Privacy & Data Protection Policy

Effective Date: 22 February 2026 | Last Updated: March 2026

1. Introduction & Data Controller

Veesa Solutions Ltd (trading as Veesa Solutions), located at Bazaar Plaza, 1 Moi Avenue, Nairobi, is the data controller responsible for your personal data within the meaning of Section 2 of the Data Protection Act, 2019 (No. 24 of 2019) ("the Act").

This Policy explains how we collect, process, store, and protect your personal data in compliance with the Act and Article 31(c) and (d) of the Constitution of Kenya, 2010, which guarantees your right to privacy.

By using our website (veesasolutions.co.ke), you acknowledge that you have read and understood this Policy. This platform is intended exclusively for persons aged 18 years and above.

Data Protection Contact

For all data protection enquiries and rights requests:

Email: privacy@veesasolutions.co.ke

Website: veesasolutions.co.ke/privacy

2. Personal Data We Collect

In accordance with Section 28 of the Act, we collect personal data directly from you. The categories include:

  • Identity Data: Full name, username or account identifier.
  • Contact Data: Shipping address (county, town, street, building), email address, phone number including M-Pesa registered number.
  • Transaction Data: Order history, payment amounts, M-Pesa receipt numbers, payment method used.
  • Technical Data: IP address, recorded exclusively at the point of consent as an audit record of lawful processing. This data is not used for any other purpose.
  • Account Data: Secured account credentials, login timestamps, session identifiers.
  • Google Account Data (if you sign in with Google): Name, email address, and profile picture — received from Google solely for account creation and authentication. We do not receive your Google password at any point.

We do not collect sensitive personal data as defined under Section 44 of the Act (race, health status, biometric data, or any equivalent category).

3. Legal Basis for Processing

Under Section 30 of the Act, we process your personal data on the following lawful grounds:

  • Performance of Contract (s.30(1)(b)(i)): To process and deliver your orders, manage your account, and coordinate M-Pesa payment processing and physical delivery.
  • Consent (s.30(1)(a)): Where you have given express, specific, and unambiguous consent via the unticked checkbox at the shipping address stage of checkout, prior to any personal data being permanently stored.
  • Legal Obligation (s.30(1)(b)(ii)): To comply with Kenya Revenue Authority tax obligations and financial record-keeping statutes mandating retention of fiscal records for a minimum of seven years.
  • Legitimate Interests (s.30(1)(b)(vii)): To record IP addresses at the point of consent as an audit record, to prevent fraud, and to secure our platform — provided this does not override your fundamental rights and freedoms.

4. How We Use Your Data

In line with the data minimisation principle under Section 25(d) of the Act, we process only the data necessary for each purpose:

  • To register and manage your customer account.
  • To process, fulfil, and deliver your orders including M-Pesa payment processing and courier dispatch.
  • To send transactional communications: order confirmations, payment receipts, delivery updates, and refund notifications.
  • To detect and prevent fraud, unauthorised M-Pesa reversals, and unauthorised access to accounts.
  • To comply with legal obligations including KRA tax reporting and audit trail maintenance.
  • To maintain records evidencing lawful consent and processing for regulatory compliance purposes.

We do not use your data for profiling, automated decision-making, behavioural advertising, or direct marketing of any kind, as described under Section 35 of the Act.

5. Third-Party Data Processors

In accordance with Section 42 of the Act, we only share your data with processors who have appropriate contractual safeguards. Each processor is contractually bound to process your data only as instructed by us, to maintain appropriate security measures, and to notify us without undue delay of any personal data breach.

  • Safaricom PLC — M-Pesa payment processing. Receives your phone number and payment amount to process STK Push requests. Kenya-registered licensed entity regulated by the Communications Authority of Kenya and the Central Bank of Kenya.
  • Fargo Courier / G4S Kenya — Delivery services. Receive your name, phone number, and shipping address for delivery purposes only. Kenya-registered entities operating exclusively within Kenya.
  • Cloud Hosting Provider — Application hosting and edge infrastructure. Independently security certified. Data Processing Agreement on file.
  • Managed Database Provider — Database infrastructure where your personal data is stored persistently. Data encrypted in transit and at rest. Data Processing Agreement on file.
  • Transactional Email Provider — Receives your name and email address solely to deliver order confirmations, payment receipts, and delivery notifications. Data Processing Agreement on file.
  • Security Monitoring Provider — Receives anonymised error telemetry only. No plaintext personal data is included in any data transmitted to this provider. Data Processing Agreement on file.
  • Platform Security Provider — Processes IP-derived rate limiting keys and session token identifiers solely for platform security and abuse prevention. No names, email addresses, phone numbers, or delivery addresses are transmitted. Data Processing Agreement on file.
  • Google LLC (United States) — Authentication services. When you choose to sign in with Google, we receive your name, email address, and profile picture from your Google account solely to create and manage your Veesa Solutions account. We do not receive your Google password. ISO/IEC 27001 certified. Google's use of this data is governed by the Google Privacy Policy.

A complete list of our data processors and their Data Processing Agreements is available to the Office of the Data Protection Commissioner upon request.

