Privacy Policy

Data Controller
Personal Data We Collect
How We Use Your Data
Legal Basis for Processing
Marketing Communications
AI Chatbot & Automated Processing
Data Sharing & Third Parties
Cross-Border Data Transfers
Data Retention
Your Rights Under the Data Protection Act
Cookies & Tracking Technologies
Data Security
Children's Privacy
Changes to This Policy
Complaints & ODPC
Contact Us

Karare - Tech Solutions ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website at k-techsolutions.co.ke (the "Platform"), interact with our WhatsApp AI Chatbot, or engage with our services.

This policy is drafted in compliance with the Data Protection Act No. 24 of 2019 of the Republic of Kenya and the regulations issued by the Office of the Data Protection Commissioner (ODPC).

1. Data Controller

The data controller responsible for your personal data is:

Entity: Karare - Tech Solutions
Address: Msanifu Kombo Road, Mombasa, Kenya
Email: info@k-techsolutions.co.ke
Phone: +254 735 494 929

For data protection enquiries, please contact us at the email address above with the subject line "Data Protection Enquiry".

2. Personal Data We Collect

We collect different categories of personal data depending on how you interact with our Platform:

2.1 Account Registration

Data	Purpose	Required?
First name, last name	Account identification, order fulfilment	Yes
Email address	Account verification (OTP), order confirmations, communications	Yes
Phone number	Account identification, SMS notifications, delivery coordination	Yes
Date of birth	Age verification (18+ eligibility)	Yes
Password	Account security (stored as bcrypt hash, never in plain text)	Yes
Newsletter preference	Marketing consent record	Optional

2.2 Orders & Transactions

Data	Purpose
Delivery address (street, city, county, postal code)	Order delivery
Order history (products, quantities, prices, dates)	Order tracking, customer service, warranty claims
Payment references (M-Pesa transaction IDs, PesaPal references)	Payment verification and reconciliation

Note: We do not store full credit/debit card numbers, M-Pesa PINs, or payment credentials. Payment processing is handled by our third-party payment providers (Safaricom M-Pesa and PesaPal).

2.3 Browsing & Shopping Activity

Data	Purpose
Product views and search queries	Service improvement, product recommendations
Wishlist items	Saved for your convenience
Shopping cart contents	Order completion, abandoned cart recovery

2.4 WhatsApp AI Chatbot Interactions

Data	Purpose
WhatsApp phone number	Identifying you in the conversation
Message content (your questions and queries)	Providing automated customer support
Conversation history and timestamps	Service quality, training, and improvement

2.5 Communications

Data	Purpose
Marketing consent status (opt-in/opt-out)	Compliance with consent requirements
Communication history (emails, SMS sent to you)	Record-keeping, unsubscribe management

2.6 Product Reviews & Ratings

Data	Purpose
Review text, star rating	Community product feedback
Display name (first name)	Attribution of review

2.7 Device & Technical Data

Data	Purpose
IP address	Security (rate limiting, fraud prevention)
Browser type and version	Ensuring Platform compatibility
Operating system	Ensuring Platform compatibility
Session cookies	Authentication, shopping cart persistence

3. How We Use Your Data

We process your personal data for the following specific purposes:

Order Fulfilment: Processing, confirming, and delivering your orders; generating invoices and receipts; handling warranty claims.
Account Management: Creating and maintaining your account; verifying your identity via OTP; enabling password resets.
Customer Service: Responding to your enquiries via email, phone, or the WhatsApp AI Chatbot; resolving complaints and disputes.
Marketing Communications: Sending promotional emails, SMS, and WhatsApp messages about new products, deals, and offers — only with your explicit opt-in consent.
Abandoned Cart Recovery: Sending you email reminders if you add items to your cart but do not complete the purchase.
Product Recommendations: Personalising your experience based on your browsing and purchase history.
Wishlist Management: Maintaining your saved products for future reference.
AI Chatbot Service: Processing your WhatsApp messages to generate automated responses using artificial intelligence.
Security & Fraud Prevention: Detecting and preventing fraudulent activity; enforcing rate limits; protecting against unauthorised access.
Analytics & Improvement: Understanding how customers use the Platform to improve our services, product range, and user experience.
Legal Compliance: Meeting our obligations under Kenyan law, including tax reporting, consumer protection, and data protection requirements.

