Introduction
1.1 Who We Are
CYAN, BLUES & MWANGI LIMITED (hereinafter "the Company," "we," "us," or "our") is a limited liability company incorporated under the laws of the Republic of Kenya.
We develop and operate a diverse portfolio of digital products and services, including mobile applications, games, web applications, SaaS platforms, e-commerce stores, and content properties. We are passionate about creating technology that serves our users while respecting their privacy and data rights.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data across all our platforms and services.
1.2 What This Policy Covers
This Privacy Policy applies to all products, services, and platforms operated by the Company, including but not limited to:
Digital Platforms:
- Website: mwangi.co.ke and associated domains
- Mobile Applications: iOS and Android apps distributed through Apple App Store and Google Play Store
- Games: Mobile games, web-based games, and browser games
- Web Applications: Browser-based tools and utilities
- SaaS Products: Software as a Service platforms with user accounts and subscriptions
E-Commerce Operations:
- Shopify Stores: Customer purchases, order processing, shipping
- Etsy Marketplace: Buyer and seller transactions
- Amazon Marketplace: Product sales and fulfillment
- Self-Hosted Stores: Direct e-commerce platforms
Content Properties:
- Blogs: Multiple blog properties across various topics
- Newsletters: Email subscriptions and communications
- Social Media: Company presence on social platforms
Developer Tools:
- APIs: Application Programming Interfaces
- SDKs: Software Development Kits
- Documentation: Technical resources and guides
1.3 Our Privacy Philosophy
We collect only what we need. We protect what we collect. We delete what we don't need.
Core Principles:
- Transparency: We tell you exactly what data we collect and why
- User Control: You have rights over your data, and we honor them
- Minimal Collection: We don't collect data "just in case" - every data point has a purpose
- No Data Sales: We do NOT sell, rent, or trade your personal data to third parties for monetary or other valuable consideration
- Security First: We implement reasonable safeguards to protect your data
- Compliance: We comply with Kenya Data Protection Act 2019, GDPR, CCPA, COPPA, and applicable laws
1.4 Important Notice Regarding Limited Liability
CRITICAL DISCLOSURE: While we implement reasonable security measures and comply with applicable data protection laws, we make NO WARRANTY of absolute data security. You acknowledge that internet transmission is inherently insecure and use our services at your own risk. See Section 16 (Disclaimers & Limitations of Liability) for complete details.
Data Controller Information
2.1 Company Details
Legal Name: CYAN, BLUES & MWANGI LIMITED
Company Registration Number: CR/214365879/2025
Registered Office: 13th Flr. Dream House, Baraka Road, Nanyuki, Kenya
Email: hello@mwangi.co.ke
Website: https://mwangi.co.ke
2.2 Contact Email Addresses
| Purpose | Email Address |
|---|---|
| General Inquiries | hello@mwangi.co.ke |
| Customer Support | support@mwangi.co.ke |
| Privacy & Data Protection | privacy@mwangi.co.ke |
| Data Protection Officer (DPO) | dpo@mwangi.co.ke |
| Legal & DMCA | legal@mwangi.co.ke |
| Business Partnerships | business@mwangi.co.ke |
| Billing & Refunds | billing@mwangi.co.ke |
2.3 Data Protection Officer (DPO)
Status: Will be designated when required under Section 24 of the Kenya Data Protection Act, 2019.
As we grow and if we meet the threshold that triggers mandatory DPO designation (large-scale systematic monitoring or large-scale processing of sensitive personal data), we will designate a Data Protection Officer and update this policy accordingly.
For now, all data protection inquiries should be directed to privacy@mwangi.co.ke.
2.4 EU Representative
Status: Not required under GDPR Article 27.
We are not required to designate an EU representative because we only occasionally process data of EU residents and do not have an establishment in the EU.
EU data subjects should contact us directly at privacy@mwangi.co.ke.
Definitions
To help you understand this Privacy Policy, key terms are defined below:
- "Personal Data" or "Personal Information"
- means any information relating to an identified or identifiable natural person, including but not limited to name, email address, phone number, physical address, IP address, device identifiers, location data, payment information, browsing history, and any other data that can directly or indirectly identify you.
- "Processing"
- means any operation or set of operations performed on Personal Data, whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, restriction, erasure, or destruction.
- "Data Controller"
- means the entity that determines the purposes and means of processing Personal Data. For all services covered by this Privacy Policy, CYAN, BLUES & MWANGI LIMITED is the Data Controller.
- "Data Processor"
- means a person or entity that processes Personal Data on behalf of the Data Controller. Our third-party service providers (e.g., Apple, Google, Shopify, AWS) are Data Processors.
- "Data Subject"
- means you - the individual whose Personal Data is being processed.
- "Sensitive Personal Data"
- means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation. We do NOT intentionally collect Sensitive Personal Data.
- "Consent"
- means any freely given, specific, informed, and unambiguous indication of your wishes by which you signify agreement to the processing of your Personal Data, typically by a statement or clear affirmative action.
- "Cookies"
- means small text files placed on your device by websites or applications to store data that can be recalled by a web server or application.
- "Third Country"
- means any country outside the Republic of Kenya and, for EU residents, any country outside the European Economic Area (EEA).
- "Standard Contractual Clauses" (SCCs)
- means contractual commitments approved by the European Commission for transfers of Personal Data to Third Countries.
- "Services"
- means all platforms, products, and services operated by the Company, as described in Section 1.2.
- "User" or "You"
- means any individual who accesses or uses our Services.
What Data We Collect
We collect different types of Personal Data depending on which Services you use and how you interact with them. This section provides a comprehensive breakdown by platform.
