1 Introduction
We collect only the data we need to print and deliver your orders, communicate with you, and improve our service. We protect it, and we honour your rights under Kenyan law.
At Waplee, we take your privacy seriously. This Privacy Policy explains what personal data we collect about you, how we use it, who we share it with, and the rights you have over your data. It applies to your use of waplee.org and any related services we provide (the "Platform").
This Policy is issued in accordance with the Data Protection Act, 2019 of Kenya and the Data Protection (General) Regulations, 2021. It should be read alongside our Terms & Conditions.
2 Data Controller
Waplee is the data controller responsible for your personal data:
Waplee
Gill House, 1st Floor, Room 28
Nairobi, Kenya
Email: privacy@waplee.org
For all privacy-related queries, requests, and complaints, please use the contact details above.
3 What Personal Data We Collect
Depending on how you use the Platform, we may collect the following categories of personal data:
| Category | Examples |
|---|---|
| Identity data | Name, profile photo (if you sign in with Google) |
| Contact data | Email address, phone number, delivery address |
| Account data | Username, password (stored hashed by Firebase Authentication), authentication provider |
| Order data | Product details, design files, quantities, order history, special instructions |
| Payment data | M-Pesa phone number, transaction reference, amount, payment status. We do not store M-Pesa PINs or card details. |
| Content data | Designs, images, text, and other content you upload, create, or save |
| Technical data | IP address, browser type, device information, operating system, time zone |
| Usage data | Pages visited, features used, session duration, referring URLs |
| Communication data | Messages you send to us via the contact form, email, or in-app messaging |
4 How We Collect Personal Data
We collect personal data through the following means:
- Directly from you — when you create an account, place an Order, contact us, or otherwise interact with the Platform;
- Automatically — through cookies and similar technologies when you use the Platform (see section 12);
- From third-party authentication providers — if you sign in using Google, we receive your name, email, and profile photo as authorised by you;
- From payment providers — Safaricom (via Daraja) provides us with M-Pesa transaction confirmations.
5 Why We Use Your Personal Data
We use your personal data for the following purposes:
- To provide our services — creating and managing your account, processing Orders, producing and delivering your Products;
- To process payments — initiating M-Pesa STK Push, verifying transactions, issuing refunds;
- To communicate with you — sending order confirmations, delivery updates, password resets, and customer support replies;
- To improve our Platform — analysing usage to fix bugs, improve features, and develop new offerings;
- To prevent fraud and abuse — detecting and investigating suspicious activity;
- To comply with the law — meeting our regulatory, tax, and legal obligations;
- For marketing — only with your consent, sending you promotional emails. You can opt out at any time.
6 Legal Basis for Processing
Under the Data Protection Act, 2019, we rely on the following lawful bases to process your personal data:
- Performance of a contract — to fulfil our agreement with you, including processing Orders and providing customer support;
- Consent — for marketing communications and certain optional cookies. You may withdraw your consent at any time without affecting the lawfulness of prior processing;
- Legitimate interests — for fraud prevention, service improvement, and security, balanced against your rights and freedoms;
- Legal obligation — where we must process data to comply with applicable laws, such as tax records and lawful requests from authorities.
8 International Data Transfers
Some of our service providers store and process data outside Kenya:
- Google / Firebase — our database is hosted in the europe-west1 region (Belgium). File storage and Cloud Functions may also be hosted in the European Union or other Google Cloud regions;
- Brevo — based in France, with infrastructure in the European Union.
Where we transfer your personal data outside Kenya, we ensure appropriate safeguards are in place as required by Section 48 of the Data Protection Act, 2019, including reliance on contractual safeguards with our processors and the adequacy of European Union data protection law.
9 Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including for compliance with legal, accounting, or reporting requirements. Specifically:
- Account data — retained until you delete your account, plus a short period for backup and dispute resolution;
- Order and payment records — retained for at least 7 years for tax and accounting purposes, in line with Kenyan tax law;
- Design content — retained as long as your account is active. Deleting a design removes it from your account, but copies may persist briefly in backups;
- Marketing data — retained until you withdraw consent or after a period of inactivity;
- Communications — retained as long as needed to handle queries, plus a reasonable period for record-keeping.
When personal data is no longer needed, we securely delete or anonymise it.
10 Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction. These include:
- Encryption in transit (HTTPS/TLS) for all communications between your browser and our servers;
- Encryption at rest for data stored in Firebase services;
- Authentication and access controls so that only authorised personnel can access user data;
- Database security rules that restrict reads and writes to the user's own data;
- Regular reviews of our security practices.
Despite our efforts, no method of transmission or storage is 100% secure. If we become aware of a personal data breach that affects you, we will notify you and the Office of the Data Protection Commissioner in accordance with our legal obligations.
11 Your Rights Under the Data Protection Act
As a data subject, you have the following rights under the Data Protection Act, 2019:
- Right to be informed — about how we use your personal data (this Policy);
- Right of access — to obtain a copy of the personal data we hold about you;
- Right to rectification — to have inaccurate or incomplete personal data corrected;
- Right to erasure — to have your personal data deleted, subject to exceptions (such as legal retention requirements);
- Right to restrict processing — to limit how we use your data in certain circumstances;
- Right to data portability — to receive your data in a structured, machine-readable format;
- Right to object — to certain types of processing, including direct marketing;
- Right not to be subject to automated decisions — that significantly affect you.
To exercise any of these rights, please email privacy@waplee.org. We will respond within the timeframes required by the Data Protection Act (generally within 7 days, with a possible extension).
13 Children's Privacy
The Platform is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@waplee.org and we will take steps to remove the information.
14 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. When we make material changes, we will post the updated Policy on this page and update the "Last updated" date. Where required, we will provide additional notice (such as an email or a banner on the Platform).
15 Contact Us & Complaints
For privacy questions, requests, or complaints, contact our privacy team:
Waplee — Privacy
Gill House, 1st Floor, Room 28
Nairobi, Kenya
Email: privacy@waplee.org
You also have the right to lodge a complaint with the Office of the Data Protection Commissioner if you believe we have not handled your personal data in accordance with the law. Visit odpc.go.ke for details.