Privacy Policy

1. Introduction

PaintSoko (“we,” “our,” or “us”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the Data Protection Act, 2019 of Kenya and other applicable laws.

By using our website paintsoko.com or our services, you consent to the collection and use of your personal data as described in this Privacy Policy.

2. Data Controller Information

PaintSoko is the data controller responsible for your personal data.

Contact Details:
Email: [your email]
Phone: [your phone number]
Physical Address: [your physical address]
Website: paintsoko.com

Data Protection Compliance:
We are registered with the Office of the Data Protection Commissioner (ODPC) in Kenya as required under the Data Protection Act, 2019.

3. Personal Data We Collect

3.1 Information You Provide Directly

When you use our website or services, we may collect:

Identity Data:

  • Full name
  • Date of birth (if provided)
  • National ID or passport number (for certain transactions)

Contact Data:

  • Physical address
  • Delivery address
  • Email address
  • Phone number(s)
  • M-Pesa details

Account Data:

  • Username and password
  • Account preferences
  • Communication preferences

Transaction Data:

  • Order history
  • Payment information
  • Products purchased
  • Delivery details
  • Invoice information

Financial Data:

  • Payment method details
  • Bank account information (for refunds)
  • Transaction records

Technical Data:

  • IP address
  • Browser type and version
  • Device information
  • Operating system
  • Time zone settings

Usage Data:

  • Pages visited on our website
  • Products viewed
  • Search queries
  • Time spent on pages
  • Referring websites

Marketing Data:

  • Your preferences for receiving marketing communications
  • Communication history with PaintSoko

3.2 Information Collected Automatically

When you visit our website, we automatically collect:

  • Device information (browser, operating system)
  • IP address and location data
  • Cookies and similar tracking technologies
  • Website usage patterns and analytics

3.3 Information from Third Parties

We may receive personal data from:

  • Payment processors (M-Pesa, banks, payment gateways)
  • Delivery service providers
  • Credit reference agencies (for business accounts)
  • Publicly available sources

4. How We Use Your Personal Data

4.1 Legal Basis for Processing

We process your personal data based on:

  • Your consent – where you have given explicit permission
  • Contract performance – to fulfill our obligations under purchase agreements
  • Legal obligation – to comply with Kenyan laws and regulations
  • Legitimate interests – for business operations that do not override your rights

4.2 Purposes of Processing

We use your personal data to:

Order Processing:

  • Process and fulfill your orders
  • Arrange delivery of products
  • Send order confirmations and updates
  • Handle returns and refunds
  • Provide customer support

Payment Processing:

  • Process payments securely
  • Verify payment information
  • Prevent fraud and unauthorized transactions
  • Issue invoices and receipts

Account Management:

  • Create and manage your account
  • Authenticate your identity
  • Provide personalized services
  • Save your preferences

Communication:

  • Respond to your inquiries
  • Send important updates about orders
  • Provide customer support
  • Request feedback on products and services

Marketing (with your consent):

  • Send promotional offers and newsletters
  • Inform you about new products
  • Share special discounts and deals
  • Conduct customer surveys

Business Operations:

  • Improve our website and services
  • Analyze customer preferences and trends
  • Conduct market research
  • Manage inventory
  • Detect and prevent fraud

Legal Compliance:

  • Comply with tax and accounting requirements
  • Respond to law enforcement requests
  • Enforce our terms and conditions
  • Protect our legal rights

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Transaction records: 7 years (for tax and accounting purposes as required by Kenyan law)
  • Account information: Until you request deletion or account closure, then 90 days
  • Marketing data: Until you withdraw consent, then 30 days
  • Website analytics: 24 months
  • Customer support records: 3 years

After the retention period, we will securely delete or anonymize your personal data.

6. How We Share Your Personal Data

6.1 Third-Party Service Providers

We may share your personal data with trusted third parties who provide services on our behalf:

Delivery Partners:

  • Courier and logistics companies for product delivery
  • Only receive information necessary for delivery (name, address, phone number)

Payment Processors:

  • M-Pesa, banks, and payment gateways
  • Process payments securely on our behalf
  • Subject to their own privacy policies

Technology Providers:

  • Website hosting services
  • Email service providers
  • Customer relationship management systems
  • Analytics platforms

Professional Advisors:

  • Legal advisors
  • Accountants and auditors
  • Business consultants

6.2 Legal Requirements

We may disclose your personal data when required by law to:

  • Law enforcement agencies
  • Regulatory authorities
  • Tax authorities
  • Courts and tribunals
  • Government agencies

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the new owner, subject to this Privacy Policy.

6.4 Data Processor Agreements

All third parties with whom we share your data are required to:

  • Process data only for specified purposes
  • Implement appropriate security measures
  • Comply with the Data Protection Act, 2019
  • Not use your data for their own purposes

7. International Data Transfers

Your personal data is primarily stored and processed within Kenya. If we need to transfer your data outside Kenya, we will:

  • Ensure the destination country has adequate data protection laws, or
  • Obtain your explicit consent, or
  • Implement appropriate safeguards (such as standard contractual clauses)
  • Notify the Office of the Data Protection Commissioner as required

We will only transfer data internationally when necessary and with appropriate protections in place.