4.1 Website & Blog Data
When you visit our website or blog:
| Data Type | Examples | Purpose | Collection Method |
|---|---|---|---|
| Browsing Data | Pages viewed, time on site, click patterns, scroll depth | Analytics, content improvement, user experience optimization | Automatic (Google Analytics, server logs) |
| Device Data | Browser type, OS, screen resolution, device type (mobile/desktop/tablet) | Responsive design, compatibility testing | Automatic (HTTP headers) |
| IP Address | IPv4/IPv6 address (anonymized in analytics) | Geographic analytics, security, fraud prevention | Automatic (server logs, analytics) |
| Referral Source | How you found us (Google search, social media, direct link, etc.) | Marketing effectiveness, content strategy | Automatic (HTTP referrer) |
| Cookies | Analytics cookies, preference cookies | Session tracking, user preferences, analytics | Automatic (with consent via cookie banner) |
When you submit our contact form:
| Data Type | Examples | Purpose | Retention |
|---|---|---|---|
| Name | First and last name | Personalized communication | 2 years from last contact |
| Email Address | your@email.com | Response to inquiry | 2 years from last contact |
| Message Content | Your inquiry, feedback, or request | Address your specific needs | 2 years from last contact |
| Request Type | General inquiry, bug report, business proposal, GDPR request | Routing and prioritization | 2 years from last contact |
| Metadata | Submission timestamp, IP address, User-Agent | Security, spam prevention, abuse detection | 2 years from last contact |
4.2 Mobile Apps & Games Data
When you use our mobile applications or games:
| Data Type | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Device Identifiers | IDFA (iOS), Android Advertising ID, device model, OS version | Analytics, crash reporting, feature compatibility | Legitimate interest |
| Gameplay Data | Scores, achievements, progress, session duration, levels completed | Game functionality, leaderboards, progress saving | Performance of contract |
| In-App Analytics | Feature usage, screen views, user flows, engagement metrics | App improvement, feature development | Legitimate interest |
| Crash Reports | Stack traces, device state, app version, error logs | Bug fixing, stability improvement | Legitimate interest |
| Push Notification Tokens | FCM token (Android), APNs token (iOS) | Send notifications with user consent | Consent |
| Location Data (if applicable) | GPS coordinates, approximate location | Location-based features (only if app requires) | Consent |
| In-App Purchase Data | Purchase history, transaction IDs, receipt validation | Transaction processing, fraud prevention | Performance of contract |
| Social Features (if applicable) | Friends list, chat messages, shared content | Multiplayer, social features | Performance of contract |
| Advertising Data (if ads present) | Ad impressions, clicks, conversions | Ad performance measurement | Legitimate interest (with opt-out) |
Third-Party Processing:
- Apple App Store: Receives purchase data, analytics, crash reports
- Google Play Store: Receives purchase data, analytics, crash reports
- Firebase (Google): Analytics, crash reporting, cloud messaging
4.3 SaaS & Web Application Data
When you create an account and use our SaaS products:
| Data Type | Examples | Purpose | Retention |
|---|---|---|---|
| Account Data | Username, email, password (hashed), display name | Account creation, authentication | Until account deletion + 30 days |
| Profile Data | Profile photo, bio, preferences, settings | Personalization, user experience | Until account deletion |
| Subscription Data | Plan type, billing cycle, payment method (tokenized), billing history | Subscription management, billing | 7 years (tax/accounting requirements) |
| Usage Data | Features used, API calls, storage consumed, bandwidth usage | Usage monitoring, billing, performance optimization | 12 months (then aggregated) |
| User Content | Files uploaded, data stored, configurations created | Service delivery, data storage | Until deletion by user or account closure |
| Support Data | Support tickets, chat logs, email correspondence | Customer support, issue resolution | 3 years from ticket closure |
| Billing Data | Invoices, payment confirmations, tax information | Accounting, tax compliance | 7 years (Kenya Tax Law) |
4.4 E-Commerce Data
When you make a purchase through our Shopify, Etsy, Amazon stores, or self-hosted platforms:
| Data Type | Examples | Purpose | Retention |
|---|---|---|---|
| Customer Data | Name, email, phone number | Order communication, customer service | 7 years (accounting/tax) |
| Shipping Data | Delivery address, city, postal code, country | Order fulfillment, shipping | 7 years (accounting/tax) |
| Payment Data | Payment method, billing address, transaction IDs (NOT full card numbers - PCI-DSS) | Payment processing | 7 years (tokenized; full card data NOT stored) |
| Order History | Products purchased, quantities, prices, order dates | Order tracking, returns, customer service | 7 years (accounting/tax) |
| Browsing Data | Products viewed, cart contents, wish lists | Personalization, abandoned cart recovery | 90 days |
| Reviews & Ratings | Product reviews, ratings, comments | Social proof, product improvement | Until review deletion |
| Returns Data | Return requests, reasons, refund processing | Returns management, quality control | 7 years (accounting/tax) |
Third-Party E-Commerce Platforms:
- Shopify: Processes customer data, payment data, order data
- Etsy: Processes buyer/seller communication, transaction data
- Amazon: Processes orders, customer data, fulfillment data (FBA)
- Payment Processors: Stripe, PayPal, M-Pesa process payment information
CRITICAL NOTICE: We do NOT store full credit card numbers. Payment data is processed by PCI-DSS compliant third-party processors (Stripe, PayPal, Shopify Payments, etc.). We receive only tokenized payment methods and transaction confirmations.
4.5 Blog Comments & Newsletter Data
When you comment on our blogs or subscribe to newsletters:
| Data Type | Examples | Purpose | Retention |
|---|---|---|---|
| Comment Data | Name, email, comment text, website URL (optional) | Display comments, spam prevention | Until comment deletion |
| Newsletter Data | Email address, subscription preferences, topics of interest | Send newsletters, content updates | Until unsubscribe + 30 days |
| Engagement Data | Email opens, link clicks, unsubscribes | Newsletter effectiveness, content optimization | 12 months |
4.6 Marketing & Social Media Data
When you interact with us on social media or through marketing campaigns:
| Data Type | Examples | Purpose | Collection Method |
|---|---|---|---|
| Social Media Interactions | Comments, likes, shares, mentions, DMs | Engagement, customer service, community building | Social media platforms |
| Marketing Campaign Data | Ad impressions, clicks, conversions, referral sources | Campaign effectiveness, ROI measurement | Marketing platforms (Facebook Ads, Google Ads) |
IMPORTANT: We do NOT scrape social media profiles. We only process publicly available data you choose to share when interacting with our social media accounts.
4.7 What We DON'T Collect (Explicit Exclusions)
To be absolutely clear, we DO NOT collect:
- Sensitive Personal Data: Race, ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data (unless explicitly required and consented for authentication), health data, sex life, sexual orientation
- Financial Account Credentials: Bank account passwords, credit card CVV codes, PIN numbers
- Government IDs (unless legally required): National ID numbers, passport numbers, driver's license numbers (except where required for age verification or legal compliance)
- Children's Data (under 13): We do not knowingly collect Personal Data from children under 13 years of age
- Microphone or Camera Data (unless explicitly permitted): No background recording or surveillance
- Precise Geolocation (unless explicitly permitted): No continuous GPS tracking (only if user enables location features in apps)
Legal Basis for Processing
We process your Personal Data only when we have a valid legal basis under applicable data protection laws.
5.1 Kenya Data Protection Act, 2019 (Section 30)
Consent (Section 30(1)(a)):
We rely on your consent for:
- Cookies and analytics tracking (cookie banner consent)
- Marketing communications (newsletter subscriptions)
- Location data processing in mobile apps (in-app permission)
- Push notifications (device-level permission)
- Optional data sharing (e.g., social features in games)
How consent works: Consent must be freely given, specific, informed, and unambiguous. You may withdraw consent at any time by contacting us, adjusting device settings, or using opt-out mechanisms.
Performance of Contract (Section 30(1)(b)):
We rely on contractual necessity for:
- Processing orders and payments (e-commerce transactions)
- Delivering SaaS services and user accounts
- Providing app features and functionality
- Processing in-app purchases
- Customer support and service delivery
Legal Obligation (Section 30(1)(c)):
We process Personal Data to comply with legal obligations, including:
- Tax and accounting record retention (7 years under Kenya Tax Law)
- Data subject rights requests (Kenya DPA, GDPR, CCPA)
- Law enforcement requests (lawful court orders, warrants)
- Data breach notification (Kenya DPA Section 43)
- Consumer protection compliance
Legitimate Interests (Section 30(1)(f)):
We rely on legitimate interests for:
- Website analytics and improvement
- Fraud prevention and security
- Network and information security
- Business intelligence and operational optimization
- Product development and research
- Direct marketing (with opt-out option)
Balancing Test: We have conducted balancing tests and determined that our legitimate interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests (see Section 11).
5.2 GDPR (For EU Data Subjects)
EU residents benefit from the same legal bases under GDPR Articles 6(1)(a)-(f), which align with Kenya DPA Section 30.
Special Categories of Data (GDPR Article 9): We do NOT process special categories of Personal Data (race, health, biometrics, etc.) except where:
- You have given explicit consent for a specific purpose, OR
- Processing is necessary for legal claims, OR
- Processing is manifestly made public by the data subject
5.3 CCPA/CPRA (For California Residents)
California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We do NOT "sell" Personal Data as defined by CCPA.
"Do Not Sell My Personal Information" Disclosure:
WE DO NOT SELL PERSONAL DATA. We do not exchange Personal Data for monetary or other valuable consideration. We do not engage in data brokerage or cross-context behavioral advertising that constitutes a "sale" under CCPA.
