🔒
Legal

Privacy Policy

We believe you have a right to know exactly what data we collect, why we collect it, and what we do with it. This policy is written in plain language — no legalese where we can avoid it.

Last updated: January 2025
Jurisdiction: Republic of Kenya
Data controller: Jirani Hub
🀝
Plain language commitment: We don't sell your data. We don't share it with advertisers. We only collect what we genuinely need to run the marketplace and serve you well. If you ever want to know what we hold about you, just ask.
1 Who We Are
The data controller and how to reach us

Jirani Hub is a community marketplace operated from our physical shop off Kikuyu Road, Near Kirigu Police Station, Mutuini-Kirigu, Dagoretti South, Nairobi, Kenya. We are the data controller for all personal information collected through the Jirani Hub website (jiranihubmarket.co.ke), mobile interface, and shop counter.

If you have any questions about this Privacy Policy or about how we handle your personal data, you can reach us:

  • WhatsApp: +254 742 744 502
  • In person: Off Kikuyu Road, Near Kirigu Police Station, Mutuini-Kirigu, Dagoretti South, Nairobi — Monday to Saturday, 07:00–20:00

2 What Data We Collect
Information we collect and why

We collect personal data in three ways: information you give us directly, information generated when you use the platform, and information received from third-party services you connect (such as Google login).

| Data | When collected | Why we need it |
|---|---|---|
| Full name | Registration / seller application | Identify your account, display on orders and tickets, verify at counter collection |
| Phone number | Registration / checkout | WhatsApp order notifications, delivery coordination, M-Pesa refund processing, account recovery |
| Email address | Registration / Google login | Account login, password reset, occasional service communications |
| Delivery address | At checkout (delivery orders) | Dispatch rider to correct location, store on order record for disputes |
| M-Pesa reference number | Payment confirmation | Verify payment, process refunds, resolve payment disputes |
| Order history | On every order | Account order tracking, payout calculations, dispute resolution, admin reporting |
| Product photos | Seller application submission | Display product listing on the marketplace, stored in photo_paths column |
| Seller Badge (SLR-XXXX) | On seller approval | Permanent seller identity, used at counter intake and linked to all seller activity |
| Google account data | If you sign in with Google | Name and email passed from Google OAuth to create or match your account. We do not receive your Google password. |
| Rider session token | When a rider session is created | Authenticate delivery rider portal access for a single delivery slot. Tokens expire automatically. |
| Device / browser info | Automatically on site visit | Basic server logs for security and error monitoring. Not used for profiling or advertising. |

What we do NOT collect
We do not collect your M-Pesa PIN, bank account details, national ID number, or any payment card information. We never store sensitive financial authentication credentials.

3 How We Use Your Data
The specific purposes for using your information

We only use your personal data for the following purposes. We do not use it for any other purpose without informing you first.

  • Processing your orders — your name, phone number, address, and payment reference are used to confirm, pack, dispatch, and complete your order.
  • WhatsApp notifications — we send order confirmations, reservation reminders, delivery dispatch alerts, and stock-ready notifications via WhatsApp to your registered phone number. These are operational messages, not marketing.
  • Account management — your email and password (hashed) are used to authenticate your login and manage your account. We never store passwords in plain text.
  • Seller operations — seller data including Seller Badge, product listings, stock quantities, and payout records are used to manage the seller relationship and calculate payouts.
  • Dispute resolution — order history, M-Pesa references, and timestamps are used to investigate and resolve disputes fairly.
  • Platform security — server logs and session data are used to detect and prevent fraudulent activity and unauthorised access.
  • Platform improvement — aggregated, anonymised data (e.g. most-ordered product categories, peak order times) may be used internally to improve the service. This data cannot be traced back to any individual.
We do not use your data for advertising
Jirani Hub does not run targeted advertising and does not use your personal data to build advertising profiles. We do not sell your data to any third party, ever.

4 Who We Share Data With
Third parties who may receive your information

We share personal data only where necessary to operate the platform. We do not sell data or share it for marketing purposes. The third parties we work with are:

| Third Party | Data shared | Purpose |
|---|---|---|
| Safaricom (M-Pesa) | Phone number, transaction reference | Payment processing. Safaricom processes your M-Pesa transaction independently under their own privacy policy. |
| Google (OAuth) | Name, email (if you use Google Sign-In) | Authentication only. Google returns your name and email to create or match your account. Governed by Google's Privacy Policy. |
| Truehost Kenya | All platform data | Our hosting provider. All data is stored on servers in Kenya. Truehost is bound by Kenyan data protection law. |
| Delivery riders | Your name, phone number, delivery address, order summary | To complete your delivery. Riders receive only the minimum information needed for that specific delivery slot via a time-limited session link. |

We may also disclose personal data if required to do so by Kenyan law or a lawful order from a competent authority (such as a court order or a request from law enforcement). We will notify affected users where we are legally permitted to do so.


