Legal

Privacy Policy

How Shosho's Kiondo collects, uses, and protects your personal information.

Business: Shosho's Kiondo Owner: Brenda Cheptoo Location: Nairobi, Kenya Last Updated: January 2025 Contact: hello@shoshoskiondo.co.ke
Summary: Shosho's Kiondo collects only the personal information necessary to process your orders and provide our service. We do not sell your data to third parties. We use Google Firebase for secure authentication and Firestore as our database. You have full rights over your data at any time.

1. Who We Are

Shosho's Kiondo is an online organic food shop based in Nairobi, Kenya, owned and operated by Brenda Cheptoo. We sell fresh organic produce, nuts, proteins, carbohydrates, and fruits, delivered directly to our customers across Nairobi.

This Privacy Policy explains how we handle personal data collected through our website at shoshoskiondo.co.ke (and any associated Vercel-hosted domain).

2. What Information We Collect

2.1 Information You Provide Directly

  • Account registration: your name, email address, and phone number when you create an account
  • Google Sign-In: your Google display name, email address, and profile photo (if you sign in via Google)
  • Order information: your delivery address, phone number, and any special delivery instructions (including accessibility needs)
  • Contact form: your name, email, phone number, and the content of your message when you use our contact form

2.2 Information Collected Automatically

  • Usage data: pages visited and actions taken on our website (collected by Firebase Analytics if enabled)
  • Device information: browser type, operating system, and IP address (collected by Firebase and Vercel infrastructure)
  • Authentication tokens: stored in your browser's local storage to keep you logged in between sessions

2.3 Payment Information

We do not collect or store payment card details. Payments are made via M-Pesa directly through Safaricom's platform. We only record confirmation that a payment was made and the order total amount.

3. How We Use Your Information

  • To process and deliver your orders — we need your name, address, and phone to fulfil deliveries
  • To manage your account and allow you to view your order history
  • To communicate with you about your order status, delivery updates, and responses to your enquiries
  • To improve our service — understanding what products are popular and how customers use our website
  • To comply with legal obligations under Kenyan law including the Data Protection Act 2019

We will never use your personal information for unsolicited marketing without your explicit consent, and we will never sell or rent your data to third parties.

4. Legal Basis for Processing (Kenya Data Protection Act 2019)

Under the Kenya Data Protection Act 2019, we process your personal data on the following lawful bases:

  • Contract performance: processing your name, address and contact details is necessary to fulfil your order
  • Consent: you consent to account creation when you register; you may withdraw this consent at any time by deleting your account
  • Legitimate interests: we have a legitimate interest in understanding how our website is used to improve it, provided this does not override your rights

5. How We Store and Protect Your Data

Your data is stored in Google Firebase Firestore, a cloud database hosted on Google's secure infrastructure. Firebase is certified to industry standards including ISO 27001 and SOC 1/2/3.

  • All data is encrypted in transit (HTTPS/TLS) and at rest
  • Access to our Firestore database is restricted by Firebase security rules — only authorised administrators can access customer data
  • Authentication is handled by Firebase Authentication, which uses industry-standard OAuth 2.0 and encrypted credential storage
  • We do not store passwords in our database — Firebase manages password hashing and storage securely

6. Sharing of Your Information

We share your personal data only in the following limited circumstances:

  • Our delivery riders — your name, phone number, address, and any accessibility/disability notes are shared with the rider assigned to your delivery
  • Google Firebase — as our authentication and database provider (Google's privacy policy applies: policies.google.com/privacy)
  • Vercel — our website hosting provider may log IP addresses and request data as part of standard infrastructure operation (vercel.com/legal/privacy-policy)
  • Legal requirements — if required by Kenyan law, court order, or government authority

We do not share your data with advertising networks, data brokers, social media platforms, or any other third parties for commercial purposes.

7. Accessibility and Disability Information

If you voluntarily provide information about a disability or special delivery requirement during checkout, this information is used solely to instruct our delivery riders and ensure an accessible service. This sensitive information is:

  • Stored securely in our Firestore database
  • Visible only to our admin team and the assigned delivery rider
  • Never shared with third parties beyond the delivery context
  • Deleted upon your request at any time

8. Cookies and Local Storage

Our website uses browser local storage (similar to cookies) to:

  • Keep you logged in between browser sessions (Firebase authentication token)
  • Remember items in your shopping cart

We do not use advertising cookies or third-party tracking cookies. You can clear your browser's local storage at any time through your browser settings, which will log you out and clear your cart.

9. Your Rights Under the Kenya Data Protection Act 2019

As a data subject under Kenyan law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate personal data (you can also update most details directly in your account profile)
  • Deletion — request that we delete your personal data ("right to be forgotten"). We will comply within 30 days, subject to legal obligations to retain certain order records
  • Portability — request your data in a machine-readable format
  • Objection — object to processing of your data for purposes beyond order fulfilment
  • Withdraw consent — you may withdraw your consent to data processing at any time by contacting us or deleting your account

To exercise any of these rights, contact us at shoshoskiondo@gmail.com or via WhatsApp at +254 141 564475. We will respond within 14 days.

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya if you believe your rights have been violated.

10. Children's Privacy

Our service is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us immediately and we will delete it.

11. Data Retention

  • Account data — retained for as long as your account is active, or until you request deletion
  • Order data — retained for 7 years in compliance with Kenyan tax and commercial law requirements
  • Contact messages — retained for 2 years, then deleted
  • Authentication logs — managed by Firebase and retained per Google's data retention policies

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify registered customers by email of any material changes. The "Last Updated" date at the top of this page will always reflect the most recent version.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Contact Us View FAQ ← Back to Home