Privacy Policy

1. Introduction

Cafe-Yako Limited ("Cafe-Yako," "we," "us," or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Platform.

We are registered with the Office of the Data Protection Commissioner of Kenya and comply with the Data Protection Act, 2019, and Article 31 of the Constitution of Kenya, 2010, which guarantees every person the right to privacy.

By using the Cafe-Yako Platform, you consent to the collection, use, and processing of your personal data as described in this Privacy Policy.

2. Key Definitions

Under this Privacy Policy:

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in the Data Protection Act, 2019.
• "Data Subject" means an identified or identifiable living person to whom personal data relates.
• "Data Controller" means a person who, alone or jointly with others, determines the purposes and means of processing personal data.
• "Data Processor" means a person who processes personal data on behalf of a data controller.
• "Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or erasure.
• "Platform" means the Cafe-Yako web application, mobile applications, POS systems, and all related services.

3. Data Controller Information

Cafe-Yako Limited is the Data Controller for personal data collected through the Platform. Our contact details are:

4. Personal Data We Collect

4.1 Business User Information

When you register as a Business User, we collect:

• Identity Information: Full name, business name, business registration number (if applicable), national ID or passport number
• Contact Information: Email address, phone number, physical business address, postal address
• Financial Information: Bank account details, mobile money numbers (M-Pesa), tax identification number (PIN), payment card information (processed by third-party payment processors)
• Business Information: Business type, industry category, number of employees, business operating hours, subscription plan details
• Authentication Data: Username, password (encrypted), two-factor authentication settings

4.2 Client User (Staff) Information

When Business Users add staff members, we collect:

• Full name and employee ID
• Email address and phone number
• Role and permission level
• Shift schedules and attendance records
• Sales and transaction data associated with the staff member

4.3 End Customer Information

When Business Users collect customer information through the Platform, we process:

• Name and contact details (phone number, email address)
• Shipping/delivery address
• Order history and transaction details
• Payment information (processed by third-party payment gateways)

Important: For end customer data, the Business User acts as the Data Controller, and Cafe-Yako acts as the Data Processor. Business Users are responsible for obtaining valid consent from their customers.

4.4 Content and Media

We collect and process:

• Videos, images, and multimedia content uploaded for creation and publishing
• Product catalogs, descriptions, and pricing information
• Social media content and captions
• Marketing materials and promotional content

4.5 Automatically Collected Information

When you use the Platform, we automatically collect:

• Device Information: Device type, operating system, browser type and version, device identifiers
• Usage Data: Pages viewed, features used, time spent on Platform, click patterns, search queries
• Location Data: IP address, geographic location (with consent)
• Log Data: Access times, error logs, system events
• Cookies and Tracking Technologies: Session cookies, analytics cookies, preference cookies (see Section 12)

4.6 Third-Party Integration Data

When you connect third-party services, we may receive:

• Social Media: Profile information, follower counts, engagement metrics, content performance data from TikTok, Instagram, YouTube
• E-commerce Platforms: Product data, order information, inventory levels from Shopify, WooCommerce
• Payment Gateways: Transaction confirmations, payment status (payment card details are NOT stored by us)

5. How We Use Your Personal Data

5.1 Lawful Basis for Processing

We process personal data on the following lawful bases under the Data Protection Act, 2019:

• Consent: Where you have given specific, informed, and unambiguous consent
• Contractual Necessity: To perform our contract with you (Terms and Conditions)
• Legal Obligation: To comply with Kenyan laws and regulations
• Legitimate Interests: For our legitimate business interests that do not override your rights

5.2 Specific Purposes

We use your personal data to:

a) Provide and Operate the Platform

• Create and manage your account
• Provide content creation, editing, and publishing services
• Enable business operations (inventory, orders, payments, POS)
• Facilitate staff management and collaboration
• Process transactions and payments
• Publish content to third-party platforms on your behalf

b) Communication and Support

• Send service-related notifications and updates
• Provide customer support and respond to inquiries
• Send subscription renewal and payment reminders
• Notify you of Platform changes, new features, or updates

c) Analytics and Improvement

• Analyze Platform usage and performance
• Generate business analytics and reports for Business Users
• Improve Platform features and user experience
• Develop new services and functionalities

d) Security and Fraud Prevention

• Detect and prevent fraud, abuse, and security incidents
• Verify identity and authenticate users
• Monitor for suspicious activities
• Protect the rights and safety of users and third parties

e) Legal Compliance

• Comply with legal obligations under Kenyan law
• Respond to lawful requests from authorities
• Maintain records required by tax and financial regulations
• Enforce our Terms and Conditions

f) Marketing (with your consent)

• Send promotional emails about new features or offers
• Provide personalized recommendations
• Conduct surveys and market research

Note: You can opt out of marketing communications at any time by clicking "unsubscribe" in emails or contacting us.

