Privacy Policy

Last updated: June 19, 2026

Cheeky Wags (“we”, “our”, “the platform”), operated by The Baobab Collective, is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and your rights under Kenya’s Data Protection Act (2019).

1. Data Controller

The data controller for personal data processed through Cheeky Wags is The Baobab Collective, Nairobi, Kenya.

Data Protection Officer: privacy@cheekywags.com

2. Data We Collect

Account Information

Name, email address, phone number, location (county), profile photo, and account type (pet parent, vendor, or vet). For vendors: business name, service descriptions, M-Pesa number, and verification documents. For vets: clinic name and license number.

Pet Information

Pet name, species, breed, age, gender, weight, medical history, vaccination records, and photos. This data forms part of the Pet Passport feature.

Booking & Service Data

Booking details, service requests, job posts, payment terms, payment proof (M-Pesa references), reviews, messages between users, and booking status history.

Technical Data

IP address, browser type, device information, and access timestamps. We use this data for security, fraud prevention, and platform stability.

3. Legal Basis for Processing

We process your data on the following legal grounds under the Data Protection Act:

  • Consent: You provide consent when creating your account and agreeing to these terms
  • Contractual necessity: Processing required to provide our services (bookings, messaging, payments)
  • Legitimate interest: Platform security, fraud prevention, and service improvement
  • Legal obligation: Compliance with Kenyan law, including the Data Protection Act and tax regulations

4. How We Use Your Data

  • To create and manage your account
  • To connect pet parents with vendors and vets
  • To process bookings, job applications, and service requests
  • To send transactional emails (booking confirmations, password resets, verification codes)
  • To send occasional promotional emails about features, tips, and offers, only if you have opted in, which you can reverse at any time in your settings
  • To send SMS for phone number verification (one-time only)
  • To maintain Pet Passport health records
  • To display vendor profiles, reviews, and ratings on the marketplace
  • To enable messaging between users
  • To prevent fraud and ensure platform security
  • To comply with legal obligations

5. Data Sharing

We do not sell your personal data. We share data only as follows:

  • Between users: When you book a service, your name, pet information, and contact details are shared with the vendor. Vendor profiles, M-Pesa numbers, and reviews are visible to pet parents.
  • Service providers: Brevo (email and SMS delivery), Cloudinary (image hosting), Pesapal (subscription payments), and Google (Google Analytics, used only with your consent to measure website usage). These providers process data on our behalf under data processing agreements.
  • Legal requirements: We may disclose data if required by Kenyan law, court order, or to protect the safety of users or the public.

6. Data Storage & Security

Your data is stored on secured servers hosted by Hetzner (Germany/Finland), compliant with EU GDPR standards which meet or exceed the requirements of Kenya’s Data Protection Act. We implement the following security measures:

  • Passwords hashed with bcrypt (12 rounds)
  • JWT authentication with HMAC signature verification
  • HTTPS encryption for all data in transit
  • HttpOnly, Secure, SameSite cookies
  • Rate limiting on authentication endpoints
  • Admin action audit logging
  • Input validation and sanitisation on all API endpoints

7. Data Retention

  • Active accounts: Data retained for as long as your account is active
  • Deleted accounts: Personal data is permanently deleted within 30 days of account deletion. Anonymised booking records may be retained for legal and financial compliance
  • Password reset tokens: Expire after 1 hour and are marked as used
  • Verification codes: Expire after 10 minutes
  • Audit logs: Retained for 7 years for accountability and dispute resolution

8. Your Rights

Under Kenya’s Data Protection Act, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data via your account settings
  • Erasure: Delete your account and all associated personal data from your account settings
  • Data portability: Request your data in a structured, machine-readable format
  • Restriction: Request that we limit how we process your data
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Withdraw consent at any time. You can turn off analytics cookies through the cookie preferences on the site, turn off promotional emails in your account settings, or delete your account. You may also contact us.

To exercise any of these rights, contact us at privacy@cheekywags.com or use the account deletion feature in your settings. We will respond within 30 days as required by the Data Protection Act.

9. Children’s Privacy

Cheeky Wags is not intended for use by persons under 18 years of age. We do not knowingly collect data from minors. If we discover that we have collected data from a person under 18, we will delete it promptly.

10. Cookies

We use two kinds of cookies. Strictly necessary cookies keep you signed in and secure, and the site cannot work without them. Your authentication cookie is HttpOnly and Secure, so it cannot be accessed by client-side scripts. Analytics cookies are optional. With your consent, we use Google Analytics to understand how the site is used so that we can improve it. We do not use cookies for advertising and we do not sell your data. You choose whether to allow analytics the first time you visit, and you can change your choice at any time through the cookie preferences on the site.

11. International Transfers

Your data may be processed on servers located in Germany and Finland (Hetzner). These countries provide adequate data protection under EU GDPR, which is recognised as meeting the standards required by Kenya’s Data Protection Act for international transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email. The “Last updated” date at the top indicates the most recent revision.

13. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya. Website: www.odpc.go.ke

14. Contact

For privacy-related inquiries:
Email: privacy@cheekywags.com
General support: support@cheekywags.com