4. Legal Basis for Processing

Under the Kenya Data Protection Act 2019, we process your data on the following legal bases:

Legal Basis	Applicable Processing
Consent (Section 32)	Marketing communications (email, SMS, WhatsApp); newsletter subscription; AI Chatbot usage; product reviews
Performance of Contract (Section 30(1)(b))	Order processing and delivery; payment processing; account creation and management; warranty claims
Legitimate Interest (Section 30(1)(f))	Fraud prevention and security; abandoned cart reminders; analytics and service improvement; customer support
Legal Obligation (Section 30(1)(c))	Tax records; regulatory compliance; responding to lawful requests from authorities

5. Marketing Communications

We will only send you marketing communications if you have given us your explicit opt-in consent during account registration or through your account settings.

5.1 Channels

Email: Promotional newsletters, new product announcements, and special offers.
SMS: Sent via our messaging partner, Onfon Media, to your registered phone number. Standard message rates may apply.
WhatsApp: Promotional messages and updates sent to your WhatsApp number.

5.2 How to Unsubscribe

You may withdraw your marketing consent at any time through any of the following methods:

Click the "unsubscribe" link at the bottom of any marketing email.
Reply STOP to any marketing SMS message.
Update your preferences in your Account settings on the Platform.
Email us at info@k-techsolutions.co.ke with the subject "Unsubscribe".

We will process your unsubscribe request promptly. Note that opting out of marketing does not affect transactional communications (order confirmations, delivery updates, security alerts).

6. AI Chatbot & Automated Processing

Our WhatsApp AI Chatbot uses artificial intelligence to process your messages and generate automated responses. You should be aware of the following:

Automated Decision-Making: The AI Chatbot uses automated processing to interpret your queries and generate responses. No human reviews individual chatbot interactions in real time.
Right to Human Review: Under Section 35 of the Data Protection Act, you have the right not to be subject to a decision based solely on automated processing that significantly affects you. If the chatbot provides information that impacts your order, payment, or account, you may request a human review by contacting us directly.
Limitations: AI responses may be inaccurate, incomplete, or inappropriate. We do not guarantee the correctness of chatbot responses. Do not rely on the AI Chatbot for critical decisions.
Data Processing: Your chatbot conversations may be processed by third-party AI service providers. These providers are bound by data processing agreements that require them to protect your data.
Storage: Chatbot conversation logs are stored for up to 12 months for service quality and dispute resolution purposes, after which they are deleted.

We may share your personal data with the following categories of third parties, strictly for the purposes described:

Third Party	Data Shared	Purpose
Safaricom (M-Pesa)	Phone number, transaction amount	Processing M-Pesa payments via Daraja API
PesaPal	Name, email, phone, transaction amount	Processing card and mobile money payments
Onfon Media	Phone number, message content	Delivering SMS notifications and marketing messages
WhatsApp / Meta	Phone number, message content	WhatsApp AI Chatbot and marketing messages
Delivery Partners	Name, phone, delivery address	Delivering your orders
Hosting Provider	All Platform data	Website hosting and infrastructure
AI Service Providers	Chatbot conversation content	Processing AI chatbot responses

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. All third parties are required to process your data in accordance with our instructions and applicable data protection laws.

8. Cross-Border Data Transfers

Some of our third-party service providers may process your data outside of Kenya. Where this occurs, we ensure that appropriate safeguards are in place as required by Section 48 of the Data Protection Act, including:

Ensuring the recipient country provides adequate data protection.
Entering into data processing agreements with appropriate contractual clauses.
Obtaining your consent where required.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

Data Category	Retention Period
Account information	Duration of your account + 2 years after deletion request
Order history and transaction records	7 years (Kenya tax law requirement)
Payment references	7 years (financial record-keeping)
Marketing consent records	Duration of consent + 2 years after withdrawal
WhatsApp AI Chatbot logs	12 months from conversation date
Email/SMS communication logs	3 years
Product reviews	Indefinitely (unless you request deletion)
Technical/device data (IP, sessions)	90 days
Abandoned cart data	6 months

After the retention period expires, data is securely deleted or anonymised so that it can no longer identify you.

