Privacy Policy
Effective Date: 20 May 2026 • Last Updated: 20 May 2026
Blackpaw Innovations Company (“Blackpaw,” “we,” “us,” or “our”) respects your privacy and is committed to protecting personal data handled through HakiqaDuka and related web, mobile, and support services. This Privacy Policy explains how we collect, use, store, share, and protect personal data.
This policy supports compliance with the Kenya Data Protection Act, 2019, guidance from the Office of the Data Protection Commissioner (ODPC), and GDPR principles where applicable.
1. Who We Are
Data Controller / Service Provider:
Blackpaw Innovations Company
Registration No: BN-GVCJRKZP
Muringa Court, Kirichwa Road, Kileleshwa, Nairobi, Kenya
General Contact: admin@blackpawinnovations.com
Privacy Contact: privacy@blackpawinnovations.com
HakiqaDuka is a product of Blackpaw Innovations Company. For enterprise or partner deployments, Blackpaw may act as a processor on behalf of a client, in which case contractual data-processing terms govern the relationship in addition to this policy.
2. Scope
This policy covers personal data processed in connection with:
- Customer and prospect communications
- Account registration and administration
- User authentication and access management
- Subscription billing and account status
- Support, incident response, and security monitoring
- Analytics used to maintain and improve the service
3. Personal Data We Collect
3.1 Identity and Contact
- Full name, business owner name, employee name
- Email address, telephone number
- Business contact details and branch/location information
3.2 Account and Profile
- Username or login identifier
- Hashed password credentials (never stored in plain text)
- Two-factor authentication (2FA) enrollment data
- Trusted device records and session identifiers
- Role, permissions, and user profile settings
3.3 Business and Operational
- Company and branch details
- Inventory, supplier, employee, customer, and product records
- Transaction summaries and operational logs
- Subscription package information
3.4 Payment and Billing
- Billing contact details, invoice records, and subscription status
- Payment provider transaction reference numbers and metadata
We do not store payment card numbers, CVV codes, or full card details. Where payment processing is handled by a third-party provider (such as M-Pesa), your payment credentials are governed by that provider’s own security and privacy controls.
3.5 Technical and Device
- IP address, browser type and version, operating system
- Approximate location inferred from IP address
- Session identifiers, crash or diagnostic information
- App and page usage metadata
3.6 Security and Audit
- Successful and failed login attempts and lockout events
- Password reset requests and 2FA verification events
- Device-recognition records and suspicious-session indicators
- Privileged account actions and audit log entries
3.7 Optional Location
Where a feature specifically requests location, we may process coarse location inferred from IP address (for security review) or, with your explicit permission, precise GPS location for specific features such as branch presence validation. Precise GPS is never collected silently as a condition of ordinary login.
4. How We Collect Data
- Directly from you at registration, subscription, or support contact
- From your organisation when users are invited or provisioned
- Automatically through service use, including cookies (see Cookie Policy)
- From payment providers, hosting platforms, and security systems used to operate the service
5. Why We Use Personal Data
- To create and manage accounts and authenticate users
- To provide the requested product functionality
- To manage subscriptions, invoicing, and support
- To configure businesses, branches, roles, and permissions
- To monitor service availability, performance, and abuse
- To prevent fraud, unauthorised access, and misuse
- To communicate service, billing, security, and product information
- To comply with legal, regulatory, tax, audit, and enforcement obligations
- To improve product quality, support responsiveness, and platform design
6. Lawful Bases for Processing
Under the Kenya Data Protection Act, 2019 (s.30) and applicable GDPR principles, we process personal data only where a lawful basis applies:
| Purpose | Lawful Basis |
|---|---|
| Account creation, login, and service delivery | Contract performance |
| Subscription billing and invoice management | Contract performance |
| Security monitoring, fraud prevention, and abuse detection | Legitimate interests |
| Audit logging for privileged actions | Legitimate interests / Legal obligation |
| Compliance with tax and regulatory obligations | Legal obligation |
| Marketing communications (opt-in only) | Consent |
| Optional precise GPS for security verification features | Consent |
| Analytics for product improvement | Legitimate interests |
Where consent is relied on, you may withdraw it at any time by contacting privacy@blackpawinnovations.com or through your account settings.