6. Cross-Border Data Transfers

We transfer personal data outside Kenya only where appropriate safeguards exist in accordance with Sections 48 and 49 of the Act and Regulation 41(1)(a) of the Data Protection (General) Regulations, 2021. Our infrastructure is hosted with cloud providers in jurisdictions with commensurate data protection laws. Each processor located outside Kenya is bound by a written Data Processing Agreement providing a level of protection materially equivalent to that required by the Act.

Full details of our processors and their Data Processing Agreements are available to the Office of the Data Protection Commissioner upon request.

7. Data Retention

Under Section 39 of the Act, we retain personal data only as long as necessary:

  • Order & Transaction Data: Retained for 7 years from the transaction date as required by Kenyan tax and accounting statutes.
  • Delivery Address Data: Retained for 7 years tied to the order record. Anonymised upon receipt of a verified erasure request.
  • Account & Profile Data: Retained for the duration of your active account plus 7 years. Anonymised upon verified erasure request.
  • Consent Audit Records & IP Addresses: Retained permanently as evidence of lawful processing for regulatory and legal purposes.
  • Guest Session Tokens & Abandoned Cart Data: Automatically purged after 30 days of inactivity.

Upon expiry of applicable retention periods, personal data is anonymised — all personally identifiable attributes are permanently removed — while the financial record structure is preserved where legally required. The resulting record cannot identify any natural person, in accordance with Section 39(2) of the Act.

8. Your Rights Under the Data Protection Act

Section 26 of the Act grants you the following rights. To exercise any right, contact privacy@veesasolutions.co.ke. No fee is charged. We acknowledge all requests within 48 hours.

  • Right to be Informed (s.26(a)): To know how your personal data is used — fulfilled by this Policy.
  • Right of Access (s.26(b)): To request a copy of all personal data we hold about you, together with information on processing purposes, recipients, and retention periods. Fulfilled within 7 days of a verified request.
  • Right to Correction (s.26(d) & s.40(1)(a)): To request correction of inaccurate, incomplete, or misleading data. Fulfilled within 14 days.
  • Right to Deletion (s.26(e) & s.40(1)(b)): To request erasure of your personal data. Fulfilled via anonymisation of your profile — all personally identifiable attributes permanently removed while financial records are preserved to meet mandatory retention obligations. Fulfilled within 14 days.
  • Right to Object (s.26(c)): To object to the processing of your personal data. Reviewed within 14 days. Where processing is for direct marketing (which we do not conduct), objection is absolute and honoured immediately.
  • Right to Restrict Processing (s.34): To request restriction of processing on grounds of contested accuracy, unlawful processing, or pending objection. Fulfilled within 14 days.
  • Right to Data Portability (s.38): To receive your data in a structured, machine-readable format. Fulfilled within 30 days via request to privacy@veesasolutions.co.ke.

9. Consent & Withdrawal

In accordance with Section 32 of the Act:

  • You provide consent via an unticked checkbox at the shipping address stage of checkout, prior to any personal data being permanently stored or any payment being initiated.
  • You may withdraw consent at any time (s.32(2)) by contacting privacy@veesasolutions.co.ke or deleting your account.
  • Withdrawal of consent does not affect the lawfulness of processing conducted before the withdrawal (s.32(3)).
  • Certain data will be retained after withdrawal where required by law, including KRA tax records for 7 years.

10. Children's Data

This platform is not directed at persons under the age of 18. We do not knowingly collect personal data from children. In the event that personal data is collected from a person under the age of 18, we will immediately suspend the relevant account, permanently delete or anonymise the personal data within 48 hours, and notify the Office of the Data Protection Commissioner where appropriate, in compliance with Section 33 of the Act.

11. Data Breach Notification

In accordance with Section 43 of the Act:

  • In the event of a personal data breach posing a real risk of harm, we will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware (s.43(1)(a)).
  • We will notify affected data subjects without undue delay with a description of the breach, measures taken, and recommended protective steps including changing account passwords and monitoring your M-Pesa account (s.43(5)).
  • We maintain appropriate technical and organisational security measures in accordance with Sections 41 and 42 of the Act to protect your personal data against unauthorised access, loss, or destruction.

12. Cookies

We use only essential cookies strictly necessary for the operation of our website:

  • Session Cookie: Maintains your login state and shopping cart. Expires when you close your browser or your session ends.
  • Authentication Token: Securely identifies your account after login. Expires after 30 days.

We do not use third-party tracking cookies, advertising cookies, or analytics cookies of any kind.

13. Contact & Complaints

For any data protection enquiry or to exercise your rights, contact our Data Protection Officer:

Veesa Solutions Ltd

Data Controller & Data Protection Contact

Address: Bazaar Plaza, 1 Moi Avenue, Nairobi, Kenya

Phone: 0700 548177

Data Protection Email: privacy@veesasolutions.co.ke

General Enquiries: orders@veesasolutions.co.ke

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner in accordance with Section 56 of the Act.

Office of the Data Protection Commissioner

Website: www.odpc.go.ke