8. Data Security

8.1 Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

Technical Measures:

  • SSL/TLS encryption for data transmission
  • Secure servers and databases
  • Regular security updates and patches
  • Firewall protection
  • Intrusion detection systems

Organizational Measures:

  • Access controls and authentication
  • Employee training on data protection
  • Confidentiality agreements
  • Regular security audits
  • Incident response procedures

8.2 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights:

  • We will notify the Office of the Data Protection Commissioner within 72 hours
  • We will notify affected individuals without undue delay
  • We will take immediate steps to mitigate the breach

8.3 Your Responsibility

You are responsible for:

  • Keeping your account credentials secure
  • Using strong passwords
  • Not sharing your account with others
  • Notifying us of any security concerns

9. Your Rights as a Data Subject

Under the Data Protection Act, 2019, you have the following rights:

9.1 Right to Access

You have the right to request:

  • Confirmation that we process your personal data
  • Access to your personal data
  • Information about how we use your data

9.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data when:

  • It is no longer necessary for the purpose collected
  • You withdraw consent
  • You object to processing
  • The data was unlawfully processed

9.4 Right to Restriction of Processing

You can request that we limit how we use your data in certain circumstances.

9.5 Right to Data Portability

You can request your personal data in a structured, commonly used format for transfer to another service provider.

9.6 Right to Object

You can object to:

  • Processing based on legitimate interests
  • Direct marketing communications
  • Automated decision-making

9.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):

Office of the Data Protection Commissioner
Britam Towers, 12th Floor
Hospital Road, Upper Hill
Nairobi, Kenya
Email: [ODPC email]
Website: www.odpc.go.ke

10. How to Exercise Your Rights

To exercise any of your data protection rights:

  1. Contact us via email or phone with your request
  2. Verify your identity – we may request identification to protect your data
  3. Specify your request – clearly state which right you wish to exercise
  4. Response time – we will respond within 30 days

There is no charge for most requests. However, we may charge a reasonable fee for excessive or repeated requests.

11. Cookies and Tracking Technologies

11.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide a better user experience.

11.2 Types of Cookies We Use

Essential Cookies:

  • Required for website functionality
  • Enable shopping cart and checkout
  • Maintain your session
  • Cannot be disabled

Analytics Cookies:

  • Help us understand how visitors use our site
  • Collect anonymous usage data
  • Improve website performance
  • Used with your consent

Marketing Cookies:

  • Remember your preferences
  • Provide personalized content
  • Track marketing campaign effectiveness
  • Used with your consent

Third-Party Cookies:

  • Social media plugins
  • Payment processors
  • Analytics providers

11.3 Managing Cookies

You can control cookies through:

  • Our cookie consent banner
  • Your browser settings
  • Browser plugins
  • Opting out of specific services

Note that disabling certain cookies may affect website functionality.

12. Children’s Privacy

Our services are not directed at children under 18 years of age. We do not knowingly collect personal data from minors without parental consent.

If we become aware that we have collected data from a child without consent:

  • We will delete the information immediately
  • We will notify the parent or guardian
  • We will not use the data for any purpose

Parents or guardians who believe we have collected their child’s data should contact us immediately.

13. Marketing Communications

13.1 Consent

We will only send you marketing communications if:

  • You have opted in to receive them
  • You are an existing customer and we are marketing similar products

13.2 Unsubscribing

You can opt out of marketing communications at any time by:

  • Clicking the “unsubscribe” link in emails
  • Contacting our customer service
  • Updating your account preferences
  • Sending an SMS with “STOP”

You will continue to receive transactional emails (order confirmations, delivery updates) even after unsubscribing from marketing.

14. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for:

  • The privacy practices of external sites
  • The content of linked websites
  • Data collection by third parties

We encourage you to read the privacy policies of any websites you visit.

15. Automated Decision-Making

We may use automated decision-making for:

  • Fraud detection and prevention
  • Credit assessments (for business accounts)
  • Personalized product recommendations

You have the right to:

  • Request human intervention
  • Challenge automated decisions
  • Express your point of view

16. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our practices
  • Legal or regulatory requirements
  • New features or services

Notification of Changes:

  • Material changes will be communicated via email
  • Updated policy will be posted on our website
  • Effective date will be updated
  • Continued use constitutes acceptance

We encourage you to review this Privacy Policy periodically.

17. Data Protection Officer

For questions about data protection or to exercise your rights, contact:

Data Protection Contact:
Email: [DPO email]
Phone: [DPO phone number]
Address: [PaintSoko address]

18. Additional Information for Business Customers

If you are a business customer, we may also collect:

  • Business registration details
  • Tax information (PIN number)
  • Credit information
  • Business contact details
  • Trade references

This information is used for:

  • Credit assessments
  • Business account management
  • Regulatory compliance
  • Invoice processing

19. Your Consent

By using our website and services, you consent to:

  • The collection and use of your personal data as described
  • The transfer of data to third-party service providers
  • The use of cookies and tracking technologies (where you have opted in)

You can withdraw your consent at any time by contacting us.

20. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data:

PaintSoko
Email: info@paintsoko.com
Phone: +254 718 291301
Address: Bamboo Gardens along the Ruiru-Tatu City road
Website: paintsoko.com

We are committed to protecting your privacy and handling your personal data responsibly in accordance with Kenyan law.

PaintSoko – Your Privacy Matters to Us