Data Policy

Effective date: 7 June 2026. This policy should be read together with the Privacy Policy, Terms & Conditions, and Imara Assurance Policy.

1. Purpose of this Data Policy

Imara Flow is a business operating platform. Businesses use it to manage customers, products, orders, staff, invoices, receipts, money records, mini stores, contact cards and protected transactions. This policy explains how data is organised inside the platform and how it should be handled by Imara Flow, business owners, staff members, buyers, sellers and invited parties.

2. Types of data handled

• Account data: names, emails, phone numbers, login records, authentication providers, role and workspace access.
• Business data: business name, logo, brand colours, location, contact details, store settings, staff details and module settings.
• Customer data: customer names, phone numbers, emails, addresses, notes, order history and communication records.
• Product and inventory data: product names, descriptions, prices, categories, stock, images, SKUs and service listings.
• Payment and ledger data: payment references, gross amounts, gateway fees, Imara fees, net amounts, status, timestamps, receipts and wallet entries.
• KYC/KYB data: identity and business verification information used for compliance, wallet activation, fraud prevention and transaction review.
• Imara Assurance data: agreements, parties, evidence files, approvals, payment records, disputes, audit trails and downloadable summaries.

3. Workspace ownership and access

Each business workspace controls its operational data. The workspace owner is responsible for choosing who can access the workspace, what roles staff members receive, what information is uploaded, and whether customer or staff data is accurate and lawfully collected.

4. Data separation

Imara Flow stores records with business identifiers such as business_id or company_id. These identifiers separate stores, wallets, payments, orders, products and reports across different businesses using the same platform. This is important where one payment gateway or shared infrastructure processes activity for many businesses.

5. Payment and internal ledger records

Payment records may include the payment provider, internal reference, provider reference, amount, currency, status, customer details, product details, fees, metadata and timestamps. Internal ledger records help separate customer payments, wallet credits, protected transaction balances, platform fees, payment provider fees and reconciliation entries.

6. KYC/KYB and verification records

KYC/KYB information may be required before enabling wallet, payout, protected transaction, high-risk activity or manual approval features. These records should only be accessed by authorised administrators or reviewers for compliance, fraud prevention, account support, transaction safety, dispute support or legal obligations.

7. Mini store and marketplace data

Businesses that enable the mini store can publish products, images, descriptions, prices and contact details publicly. Public store and shop pages may be indexed by search engines unless disabled by platform settings or robots rules. Businesses are responsible for ensuring product descriptions, prices, images and stock information are accurate.

8. Contact card data

Contact cards are public profile pages when shared. A contact card may include a name, role, photo, phone number, WhatsApp number, email, business name, links and social media profiles. Users should only publish information they are comfortable making public.

9. Evidence and protected transaction data

Evidence uploaded to Imara Assurance may include photos, PDFs, receipts, delivery notes, agreements, screenshots, identity records and inspection notes. Evidence should be relevant, lawful, accurate and uploaded only by parties authorised to participate in the transaction.

10. Data quality duties

Business owners and users must keep data accurate. This includes prices, customer details, product details, order status, delivery instructions, payment instructions, account roles, legal names, tax labels and transaction terms.

11. Retention

Some records may be retained after deletion or account closure where needed for accounting, audit, fraud prevention, legal compliance, dispute handling, financial reconciliation, security investigation or enforcement of the Terms. This may include invoices, receipts, wallet entries, protected transaction records, KYC/KYB decisions, payment references and audit logs.

12. Exports, correction and deletion

Businesses may request access, correction or export of records where technically available and legally permitted. Deletion requests may be refused, delayed or limited where deleting the record would break required financial, legal, security, dispute or audit records.

13. Third-party processors

Imara Flow may use third-party providers for email delivery, payment processing, cloud hosting, analytics, authentication and security. These providers process data only to support platform operations, payments, notifications, security and service delivery.

14. Security controls

Imara Flow uses practical safeguards such as access control, session protection, server-side validation, database separation, audit logs, restricted admin workflows and payment reference tracking. No system is perfectly secure, and users must protect their passwords, devices and staff access.

15. Administrator access

Authorised administrators may access business data only where necessary for support, debugging, compliance, reconciliation, fraud review, service operation, security response or legal obligations. Administrative access should be logged where technically possible.

16. Contact

Questions about this Data Policy can be sent through the contact page or the support channels provided inside the Imara Flow dashboard.