Privacy Policy
This policy explains how GrandMarket collects, uses, protects, shares, and retains personal data for the SaaS platform, merchant stores, payments, WhatsApp messaging, POS workflows, analytics, support, and security.
GrandMarket respects privacy. We process personal data in line with the Kenya Data Protection Act, 2019, the Kenya Data Protection (General) Regulations, 2021, and other privacy laws that may apply to merchants or shoppers, including GDPR-style and CCPA-style rights where applicable.
1. Who this policy covers
This policy applies to:
- Merchants, tenants, store owners, admins, staff, and POS users who create or manage stores on GrandMarket
- Customers and visitors who shop on a GrandMarket-powered storefront or marketplace page
- People who contact us, receive platform messages, use support, or interact with GrandMarket websites and services
Merchants remain responsible for their own customer-facing disclosures, product terms, delivery terms, return policies, marketing consents, and lawful handling of customer data inside their stores.
2. Our role and merchant responsibilities
For merchant account data, billing, platform security, product improvement, fraud prevention, and support, GrandMarket normally acts as an independent data controller. For shopper, order, staff, POS, and store content data processed to operate a merchant's store, GrandMarket normally acts as a data processor or service provider for that merchant.
Each merchant must collect personal data lawfully, give customers clear notices, obtain required consents, maintain accurate store policies, respond to data rights requests, and avoid uploading personal data that is not needed to run the store.
3. Personal data we collect
Depending on how the Service is used, we may collect or process:
- Account and tenant data: store name, tenant key, admin name, email, password hash, phone or WhatsApp number, business profile, plan, billing status, settings, domains, and support requests.
- Storefront customer data: customer names, phone numbers, email addresses, delivery details, cart details, order history, product reviews, support chats, and customer account credentials.
- Payment data: payment references, checkout status, M-Pesa identifiers, Paystack references, transaction amounts, fraud signals, and reconciliation records. Card details are handled by payment processors and should not be stored in GrandMarket.
- POS and operations data: cashier activity, register names, shift logs, refunds, discounts, inventory movements, receipt records, and offline sync metadata.
- Messaging and communications: WhatsApp setup data, message metadata, support conversations, email logs, notifications, and consent or unsubscribe records.
- Device and usage data: IP address, browser, operating system, session identifiers, pages viewed, features used, log data, errors, security events, analytics, and approximate location derived from technical data.
- Content: product names, descriptions, images, files, categories, storefront text, SEO data, reviews, and other information merchants or users upload.
4. How we use personal data
We use personal data to:
- Create stores, authenticate users, manage roles, and provide dashboards, storefronts, checkout, POS, chat, and analytics
- Process orders, payments, refunds, subscriptions, fraud checks, receipts, delivery workflows, and payment reconciliation
- Send service messages, WhatsApp order updates, admin alerts, account notices, support replies, and security notifications
- Maintain platform security, detect misuse, prevent fraud, debug errors, back up data, and enforce legal terms
- Improve the Service, develop features, personalize merchant dashboards, and measure platform performance
- Comply with tax, accounting, consumer protection, data protection, cybercrime, court, regulator, and law enforcement obligations
5. Legal bases
Where a legal basis is required, we rely on contract performance, legitimate interests, consent, compliance with legal obligations, vital interests in limited safety cases, and merchant instructions for data processed on behalf of merchants. Where consent is required for marketing, cookies, children's data, sensitive data, location data, or cross-border transfers, the relevant party must collect and manage that consent lawfully.
6. Sharing and service providers
We do not sell personal data. We may share data with:
- Merchants and their authorised admins, staff, delivery teams, and support users
- Payment providers, banks, mobile money providers, fraud prevention providers, and reconciliation partners
- Hosting, database, cloud storage, security, analytics, email, WhatsApp, SMS, support, logging, and infrastructure providers
- Professional advisers, auditors, insurers, acquirers, or business transfer counterparties under confidentiality controls
- Courts, regulators, law enforcement, the Office of the Data Protection Commissioner (ODPC), tax authorities, or other authorities where legally required or needed to protect rights and safety
7. International transfers
GrandMarket may use providers or infrastructure located outside Kenya. Where personal data is transferred internationally, we rely on legally recognised safeguards, merchant instructions, contracts, consent where required, or other lawful transfer mechanisms designed to preserve an appropriate level of protection.