How We Use Your Data
This section explains exactly what we do with your Personal Data, organized by purpose.
6.1 Service Delivery & Functionality
Purpose: To provide, operate, maintain, and improve our Services.
Activities:
- Process user registrations and account creation
- Authenticate users and manage sessions
- Deliver app and web application features
- Process e-commerce transactions and orders
- Fulfill shipping and delivery
- Provide customer support
- Save user preferences and settings
- Enable social features (leaderboards, multiplayer)
- Manage subscriptions and billing
Legal Basis: Performance of contract, legitimate interest
6.2 Communication
Purpose: To communicate with you about our Services.
Activities:
- Respond to contact form inquiries
- Send transactional emails (order confirmations, receipts, shipping notifications)
- Provide customer support via email or in-app messaging
- Send account-related notifications (password resets, security alerts)
- Send push notifications (with consent)
- Deliver newsletters and content updates (with consent, opt-out available)
Legal Basis: Performance of contract, consent, legitimate interest
Marketing Communications: We will NOT send marketing emails without your explicit consent. You may opt out of marketing communications at any time using the "unsubscribe" link in emails.
6.3 Analytics & Improvement
Purpose: To understand how users interact with our Services and improve user experience.
Activities:
- Analyze website traffic and user behavior (Google Analytics)
- Track app usage and feature adoption (Firebase Analytics)
- Monitor game performance and player engagement
- Conduct A/B testing and experimentation
- Identify bugs and errors
- Measure campaign effectiveness
- Conduct user research and surveys (with consent)
Legal Basis: Legitimate interest (with opt-out mechanisms)
Data Minimization: Analytics data is anonymized or aggregated where possible. We use IP anonymization in Google Analytics.
6.4 Security & Fraud Prevention
Purpose: To protect our Services, users, and business from fraud, abuse, and security threats.
Activities:
- Detect and prevent fraudulent transactions
- Monitor for spam and abuse
- Enforce Terms of Service
- Respond to security incidents
- Implement access controls and authentication
- Maintain server logs for security monitoring
- Investigate suspected violations
Legal Basis: Legitimate interest, legal obligation
6.5 Legal Compliance
Purpose: To comply with applicable laws, regulations, and legal obligations.
Activities:
- Respond to lawful requests from government authorities
- Comply with tax and accounting requirements
- Process data subject rights requests (access, deletion, correction)
- Maintain records as required by law
- Report data breaches to supervisory authorities (when required)
- Defend legal claims
Legal Basis: Legal obligation
6.6 Business Operations
Purpose: To manage our business operations and strategic planning.
Activities:
- Financial accounting and reporting
- Internal audits and compliance monitoring
- Business intelligence and reporting
- Strategic planning and forecasting
- Mergers, acquisitions, or business transfers (with notice)
Legal Basis: Legitimate interest, legal obligation
6.7 Advertising & Monetization
Purpose: To generate revenue through advertising networks and support free access to our Services.
Activities:
- Display third-party advertisements on blogs, mobile apps, and games
- Serve personalized ads based on browsing behavior and interests (with consent)
- Measure ad performance and effectiveness
- Prevent ad fraud and invalid click activity
- Optimize ad placement and targeting
Ad Networks:
- Google AdSense: Display ads on blogs and websites
- Google AdMob: Mobile app advertising (in-app banner ads, interstitial ads, rewarded video ads)
- Unity Ads: In-game advertising for mobile games
Data Shared with Ad Networks:
- Cookies and device identifiers (IDFA, Android Advertising ID)
- IP address (may be anonymized)
- Browsing behavior (pages viewed, time on site, clicks)
- Device information (device type, OS, screen resolution)
- Ad interactions (impressions, clicks, conversions)
- Geographic location (country/city level, not precise GPS)
User Control:
- Personalized Ads: You may opt out of personalized advertising through:
- Cookie consent banner (website)
- iOS: Settings > Privacy > Tracking > Disable "Allow Apps to Request to Track"
- Android: Settings > Google > Ads > Opt out of Ads Personalization
- Ad Blockers: You may use ad blockers, but some content may become inaccessible
- COPPA Compliance: Children under 13 receive only non-personalized, contextual ads (no behavioral tracking)
Legal Basis: Consent (personalized ads), Legitimate interest (contextual ads)
IMPORTANT DISCLOSURES:
- We do NOT sell personal data to advertisers. Ad networks (Google, Unity) serve ads through our platforms but do not receive personal data from us for their independent marketing use.
- Ad networks have their own privacy policies governing their data practices. See Section 7 for details.
- We earn revenue from ad impressions and clicks, but user data is not sold or traded.
6.8 Affiliate Marketing & Sponsored Content
Purpose: To earn commissions from affiliate partnerships and support content creation.
Activities:
- Include affiliate links in blog posts, newsletters, and product recommendations
- Earn commissions when users make purchases through affiliate links
- Track conversions using affiliate network cookies
- Disclose affiliate relationships in compliance with FTC guidelines (16 CFR Part 255)
Affiliate Networks:
- Amazon Associates
- ShareASale
- Commission Junction (CJ)
- Impact
- Direct merchant affiliate programs
Data Implications:
- Affiliate Links Contain Tracking Parameters: Links include unique identifiers to track conversions
- Cookies Track Purchases: Affiliate networks set cookies (typically 24-90 days) to attribute purchases to our referral
- No Additional PII Collected by Us: The merchant (Amazon, etc.) handles your purchase; we only receive commission confirmation
- We do NOT see your purchase details beyond confirmation that a sale occurred
User Control:
- Block Third-Party Cookies: Prevent affiliate tracking by blocking third-party cookies in browser settings
- Affiliate links are clearly disclosed: Look for "Affiliate Link," "Ad," or disclosure statements in content
- No Extra Cost to You: Affiliate commissions are paid by the merchant; you pay the same price whether you use our link or not
FTC Compliance:
- Material Connection Disclosure: We disclose affiliate relationships prominently in content
- Honest Recommendations: Product recommendations are based on genuine opinion, not solely on commission potential
- Clear Marking: Affiliate links marked with visual indicators or disclosure language
Legal Basis: Legitimate interest (with transparent disclosure and opt-out mechanisms)
6.9 What We DON'T Do with Your Data
Explicit Prohibitions:
- We do NOT sell your Personal Data for monetary or other valuable consideration
- We do NOT rent or trade your Personal Data to data brokers or marketers
- We do NOT use your data for targeted advertising based on sensitive categories (health, religion, political beliefs)
- We do NOT share your data with advertisers for their independent use (ads are served through networks; data stays with networks)
- We do NOT use automated decision-making that significantly affects you without human review
- We do NOT profile you for discriminatory purposes (lending, employment, housing)
- We do NOT send unsolicited marketing without consent
- We do NOT track children under 13 for behavioral advertising (COPPA compliance)
Third-Party Processors
We share your Personal Data with trusted third-party service providers (Data Processors) who assist us in operating our Services. We execute Data Processing Agreements (DPAs) with all processors and require them to comply with applicable data protection laws.
