Privacy Policy
We’re committed to privacy by design. This policy explains what we collect, how we use it, who we share it with, and your rights.
Last updated: 05 Sep 2025
This Privacy Policy applies to the QwikSale marketplace available at https://qwiksale.sale and related services (the “Services”). By using the Services you agree to this Policy and our Terms of Service.
1) Who we are & how to contact us
- Controller: QwikSale (“we”, “us”, “our”).
- Contact: privacy@qwiksale.sale (preferred) or /contact.
- Data Protection Lead (DPL): privacy@qwiksale.sale
- Registered address: (Add your legal/registered address here.)
2) Information we collect
2.1 You provide
- Account & profile: name, email, username, password (hashed), avatar, optional WhatsApp/phone, location, bio, social links.
- Listings & content: titles, descriptions, photos, category, price, location.
- Communications: messages, support requests, feedback, and survey responses.
- Payments: donation/upgrade signals and receipts (e.g., M-Pesa request IDs and status). We never collect or store your M-Pesa PIN.
2.2 Collected automatically
- Usage & diagnostics: device/browser type, pages viewed, actions, timestamps, IP address, approximate location, crash logs.
- Cookies/SDKs: session cookies to keep you signed in, analytics to improve performance, and security cookies to prevent abuse.
2.3 From third parties
- Auth providers (e.g., Google): name, email, avatar—if you choose to sign in with them.
- Safety & fraud partners: signals that help protect our community.
3) How we use information (purposes & legal bases)
| Purpose | Examples | Legal basis (EU/UK) |
|---|---|---|
| Provide & maintain Services | Accounts, listings, search, favorites, messaging | Contract performance; Legitimate interests |
| Payments & receipts | M-Pesa STK push, donation/upgrade logs | Contract performance; Legal obligation |
| Safety & fraud prevention | Rate limiting, abuse detection, account protection | Legitimate interests; Legal obligation |
| Improve & analyze | Performance metrics, feature usage | Legitimate interests; Consent where required |
| Communications | Service updates, support replies | Contract performance; Legitimate interests |
| Marketing (optional) | Newsletters, promotions | Consent; Legitimate interests (where permitted) |
4) Sharing & disclosures
- Public content: listings, store pages, usernames, some profile details are public by design.
- Processors: hosting, databases, storage/CDN, image processing, analytics, logging/monitoring, and payment gateways (e.g., Safaricom Daraja for M-Pesa). Processors act under contracts and only process data on our instructions.
- Legal/safety: we may disclose information to comply with laws, lawful requests, or to protect rights and safety.
- Business transfers: in a merger/acquisition, data may transfer under this Policy.
5) Retention
We keep personal data only as long as necessary for the purposes above, to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements.
- Account basics: kept while your account is active.
- Listings & public content: kept until you remove them or your account is deleted.
- Payment records: retained per tax/accounting obligations (typically 5–7 years, depending on jurisdiction).
- Security logs: short to medium periods to detect and investigate abuse.
6) International transfers
We may process data outside your country. Where required, we implement safeguards such as Standard Contractual Clauses (SCCs) or equivalent, and ensure processors provide adequate protection. Kenya users are protected under the Data Protection Act, 2019 and Regulations.
7) Your rights & choices
7.1 Global
- Access, correction, deletion of your data (subject to lawful exceptions).
- Object to or restrict certain processing, where applicable.
- Data portability (structured, commonly used format) where applicable.
- Withdraw consent at any time (e.g., marketing), without affecting prior lawful use.
To exercise rights, use /contact or email privacy@qwiksale.sale. We may need to verify your identity.
7.2 EEA/UK (GDPR/UK GDPR)
- You may lodge a complaint with your local Supervisory Authority.
- We rely on Contract performance, Legitimate interests, Consent, and Legal obligations.
7.3 Kenya (DPA 2019)
- Rights include access, correction, objection to processing, and deletion.
- You may contact the Office of the Data Protection Commissioner (ODPC) for guidance or complaints.
7.4 U.S. California (CCPA/CPRA)
- Rights to know, delete, correct, and to opt out of “selling” or “sharing” personal information (as defined by CPRA).
- We don’t sell personal information for money. If we ever use targeted advertising that constitutes “sharing,” you can opt out here: Do Not Sell or Share.
8) Cookies & analytics
- Strictly necessary: auth/session, security, basic functionality.
- Performance/analytics: usage and performance metrics (aggregated).
- Preferences: theme, language, remembered inputs.
- Marketing (if enabled): only with consent where required.
You can manage cookies in your browser. Blocking some cookies may impact functionality. If we use consent banners, your preferences are honored and can be changed any time.
9) Marketing communications
You can unsubscribe from marketing emails using the link in the email footer or by contacting us. Service/transactional emails (e.g., receipts, security notices) will still be sent.
10) Automated decision-making
We do not make decisions producing legal or similarly significant effects solely via automated processing. We may use automated signals (e.g., spam/fraud detection) to protect the platform; manual review is available.
11) Security
We use administrative, technical, and organizational measures appropriate to the risk (e.g., encryption in transit, hardened infrastructure, least-privilege access). No system is 100% secure—please use a strong, unique password and enable available protections.
12) User-generated content
Content you submit (e.g., listings, photos) may be public by design. Think carefully before posting personal information in public fields.
13) Children
The Services are not directed to children under the age required by local law to consent to data processing. If we learn we’ve collected data from a child, we’ll take reasonable steps to delete it.
14) Account deletion & data portability
- You can delete your account in Settings or ask us at privacy@qwiksale.sale.
- Some records (e.g., fraud prevention, tax/financial) may be retained as permitted by law.
- To request an export of your data, contact us. We’ll provide a portable format where required by law.
15) Third-party links
Our Services may link to third-party sites. Their privacy practices are governed by their own policies. Review them before providing personal information.
16) “Do Not Track”
We currently do not respond to browser “Do Not Track” signals. You can control cookies in your browser and opt out of marketing where offered.
17) Changes to this Policy
We may update this Policy from time to time. We’ll post the revised version with a new “Last updated” date and, where appropriate, provide additional notice.
18) Contact, appeals & complaints
- Email: privacy@qwiksale.sale
- Web: /contact
- If you believe we have not resolved your concern, you may appeal to us at the same address (subject “Privacy Appeal”) or contact your data protection authority (e.g., ODPC in Kenya, your EU/UK Supervisory Authority, or your state AG in the U.S.).
This summary is provided for transparency and ease of understanding. It does not replace applicable law or any rights granted to you thereunder.