Privacy Policy

1. Information We Collect

We collect information you provide directly, information collected automatically, and information from third parties.

1.1 Information You Provide

• Account information: Name, email address, password, phone number when you create an account.
• Profile information: Profile photo, display name, and preferences you set in your account.
• Payment information: Card details, M-Pesa phone number, or other payment method details. Card details are processed by our payment partners (Stripe, Safaricom M-Pesa) and are not stored on our servers.
• Order information: Shipping address, billing address, order history, and purchase details.
• Vendor information: Business name, business type, tax identification, bank account details (for vendors receiving payouts).
• Communications: Messages you send to customer support, product reviews, and vendor communications.

1.2 Information Collected Automatically

• Device information: Device type, operating system, browser type, unique device identifiers.
• Usage data: Pages visited, products viewed, search queries, click patterns, time spent on pages.
• Location data: IP address, approximate geographic location (city/country level) for fraud prevention and localised services.
• Cookies and tracking: We use cookies and similar technologies for authentication, preferences, and analytics. See our Cookie Policy for details.

1.3 Information from Third Parties

• Social sign-in: If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive or store your Google password.
• Payment providers: Transaction confirmations and fraud check results from Stripe and Safaricom.

2. How We Use Your Information

• Process orders: Fulfil purchases, process payments, arrange shipping, and send order confirmations.
• Manage your account: Create and maintain your account, authenticate your identity, and provide customer support.
• Improve our services: Analyse usage patterns, diagnose technical issues, and develop new features.
• Communicate with you: Send order updates, promotional offers (with your consent), and important service notifications.
• Prevent fraud: Detect and prevent fraudulent transactions, abuse, and security threats.
• Legal compliance: Comply with applicable laws, tax regulations, and legal processes.
• Vendor payouts: Process payments to vendors for their sales on the platform.

3. How We Share Your Information

We do not sell your personal information. We share information only in these circumstances:

• With vendors: When you place an order, the vendor receives your name, shipping address, and order details to fulfil your purchase.
• Payment processors: Stripe and Safaricom M-Pesa process your payments under their own privacy policies.
• Shipping partners: Delivery companies receive your shipping address and contact details.
• Analytics providers: Aggregated, anonymised data may be shared with analytics services to improve our platform.
• Legal requirements: When required by law, court order, or governmental regulation.
• Business transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

4. Data Security

• All data is transmitted over HTTPS (TLS 1.2+) encryption.
• Passwords are hashed using industry-standard bcrypt algorithms and never stored in plain text.
• Payment card details are processed by PCI DSS-compliant payment providers and are never stored on our servers.
• Mobile app credentials are stored using platform-native secure storage (iOS Keychain / Android Keystore).
• Access to personal data is restricted to authorised personnel on a need-to-know basis.
• We conduct regular security reviews and vulnerability assessments.

5. Data Retention

We retain your personal information for as long as necessary to provide our services and fulfil the purposes described in this policy:

• Account data: Retained while your account is active. Deleted within 30 days of account deletion request.
• Order history: Retained for 7 years for tax and legal compliance purposes.
• Payment records: Retained as required by financial regulations (typically 7 years).
• Usage logs: Automatically purged after 90 days.

6. Your Rights

You have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Update or correct inaccurate personal information.
• Deletion: Request deletion of your account and personal data, subject to legal retention requirements.
• Data portability: Request your data in a structured, machine-readable format.
• Opt out of marketing: Unsubscribe from promotional emails at any time using the link in any marketing email.
• Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at privacy@felbastore.co.ke. We respond to all requests within 30 days.

7. International Data Transfers

FelbaStore is based in Kenya. If you access our services from outside Kenya, your information may be transferred to and processed in Kenya or other countries where our service providers operate. We ensure appropriate safeguards are in place to protect your data in accordance with the Kenya Data Protection Act, 2019, and applicable international data protection standards.

8. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at privacy@felbastore.co.ke and we will promptly delete the information.

9. Third-Party Links

Our platform may contain links to third-party websites or services (vendor websites, payment providers, social media). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page with a new "Last updated" date. For significant changes, we may also send you an email notification. Your continued use of our services after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: