
Privacy Policy

Last updated April 26, 2026

Last updated: 16 April 2026

This Privacy Policy explains how MyDuka ("we", "us", "our") collects, uses, shares, and protects personal data when you use myduka.link and the related shops, dashboards, and tools (the "Service"). It is written to comply with the Kenya Data Protection Act, 2019 ("DPA") and, where relevant, the EU/UK General Data Protection Regulation ("GDPR").

1. Who is the data controller

The data controller for personal data we collect about you is MyDuka, a business operating in Kenya. You can contact our Data Protection Officer at privacy@myduka.link.

Important: If you are a customer buying from a shop hosted on our platform, the Seller is the controller of the personal data you provide to complete your order (name, address, phone, order details). We act as a processor on the Seller's behalf for that data. Contact the Seller directly with privacy questions about your purchase.

2. What data we collect

Account data (Sellers): name, email, phone, password (hashed), shop name, subdomain, business details, profile photo if uploaded.

Shop content: products, images, prices, categories, custom domain settings, and any other content you choose to add to your shop.

Order metadata: when a customer places an order on a shop, we store the order details (items, prices, customer name, contact, delivery address, order status) on the Seller's behalf so the Seller can fulfil the order.

Payment data: when you connect a payment provider (M-Pesa, Stripe, PayPal, Pesapal, PayHero), we store the connection credentials needed to route payments. We do not store full card numbers or M-Pesa PINs — those go directly to the payment provider.

Subscription billing: if you are on a paid plan, our payment processor stores your card details on our behalf. We only retain the last four digits, card brand, and billing history.

Usage and device data: IP address, browser type, operating system, pages visited, referring URL, and timestamps. Collected via server logs and cookies.

Communications: emails you send us, support messages, and our replies.

3. Why we use it (legal bases)

We process personal data for the following purposes, with the following lawful bases under the DPA and GDPR:

4. Cookies and tracking

We use cookies and similar technologies for: keeping you logged in (essential), remembering your preferences (functional), and measuring traffic (analytics — Google Analytics 4, and where you have configured it as a Seller, Facebook Pixel and Google Ads). Essential cookies are set automatically; analytics cookies are set on a legitimate-interests basis with the right to opt out by clearing or blocking cookies in your browser. Parts of the Service may not work without essential cookies.

5. Who we share data with

We share personal data only with the following categories of recipients, and only as needed:

We do not sell your personal data.

6. International transfers

Some of our service providers (for example, Google, Stripe, PayPal) are located outside Kenya, including in the United States and the European Union. When we transfer personal data outside Kenya, we rely on the safeguards permitted by Section 48 of the DPA, including the recipient being subject to a comparable data protection law, contractual safeguards, or your explicit consent.

7. How long we keep data

8. Your rights under the DPA

Subject to limits in the law, you have the right to:

To exercise any of these rights, email privacy@myduka.link. We will respond within 30 days.

9. Security

We protect personal data with industry-standard measures: encrypted connections (HTTPS/TLS), hashed passwords (bcrypt), session protections, server hardening, and access controls. No system is perfectly secure, however, and we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to result in a high risk to you, we will notify you and the ODPC as required by Section 43 of the DPA.

10. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.

11. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 14 days before the change takes effect.

12. Contact

Questions about this Policy or your personal data? Email privacy@myduka.link.

WhatsApp support@myduka.link +254797 560 650