6. How We Share Your Personal Data

6.1 Our Commitment

Cafe-Yako does NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

6.2 When We Share Data

We may share personal data in the following circumstances:

a) Service Providers and Processors

We share data with trusted third-party service providers who process data on our behalf:

• Cloud Hosting: Amazon Web Services (AWS), Google Cloud Platform for data storage and hosting
• Payment Processors: Stripe, Paystack, M-Pesa (Safaricom) for payment processing
• Email Services: SendGrid, Mailgun for transactional emails
• Analytics: Google Analytics, Mixpanel for usage analytics
• Customer Support: Zendesk, Intercom for support services

All service providers are contractually obligated to protect your data and use it only for specified purposes.

b) Third-Party Integrations (with your authorization)

When you connect third-party platforms, we share data as necessary:

• Social Media: TikTok, Instagram, YouTube to publish your content
• E-commerce: Shopify, WooCommerce to sync products and orders
• CRM and Marketing: Tools you integrate with for business operations

You control these integrations and can disconnect them at any time.

c) Business Transfers

If Cafe-Yako is involved in a merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change.

d) Legal Requirements

We may disclose personal data when required by Kenyan law or in response to:

• Valid legal processes (court orders, subpoenas, warrants)
• Requests from law enforcement or regulatory authorities
• National security or public interest requirements
• Protection of our rights, property, or safety
• Protection of rights and safety of users or the public

e) With Your Consent

We may share data with other third parties when you provide specific consent.

6.3 Customer Data Isolation

End customer data collected by Business Users is only accessible to that specific Business User. We do not share customer data between different Business Users.

7. Cross-Border Data Transfers

7.1 International Transfers

Some of our service providers and third-party integrations are located outside Kenya. When we transfer personal data internationally, we ensure adequate safeguards are in place:

• Standard Contractual Clauses approved by data protection authorities
• Privacy Shield frameworks or equivalent certifications
• Ensuring the recipient country has adequate data protection laws

7.2 Your Consent

By using the Platform and connecting third-party integrations (especially social media platforms), you consent to the transfer of personal data outside Kenya where necessary to provide the Services.

7.3 Data Processing Locations

Personal data may be processed in:

• Kenya (primary data center)
• European Union (cloud backup servers)
• United States (certain service providers)
• Other jurisdictions as required by third-party integrations

8. Data Security and Protection

8.1 Security Measures

We implement industry-standard technical and organizational measures to protect personal data:

• Encryption: TLS/SSL encryption for data in transit, AES-256 encryption for sensitive data at rest
• Access Controls: Role-based access control, multi-factor authentication, principle of least privilege
• Network Security: Firewalls, intrusion detection systems, DDoS protection
• Data Isolation: Logical separation of data between different Business Users
• Regular Backups: Automated daily backups with encrypted storage
• Security Audits: Regular security assessments and penetration testing
• Employee Training: Data protection and security awareness training for all staff
• Incident Response: Established procedures for detecting and responding to security breaches

8.2 Your Responsibility

You are responsible for:

• Keeping your password and login credentials confidential
• Using strong, unique passwords
• Enabling two-factor authentication
• Logging out from shared devices
• Immediately reporting any unauthorized access or security concerns

8.3 Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Office of the Data Protection Commissioner within 72 hours of becoming aware
• Notify affected data subjects without undue delay if the breach poses a high risk
• Provide information about the nature of the breach, likely consequences, and measures taken

8.4 Limitations

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your personal data. You use the Platform at your own risk.

