SOKOSPOT LIMITED ("SOKOSPOT", "we", "us", "our") is committed to protecting the privacy and personal data of all users of the SOKOSPOT platform. This Privacy Policy explains how we collect, use, store, share, and protect your personal data in compliance with:
- The Data Protection Act, 2019 (Kenya) ("DPA")
- The Kenya Information and Communications Act (Cap. 411A)
- The Computer Misuse and Cybercrimes Act, 2018
- Applicable international best practices, including GDPR principles
By using the Platform, you consent to the practices described in this Policy.
| Data Controller | SOKOSPOT LIMITED |
| Country of Registration | Kenya |
| Privacy Contact | sokospot@sokospot.co.ke |
3.1 Data You Provide to Us
| Category | Data Points | Mandatory? |
|---|---|---|
| Account Registration | Username, email address, full name | Yes |
| Seller Shop Information | Business phone number, WhatsApp number, business email | No — optional, publicly visible |
| Payment Information | M-Pesa phone number | Yes, for paid features |
| Communications | Messages sent via in-app messaging | When using messaging |
| Content | Product and place listings, images, videos (Spots) | When creating listings |
3.2 Data Collected Automatically
When you use the Platform, we may automatically collect device information (type, OS, browser), usage data (pages visited, features used), log data (IP address, access timestamps), location data (country/region derived from IP only — we do not collect precise GPS location), and cookies/analytics data.
3.3 Data from Third Parties
We may receive data from Google for session management; M-Pesa/Safaricom for transaction confirmations; Cloudflare for video upload metadata; and Google Cloud storage for image storage metadata.
| Purpose | Legal Basis (DPA 2019) |
|---|---|
| Creating and managing your account | Contract performance |
| Enabling Seller listings and Buyer browsing | Contract performance |
| Facilitating communications between Buyers and Sellers | Contract performance |
| Processing M-Pesa payments | Contract performance |
| Displaying public Seller shop information | Consent (user-initiated) |
| Providing Boost and advertising services | Contract performance |
| Watermarking marketplace images | Legitimate interest |
| Sending service notifications and updates | Contract performance |
| Preventing fraud, abuse, and illegal activity | Legal obligation / Legitimate interest |
| Complying with legal obligations | Legal obligation |
| Improving Platform features and performance | Legitimate interest |
| Data Type | Retention Period |
|---|---|
| Account data (username, email, full name) | Duration of account + 3 years after deletion |
| Listing content (images, videos, text) | Active account; removed within 30 days of deletion |
| Payment records (M-Pesa transaction references) | 7 years (Kenyan tax and financial regulations) |
| In-app messages | 2 years from date of message, or until account deletion |
| Usage and log data | 12 months |
| Optional shop contact information | Until removed by Seller or account deletion |
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit: All data transmitted uses TLS/HTTPS encryption
- Encryption at rest: Data on Google Cloud and Cloudflare benefits from at-rest encryption
- Access controls: Data accessible only to authorised SOKOSPOT personnel on a need-to-know basis
- Firebase Security Rules: Database access restricted by authenticated user identity
- CORS policies: Storage bucket access restricted to authorised Platform origins
- Regular security reviews: Periodic review of security practices and infrastructure
Despite these measures, no method of transmission or storage is 100% secure. We encourage you to use strong passwords and notify us immediately of any suspected unauthorised access.
| Right | Description |
|---|---|
| Right of Access | Request a copy of the personal data we hold about you |
| Right to Rectification | Request correction of inaccurate or incomplete personal data |
| Right to Erasure | Request deletion of your personal data, subject to legal obligations |
| Right to Object | Object to processing of your data for direct marketing or on grounds relating to your situation |
| Right to Restrict Processing | Request that we limit how we use your data in certain circumstances |
| Right to Data Portability | Request your data in a structured, machine-readable format |
| Right to Withdraw Consent | Withdraw consent at any time where processing is based on consent |
| Right to Lodge a Complaint | File a complaint with the Office of the Data Protection Commissioner (ODPC) Kenya |
To exercise any of these rights, contact us at sokospot@sokospot.co.ke. We will respond within 21 days as required by the DPA 2019.
The Platform is not directed at children under the age of 18 years. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us at sokospot@sokospot.co.ke and we will promptly delete such data.
Your data may be stored and processed outside Kenya through our use of Google Cloud (data centres in multiple global regions) and Cloudflare (distributed globally).
Where data is transferred outside Kenya, we ensure such transfers are subject to adequate safeguards in compliance with Section 49 of the Data Protection Act, 2019, including appropriate contractual clauses with our service providers.
The Platform contains links to third-party services including WhatsApp, email clients, and social media platforms. SOKOSPOT is not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before engaging with them.
13.1 We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law.
13.2 Where changes are material, we will notify you by email or prominent notice on the Platform at least 14 days before the changes take effect.
13.3 Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes.
For any privacy-related questions, requests, or complaints, contact our Data Protection Point of Contact:
| Company | SOKOSPOT LIMITED |
| Support | sokospot@sokospot.co.ke |
We will acknowledge your request within 5 business days and respond fully within 21 days as required by the Data Protection Act, 2019.
Last reviewed by SOKOSPOT LIMITED on 12 March 2026.