Shopeak

Legal

Privacy Policy

Last updated: June 14, 2026

1.Introduction

Shopeak LTD (“Shopeak”, “we”, “us”, or “our”) is a company incorporated in Kenya and operated by Big Theta Group. Our mission is to make commerce accessible, affordable, and rewarding for every entrepreneur in Africa.

This Privacy Policy explains how we collect, use, share, and protect personal information when you use our platform, mobile applications, websites, and related services (collectively, the “Services”). It applies to:

  • Merchants (Sellers)— individuals and businesses who use Shopeak to sell products and manage their commerce operations.
  • Buyers (Consumers)— individuals who browse and purchase products through Shopeak storefronts.
  • Partners— developers, logistics providers, and other third parties who integrate with or provide services through our platform.
  • Visitors— anyone who visits our websites, including this coming-soon page.

By using our Services, you agree to the practices described in this Policy. If you do not agree, please do not use our Services.

2.Our values

Your information belongs to you

We believe that your personal data is yours. We design our systems with privacy in mind from the ground up, collect only what is necessary to deliver our Services, and give you meaningful control over how your information is used.

We protect your information from others

If a third party requests your personal information, we will refuse to share it unless you have given consent or we are legally required to do so. When we are compelled by law to disclose your information, we will provide you with notice wherever reasonably possible.

We help our merchants meet their obligations

We provide tools, documentation, and platform features that help merchants using Shopeak comply with the Kenya Data Protection Act, 2019 and other applicable data protection laws, so they can build trust with their own customers.

3.Why we process your information

We process your personal information only when we have a lawful basis to do so under the Kenya Data Protection Act, 2019 and other applicable laws. These bases include:

  • Performance of a contract— to provide, maintain, and improve our Services, process transactions, and manage your account.
  • Legitimate interests— to detect and prevent fraud, secure our platform, improve user experience, conduct analytics, and send you relevant product updates (where you have not opted out).
  • Legal obligations— to comply with applicable laws, regulations, court orders, or government requests, including anti-money laundering and tax reporting requirements in Kenya.
  • Your consent— where we rely on your consent to process your data (for example, marketing communications), you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4.What information we collect

The personal information we collect depends on how you interact with our Services:

Information you provide directly

  • Account information— name, email address, phone number (including WhatsApp number), password, and business details when you register.
  • Payment and financial information— M-Pesa phone numbers, bank account details, mobile money transaction references, and billing addresses necessary to process payments and payouts.
  • Identity verification— national ID number, KRA PIN, business registration certificates, or other documents required for seller verification and regulatory compliance.
  • Store and product content— product descriptions, images, pricing, inventory data, and storefront customisation settings.
  • Communications— messages you send through our support channels, feedback forms, or correspondence with us.

Information collected automatically

  • Device and usage data— IP address, browser type, device model, operating system, unique device identifiers, pages visited, actions taken, timestamps, and referral URLs.
  • Location data— approximate location derived from your IP address. We do not collect precise GPS location without your explicit consent.
  • Cookies and similar technologies— see the Cookies section below for details.

Information from third parties

  • Payment providers— transaction confirmation details from M-Pesa, card processors, and other payment gateways.
  • Analytics services— aggregated usage and performance data from our analytics providers.
  • Social login providers— basic profile information when you choose to sign in through a third-party service (e.g., Google).

5.Your rights over your information

Under the Kenya Data Protection Act, 2019, and other applicable data protection laws, you have the following rights:

  • Right of access— request a copy of the personal data we hold about you.
  • Right to rectification— request correction of inaccurate or incomplete personal data.
  • Right to erasure— request deletion of your personal data, subject to legal and contractual retention obligations.
  • Right to restrict processing— request that we limit how we use your data in certain circumstances.
  • Right to data portability— receive your personal data in a structured, commonly used format or request its transfer to another controller.
  • Right to object— object to the processing of your personal data for direct marketing or on grounds relating to your particular situation.
  • Right to withdraw consent— where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, please contact us at privacy@shopeak.co.ke. We will respond to your request within 30 days as required by the Kenya Data Protection Act. We may ask you to verify your identity before processing your request.

If you believe that we have not adequately addressed your concerns, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya.

6.Where we send your information

Shopeak is headquartered in Nairobi, Kenya. To deliver our Services, your personal data may be transferred to and processed in countries outside Kenya. These transfers may occur when we use cloud infrastructure providers, payment processors, or other service providers located in different jurisdictions.

When we transfer personal data outside Kenya, we ensure appropriate safeguards are in place as required by the Kenya Data Protection Act, 2019, including:

  • Transfers to countries that have been determined to have adequate data protection standards by the ODPC.
  • Contractual arrangements with our service providers that require them to protect your data to the same standard required in Kenya.
  • Obtaining your explicit consent where appropriate.

7.How long we retain your information

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.

  • Active accounts— we retain your information for the duration of your account’s existence and your use of our Services.
  • Closed merchant accounts— store data and associated records are retained for two years after account closure, after which they are securely deleted or anonymised.
  • Transaction records— financial transaction data may be retained for up to seven years to comply with Kenyan tax and accounting regulations.
  • Waitlist data— email addresses and information collected through our waitlist are retained until we launch our Services or until you request removal, whichever comes first.

When personal data is no longer needed, we securely delete or anonymise it so that it can no longer be associated with you.

8.How we protect your information

We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your information against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS) and at rest.
  • Access controls that limit who within our organisation can access personal data, based on role and necessity.
  • Regular security assessments and monitoring of our systems.
  • Secure handling of payment data through certified payment processors and M-Pesa integration partners.

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but we are committed to promptly addressing any breach in accordance with the Kenya Data Protection Act, 2019.

9.Cookies and tracking technologies

We use cookies and similar tracking technologies to operate, improve, and personalise our Services. Cookies are small text files placed on your device that help us understand how you interact with our platform.

Types of cookies we use

  • Essential cookies— required for the basic operation of our Services, such as maintaining your session and security.
  • Analytics cookies— help us understand how visitors interact with our websites, enabling us to improve performance and user experience.
  • Functional cookies— remember your preferences and settings to provide a more personalised experience.

Managing cookies

You can control or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our Services. Most browsers allow you to:

  • View and delete existing cookies.
  • Block cookies from specific or all websites.
  • Set preferences for certain types of cookies.

10.Children’s privacy

Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@shopeak.co.ke.

11.Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated policy on our website with a revised “Last updated” date and, where appropriate, through email or in-app notification.

We encourage you to review this policy periodically. Your continued use of our Services after the posting of changes constitutes your acceptance of such changes.

12.How to reach us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy enquiries

privacy@shopeak.co.ke

General enquiries

info@shopeak.co.ke

Mailing address

Shopeak LTD
A company of Big Theta Group
Nairobi, Kenya

Regulatory authority

Office of the Data Protection Commissioner (ODPC)
P.O. Box 00200, Nairobi, Kenya