7. Cookies and Similar Technologies
We use cookies and similar technologies to keep users signed in, protect session integrity, remember preferences, and understand usage. For full details, please see our Cookie Policy.
8. Security Monitoring and Administrative Access
To protect businesses and users, Blackpaw monitors the service for security and fraud-prevention purposes, including monitoring login attempts, identifying suspicious IP addresses or devices, and maintaining audit logs.
Where Blackpaw personnel require administrative access for onboarding, support, migration, maintenance, or incident response, that access is:
- Restricted to authorised personnel only
- Used only for the specific stated purpose
- Internally documented with time and reason
- Never used to sell, export, or commercially exploit customer data
Blackpaw does not sell customer business data.
9. How We Share Personal Data
We share personal data only where reasonably necessary to operate the service. Categories of recipients include:
- Hosting and cloud infrastructure providers
- Email and communications providers
- Payment service providers (including M-Pesa / Safaricom)
- Authentication, monitoring, logging, and security tooling providers
- Analytics and support tooling providers
- Professional advisers, auditors, and insurers where required
- Law-enforcement or public authorities where required by law or lawful request
We do not sell personal data. We require all third-party processors to apply appropriate security and data-protection obligations.
Case studies or public references will never disclose sensitive business information, personal credentials, or confidential financial records without appropriate authorisation.
10. International Transfers
Your data may be processed in Kenya or in other countries where Blackpaw or its service providers operate infrastructure or support services. Where personal data is transferred outside Kenya, Blackpaw takes reasonable contractual and organisational steps to ensure an appropriate level of protection consistent with the Kenya Data Protection Act, 2019.
11. Data Retention
| Data Category | Retention Period |
|---|---|
| Active account and business data | Duration of service provision |
| Cancelled or suspended account data | Up to 60 days post-termination, then deleted or anonymised |
| Security and audit logs | Minimum 90 days |
| Invoices and tax-related records | As required by Kenyan tax law (minimum 5 years) |
| Backups | Per backup rotation and disaster-recovery policy |
Where immediate deletion is not possible, we may restrict access, archive securely, or anonymise data.
12. Your Rights
Subject to applicable law, you may have the right to:
- Access your personal data
- Correct inaccurate or incomplete data
- Delete your data (right to erasure)
- Restrict processing
- Object to certain processing, including direct marketing
- Receive a copy of your data in a structured digital format (data portability)
- Withdraw consent where consent is the basis for processing
- Lodge a complaint with the ODPC or relevant supervisory authority
To exercise any of these rights, contact privacy@blackpawinnovations.com. We acknowledge requests within 7 working days and aim to resolve them within 21 days.
Kenyan Rights
You may raise a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.
13. Children’s Data
HakiqaDuka is intended for business and professional use and is not directed at children. We do not knowingly collect personal data from children.
14. Security of Your Information
We use administrative, technical, and organisational safeguards including:
- Role-based access controls and least-privilege principles
- Multi-factor authentication and PIN-based controls for sensitive actions
- Session timeout and device-recognition controls
- Encryption in transit
- Audit logging of privileged actions
- Restricted support access with internal documentation
No system is completely secure. If we become aware of a security incident affecting personal data, we will respond in accordance with our legal obligations, including the Kenya DPA 72-hour notification requirement to the ODPC where applicable.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will publish the updated version with a revised effective date. For material changes, we will provide advance notice through the product, by email, or through account communications before the changes take effect.
16. Contact Us
Blackpaw Innovations Company
Muringa Court, Kirichwa Road, Kileleshwa, Nairobi, Kenya
Privacy: privacy@blackpawinnovations.com
General: admin@blackpawinnovations.com