1. Information we collect
We collect information you provide directly, information generated through your use of the Service, and
limited technical information required to operate, secure, and improve the Service. Categories include:
Account and identity information
- Name, email address, phone number, login credentials, and optional Google sign-in identity details.
- Shop name, business details, and subscription preferences.
Business and transactional data
- Products, stock levels, pricing, and inventory records you create or import.
- Sales, receipts, payment records, and transaction history.
- Debtor and credit balances, customer names, customer phone numbers, and payment schedules.
- Shop settings, staff accounts, roles, and access permissions.
Billing and payment information
- Selected subscription plan, billing interval, and payment method.
- Transaction references, payment status, processor response data, and purchase history for add-ons such as SMS bundles or automation credits.
Technical and device information
- Device type, operating system, browser or app version, IP address, and device identifiers.
- Screen and page activity, crash details, request failures, and performance metrics.
- Session identifiers, queued sync operations, and locally cached data where offline support is enabled.
Support and communications
- Messages you send to our support team and any information you provide in connection with a support request.
2. How we use information
We use collected information for the following purposes:
- Account management. Create, authenticate, and manage user accounts, shop access, staff roles, and device registrations.
- Service delivery. Provide point-of-sale, inventory, debtor management, receipt, analytics, reminder, messaging, and related business features.
- Data synchronization. Synchronize data across sessions and devices, including offline-first workflows where supported.
- Billing and payments. Process subscriptions, payment confirmations, billing events, checkout requests, and credit allocations.
- Communications. Send service-related messages such as email verification, password resets, payment confirmations, SMS reminders, debtor notifications, and operational alerts.
- Security and fraud prevention. Detect, investigate, and prevent unauthorized access, abuse, fraud, and security incidents.
- Analytics and improvement. Monitor performance, diagnose failures, understand usage patterns, improve reliability, and develop new features.
- Legal compliance. Comply with applicable laws, regulations, legal processes, and governmental requests.
3. Third-party service providers
Certain features of the Service rely on third-party providers that process information on our behalf or in
connection with services you choose to use. These may include:
- Payment processors. Payments and billing may involve providers such as M-Pesa and IntaSend, which process payment information according to their own terms and policies.
- SMS and messaging providers. SMS reminders, debtor notifications, and alerts may be delivered through providers such as Africa's Talking.
- Email infrastructure. Email verification, password reset, and transactional messages may be delivered through our email service providers.
- Authentication providers. Optional Google sign-in uses Google account identity information that you authorize for authentication.
- Cloud hosting and infrastructure. The Service is hosted on third-party cloud infrastructure providers that store and process data on our behalf.
- Analytics and monitoring. We may use analytics and monitoring tools to understand usage, diagnose issues, and improve the Service.
These providers may process personal, business, or transactional information in accordance with their own
terms and privacy policies. We select providers that we believe maintain appropriate security practices, but
we are not responsible for the privacy or security practices of third-party providers.
4. When we share information
We may share information in the following circumstances:
- With service providers and infrastructure partners that help us host, secure, authenticate, message, and operate the Service.
- With payment processors where necessary to complete a transaction, verify payment status, or process billing events.
- With SMS or messaging providers to deliver reminders, notifications, or alerts you configure or that the Service sends on your behalf.
- Where required by applicable law, regulation, court order, or a valid governmental request.
- Where reasonably necessary to investigate fraud, enforce our Terms, protect our rights, or respond to security incidents.
- In connection with a merger, acquisition, or sale of assets, in which case we will notify affected users.
We do not sell your personal information to third parties for advertising or marketing purposes.
5. Cookies, sessions, and analytics
On the web, Duka Digital uses session cookies and browser storage to maintain authenticated sessions,
remember interface settings (such as theme preferences), and support core application functionality. These
are essential to the operation of the Service and cannot be disabled while using the web application.
We also collect limited telemetry and diagnostic information to understand failures, monitor performance,
track feature adoption, and improve the Service. We make reasonable efforts to filter sensitive fields from
telemetry payloads before storage.
On Android, the application may store session data and cached business information locally on the device to
support offline operation and improved performance.
6. Android permissions and on-device storage
The Duka Digital Android application currently requests network-related permissions only, including
internet access and network state, in order to connect to the Service and synchronize data.
The Android application does not request access to contacts, location, camera, microphone, photos, or
SMS messages.
The application may store account and business information locally on the device to support offline
operation, queued synchronization, and improved performance. This data remains on your device until you sign
out, clear app data, or uninstall the application.
7. Data retention
We retain information for as long as your account is active and for a reasonable period afterward as needed
for legitimate business operations, legal compliance, dispute resolution, fraud prevention, backup, and
enforcement of our agreements.
Automated inactivity detection. Shops that have had no activity (such as logins, sales,
product updates, or dashboard usage) for approximately 180 days may be automatically flagged for deletion.
When a shop is flagged, the account owner receives an email warning and has a 14-day grace period to sign
in or perform any activity to cancel the process. If no activity occurs during the grace period, shop data
is soft-deleted and access is suspended. Soft-deleted data is retained for an additional 30 days before
permanent removal, during which time support may be able to assist with recovery. After permanent removal,
shop data cannot be restored.
Information stored locally on a device may remain until removed by signing out, clearing app data, or
uninstalling the application.
8. Data security
We use reasonable administrative, technical, and organizational safeguards designed to protect information
against unauthorized access, disclosure, alteration, and destruction. These measures include encrypted
connections, secure credential storage, role-based access controls, and regular monitoring.
However, no method of electronic storage or internet transmission is completely secure. We cannot guarantee
absolute security and are not responsible for the security of information you transmit to the Service over
networks we do not control.
9. Your rights and choices
Depending on your location and applicable law, you may have certain rights regarding your personal information:
- Access. You may request a copy of the personal information we hold about you.
- Correction. You may update or correct inaccurate information. Many records can be edited directly within the Service.
- Deletion. You may request deletion of your account and personal data by submitting a request through Account Deletion or by contacting us at support@dukadigital.com.
To exercise any of these rights, contact us at support@dukadigital.com.
We will respond within a reasonable timeframe and may ask you to verify your identity before processing your request.
Your responsibilities. You are responsible for ensuring that you have the lawful right to
collect, upload, store, and process customer and business information in the Service, including any personal
data of your customers, staff, or debtors.
10. Children's privacy
The Service is intended for merchants, shop owners, and shop staff. It is not directed to children
under 18. We do not knowingly collect personal information from children. If we learn that we have
collected information from a child, we will take steps to delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will publish the
revised version on this page and update the effective date. Where appropriate, we may notify you through
the Service. Your continued use of the Service after changes are published constitutes your acceptance of
the revised policy.
12. Contact
If you have questions about this Privacy Policy, your data, or your privacy rights, please contact us at
support@dukadigital.com.