9. Data Retention

9.1 Retention Periods

We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

• Active Accounts: Personal data is retained while your account is active
• Suspended Accounts: Data is retained during suspension (30-day grace period for payment issues)
• Closed Accounts: After account closure, data is retained for 90 days for recovery purposes, then permanently deleted unless legally required to retain
• Financial Records: Transaction and payment data is retained for 7 years to comply with Kenyan tax and accounting laws
• Legal Obligations: Data required for legal proceedings or compliance is retained until obligations are fulfilled
• Backups: Backup copies are retained for 90 days and then automatically deleted

9.2 Data Deletion

When data is no longer needed, we securely delete or anonymize it using industry-standard methods.

10. Your Data Subject Rights

Under the Data Protection Act, 2019, and the Constitution of Kenya, you have the following rights:

10.1 Right to Be Informed

You have the right to be informed about the collection and use of your personal data. This Privacy Policy serves that purpose.

10.2 Right of Access

You have the right to request:

• Confirmation that we process your personal data
• Access to your personal data
• A copy of your personal data in a commonly used format
• Information about how your data is processed, who it is shared with, and retention periods

We will respond to access requests within 7 days as required by Kenyan law.

10.3 Right to Rectification

You have the right to request correction of inaccurate, incomplete, or misleading personal data. We will respond within 14 days.

10.4 Right to Erasure ("Right to Be Forgotten")

You have the right to request deletion of your personal data in certain circumstances:

• The data is no longer necessary for the original purpose
• You withdraw consent and there is no other legal basis
• You object to processing and there are no overriding grounds
• The data was unlawfully processed
• Erasure is required by law

This right does not apply where we have a legal obligation to retain the data (e.g., financial records for tax purposes).

10.5 Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain cases, such as when:

• You contest the accuracy of the data
• Processing is unlawful but you oppose erasure
• We no longer need the data but you need it for legal claims
• You have objected to processing pending verification

10.6 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., CSV, JSON) and to transmit that data to another controller.

10.7 Right to Object

You have the right to object to:

• Processing based on legitimate interests
• Direct marketing (including profiling)
• Processing for research or statistical purposes

10.8 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.9 Right to Lodge a Complaint

You have the right to lodge a complaint with the Office of the Data Protection Commissioner:

10.10 How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer at:

• Email: dpo@cafe-yako.com
• Subject Line: "Data Subject Rights Request"
• Include: Your name, email address, account details, and specific request

We may require additional information to verify your identity before processing requests.

11. Consent Management

11.1 Obtaining Consent

Where we rely on consent to process personal data, we ensure that consent is:

• Freely Given: Not a condition of service where unnecessary
• Specific: Clearly stated for particular purposes
• Informed: You understand what you're consenting to
• Unambiguous: Requires affirmative action (opt-in, not pre-ticked boxes)

11.2 Burden of Proof

We bear the burden of demonstrating that valid consent was obtained. We maintain records of consents given.

11.3 Managing Your Consent

You can manage your consent preferences in your account settings or by contacting us. You may:

• Opt out of marketing emails
• Disable specific cookies
• Disconnect third-party integrations
• Adjust location sharing settings

12. Cookies and Tracking Technologies

12.1 What Are Cookies

Cookies are small text files stored on your device when you visit the Platform. We use cookies and similar technologies (web beacons, pixels, local storage) to enhance your experience.

12.2 Types of Cookies We Use

• Essential Cookies: Required for Platform functionality (authentication, security, session management)
• Performance Cookies: Help us understand how users interact with the Platform (Google Analytics)
• Functional Cookies: Remember your preferences and settings
• Marketing Cookies: Track effectiveness of marketing campaigns (with consent)

12.3 Managing Cookies

You can control cookies through:

• Your browser settings (block, delete, or disable cookies)
• Our cookie consent banner when you first visit
• Cookie preferences in your account settings

Note: Disabling essential cookies may affect Platform functionality.

13. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children under 18.

If we discover that we have collected personal data from a child under 18, we will promptly delete such information. If you believe we have collected data from a child, please contact us immediately at dpo@cafe-yako.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features.

When we make material changes, we will:

• Update the "Last Updated" date at the top of this Policy
• Send an email notification to registered users
• Display a prominent notice on the Platform
• Request renewed consent where required by law

Changes will take effect 30 days after notice is provided. Continued use of the Platform after changes constitutes acceptance of the updated Policy.

15. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

16. Acknowledgment

By using the Cafe-Yako Platform, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal data as described in this Privacy Policy.

Last Updated: April 15, 2026