Privacy Policy
Last updated April 26, 2026
Last updated: 16 April 2026
This Privacy Policy explains how MyDuka ("we", "us", "our") collects, uses, shares, and protects personal data when you use myduka.link and the related shops, dashboards, and tools (the "Service"). It is written to comply with the Kenya Data Protection Act, 2019 ("DPA") and, where relevant, the EU/UK General Data Protection Regulation ("GDPR").
1. Who is the data controller
The data controller for personal data we collect about you is MyDuka, a business operating in Kenya. You can contact our Data Protection Officer at privacy@myduka.link.
Important: If you are a customer buying from a shop hosted on our platform, the Seller is the controller of the personal data you provide to complete your order (name, address, phone, order details). We act as a processor on the Seller's behalf for that data. Contact the Seller directly with privacy questions about your purchase.
2. What data we collect
Account data (Sellers): name, email, phone, password (hashed), shop name, subdomain, business details, profile photo if uploaded.
Shop content: products, images, prices, categories, custom domain settings, and any other content you choose to add to your shop.
Order metadata: when a customer places an order on a shop, we store the order details (items, prices, customer name, contact, delivery address, order status) on the Seller's behalf so the Seller can fulfil the order.
Payment data: when you connect a payment provider (M-Pesa, Stripe, PayPal, Pesapal, PayHero), we store the connection credentials needed to route payments. We do not store full card numbers or M-Pesa PINs — those go directly to the payment provider.
Subscription billing: if you are on a paid plan, our payment processor stores your card details on our behalf. We only retain the last four digits, card brand, and billing history.
Usage and device data: IP address, browser type, operating system, pages visited, referring URL, and timestamps. Collected via server logs and cookies.
Communications: emails you send us, support messages, and our replies.
3. Why we use it (legal bases)
We process personal data for the following purposes, with the following lawful bases under the DPA and GDPR:
- To provide the Service (account, shop hosting, order processing, billing) — performance of a contract with you.
- To secure the Service (fraud prevention, abuse detection, session security) — our legitimate interests.
- To improve the Service (analytics, usage statistics, error tracking) — our legitimate interests, balanced against your privacy.
- To send transactional messages (account alerts, payment receipts, security notices) — performance of a contract.
- To send marketing emails — your consent, which you can withdraw any time using the unsubscribe link.
- To comply with law — legal obligation.
4. Cookies and tracking
We use cookies and similar technologies for: keeping you logged in (essential), remembering your preferences (functional), and measuring traffic (analytics — Google Analytics 4, and where you have configured it as a Seller, Facebook Pixel and Google Ads). Essential cookies are set automatically; analytics cookies are set on a legitimate-interests basis with the right to opt out by clearing or blocking cookies in your browser. Parts of the Service may not work without essential cookies.
5. Who we share data with
We share personal data only with the following categories of recipients, and only as needed:
- Payment processors you connect to your shop, or that we use for subscription billing.
- Hosting and infrastructure providers who run our servers, databases, and email delivery.
- Analytics providers such as Google Analytics 4 (and Meta / Google Ads when configured by a Seller).
- Custom domain and SSL providers when you connect your own domain.
- Law enforcement or regulators, where we are legally required.
- A successor entity in the event of a merger, acquisition, or sale of assets — with prior notice to you.
We do not sell your personal data.
6. International transfers
Some of our service providers (for example, Google, Stripe, PayPal) are located outside Kenya, including in the United States and the European Union. When we transfer personal data outside Kenya, we rely on the safeguards permitted by Section 48 of the DPA, including the recipient being subject to a comparable data protection law, contractual safeguards, or your explicit consent.
7. How long we keep data
- Account data: while your account is active, plus up to 12 months after termination, or longer if needed for legal or accounting purposes.
- Order and billing records: at least 7 years, to comply with Kenyan tax law.
- Server logs: typically 90 days.
- Marketing email lists: until you unsubscribe.
8. Your rights under the DPA
Subject to limits in the law, you have the right to:
- Be informed about how we use your data (this Policy).
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your data ("right to be forgotten").
- Object to or restrict processing in certain situations.
- Receive a portable copy of your data in a common format.
- Withdraw consent at any time, where we rely on consent.
- Lodge a complaint with the Office of the Data Protection Commissioner (www.odpc.go.ke) if you believe we have mishandled your data.
To exercise any of these rights, email privacy@myduka.link. We will respond within 30 days.
9. Security
We protect personal data with industry-standard measures: encrypted connections (HTTPS/TLS), hashed passwords (bcrypt), session protections, server hardening, and access controls. No system is perfectly secure, however, and we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a high risk to you, we will notify you and the ODPC as required by Section 43 of the DPA.
10. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.
11. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 14 days before the change takes effect.
12. Contact
Questions about this Policy or your personal data? Email privacy@myduka.link.