Privacy Policy

Last updated: 2026-07-06

This Privacy Policy explains how PriceKenya ("we", "us", "our") collects and processes personal data in compliance with the Kenya Data Protection Act, 2019 and the guidelines issued by the Office of the Data Protection Commissioner ("ODPC"). By using this site or subscribing to a price alert, you agree to the practices described below.

1. Who we are

PriceKenya is a price-comparison service operated from Nairobi, Kenya. For the purposes of the Kenya Data Protection Act, the data controller is the operator of pricekenya.co.ke. Data-protection queries should be directed to [email protected].

2. What we collect

  • Alert email address β€” when you subscribe to a price-drop alert, we store the email you provide, the product you're watching, and any target price you set.
  • Marketing opt-in status β€” a single boolean recording whether you consented to occasional non-transactional updates from us. Off by default.
  • Basic request logs β€” IP address, user-agent, and requested URL, retained for up to 30 days for abuse-prevention and error diagnosis.
  • No accounts, no passwords, no payment data. We do not operate user accounts; we do not process payments; we do not use tracking cookies or advertising pixels.

3. Why we process it

  • Alert emails: lawful basis is your explicit consent (Kenya DPA s.30(1)(a)). We use your email solely to notify you when the price you asked to watch has changed. Nothing else.
  • Marketing updates: if β€” and only if β€” you tick the marketing opt-in box, we may occasionally send you site announcements. You can withdraw this consent at any time (see Β§7).
  • Site operation: logs are processed on the basis of our legitimate interest in keeping the service secure and functional.

4. Who we share it with (subprocessors)

Your email address may be handled by the following processors solely to deliver the service you requested:

  • Resend (email delivery, United States) β€” sends the alert emails you subscribed to.
  • Cloudflare (DNS, edge network, email routing, United States) β€” serves the site and routes inbound mail such as this address.
  • Render (application hosting, EU / Frankfurt) β€” runs the web application.
  • Neon (managed Postgres, EU) β€” stores the alert records.

Some of these providers are located outside Kenya. Cross-border transfers are made under appropriate safeguards as required by Kenya DPA s.48–49 (standard contractual protections and each provider's own data-processing agreements). We do not sell your data, and we do not share it with any advertiser, data broker, or third party for marketing purposes.

5. How long we keep it

  • Active alerts are retained until you unsubscribe or the alert has fired once (single-shot notifications).
  • Inactive (unsubscribed or fired) alerts are retained for 90 days for audit purposes, then permanently deleted.
  • Request logs: 30 days.
  • Marketing opt-in records: retained while active, deleted on withdrawal.

6. Cookies and analytics

We do not set any tracking or advertising cookies. The site uses only the following strictly-necessary browser storage, all of which is optional:

  • A theme entry in localStorage to remember whether you selected dark mode. Read only by the site and never transmitted.
  • A watchlist cookie (HttpOnly, Secure, SameSite=Lax) that stores the IDs of price alerts you created so we can show them back to you at /watchlist. The value is signed with an HMAC so it can't be forged. Clearing your cookies clears the list; the underlying alerts (and your email address on them) are only removed when you use the unsubscribe link.

7. Your rights

Under s.26 of the Kenya Data Protection Act, you have the right to:

  • Access the personal data we hold about you.
  • Correct any data that is inaccurate.
  • Have your data erased ("right to be forgotten").
  • Restrict or object to further processing.
  • Receive your data in a portable format.
  • Withdraw your consent at any time (using the unsubscribe link in any alert email, or by writing to us).
  • Lodge a complaint with the Office of the Data Protection Commissioner at odpc.go.ke.

To exercise any of these rights, email [email protected]. We respond within 7 working days, as required by the Act.

8. Security

All traffic to and from the site is encrypted (TLS 1.2+). Unsubscribe links are cryptographically signed so they cannot be forged or shared beyond the recipient. We limit who inside the operation can access the alert database and never log full email addresses in application or CI output.

9. Changes to this policy

If we change how we handle your data, we will update this page and, where the change is material, notify subscribed users by email. The "Last updated" date at the top of this page indicates when it was last revised.

10. Contact

Questions, requests, or complaints: [email protected].