Privacy Policy

1. Introduction

MallMatt Technologies (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share personal data in connection with the MallMatt platform (“Platform”), and describes your rights under the Kenya Data Protection Act 2019 (“DPA 2019”).

MallMatt Technologies acts as the data controller for personal data processed through the Platform. This policy applies to all users of the Platform, including store owners, store staff, and customers of stores powered by MallMatt.

2. Data We Collect

Store customers

• Full name (first and last)
• Email address
• Phone number (optional at registration; required for M-Pesa checkout)
• Delivery address, city, and country
• Order history and order items
• Cart and wishlist items
• Product reviews and ratings you submit

Store owners and staff

• Email address
• Store configuration and settings
• M-Pesa integration credentials (stored encrypted using AES-256-GCM; never stored in plaintext)
• Activity logs (actions taken in the admin dashboard)

Collected automatically

• IP address (used for rate limiting and abuse prevention)
• Authentication session tokens
• Browser type and version (standard server logs)

3. How We Use Your Data

We use the personal data we collect to:

• Create and manage your account
• Process and fulfil orders
• Initiate M-Pesa STK push payment requests on your behalf
• Prevent fraud, bot abuse, and unauthorised access (rate limiting, CAPTCHA verification)
• Provide customer support
• Produce aggregate, anonymised platform analytics (individual users are never identified in analytics)
• Send transactional emails (order confirmations, account notifications) — we do not send unsolicited marketing emails without your explicit consent

4. M-Pesa Payment Data

When you make a payment on a MallMatt-powered store, we initiate an M-Pesa STK push request via Safaricom’s Daraja API. In doing so:

• Your phone number is transmitted to Safaricom to trigger the payment prompt on your handset
• We store the M-Pesa transaction ID and checkout request ID for order reconciliation and dispute resolution
• We do not store your M-Pesa PIN, SIM card details, or any payment card numbers
• Safaricom’s own privacy policy governs how Safaricom handles your M-Pesa transaction data

5. Data Sharing

We do not sell, rent, or trade your personal data to third parties for marketing purposes. Your data is shared only with:

• Safaricom — to process M-Pesa payments
• Supabase — our database and file storage infrastructure provider (data is stored in their managed PostgreSQL and object storage)
• Vercel — our application hosting provider (processes request data in order to serve the Platform)
• Kenyan law enforcement or courts — where we are required to do so by law, court order, or regulatory authority

6. Data Retention

After the applicable retention period, data is deleted or anonymised.

7. Your Rights (DPA 2019)

Under the Kenya Data Protection Act 2019, you have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your personal data, subject to our legal retention obligations
• Right to data portability — request your data in a structured, machine-readable format
• Right to object to processing — object to processing carried out on the basis of legitimate interests

To exercise any of these rights, email privacy@mallmatt.com. We will respond within 21 days, as required by the DPA 2019.

8. Cookies & Local Storage

The Platform uses the following cookies and storage mechanisms:

• Authentication session cookies (NextAuth.js) — required for you to stay logged in; expire when you sign out or your session ends
• Cloudflare Turnstile security cookies — set by our CAPTCHA provider for bot detection purposes only; not used for advertising or tracking

We do not use third-party advertising cookies, analytics cookies, or any form of cross-site tracking technology.

9. Children's Privacy

The Platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a minor, please contact privacy@mallmatt.com and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will provide at least 14 days’ notice by email to registered account holders before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.

11. Contact & Data Protection Officer

For privacy-related enquiries, data subject requests, or to reach our Data Protection Officer, contact:

MallMatt Technologies — Data Protection Officer
Email: privacy@mallmatt.com

We will acknowledge your request within 3 business days and provide a full response within 21 days, as required by the Kenya Data Protection Act 2019.