7.1 App Store Platforms
Apple Inc. (App Store, iOS Analytics)
- Data Shared: App analytics, crash reports, purchase data, device IDs, user interactions
- Purpose: App distribution, analytics, payment processing, crash reporting
- Location: United States (California)
- Safeguards: Apple Data Processing Addendum, Standard Contractual Clauses, Apple Privacy Commitments
- Privacy Policy: https://www.apple.com/legal/privacy/
- Your Control: Limit Ad Tracking (iOS Settings), manage app permissions
Google LLC (Google Play Store, Firebase, Analytics)
- Data Shared: App analytics, crash reports, purchase data, device IDs, push notification tokens
- Purpose: App distribution, analytics, payment processing, cloud messaging, crash reporting
- Location: United States (California)
- Safeguards: Google Data Processing Terms, Standard Contractual Clauses, EU-US Data Privacy Framework certification
- Privacy Policy: https://policies.google.com/privacy
- Your Control: Opt out of personalized advertising (Android settings), Google Analytics Opt-out Add-on
7.2 E-Commerce Platforms
Shopify Inc.
- Data Shared: Customer names, emails, addresses, phone numbers, order data, payment information (tokenized)
- Purpose: E-commerce platform, order management, payment processing, shipping
- Location: Canada (with US data centers)
- Safeguards: Shopify Data Processing Addendum, Standard Contractual Clauses, PCI-DSS Level 1 certification
- Privacy Policy: https://www.shopify.com/legal/privacy
- Your Control: Contact us to exercise rights; Shopify processes on our behalf
Etsy Inc.
- Data Shared: Buyer/seller data, transaction data, messaging, reviews
- Purpose: Marketplace platform, transaction processing, communication
- Location: United States (New York)
- Safeguards: Etsy Data Processing Addendum, Standard Contractual Clauses
- Privacy Policy: https://www.etsy.com/legal/privacy
- Your Control: Etsy account settings, contact us for data rights
Amazon.com, Inc.
- Data Shared: Product listings, order data, customer data, FBA inventory data
- Purpose: Marketplace platform, fulfillment (FBA), payment processing
- Location: United States (with global data centers)
- Safeguards: Amazon Data Processing Addendum, Standard Contractual Clauses
- Privacy Policy: https://www.amazon.com/gp/help/customer/display.html?nodeId=201909010
- Your Control: Amazon account settings, contact us for data rights
7.3 Payment Processors
CRITICAL NOTICE: We do NOT store full credit card numbers or CVV codes. Payment data is processed by PCI-DSS compliant third-party processors.
Stripe, Inc.
- Data Shared: Payment card data (tokenized by Stripe), billing addresses, transaction amounts
- Purpose: Payment processing, fraud prevention, subscription billing
- Location: United States (California)
- Safeguards: Stripe Data Processing Agreement, PCI-DSS Level 1, Standard Contractual Clauses
- Privacy Policy: https://stripe.com/privacy
- Your Control: Payment data stored by Stripe; contact us to delete payment methods
PayPal Holdings, Inc.
- Data Shared: PayPal account data, transaction data, billing addresses
- Purpose: Payment processing
- Location: United States (California)
- Safeguards: PayPal Data Protection Agreement, Standard Contractual Clauses, PCI-DSS
- Privacy Policy: https://www.paypal.com/myaccount/privacy/privacyhub
- Your Control: PayPal account settings, PayPal privacy controls
M-Pesa (Safaricom PLC)
- Data Shared: Phone numbers, transaction amounts, M-Pesa transaction IDs
- Purpose: Mobile money payment processing (Kenya)
- Location: Kenya (Nairobi)
- Safeguards: M-Pesa Merchant Agreement, Kenya DPA compliance
- Privacy Policy: https://www.safaricom.co.ke/personal/privacy-policy
- Your Control: Contact us to exercise rights
7.4 Cloud Infrastructure & CDN
Amazon Web Services (AWS)
- Services Used: CloudFront (CDN), S3 (storage), EC2
- Data Shared: Images, static files, CDN access logs, application data (if hosted on AWS)
- Purpose: Content delivery, file storage, hosting infrastructure
- Location: Africa (Cape Town), Europe, US
- Safeguards: AWS Data Processing Addendum, Standard Contractual Clauses, ISO 27001, SOC 2
- Privacy Policy: https://aws.amazon.com/privacy/
- Your Control: Data deletion requests processed through us
7.5 Analytics & Marketing
Google Analytics
- Data Shared: IP addresses (anonymized), browsing behavior, device information, referral sources
- Purpose: Website analytics, traffic analysis, user behavior insights
- Location: United States
- Safeguards: Google Analytics Data Processing Amendment, IP anonymization enabled
- Privacy Policy: https://policies.google.com/privacy
- Your Control: Google Analytics Opt-out Add-on, cookie consent banner
Google Ireland Limited (AdSense, AdMob)
Services: Display advertising (AdSense for blogs/websites), Mobile app advertising (AdMob for apps/games)
- Data Shared:
- AdSense: Cookies, IP address (may be anonymized), browsing behavior, device type, ad interactions, geographic location
- AdMob: Device IDs (IDFA on iOS, Android Advertising ID), app usage data, ad interactions, approximate location, device information
- Purpose: Serve personalized and contextual ads, measure ad performance, prevent fraud, optimize ad delivery
- Location: Ireland (EU) with global data centers including United States
- Legal Basis: Consent (personalized ads via cookie banner/app permission), Legitimate Interest (contextual ads)
- Safeguards: Google Ads Data Processing Terms, Standard Contractual Clauses, EU-US Data Privacy Framework certification, COPPA compliance mode
- Privacy Policy: https://policies.google.com/privacy
- Ad Settings: https://adssettings.google.com
- Your Control: Cookie consent banner, iOS/Android tracking settings, Reset Advertising ID
Unity Technologies ApS (Unity Ads)
- Services: In-game advertising for mobile games
- Data Shared: Device IDs (IDFA, Android Advertising ID), gameplay data, ad interactions, device information, approximate location
- Purpose: Serve rewarded video ads, interstitial ads, banner ads; measure ad performance
- Location: Denmark (EU headquarters) with global data centers
- Safeguards: Unity Ads Data Processing Addendum, Standard Contractual Clauses, COPPA compliance mode
- Privacy Policy: https://unity.com/legal/privacy-policy
- Your Control: iOS/Android tracking settings, Reset Advertising ID
Affiliate Networks
Services: Referral tracking and commission attribution (Amazon Associates, ShareASale, Commission Junction, Impact, Others)
- Data Shared: Referral source (via affiliate link parameters); Affiliate networks set cookies independently
- Cookie Duration: 24 hours to 90 days (varies by network and merchant)
- Legal Basis: Legitimate Interest (with transparent disclosure)
- Your Control: Block third-party cookies in browser settings, use private browsing
7.6 Data Processor Accountability
Our Commitments:
- We execute Data Processing Agreements (DPAs) with all processors
- We require processors to implement appropriate technical and organizational measures
- We conduct due diligence on processor security and compliance
- We obtain Standard Contractual Clauses for international transfers
- We monitor processor compliance and conduct periodic reviews
Your Rights:
- You may request information about our processors
- You may request copies of Data Processing Agreements (redacted for confidentiality)
- You may object to specific processors (subject to service limitations)
LIMITATION OF LIABILITY: We are NOT responsible for the acts or omissions of third-party processors except as required by law. See Section 16 for complete disclaimers.
Data Sharing & Transfers
8.1 When We Share Personal Data
We share your Personal Data only in the following circumstances:
A. Service Providers (Data Processors):
As described in Section 7, we share data with processors who assist us in operating our Services. These processors act on our behalf and are bound by Data Processing Agreements.
B. Business Transfers:
If the Company undergoes a merger, acquisition, reorganization, asset sale, or bankruptcy, your Personal Data may be transferred to the acquiring entity. We will notify you of such transfer and any changes to this Privacy Policy.