5 Storage & Security
How we protect and store your data

All Jirani Hub data is stored in a MySQL database hosted on servers in Kenya by Truehost Kenya. We take the following security measures:

  • Passwords are hashed using bcrypt (cost factor 12) before storage. We cannot read your password — not even our admin team.
  • HTTPS is enforced across the entire platform. All data in transit is encrypted.
  • Access control β€” only admin accounts have access to the database. Staff accounts have limited access defined by their role. Riders have no account access beyond their time-limited session token.
  • Session tokens for riders are single-use per delivery slot and expire automatically after the slot ends.
  • API authentication uses Bearer tokens passed in the Authorization header. Tokens are not stored in URLs or browser history.
  • Product photos are stored in the server's /uploads/ directory, not in the database, with paths stored in the photo_paths field.

No security system is perfect. In the unlikely event of a data breach that affects your personal information, we will notify you as soon as reasonably practicable via WhatsApp and take immediate steps to contain and investigate the incident.


6 Data Retention
How long we keep your data

We keep your data for as long as it is needed to deliver the service or meet a legal obligation. Here is how long specific data types are retained:

| Data type | Retention period | Reason |
|---|---|---|
| Account details (name, email, phone) | Until account is closed + 30 days | To process any pending orders or payouts after closure |
| Order history & M-Pesa references | 3 years | Financial records, dispute resolution, payout audit trail |
| Seller applications & photos | Duration of seller account + 1 year | Product listing and dispute reference |
| Delivery addresses | With the order record (3 years) | Stored as part of the order for dispute resolution |
| Rider session tokens | Expires at slot end; purged within 7 days | Automatically invalidated after each delivery slot |
| Server logs (IP, browser) | 90 days | Security monitoring only; automatically deleted |

When data reaches the end of its retention period, it is deleted from our database and any associated files are removed from server storage. We do not archive data beyond these periods.


7 Cookies
How we use cookies

Jirani Hub uses a minimal number of cookies — small text files stored in your browser. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

  • Session cookie — keeps you logged in during a browsing session. Expires when you close your browser or log out. This is essential for the platform to function.
  • Auth token cookie — stores your JWT authentication token to keep you logged in across sessions (if you choose to stay logged in). You can clear this by logging out.

We do not use Google Analytics, Facebook Pixel, or any third-party tracking tools. The only cookies on this site are the ones necessary to make it work.

If you disable cookies in your browser, you will not be able to stay logged in, but you can still browse products as a guest.

No tracking
We do not track you across other websites. Jirani Hub cookies are only active on jiranihubmarket.co.ke.

8 Your Rights
What you can ask us to do

Under the Kenya Data Protection Act 2019 and reasonable privacy practice, you have the following rights regarding your personal data. To exercise any of these rights, contact us via WhatsApp at +254 742 744 502. We will respond within 10 business days.

👁️
Right to Access
Ask us what personal data we hold about you. We'll provide a clear summary of everything on record.
✏️
Right to Correction
If any information we hold is inaccurate or out of date, ask us to correct it. We'll update it promptly.
🗑️
Right to Deletion
Ask us to delete your account and personal data. We'll do so within 30 days, subject to any legal retention obligations.
📦
Right to Portability
Ask for a copy of your data in a readable format (JSON or CSV) so you can take it elsewhere.
🚫
Right to Object
Object to us processing your data for any purpose other than fulfilling your orders. We'll stop any non-essential processing.
📵
Right to Opt Out
Opt out of WhatsApp notifications (other than essential order updates). Just let us know and we'll update your preferences.
Deletion and active orders
If you request account deletion while you have active orders, pending payouts (as a seller), or an unresolved dispute, we will need to retain your data until those matters are concluded. We'll let you know the timeline.

9 Children's Privacy
Users under 18

Jirani Hub is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.

If you believe a child has created an account on our platform, please contact us immediately via WhatsApp at +254 742 744 502.


10 Changes to This Policy
How we update this Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes — such as collecting a new type of data or sharing with a new third party — we will update the "Last updated" date at the top of this page and notify active users via WhatsApp where practical.

Minor updates such as clarifications or corrections to wording do not constitute material changes. Continued use of the platform after a policy update constitutes acceptance of the revised policy.

We encourage you to review this policy periodically. Previous versions are available on request.

This policy was last reviewed and updated in January 2025.

Your data, your community.

Any questions about your privacy or your data — we're always reachable on WhatsApp or at the shop.
