Privacy Policy

When you sign up for a Washly account, you (the laundry business) are the data controller of your customers' personal data. Washly acts as a data processor on your behalf, governed by our Data Processing Agreement (DPA).

For data we collect directly from you as an account holder (billing details, login records, support messages), Washly is the controller.

• Account data: name, email, phone number, business name, country, password hash.
• Customer data you upload: your customers' names, phone numbers, addresses, order history, garment notes, photos.
• Payment data: processed by Paystack, Flutterwave, Stripe, or Moniepoint. We store only the last 4 digits, brand, and transaction reference — never full card numbers.
• Usage data: IP address, device, browser, pages viewed, feature usage, error logs.
• Cookies & similar tech: session cookies, analytics (privacy-friendly), and CSRF tokens.

• Provide, maintain, and improve the Service.
• Process payments and send invoices/receipts.
• Send transactional notifications (order updates, password resets, billing).
• Provide customer support and respond to enquiries.
• Detect, prevent, and address fraud, abuse, or security incidents.
• Comply with legal obligations (tax, anti-money-laundering, lawful requests).
• Send product updates and marketing — only with your consent, and you can opt out at any time.

• Contract — to deliver the Service you signed up for.
• Legitimate interests — to secure our platform and improve features.
• Consent — for marketing communications and non-essential cookies.
• Legal obligation — for tax, accounting, and lawful enforcement requests.

We do not sell personal data. We share data only with:

• Sub-processors — cloud hosting (AWS, Cloudflare), email (Postmark), SMS/WhatsApp (Twilio, Termii), payments (Paystack, Flutterwave, Stripe, Moniepoint), analytics (Plausible).
• Your team — staff and managers you invite to your workspace, subject to the roles you assign.
• Legal authorities — when required by valid legal process.
• Successors — in the event of a merger, acquisition, or asset sale, under equivalent privacy protections.

Data may be processed in jurisdictions other than your own (primarily the EU, UK, and US). Where required, we use Standard Contractual Clauses (SCCs), the UK IDTA, or adequacy decisions to ensure equivalent protection under the GDPR, UK GDPR, NDPA (Nigeria), POPIA (South Africa), and the Kenya DPA.

We keep account data while your subscription is active and for up to 90 days after cancellation, after which it is permanently deleted from production systems. Backups are purged within 35 days. Financial records are retained for the period required by applicable tax law (typically 6–7 years).

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Request deletion ("right to be forgotten").
• Restrict or object to processing.
• Data portability.
• Withdraw consent at any time.
• Lodge a complaint with your data protection authority (NDPC, ICO, CNIL, Information Regulator SA, ODPC Kenya, etc.).

Submit requests to privacy@washly.app. We respond within 30 days.

We encrypt data in transit (TLS 1.2+) and at rest (AES-256), run continuous vulnerability scans, enforce least-privilege access, and maintain incident-response procedures. See our Security page for full details.

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

We may update this policy from time to time. Material changes will be notified by email or in-app at least 14 days before they take effect. The "Last updated" date above will always reflect the current version.

Washly Technologies Ltd · Data Protection Officer
Email: privacy@washly.app
Postal: 12 Admiralty Way, Lekki Phase 1, Lagos, Nigeria