C. Legal Requirements:
We may disclose Personal Data when required by law or in good-faith belief that such action is necessary to:
- Comply with lawful court orders, warrants, or subpoenas
- Respond to lawful requests from government authorities
- Enforce our Terms of Service or other agreements
- Protect the rights, property, or safety of the Company, our users, or the public
- Investigate fraud, security incidents, or violations of law
D. With Your Consent:
We may share Personal Data for purposes not described in this Privacy Policy with your explicit consent.
8.2 What We DON'T Share
Explicit Prohibitions:
- We do NOT sell Personal Data to third parties for monetary or other valuable consideration
- We do NOT rent or trade Personal Data to brokers, advertisers, or marketers
- We do NOT share Personal Data for third-party advertising purposes (except aggregated, anonymized analytics)
- We do NOT disclose Sensitive Personal Data except as required by law or with explicit consent
8.3 Aggregated & Anonymized Data
We may share aggregated or anonymized data that does not identify you personally, such as:
- Website traffic statistics
- Aggregated user demographics
- Usage trends and analytics
- Public benchmarks and reports
This data is NOT considered Personal Data and is not subject to this Privacy Policy's restrictions.
International Data Transfers
9.1 Data Transfer Locations
Primary Data Storage: Our primary data storage is located in Kenya and uses AWS (Amazon Web Services) Africa (Cape Town) region, with CDN distribution via CloudFront global edge locations.
International Transfers: When you use our Services, your Personal Data may be transferred to, stored in, and processed in the following jurisdictions:
| Destination | Reason for Transfer | Safeguards |
|---|---|---|
| United States | Apple App Store, Google Play Store, Shopify, Stripe, PayPal, AWS, Google Analytics | Standard Contractual Clauses, EU-US Data Privacy Framework (for certified entities), Data Processing Agreements |
| Canada | Shopify data centers | Standard Contractual Clauses, adequacy decision (for EU transfers), Data Processing Agreement |
| European Union | If applicable | GDPR compliance, intra-EU transfers |
9.2 Legal Safeguards for International Transfers
Standard Contractual Clauses (SCCs):
We have executed Standard Contractual Clauses approved by the European Commission with all processors receiving Personal Data in Third Countries. SCCs provide contractual guarantees that processors will protect Personal Data in accordance with EU standards.
EU-US Data Privacy Framework:
Some processors (Google, AWS, Stripe) are certified under the EU-US Data Privacy Framework, which provides adequacy for data transfers from the EU to participating US organizations.
Kenya Data Protection Act Compliance:
Under Section 48 of the Kenya DPA, we transfer Personal Data to Third Countries only when:
- The destination country has adequate data protection laws (as determined by the Kenya Data Commissioner), OR
- We have implemented appropriate safeguards (Standard Contractual Clauses, binding corporate rules), OR
- You have explicitly consented to the transfer after being informed of the risks
9.3 Your Rights Regarding International Transfers
You have the right to:
- Be informed of international transfers and destination countries
- Object to transfers to specific countries
- Withdraw consent for transfers based on consent
- Request information about safeguards in place
- Request a copy of Standard Contractual Clauses (redacted for confidentiality)
To exercise these rights: Contact us at privacy@mwangi.co.ke with subject line "International Transfer Objection."
Consequence of objection: If you object to international transfers, we may be unable to provide certain Services that require third-party processors located in Third Countries (e.g., App Store distribution, e-commerce payment processing).
9.4 Risks of International Transfers
IMPORTANT DISCLOSURE: You acknowledge that Third Countries (particularly the United States) may have different data protection laws than Kenya or the European Union, including:
- Broader government surveillance powers
- Different legal standards for law enforcement access
- Weaker data subject rights
- Different judicial remedies
We implement contractual and technical safeguards to mitigate these risks, but we cannot eliminate risks inherent in international data transfers. By using our Services, you acknowledge and accept these risks.
Data Security
10.1 Security Measures We Implement
We take data security seriously and implement reasonable technical and organizational measures to protect your Personal Data from unauthorized access, disclosure, alteration, and destruction.
Technical Safeguards:
- Encryption in Transit: HTTPS/TLS 1.3 for all website and API communications
- Access Controls: Role-based access control (RBAC), principle of least privilege
- Authentication: Strong password requirements, multi-factor authentication (MFA) for administrators
- Firewall Protection: Network firewalls, intrusion detection systems (IDS)
- Regular Security Updates: Timely patching of software and dependencies
- Secure Development: Code reviews, security testing, vulnerability scanning
- Data Minimization: Collect only necessary data, delete when no longer needed
- IP Anonymization: Google Analytics configured with IP anonymization
- Honeypot Protection: Contact forms include honeypot fields to prevent spam bots
Organizational Safeguards:
- Employee Training: Regular security awareness training for employees
- Confidentiality Agreements: All employees and contractors sign confidentiality agreements
- Access Audits: Regular audits of access logs and permissions
- Incident Response: Documented incident response plan for data breaches
- Vendor Management: Due diligence and ongoing monitoring of third-party processors
- Data Processing Agreements: Contractual security requirements for all processors
Physical Safeguards (where applicable):
- Cloud providers implement physical security (data center access controls, surveillance, environmental controls)
- Office premises secured with access controls and visitor logs
10.2 Your Responsibilities
Security is a shared responsibility. You are responsible for:
- Strong Passwords: Using unique, complex passwords for your accounts
- Account Security: Keeping login credentials confidential, not sharing accounts
- Device Security: Securing your devices with passwords/biometrics, keeping software updated
- Phishing Awareness: Being cautious of phishing emails and fraudulent communications
- Immediate Reporting: Notifying us immediately of suspected unauthorized access to your account
Contact us immediately at privacy@mwangi.co.ke if:
- You suspect unauthorized access to your account
- You receive a suspicious email claiming to be from us
- You identify a security vulnerability in our Services
10.3 Data Breach Notification
If a personal data breach occurs:
- We will notify the Kenya Office of the Data Protection Commissioner (ODPC) within 72 hours (Kenya DPA Section 43)
- We will notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
- We will notify EU supervisory authorities within 72 hours (GDPR Article 33) for EU data subjects
Breach notification will include:
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken to address the breach
- Recommendations for data subjects to mitigate risks
10.4 Limitations of Security (CRITICAL DISCLAIMER)
IMPORTANT - READ CAREFULLY:
While we implement reasonable security measures, WE MAKE NO WARRANTY THAT OUR SERVICES OR SYSTEMS ARE IMMUNE FROM UNAUTHORIZED ACCESS, HARDWARE FAILURE, SOFTWARE VULNERABILITIES, CYBERATTACKS, OR OTHER CIRCUMSTANCES BEYOND OUR CONTROL.
You acknowledge and accept that:
- No system is 100% secure. Internet transmission and electronic storage are inherently insecure.
- We rely on third-party processors (Apple, Google, Shopify, AWS, etc.) whose security practices are beyond our direct control.
- Security threats evolve constantly. Previously secure systems may become vulnerable to new attack vectors.
- Zero-day vulnerabilities exist. Unknown vulnerabilities may exist in our software or dependencies.
- Sophisticated attacks may succeed. State-sponsored actors, organized cybercrime, and advanced persistent threats may overcome our defenses despite best efforts.
BY USING OUR SERVICES, YOU ASSUME THE RISK THAT PERSONAL DATA MAY BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED DESPITE OUR SECURITY MEASURES.
OUR TOTAL LIABILITY FOR SECURITY BREACHES SHALL NOT EXCEED THE LIMITS SET FORTH IN SECTION 16 (LIMITATION OF LIABILITY).