10. Your Rights Under the Data Protection Act

Under the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:

Right to be Informed (Section 26): You have the right to know what personal data we collect and how we use it. This Privacy Policy fulfils this obligation.
Right of Access (Section 26(b)): You may request a copy of the personal data we hold about you.
Right to Rectification (Section 26(c)): You may request correction of inaccurate or incomplete personal data. You can also update your information directly in your Account settings.
Right to Erasure (Section 26(d)): You may request deletion of your personal data, subject to legal retention requirements (e.g., tax records).
Right to Restrict Processing: You may request that we limit how we process your data in certain circumstances.
Right to Data Portability (Section 26(f)): You may request your personal data in a structured, commonly used, machine-readable format.
Right to Object (Section 26(e)): You may object to processing of your data based on legitimate interest, including profiling and direct marketing.
Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
Right Regarding Automated Decisions (Section 35): You have the right not to be subject to decisions based solely on automated processing (including AI Chatbot responses) that significantly affect you, and to request human intervention.

How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: info@k-techsolutions.co.ke (subject: "Data Protection Request")
Post: Karare - Tech Solutions, Msanifu Kombo Road, Mombasa, Kenya

We will respond to your request within 30 days of receipt. We may request verification of your identity before processing your request. If your request is complex or involves a large volume of data, we may extend the response period by an additional 30 days, with notification.

11. Cookies & Tracking Technologies

We use the following technologies to enhance your experience on the Platform:

Technology	Type	Purpose	Duration
Session cookie (`ktech_sess`)	Essential	Maintaining your login session and CSRF protection	2 hours
localStorage (cart data)	Essential	Persisting your shopping cart contents	Until cleared
localStorage (theme preference)	Functional	Remembering your light/dark theme preference	Until cleared

We do not use third-party tracking cookies, advertising pixels, or analytics platforms that track you across other websites. Essential cookies cannot be disabled as they are necessary for the Platform to function.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

Password Hashing: All passwords are hashed using bcrypt with a cost factor of 12 and are never stored in plain text.
CSRF Protection: All state-changing requests are protected by CSRF tokens to prevent cross-site request forgery attacks.
HTTPS Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL.
Rate Limiting: We enforce rate limits on sensitive operations (login, registration, password resets) to prevent brute-force attacks.
OTP Verification: Email verification uses time-limited one-time passwords.
Session Management: Sessions expire after 2 hours of inactivity.
Parameterised Queries: All database queries use prepared statements to prevent SQL injection.
Input Sanitisation: User inputs are validated and sanitised to prevent cross-site scripting (XSS) attacks.

While we take all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

Data Breach Notification

In the event of a personal data breach, we will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach, as required by Section 43 of the Data Protection Act. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.

13. Children's Privacy

Our Platform is not intended for persons under the age of 18. We do not knowingly collect personal data from children. Our registration process requires users to be at least 18 years old, and we verify this through the date of birth provided during registration.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete such data promptly. If you believe that a child has provided us with personal data, please contact us immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

The "Last updated" date at the top of this page will be revised.
For significant changes, we will notify you via email or a prominent notice on the Platform.
Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.

We encourage you to review this Privacy Policy periodically.

15. Complaints & the ODPC

If you are not satisfied with how we handle your personal data or respond to your data protection request, you have the right to lodge a complaint with:

Office of the Data Protection Commissioner (ODPC)
Immaculate Conception Catholic Church Grounds, 5th Ngong Avenue, off Bishops Road, Nairobi
P.O. Box 93476-80111, Mombasa, Kenya
Email: complaints@odpc.go.ke
Website: www.odpc.go.ke

We encourage you to contact us first so we can attempt to resolve your concern before escalating to the ODPC.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

Company: Karare - Tech Solutions
Address: Msanifu Kombo Road, Mombasa, Kenya
Email: info@k-techsolutions.co.ke
Phone: +254 735 494 929
Website: k-techsolutions.co.ke

Table of Contents