Data, privacy, and KDPA
cart.ke is bound by the Kenya Data Protection Act (KDPA, 2019). See /legal/privacy for the full policy and /legal/data-request to exercise your data-subject rights.
What we hold: your email, your store data (handle, products, photos, prices), your subscription history, and anonymous buyer-side analytics (visit counts and WhatsApp-click counts, kept in raw form for 90 days). We do not hold any buyer name or phone number, and browsing or ordering never collects a buyer's email — buyers reach you directly on WhatsApp. There are two exceptions where a buyer's email may be collected: if someone uses the report-a-store form and opts in to be contacted, we keep the email they leave so moderation can follow up (otherwise we keep only a one-way hash to spot duplicate reports); and if a buyer files a data-request at /legal/data-request, they enter an email so we can reply to that request.
Where it's stored: in Supabase's EU-Ireland region.
Sub-processors: see /legal/privacy.