This limitation does not affect our legal obligation to notify you and supervisory authorities of data breaches as required by law.
Your Rights Under Data Protection Laws
You have comprehensive rights over your Personal Data. The specific rights available to you depend on your jurisdiction.
11.1 Rights Under Kenya Data Protection Act, 2019
Right to Access (Section 34):
You may request confirmation of whether we process your Personal Data and obtain a copy of your data.
Right to Correction (Section 35):
You may request correction of inaccurate or incomplete Personal Data.
Right to Deletion / "Right to be Forgotten" (Section 36):
You may request deletion of your Personal Data in the following circumstances:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent (where processing is based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
Exceptions: We may refuse deletion if retention is necessary for:
- Compliance with legal obligations (e.g., tax records)
- Establishment, exercise, or defense of legal claims
- Archiving purposes in the public interest
Right to Object (Section 38):
You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Data Portability (Section 39):
You may request your Personal Data in a structured, commonly used, machine-readable format (JSON, CSV, or PDF) and transmit it to another controller.
Right to Withdraw Consent:
Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
Right to Lodge a Complaint (Section 56):
You may lodge a complaint with the Kenya Office of the Data Protection Commissioner (ODPC) if you believe we have violated your data protection rights. See Section 20 for contact details.
11.2 Rights Under GDPR (For EU Data Subjects)
EU residents have the same rights as above (GDPR Articles 15-21) plus:
Right to Restriction of Processing (GDPR Article 18):
You may request restriction (rather than deletion) when:
- You contest the accuracy of data (restriction during verification)
- Processing is unlawful but you prefer restriction over deletion
- We no longer need the data but you need it for legal claims
- You have objected to processing (restriction pending verification of legitimate grounds)
Right Not to Be Subject to Automated Decision-Making (GDPR Article 22):
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you.
We do NOT engage in automated decision-making with significant effects.
11.3 Rights Under CCPA/CPRA (For California Residents)
California residents have the following rights:
Right to Know (CCPA §1798.100):
You may request disclosure of:
- Categories of Personal Information collected
- Categories of sources
- Business or commercial purpose for collection
- Categories of third parties with whom we share Personal Information
- Specific pieces of Personal Information collected about you
Right to Delete (CCPA §1798.105):
You may request deletion of Personal Information collected from you, subject to exceptions for legal obligations, security, and legitimate business purposes.
Right to Correct (CPRA §1798.106):
You may request correction of inaccurate Personal Information.
Right to Opt-Out of Sale/Sharing (CCPA §1798.120):
We do NOT sell or share Personal Information as defined by CCPA. No opt-out is necessary.
Right to Limit Use of Sensitive Personal Information (CPRA §1798.121):
We do NOT collect or use Sensitive Personal Information for purposes beyond those permitted by CPRA.
Right to Non-Discrimination (CCPA §1798.125):
We will NOT discriminate against you for exercising your CCPA rights (e.g., denying services, charging different prices, providing different levels of service).
Authorized Agent Requests:
You may designate an authorized agent to submit requests on your behalf. The agent must provide proof of authorization.
11.4 Rights for Users in Other Jurisdictions
If you are located in a jurisdiction with data protection laws not specifically mentioned above (e.g., Brazil LGPD, South Africa POPIA, Canada PIPEDA), you may have similar rights. Contact us at privacy@mwangi.co.ke to inquire about your jurisdiction-specific rights.
How to Exercise Your Rights
We make it straightforward to exercise your data protection rights. No bureaucracy, no delays, no fees (unless requests are manifestly unfounded or excessive).
12.1 How to Contact Us
Email: privacy@mwangi.co.ke
Subject Lines (for faster processing):
- "Data Access Request" (Right to Access)
- "Data Deletion Request" (Right to be Forgotten)
- "Data Correction Request" (Right to Correction)
- "Data Portability Request" (Right to Data Portability)
- "Object to Processing" (Right to Object)
- "CCPA Request" (California residents)
- "GDPR Request" (EU residents)
Include in Your Request:
- Your full name
- Email address associated with your account (if applicable)
- Description of your request
- Jurisdiction (if exercising region-specific rights)
- Proof of identity (if we cannot verify your identity from your email)
12.2 Via Contact Form
Use our contact form at https://mwangi.co.ke/contact and select:
- "GDPR Request - Data Access"
- "GDPR Request - Data Deletion"
- "GDPR Request - Data Modification"
- "Privacy Question" (for general inquiries)
12.3 Identity Verification
To protect your privacy, we may ask you to verify your identity before fulfilling requests. Verification methods may include:
- Email confirmation link
- Account login verification
- Provision of specific account details only you would know
- Government-issued ID (for high-risk requests like deletion)
We will NOT ask for:
- Passwords or login credentials
- Credit card CVV codes or full card numbers
- Sensitive Personal Data unrelated to verification
12.4 Response Timeframes
| Request Type | Initial Response | Fulfillment Time | Legal Requirement |
|---|---|---|---|
| Privacy Questions | 2-3 business days | N/A | N/A |
| Data Access | 7 business days | 30 days max | Kenya DPA: 21 days; GDPR: 1 month; CCPA: 45 days |
| Data Deletion | 3 business days (confirmation) | 7 business days (actual deletion) | Kenya DPA: 30 days; GDPR: 1 month; CCPA: 45 days |
| Data Correction | 3 business days | 14 business days | Kenya DPA: 30 days; GDPR: 1 month; CCPA: 45 days |
| Data Portability | 7 business days | 30 days max | GDPR: 1 month |
Extension: If your request is complex or we receive multiple requests, we may extend the response time by an additional 1-2 months with notification and explanation.
12.5 Fees
No Fee for Reasonable Requests:
We will NOT charge a fee for processing your first request or reasonable requests.
Fee for Excessive Requests:
We may charge a reasonable fee or refuse the request if it is:
- Manifestly unfounded
- Excessive (e.g., repetitive requests for the same data)
- Clearly abusive
Fee Notification: If a fee applies, we will notify you before processing your request. You may withdraw your request before incurring the fee.
12.6 Refusal of Requests
We may refuse a request in the following circumstances:
- Identity cannot be verified (to protect privacy)
- Request is manifestly unfounded or excessive
- Legal obligation to retain data (e.g., tax records, legal defense)
- Overriding legitimate interests (e.g., fraud prevention, security)
- Legal claims (data needed for establishment, exercise, or defense of claims)
If we refuse: We will provide written reasons and inform you of your right to lodge a complaint with a supervisory authority.
Children's Privacy
14.1 Age Restrictions
Our Services are NOT intended for children under 13 years of age.
