond to your help requests and investigate issues. Support agents only access account data when needed to resolve a ticket and never use it for marketing.
  • Communicate — send transactional emails (welcome, invite, billing, security notifications). We do not use Customer Data to market to your clients.
  • Improve the Service — analyse aggregated usage to prioritise features and fix bugs. Where possible we use de-identified or aggregated data.
  • Legal compliance — comply with tax, accounting, anti-fraud and other laws that apply to us as a service provider.

6. Who we share information with

We do not sell your personal information. We share it only with the recipients below, only for the purposes described, and only under written agreements that require them to protect it.

a) Sub-processors and infrastructure providers:

  • Supabase, Inc. — database, authentication and edge function hosting (EU region). Customer Data is stored here.
  • Polar.sh — subscription billing and checkout processing.
  • Resend — transactional email delivery (invites, invoice emails, receipts).
  • Vercel, Inc. — web hosting and edge network for the public site and dashboard.
  • GitHub — source code hosting; we do not store Customer Data on GitHub.

b) Your team — anyone you invite to a Business workspace can see the Customer Data in that workspace, subject to the role you grant them (owner / admin / member / user).

c) Recipients of documents you send — when you email an invoice, estimate or receipt to a client, the recipient sees the contents of that document plus any "from" / "reply-to" identification we apply.

d) Authorities — we may disclose information when required by law, court order, valid legal process, or to protect the rights, safety or property of Kolimo Multimedia, our users or others. We will challenge requests we believe are unlawful or overbroad.

e) Business transfers — if Kolimo Multimedia is involved in a merger, acquisition, financing or sale of assets, your information may be transferred to the successor or acquirer, subject to the protections in this Policy.

7. How long we keep information

We retain personal information for as long as needed to provide the Service, satisfy legal or accounting obligations, resolve disputes and enforce our agreements.

  • Account & workspace data — kept while your Account is active. If you delete a workspace, we retain it for up to 30 days in case the deletion was accidental, then permanently erase it. If you delete your Account, we delete or anonymise the data within 90 days, except where law requires us to retain specific records longer (typically up to 6 years for tax records).
  • Backups — encrypted backups may persist for up to 35 days after deletion as part of our disaster-recovery rotation.
  • Logs — security and audit logs are retained for up to 12 months.
  • Billing records — subscription, invoice and payment records are retained for up to 7 years to comply with tax law.

8. Your rights

Depending on where you live, you may have the following rights over your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete information.
  • Erasure ("right to be forgotten") — ask us to delete your personal information, subject to legal retention exceptions.
  • Restriction — ask us to limit how we use your information.
  • Portability — request your personal information in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests, including any direct marketing.
  • Withdraw consent — where we rely on consent, withdraw it at any time without affecting prior processing.
  • Lodge a complaint — with your local supervisory authority (e.g. the Nigeria Data Protection Commission, the UK Information Commissioner’s Office, or your EU member-state DPA).

To exercise any of these rights, email privacy@giribooks.com from the address on your Account. We will respond within 30 days; complex requests may take longer and we will let you know if so.

Where we act as your processor (i.e. for Customer Data you uploaded about third parties), please direct data-subject requests to the Business workspace owner. We will assist them in responding.

9. Cookies & tracking

We use a small number of cookies and similar storage technologies (localStorage, sessionStorage) to make the Service work:

  • Strictly necessary — session tokens, CSRF tokens, the active-business id, sidebar open/closed state, the dashboard view you last visited.
  • Functional — your saved preferences (theme, language, currency picker default).
  • Analytics — minimal, aggregated usage stats to understand how the Service is used and prioritise improvements. We do not use third-party advertising trackers.

You can clear cookies / storage from your browser at any time; doing so will sign you out and reset preferences.

10. How we protect information

We apply layered security controls appropriate for a financial-data product:

  • Encryption in transit — TLS 1.2+ for all browser and API traffic.
  • Encryption at rest — managed by our infrastructure providers (Supabase Postgres encryption at rest, Vercel-managed certs).
  • Access control — role-based access at the Business level (owner / admin / member / user), enforced by row-level security policies in the database.
  • Audit logs — significant actions are logged with the responsible user id and timestamp.
  • Secrets management — API keys for third-party services (Polar.sh, Resend, etc.) live as server-side secrets and are never exposed to the browser.
  • Vulnerability reporting — see SECURITY.md in our public repository for the responsible-disclosure path.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required, and notify affected users without undue delay.

11. International data transfers

GíríBooks is operated from Nigeria and uses infrastructure providers based in the EU, the United States and other regions. Your personal information may be transferred to and processed in countries other than the one in which you reside.

Where we transfer personal information out of the European Economic Area, the UK, or other regions with restrictions on international transfers, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms with our sub-processors. By using the Service, you acknowledge this transfer and processing.

12. Children’s privacy

The Service is not intended for use by children under 16 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact privacy@giribooks.com and we will delete the information.

14. Changes to this Policy

We may update this Policy from time to time to reflect changes in the Service, our practices, or applicable law. When we make material changes, we will update the "Effective" date at the top of this page and, where appropriate, notify you by email or via an in-app notice before the changes take effect.

Continued use of the Service after the changes become effective constitutes acceptance of the updated Policy.

15. Contact us

Questions, requests or complaints about this Policy or our handling of personal data can be sent to:

  • Email — privacy@giribooks.com
  • For legal notices — legal@giribooks.com
  • Operating entity — Kolimo Multimedia
  • Product — GíríBooks

We will acknowledge receipt within a reasonable period and respond within the timelines required by applicable law.