Last updated: March 1, 2025.
ImpactMeL ("we", "our", or "the Company") is committed to protecting the privacy and security of personal data processed through our platform. This Privacy Policy explains how we collect, use, store, and share information when you use ImpactMeL's software-as-a-service platform and related services.
By accessing or using ImpactMeL, you acknowledge that you have read, understood, and agree to this Privacy Policy.
We collect the following categories of information:
Account & Organization Data: Name, work email address, organization name, job title, billing information, and account credentials.
Program & M&E Data: Results frameworks, indicators, indicator values, program narratives, uploaded documents, and beneficiary/participant records you enter into the platform.
Usage Data: Log data, IP addresses, browser type, pages visited, features used, and session durations — collected to improve platform performance and security.
Communications: Emails and support tickets you send us, including content and metadata.
We use collected data to:
- Provide, operate, and improve the ImpactMeL platform - Authenticate users and enforce access controls - Respond to support requests and customer communications - Send service notifications, security alerts, and product updates - Analyze usage patterns to improve platform features - Comply with legal obligations and enforce our terms
We do not sell your personal data or your beneficiary data to third parties. We do not use your M&E program data for advertising purposes.
For users in the European Economic Area, our legal bases for processing personal data are:
- Contract performance: Processing necessary to provide the ImpactMeL service under our agreement with your organization. - Legitimate interests: Security monitoring, fraud prevention, and platform improvement — where our interests do not override your rights. - Legal compliance: Where processing is required by applicable law. - Consent: Where you have explicitly consented to specific processing activities.
For beneficiary data entered into the platform, your organization acts as the Data Controller. ImpactMeL acts as a Data Processor and processes such data only per your instructions.
ImpactMeL offers data residency options for enterprise customers:
- European Union (Frankfurt, Germany — AWS eu-central-1) - United States (Virginia, USA — AWS us-east-1) - Africa (Cape Town, South Africa — AWS af-south-1)
Data is stored in the region you select during onboarding. Where data transfers across regions are necessary (e.g., for support or backups), we use Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.
ImpactMeL maintains the following security standards:
- SOC 2 Type II certification — independently audited annually - Encryption in transit: TLS 1.2+ for all data transmissions - Encryption at rest: AES-256 encryption for all stored data - Access controls: Role-based permissions, SSO/SAML 2.0 support, MFA - Audit logging: Immutable logs of all data access and changes - Penetration testing: Third-party testing conducted bi-annually - Backups: Automated encrypted backups every 6 hours with 90-day retention
We report material security incidents to affected customers within 72 hours of discovery.
Depending on your jurisdiction, you may have rights to:
- Access: Request a copy of personal data we hold about you - Correction: Request correction of inaccurate personal data - Deletion: Request deletion of your personal data ("right to be forgotten") - Portability: Receive your data in a machine-readable format - Objection: Object to specific processing activities - Restriction: Request restriction of processing in certain circumstances
To exercise these rights, contact us at privacy@impactmel.com. We will respond within 30 days.
We retain personal data for as long as your organization maintains an active account, plus a 90-day grace period after account closure to allow for data export. After this period, account data is permanently deleted from our systems.
Aggregated, anonymized analytics data may be retained indefinitely for platform improvement purposes. Audit logs are retained for 2 years to meet compliance requirements.
ImpactMeL uses essential cookies to maintain sessions, security tokens, and user preferences. We also use analytics cookies (first-party only) to understand how the platform is used.
We do not use third-party advertising trackers. You can control cookie preferences through your browser settings. Disabling essential cookies will affect platform functionality.
Data Protection Officer: dpo@impactmel.com
Privacy inquiries: privacy@impactmel.com
Mailing address: ImpactMeL, c/o Data Protection Officer, Nairobi, Kenya
For enterprise customers requiring a Data Processing Agreement (DPA) for GDPR compliance, please contact your customer success manager or email dpa@impactmel.com.
This Privacy Policy was last updated on March 1, 2025.