We do NOT knowingly collect Personal Data from children under 13 without verifiable parental consent, in compliance with:
- COPPA (Children's Online Privacy Protection Act) - US Federal Law
- Kenya Data Protection Act, 2019 (heightened protections for children)
- GDPR Article 8 (age of consent: 16, or lower as determined by EU Member States)
Age Thresholds:
- Under 13: Prohibited from using Services without parental consent
- 13-15 (EU): May use Services with parental consent (GDPR jurisdictions where age of consent is 16)
- 13-17 (General): May use Services with parental/guardian consent
- 18+: Full, unrestricted use
14.2 If You Are Under 18
If you are under 18 years of age:
- You must have permission from a parent or legal guardian to use our Services
- Your parent/guardian must review and agree to this Privacy Policy and our Terms of Service
- We may request parental consent for certain features (in-app purchases, social features)
For mobile apps and games:
- Some apps/games may be age-rated 13+, 17+, or 18+ on App Store/Play Store
- Respect age ratings and parental controls
14.3 If You Are a Parent or Guardian
If you believe your child under 13 has submitted Personal Data to us:
- Contact us immediately at privacy@mwangi.co.ke with subject line: "Child Privacy Concern"
- Provide:
- Child's name and age
- Email or account associated with the child
- Proof of parental relationship (to protect the child's privacy)
- We will:
- Investigate within 48 hours
- Delete any Personal Data related to the child
- Confirm deletion to you in writing within 7 days
Your Rights as a Parent (COPPA):
- Review the Personal Data collected from your child
- Request deletion of your child's Personal Data
- Refuse further collection or use of your child's Personal Data
14.4 COPPA-Compliant Advertising for Children
Age-Restricted Ad Serving (COPPA & GDPR Compliance):
When apps, games, or websites are designated as child-directed or mixed-audience (some users under 13), we implement the following restrictions:
NO Behavioral Advertising to Children Under 13:
- Google AdMob: Tag for Child-Directed Treatment (TFCD) enabled
- Unity Ads: Child-directed treatment flag enabled
- Google AdSense: Age-appropriate ad filtering enabled
- Result: Only contextual, non-personalized ads are shown (no tracking, no cookies, no device ID collection for ad targeting)
Data Collection Restrictions:
- No IDFA/Android Advertising ID collection for users under 13
- No browsing history tracking for behavioral ad targeting
- No geolocation data for ad personalization (except country-level for language/content)
- No ad interaction profiling beyond anonymous aggregated metrics
IMPORTANT: We do NOT use advertising revenue to incentivize excessive use by children. Rewarded video ads (watch ad for in-game reward) are NOT shown to users identified as under 13.
Data Retention
We do not hoard data indefinitely. We retain Personal Data only as long as necessary for the purposes for which it was collected or as required by law.
15.1 Retention Periods by Data Type
| Data Type | Retention Period | Justification | Deletion Method |
|---|---|---|---|
| Contact Form Submissions | 2 years from submission | Ongoing communication, relationship building | Automatic deletion after 2 years |
| Website Analytics | 26 months | Google Analytics default; then aggregated | Automatic anonymization by Google |
| Server Logs | 90 days | Security monitoring, abuse prevention | Automatic deletion |
| CDN Access Logs | 7 days | Performance monitoring | Automatic deletion (AWS default) |
| User Accounts (SaaS) | Until account deletion + 30 days | Grace period for accidental deletion | Manual deletion by user, then automatic purge |
| Subscription & Billing Data | 7 years from last transaction | Kenya tax law, accounting requirements | Automatic deletion after 7 years |
| E-Commerce Orders | 7 years from order date | Tax compliance, warranty claims | Automatic deletion after 7 years |
| Customer Support Tickets | 3 years from ticket closure | Knowledge base, quality improvement | Automatic deletion after 3 years |
| Marketing Consent | Until unsubscribe + 30 days | Grace period for re-subscription | Automatic deletion 30 days after unsubscribe |
15.2 Deletion Upon Request
If you request deletion of your Personal Data:
- Active Systems: Data deleted within 7 business days
- Backup Systems: Data deleted from backups within 90 days (next backup cycle)
- Third-Party Processors: Deletion requests forwarded within 48 hours
- Legal Holds: Data under legal hold (litigation, investigations) may be retained until hold is lifted
Confirmation: We will confirm deletion in writing within 14 days of completing deletion.
15.3 Exceptions to Deletion
We may retain data despite deletion requests when:
- Legal Obligation: Tax records (7 years), accounting records (7 years), legal compliance
- Legal Claims: Data necessary for establishment, exercise, or defense of legal claims
- Public Interest: Archiving purposes in the public interest (rare)
- Vital Interests: Protection of vital interests of you or another person
- Aggregated Data: Anonymized/aggregated data no longer identifiable to you
If we refuse deletion: We will provide written reasons and inform you of your right to lodge a complaint.
Disclaimers & Limitations of Liability
READ THIS SECTION CAREFULLY. IT CONTAINS IMPORTANT LIMITATIONS ON OUR LIABILITY TO YOU.
16.1 Disclaimer of Absolute Security
CRITICAL DISCLOSURE:
While we implement reasonable and appropriate security measures as described in Section 10, WE MAKE NO WARRANTY, EXPRESS OR IMPLIED, THAT OUR SYSTEMS ARE IMMUNE FROM UNAUTHORIZED ACCESS, HARDWARE FAILURE, SOFTWARE VULNERABILITIES, CYBERATTACKS, DATA BREACHES, OR OTHER CIRCUMSTANCES BEYOND OUR REASONABLE CONTROL.
BY USING OUR SERVICES, YOU ASSUME THE RISK THAT PERSONAL DATA MAY BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED DESPITE OUR SECURITY MEASURES.
16.2 Third-Party Services Disclaimer
WE ARE NOT RESPONSIBLE FOR:
- Third-party privacy practices or data breaches: Apple App Store, Google Play Store, Shopify, Etsy, Amazon, Stripe, PayPal, M-Pesa, AWS, Firebase, Google Analytics
- Service interruptions, outages, or data loss at third-party providers
- Third-party security vulnerabilities or attacks on third-party infrastructure
- Platform policy changes (App Store, Play Store, marketplace rules) that affect our Services
16.3 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:
A. EXCLUSION OF CONSEQUENTIAL DAMAGES
THE COMPANY SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO:
- LOSS OF PROFITS, REVENUE, OR INCOME
- LOSS OF DATA OR INFORMATION (including Personal Data lost due to breaches, system failures, or third-party failures)
- LOSS OF BUSINESS OPPORTUNITIES, CONTRACTS, OR GOODWILL
- IDENTITY THEFT OR FRAUDULENT USE OF YOUR PERSONAL DATA
- EMOTIONAL DISTRESS, ANXIETY, OR PSYCHOLOGICAL HARM
B. CAP ON TOTAL LIABILITY
THE TOTAL AGGREGATE LIABILITY OF THE COMPANY FOR ANY AND ALL CLAIMS SHALL NOT EXCEED:
FOR FREE SERVICES: KENYA SHILLINGS ZERO (KES 0)
FOR PAID SERVICES: THE LESSER OF:
- THE TOTAL AMOUNT YOU PAID TO THE COMPANY IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE CLAIM, OR
- KENYA SHILLINGS TEN THOUSAND (KES 10,000)
16.4 Exceptions to Limitations
THE LIMITATIONS IN SECTIONS 16.1-16.3 DO NOT APPLY TO LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW, INCLUDING:
Kenya Law:
- Death or personal injury caused by our gross negligence or willful misconduct
- Fraud or fraudulent misrepresentation by the Company
- Willful or intentional violations of the Kenya Data Protection Act, 2019
GDPR (EU Data Subjects):
- Right to compensation for material or non-material damage resulting from GDPR violations (GDPR Article 82)
CCPA (California Residents):
- Private right of action for data breaches involving unencrypted or unredacted personal information (California Civil Code §1798.150)
- Statutory damages: $100-$750 per consumer per incident
16.5 Force Majeure
THE COMPANY SHALL NOT BE LIABLE FOR ANY FAILURE OR DELAY IN PERFORMANCE OF DATA PROTECTION OBLIGATIONS DUE TO CAUSES BEYOND OUR REASONABLE CONTROL, INCLUDING BUT NOT LIMITED TO:
- Acts of God: Earthquakes, floods, storms, pandemics, epidemics
- War, Terrorism, Civil Unrest: Armed conflict, terrorism, riots
- Infrastructure Failures: Internet backbone failures, power outages
- Third-Party Service Failures: AWS outages, Google outages, Shopify outages
- Cyberattacks: DDoS attacks, ransomware, state-sponsored hacking
Changes to This Policy
17.1 Right to Modify
We reserve the right to modify, amend, or update this Privacy Policy at any time, in our sole discretion, to reflect:
- Changes in data protection laws or regulations
- Changes in our business operations, Services, or data processing activities
- Security updates or improvements
- Changes to third-party processors or integrations
Changes are effective immediately upon posting unless otherwise stated.