8. Cookies and similar technologies
We use necessary cookies and local storage for login, cart, tenant routing, security, preferences, and checkout. We may use analytics cookies or similar tools to understand usage and improve the Service. Merchants must not add third-party advertising or tracking tools to their stores unless they provide required notices and choices.
9. Security
We use technical and organisational measures designed to protect personal data, including access controls, password hashing, encryption where appropriate, tenant isolation, monitoring, logging, backups, and security reviews. No system is perfectly secure, and users must protect credentials, restrict admin access, use accurate staff permissions, and notify us quickly about suspected compromise.
10. Data retention
We keep personal data only as long as needed for the purposes in this policy, merchant instructions, legal obligations, accounting, tax, fraud prevention, dispute resolution, security, backups, and service continuity. Some records may be retained after account closure where required by law or where necessary to protect legal rights. Data may be anonymised or aggregated so it no longer identifies a person.
11. Your rights
Depending on your location and relationship with the Service, you may have rights to access, correction, deletion, objection, restriction, portability, withdrawal of consent, opt-out of marketing, and complaint to a regulator. Kenyan data subjects may contact the Office of the Data Protection Commissioner. EU/UK users may have GDPR or UK GDPR rights. California residents may have CCPA/CPRA rights such as notice, access, deletion, correction, and opt-out rights where those laws apply.
If your request concerns a specific merchant store, we may direct the request to that merchant because the merchant controls the customer relationship. We may verify your identity before acting on a request.
12. Data breaches
If we become aware of a personal data breach, we will investigate, take containment steps, and notify affected merchants, users, regulators, or authorities when required by applicable law. Merchants must promptly tell GrandMarket about suspected unauthorised access, lost credentials, unlawful exports, or customer data incidents affecting their store.
13. Children's data
GrandMarket is not intended for children to create merchant accounts. Merchants must not knowingly collect children's personal data through a store unless they have the required parental or guardian consent, age-appropriate notices, and lawful basis. Merchants selling products for children remain responsible for child privacy compliance.
14. Automated features and AI
Some platform features may use automation or AI to support search, recommendations, product descriptions, analytics, fraud checks, or support suggestions. Merchants must review AI-generated content before publishing it and must not use automated features to make unlawful, discriminatory, or unsupported decisions about individuals.
15. Marketing choices
You can opt out of non-essential marketing communications through unsubscribe links or by contacting us. Service, security, billing, legal, and transactional messages may still be sent when needed to operate the Service.
16. Mobile app privacy and account deletion
The GrandMarket Tenant Admin mobile app may process sign-in data, tenant keys, admin profile details, app version and device diagnostics, selected product or store images, camera or photo picker files chosen by the user, session tokens, feature usage, and error logs to operate the app, secure merchant accounts, upload store content, and provide support. Camera and media access are used only when a user chooses to capture or upload store content.
Mobile app users can request deletion in the app from More > Request account deletion, or from the web at account-deletion.html. When we process a deletion request, we delete or disable account credentials, sessions, profile data, and app account data where legally and technically possible. We may retain limited records for orders, payments, tax, accounting, disputes, fraud prevention, security, backups, or legal compliance.
17. Changes to this policy
We may update this policy to reflect changes to law, products, providers, or business operations. The updated version will be posted on this page with a new effective date. Material changes may also be notified by email, dashboard message, or other reasonable means.
18. Contact
For privacy questions or data requests, contact us through the GrandMarket contact page or email privacy@geministore.co.ke. Include the store name, tenant key, email or phone used, and enough detail for us to verify and route the request.