
Privacy Policy

Last updated: March 2025

Overview

SupaSoko Ltd ("SupaSoko", "we", "us") operates a wholesale grocery delivery service for Nairobi households. This Privacy Policy explains how we collect, use, store, and protect personal information when you interact with us through WhatsApp, our website (supasoko.africa), or any other channel.

By placing an order with SupaSoko, you agree to the practices described in this policy. If you have questions, contact us at privacy@supasoko.africa.

Data we collect

We collect the minimum data necessary to fulfil your orders and improve our service:

  • Contact information: Your WhatsApp phone number and name, used to manage your orders and communicate with you.
  • Household information: Number of adults and children in your household, used solely to recommend appropriately sized baskets.
  • Delivery address: Your estate name, street, or location pin, used for delivery logistics.
  • Order history: Records of the baskets you have ordered and their delivery dates.
  • Payment reference: Your M-Pesa transaction reference number, used to confirm payment. We do not store your M-Pesa PIN or full phone-number payment details beyond what Safaricom provides in payment confirmations.
  • Website analytics: Anonymised visit data (pages viewed, device type, approximate location) collected via standard analytics tools. No personally identifiable information is included in this data.

How we use your data

We use your data exclusively to:

  • Process and fulfil your grocery orders
  • Communicate order status, delivery updates, and support via WhatsApp
  • Send order reminders if you have set up recurring orders (opt-out available at any time)
  • Improve our basket offerings and service quality
  • Comply with applicable Kenyan law

We do not use your data for third-party advertising. We do not sell or rent your personal information to any third party.

WhatsApp & M-Pesa

WhatsApp

Our ordering process operates via WhatsApp, which is operated by Meta Platforms Inc. Messages sent through WhatsApp are subject to WhatsApp's Privacy Policy. We have no control over Meta's data practices. We recommend reviewing WhatsApp's policy if you have concerns about their data handling.

We use WhatsApp Business to manage customer conversations. Message content related to orders (basket choices, delivery addresses, household size) is stored in our WhatsApp Business account and used solely for order fulfilment and customer support.

M-Pesa

Payments are processed via Safaricom M-Pesa. When you pay, Safaricom collects your payment data under their own privacy policy. SupaSoko receives a payment confirmation (amount, reference number, and partial phone number) from Safaricom to confirm that payment was received. We do not have access to your M-Pesa PIN at any time.

Data sharing

We share your data only in the following circumstances:

  • Delivery riders: Your delivery address and first name are shared with the rider assigned to your order, solely for delivery purposes.
  • Suppliers: No personal customer data is shared with our product suppliers.
  • Service providers: We may use third-party tools (e.g., analytics, cloud storage) that process data on our behalf under data processing agreements. These providers are not permitted to use your data for their own purposes.
  • Legal requirements: We may disclose your data if required to do so by Kenyan law or a valid legal order.

Data retention

We retain your personal data for as long as necessary to provide our service and comply with legal obligations:

  • Active customers: Data is retained while you have an active ordering relationship with SupaSoko.
  • Inactive customers: If you have not placed an order in 24 months, we will delete your personal data unless legal retention obligations require otherwise.
  • Order records: Transaction and payment records are retained for 7 years as required under Kenyan tax and financial regulations.

You may request deletion of your data at any time (see Your rights below).

Your rights

Under the Kenya Data Protection Act (2019), you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Objection: Object to certain uses of your data, including marketing messages.
  • Portability: Request your data in a portable format.

To exercise any of these rights, contact us at privacy@supasoko.africa or message us on WhatsApp. We will respond within 30 days.

Contact

For privacy-related questions or requests, contact us:

  • WhatsApp: +254 700 000 000
  • Address: SupaSoko Ltd, Nairobi, Kenya

We may update this Privacy Policy from time to time. We will notify active customers of material changes via WhatsApp. The latest version is always available at supasoko.africa/privacy.