17.2 How We'll Notify You
For MATERIAL CHANGES that significantly affect your rights or how we process your data:
- Email Notification: If we have your email address, we will send notice at least 30 days before the effective date
- Website Banner: We will display a prominent notice on our website homepage for at least 30 days
- In-App Notification: For mobile app users, we may display an in-app notice
- Summary of Changes: We will provide a summary of what changed and why
For NON-MATERIAL CHANGES (clarifications, formatting, minor wording):
- "Last Updated" Date: We will update the "Last Updated" date at the top of this Privacy Policy
- No Advance Notice: Changes become effective immediately upon posting
17.3 Your Options if You Disagree with Changes
If you object to material changes:
- Option 1: Stop Using Services - Discontinue use, uninstall apps, delete your account
- Option 2: Request Data Deletion - We will process deletion requests within 7 business days
- Option 3: Withdraw Consent - Adjust privacy settings in your account
- Option 4: Object to Processing - Exercise your right to object
Continued Use = Acceptance: If you continue using our Services after material changes take effect (and after the 30-day notice period), you accept the updated Privacy Policy.
Governing Law & Jurisdiction
18.1 Governing Law
This Privacy Policy and all matters relating to the processing of your Personal Data shall be governed by and construed in accordance with the laws of the Republic of Kenya.
Primary Applicable Laws:
Kenya:
- Data Protection Act No. 24 of 2019 (Kenya DPA) - Primary data protection framework
- Computer Misuse and Cybercrimes Act No. 5 of 2018 - Cybersecurity and data breaches
- Constitution of Kenya, 2010 - Article 31 (Right to Privacy)
- Consumer Protection Act No. 46 of 2012 - Consumer rights and protections
International (where applicable):
- General Data Protection Regulation (GDPR) - For EU data subjects
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) - For California residents
- Children's Online Privacy Protection Act (COPPA) - For US children under 13
18.2 Jurisdiction and Venue
Any dispute, claim, or controversy arising out of or relating to this Privacy Policy shall be subject to the EXCLUSIVE JURISDICTION of the courts of the Republic of Kenya.
Venue: The courts located in Nairobi County, Kenya shall have exclusive venue for any legal proceedings.
18.3 Mandatory Rights for Multi-Jurisdictional Users
IMPORTANT: Nothing in this Privacy Policy shall deprive you of the protection afforded by mandatory provisions of law that cannot be derogated from by agreement.
For EU Data Subjects (GDPR):
- You retain ALL rights under GDPR, regardless of governing law provisions
- You may bring proceedings before the courts of your EU Member State of habitual residence
- GDPR rights are enforceable in EU courts and cannot be waived by contract
For California Residents (CCPA/CPRA):
- You retain ALL rights under CCPA/CPRA
- You may bring proceedings in California courts to enforce CCPA rights
Contact Information & Complaints
19.1 How to Contact Us
We make it easy. No phone trees, no ticket systems, no chatbots. Direct human contact.
Email: privacy@mwangi.co.ke
Response Time: 2-3 business days for general inquiries
Postal Address:
CYAN, BLUES & MWANGI LIMITED
13th Flr. Dream House, Baraka Road
Nanyuki, Kenya
Website: https://mwangi.co.ke
Contact Form: https://mwangi.co.ke/contact
19.2 Types of Inquiries We Handle
- General Privacy Questions: How our data processing works, clarifications on this Privacy Policy
- Data Subject Rights Requests: Access, deletion, correction, portability, objection
- Security Incidents: Suspected unauthorized access, phishing, security vulnerability reports
- Child Privacy Concerns: Reports of children under 13 using our Services
- Complaints: Dissatisfaction with our data processing practices
19.3 If You're Not Satisfied with Our Response
If you feel we haven't adequately addressed your privacy concern:
Step 1: Request Review - Escalate to Data Protection Officer / Senior Management
Step 2: Lodge a Complaint with Supervisory Authority - See Section 20
Step 3: Legal Remedies - Seek judicial remedies in accordance with Section 18
We prefer to resolve issues directly, but we respect your right to escalate to supervisory authorities or courts.
Supervisory Authorities
You have the right to lodge a complaint with the relevant supervisory authority if you believe we have violated your data protection rights.
20.1 Kenya - Office of the Data Protection Commissioner (ODPC)
For all users (primary supervisory authority):
Office: Office of the Data Protection Commissioner (ODPC)
Physical Address: Kalamu House, Chania Avenue, Off Ngong Road, Nairobi, Kenya
Postal Address: P.O. Box 15556-00100, Nairobi, Kenya
Email: complaints@odpc.go.ke
Phone: +254 (0) 20 2664724 / +254 (0) 732 000 000
Website: https://www.odpc.go.ke
20.2 EU - Data Protection Supervisory Authorities
For EU residents (GDPR Article 77):
You have the right to lodge a complaint with the supervisory authority in your EU Member State of habitual residence, place of work, or place of the alleged infringement.
List of EU Supervisory Authorities:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
20.3 California - Attorney General & California Privacy Protection Agency
For California residents (CCPA/CPRA):
California Attorney General's Office
Website: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
Phone: (916) 210-6276
California Privacy Protection Agency (CPPA)
Website: https://cppa.ca.gov
Email: info@cppa.ca.gov
20.4 Other Jurisdictions
- Brazil (LGPD): Autoridade Nacional de Proteção de Dados (ANPD) - https://www.gov.br/anpd
- South Africa (POPIA): Information Regulator - https://www.justice.gov.za/inforeg/
- Canada (PIPEDA): Office of the Privacy Commissioner of Canada - https://www.priv.gc.ca
- Australia (Privacy Act): Office of the Australian Information Commissioner (OAIC) - https://www.oaic.gov.au
Effective Date & Acknowledgment
21.1 Effective Date
This Privacy Policy is effective as of January 1, 2025.
Last Updated: December 13, 2025
Version: 3.0 (Company Edition - With Advertising & Affiliate Marketing)
21.2 Your Acknowledgment and Acceptance
BY USING ANY OF OUR SERVICES, YOU ACKNOWLEDGE THAT:
- You have read and understood this Privacy Policy in its entirety
- You understand how we collect, use, disclose, store, and protect your Personal Data
- You understand your rights under applicable data protection laws and how to exercise them
- You understand the risks associated with providing Personal Data and international data transfers
- You consent to the processing of your Personal Data as described in this Privacy Policy
- You accept the limitations of liability set forth in Section 16
- You accept international data transfers to Third Countries with the safeguards described in Section 9
- You acknowledge that no system is 100% secure and you assume the risk of data breaches despite our security measures
- You accept the use of third-party processors as described in Section 7
IF YOU DO NOT AGREE TO THIS PRIVACY POLICY IN ITS ENTIRETY, YOU MUST:
- Immediately cease all use of our Services
- Uninstall any mobile applications
- Delete your account (if applicable)
- Not provide any Personal Data to us
Continued use of our Services constitutes acceptance of this Privacy Policy.
21.3 Language and Translation
This Privacy Policy is written in English.
Any translation into other languages is provided for convenience only. In the event of any conflict, the English version shall prevail and control.