DRAFT — these pages are pending Kenya-admitted lawyer review and may change before launch.

cart.ke Privacy Policy

Last updated: 2026-05-23

1. About this policy

This policy explains what data cart.ke collects, how it is used, and your rights under the Kenya Data Protection Act (KDPA, 2019).

2. Seller data we collect

Email address (for sign-in and account notifications).
WhatsApp number (displayed on your storefront so buyers can reach you).
Store name, handle, and product information you enter.
Photos you upload (we strip EXIF metadata before publishing).
M-Pesa confirmation codes you submit for subscription payment.

3. Buyer data we collect

When a buyer visits /<handle>, cart.ke records an anonymous session token (a random opaque cookie), the page viewed, the timestamp, and — when they tap "Order on WhatsApp" — an anonymous record that the click happened (which product, when). This lets us show the seller anonymous visit and WhatsApp-click counts. We do not collect a buyer's name or phone number, and ordinary browsing and ordering never collect a buyer's email — the buyer's WhatsApp profile reaches you directly when they tap "Order on WhatsApp." These per-visit and per-click records are anonymous and are deleted after 90 days (see "Data retention" below); only aggregated daily totals are kept longer.

There are two exceptions where we may collect a buyer's email. The first is the report-a-store form (/r/<handle>): a reporter may optionally leave an email so our moderation team can follow up. If they tick "keep my email on file", we store that email so we can reach them; if they leave that box unticked, we keep only a one-way hashed value (used to detect duplicate or abusive reports) and discard the email itself. The second is the data-request form (/legal/data-request): a buyer who files a Kenya Data Protection Act request enters an email so we can respond to it within the statutory window; we use it only to reply to that request.

We do not use third-party advertising trackers.

4. Sub-processors

cart.ke relies on the following sub-processors to run the Service:

Supabase Inc. (EU-Ireland region) — managed database, authentication, and file storage. All customer data is stored inside the EU-Ireland region.

Cloudflare, Inc. — image storage and content-delivery network for storefront photos and pages.

Resend (email delivery) — sign-in codes and account emails (renewal reminders, data-export links).

Sentry (error monitoring) — diagnostic error reports used to keep the Service reliable.

Customer data is stored in the EU-Ireland region. cart.ke's application servers may process data in transit outside the EU until our launch region configuration is finalised; we will keep this disclosure accurate as that configuration is confirmed. We will give 30 days' notice via this policy before adding any new sub-processor.

5. Your rights under KDPA

Right to be informed about processing (this policy).
Right of access to your personal data (request via /legal/data-request).
Right to rectification of inaccurate data (via /dashboard).
Right to erasure (cancel your store via /dashboard/account/cancel; 30-day export window precedes deletion).
Right to restrict processing (contact /support/contact-us).
Right to data portability (in-dashboard data export — a zip of your store data — at /dashboard/account/data-export).

6. Data breach notification

In the event of a personal-data breach affecting Kenyan data subjects, we will notify the Office of the Data Protection Commissioner within 72 hours per KDPA Article 43, and we will notify affected sellers without undue delay.

7. Data retention

Active store data is retained for the lifetime of your account.
After cancellation, store data is retained for 30 days (the data-export window) and then permanently deleted.
We retain a minimal record of verified subscription payments (date, amount, period, and M-Pesa confirmation code) after deletion, as required for tax and dispute-resolution obligations under Kenyan law. All other personal data is permanently deleted at the end of the 30-day window.
Anonymous buyer-side analytics are aggregated daily; raw per-visit and per-WhatsApp-click rows older than 90 days are deleted. Only the aggregated daily totals are kept longer.
Account audit logs (admin actions on your store) are retained 12 months in anonymized form (no link back to your account).

8. Cookies

cart.ke uses cookies only where they are essential to the Service: a session cookie that keeps you signed in to your dashboard, and an anonymous, randomly-generated token used to prevent abuse and to count storefront visits (described under "Buyer data we collect" above).

We set no third-party advertising or cross-site tracking cookies. Because these cookies are strictly necessary for sign-in and abuse-prevention, the Service relies on them to function; by continuing to use the Service you consent to their use. You can clear cookies through your browser settings at any time, though doing so will sign you out.

9. Contact

Questions about this policy or to file a data-subject request: see /legal/data-request.

← Back to home