Privacy Policy

Cheeky Wags (“we”, “our”, “the platform”), operated by The Baobab Collective, is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and your rights under Kenya’s Data Protection Act (2019).

1. Data Controller

The data controller for personal data processed through Cheeky Wags is The Baobab Collective, Nairobi, Kenya. We are registered with the Office of the Data Protection Commissioner (ODPC) as required by the Data Protection Act.

Data Protection Officer: privacy@cheekywags.com

2. Data We Collect

Account Information

Name, email address, phone number, location (county), profile photo, and account type (pet parent, vendor, or vet). For vendors: business name, service descriptions, M-Pesa number, and verification documents. For vets: clinic name and license number.

Pet Information

Pet name, species, breed, age, gender, weight, medical history, vaccination records, and photos. This data forms part of the Pet Passport feature.

Booking & Service Data

Booking details, service requests, job posts, payment terms, payment proof (M-Pesa references), reviews, messages between users, and booking status history.

Technical Data

IP address, browser type, device information, and access timestamps. We use this data for security, fraud prevention, and platform stability.

3. Legal Basis for Processing

We process your data on the following legal grounds under the Data Protection Act:

• Consent: You provide consent when creating your account and agreeing to these terms
• Contractual necessity: Processing required to provide our services (bookings, messaging, payments)
• Legitimate interest: Platform security, fraud prevention, and service improvement
• Legal obligation: Compliance with Kenyan law, including the Data Protection Act and tax regulations

4. How We Use Your Data

• To create and manage your account
• To connect pet parents with vendors and vets
• To process bookings, job applications, and service requests
• To send transactional emails (booking confirmations, password resets, verification codes)
• To send SMS for phone number verification (one-time only)
• To maintain Pet Passport health records
• To display vendor profiles, reviews, and ratings on the marketplace
• To enable messaging between users
• To prevent fraud and ensure platform security
• To comply with legal obligations

5. Data Sharing

We do not sell your personal data. We share data only as follows:

• Between users: When you book a service, your name, pet information, and contact details are shared with the vendor. Vendor profiles, M-Pesa numbers, and reviews are visible to pet parents.
• Service providers: Brevo (email and SMS delivery), Cloudinary (image hosting), Pesapal (subscription payments). These providers process data on our behalf under data processing agreements.
• Legal requirements: We may disclose data if required by Kenyan law, court order, or to protect the safety of users or the public.

6. Data Storage & Security

Your data is stored on secured servers hosted by Hetzner (Germany/Finland), compliant with EU GDPR standards which meet or exceed the requirements of Kenya’s Data Protection Act. We implement the following security measures:

• Passwords hashed with bcrypt (12 rounds)
• JWT authentication with HMAC signature verification
• HTTPS encryption for all data in transit
• HttpOnly, Secure, SameSite cookies
• Rate limiting on authentication endpoints
• Admin action audit logging
• Input validation and sanitisation on all API endpoints

7. Data Retention

• Active accounts: Data retained for as long as your account is active
• Deleted accounts: Personal data is permanently deleted within 30 days of account deletion. Anonymised booking records may be retained for legal and financial compliance
• Password reset tokens: Expire after 1 hour and are marked as used
• Verification codes: Expire after 10 minutes
• Audit logs: Retained for 7 years for ODPC compliance

8. Your Rights

Under Kenya’s Data Protection Act, you have the right to:

• Access: Request a copy of the personal data we hold about you
• Rectification: Correct inaccurate or incomplete data via your account settings
• Erasure: Delete your account and all associated personal data from your account settings
• Data portability: Request your data in a structured, machine-readable format
• Restriction: Request that we limit how we process your data
• Objection: Object to processing based on legitimate interest
• Withdraw consent: Withdraw your consent at any time by deleting your account or contacting us

To exercise any of these rights, contact us at privacy@cheekywags.com or use the account deletion feature in your settings. We will respond within 30 days as required by the Data Protection Act.

9. Children’s Privacy

Cheeky Wags is not intended for use by persons under 18 years of age. We do not knowingly collect data from minors. If we discover that we have collected data from a person under 18, we will delete it promptly.

10. Cookies

We use essential cookies only for authentication (session management). We do not use third-party tracking cookies, advertising cookies, or analytics cookies. Your authentication cookie is HttpOnly and Secure, meaning it cannot be accessed by client-side scripts.

11. International Transfers

Your data may be processed on servers located in Germany and Finland (Hetzner). These countries provide adequate data protection under EU GDPR, which is recognised as meeting the standards required by Kenya’s Data Protection Act for international transfers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email. The “Last updated” date at the top indicates the most recent revision.

13. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya. Website: www.odpc.go.ke

14. Contact

For privacy-related inquiries:
Email: privacy@cheekywags.com
General support: support@cheekywags.com