Privacy Policy
Effective date: 24 April 2026 · Last updated: 24 April 2026
1. Who We Are
SaccoShares is a product of Play360 Solutions LTD, a company incorporated in Kenya ("we", "us", "our"). SaccoShares operates a classifieds marketplace for the transfer of SACCO (Savings and Credit Co-operative Organisation) shares in Kenya, enabling sellers to list shares and buyers to pay for contact details via M-Pesa.
Play360 Solutions LTD is the data controller responsible for all personal data processed through SaccoShares. Contact details are in Section 13.
2. Data We Collect
We collect the following categories of personal data:
| Category | Specific data | Source | Lawful basis (s.30 DPA) |
|---|---|---|---|
| Account data | Full name, email address, phone number, WhatsApp number, profile picture URL | You (sign-up form or Facebook Login) | Contractual necessity |
| Authentication credentials | Hashed password; Google OAuth tokens; Facebook User ID & access token | You / Google / Facebook | Contractual necessity |
| Session data | IP address, browser user-agent string, session token (HTTP-only cookie) | Your device / browser | Legitimate interest (security) |
| Listing content | SACCO name, share quantity, price, county, seller-authored description | You (listing form) | Contractual necessity |
| Inquiry data | Buyer name, buyer phone number, message text | You (inquiry form) | Contractual necessity (service delivery) |
| Payment data | M-Pesa phone number, M-Pesa receipt number, amount paid, subscription plan, payment timestamp | You / Safaricom M-Pesa | Contractual necessity; legal obligation (financial records) |
3. Facebook Login Data
If you choose to sign in with Facebook, we request only the public_profile and email permissions. This means we receive your Facebook name, profile picture URL, and email address. We do not access your friends list, posts, likes, or any other Facebook data.
Data received from Facebook is used solely to create or authenticate your SaccoShares account. It is stored in our database (see Section 6) and is not shared with any third party for advertising or profiling purposes.
You may request deletion of data obtained via Facebook at any time — see our Data Deletion Instructions page or Section 8 of this policy.
4. How We Use Your Data
- Create and manage your account, and authenticate you on each visit.
- Deliver the core marketplace service: publishing listings and connecting buyers with sellers.
- Process M-Pesa payments and issue confirmation via WhatsApp.
- Send WhatsApp OTP messages for phone-number verification.
- Prevent fraud, detect abuse, and maintain platform security.
- Comply with our legal and regulatory obligations in Kenya.
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Third-Party Services and Data Sharing
We share personal data with the following third parties only to the extent necessary to operate the service:
| Recipient | Purpose | Data shared | Location |
|---|---|---|---|
| MongoDB Atlas (MongoDB, Inc.) | Database hosting | All personal data stored in the platform | Cape Town, South Africa |
| Vercel, Inc. | Application hosting & serverless compute | Request data processed in transit (ephemeral) | United States (global edge) |
| Safaricom PLC (M-Pesa Daraja) | Payment processing | M-Pesa phone number, payment amount | Kenya |
| Meta Platforms, Inc. (WhatsApp Cloud API) | WhatsApp OTP delivery & transaction notifications | WhatsApp phone number, message content | United States / European Union |
| Meta Platforms, Inc. (Facebook Login) | Social authentication | Facebook User ID, name, email, profile picture URL | United States / European Union |
| Google LLC (Google OAuth) | Social authentication | Google account ID, name, email, profile picture URL | United States |
We do not sell your personal data. We do not share it with advertisers, data brokers, or any other parties not listed above.
6. Cross-Border Data Transfers
Your personal data may be transferred to and processed in countries outside Kenya. We rely on the following safeguards (pursuant to Sections 48–50 of the Kenya Data Protection Act, 2019):
- South Africa (MongoDB Atlas, Cape Town): South Africa's Protection of Personal Information Act, 2013 (POPIA) provides data protection standards comparable to the Kenya DPA, and is recognised as an adequate jurisdiction.
- United States (Vercel, Google, Meta): These providers operate under Standard Contractual Clauses (SCCs) and their respective Data Processing Addenda, which provide appropriate safeguards for international transfers.
Section 50 of the Kenya DPA requires at least one serving copy of personal data to be stored on a server located in Kenya. Kenya-based cloud infrastructure is not yet commercially available through our current providers. We are monitoring ODPC guidance on this requirement and will take steps to comply as the regulatory and infrastructure landscape develops.
7. Data Retention
| Data category | Retention period | Basis |
|---|---|---|
| Account & profile data | Duration of account + 30 days after deletion request | Contractual necessity |
| Session data (IP, user-agent) | 30 days | Legitimate interest (security) |
| Listing content | Duration of listing + 30 days after removal | Contractual necessity |
| Inquiry records | 2 years from creation | Contractual necessity; dispute resolution |
| Payment records (M-Pesa) | 7 years | Legal obligation (Kenya Revenue Authority / tax law) |
After the relevant retention period, data is deleted or anonymised so it can no longer be attributed to an individual.
8. Your Rights Under the Kenya DPA
Under the Kenya Data Protection Act, 2019, you have the following rights in respect of your personal data:
- Right of access (s.26(a)): Request a copy of the personal data we hold about you.
- Right to rectification (s.26(b)): Ask us to correct inaccurate or incomplete data.
- Right to erasure (s.26(c)): Request deletion of your data where there is no longer a lawful basis for us to hold it. See our Data Deletion Instructions.
- Right to restrict processing (s.26(d)): Ask us to pause processing of your data in certain circumstances.
- Right to data portability (s.26(e)): Receive a copy of your data in a structured, machine-readable format.
- Right to object (s.26(f)): Object to processing based on legitimate interest, including processing for direct marketing.
- Right to withdraw consent: Where we rely on consent as our lawful basis, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@saccoshares.co.ke. We will respond within 14 days in accordance with the Data Protection (General) Regulations, 2021.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC): Britam Towers, 12th Floor, Hospital Road, Upper Hill, Nairobi. Email: complaints@odpc.go.ke.
9. Cookies and Session Data
SaccoShares uses a single, strictly necessary HTTP-only session cookie to keep you signed in. This cookie does not track you across other websites, is not used for advertising, and expires after 30 days of inactivity.
We do not use analytics cookies, advertising cookies, or any third-party tracking pixels at this time. If we introduce such technologies in the future, we will update this policy and present a consent mechanism before placing any non-essential cookies.
10. Children's Data
SaccoShares is a financial marketplace intended exclusively for adults aged 18 and over. SACCO membership and share transactions are adult financial activities under Kenyan law. We do not knowingly collect personal data from persons under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@saccoshares.co.ke and we will delete it promptly.
11. Data Security and Breach Notification
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include HTTPS encryption in transit, HTTP-only session cookies, hashed passwords, and access controls.
In the event of a personal data breach, we will notify the ODPC within 72 hours of becoming aware of the breach (Section 43, Kenya DPA) and will notify affected data subjects in writing within a reasonable period thereafter.
12. ODPC Registration Status
Play360 Solutions LTD currently operates below the KES 5,000,000 annual turnover registration threshold. We will register with the ODPC as a data controller if our turnover exceeds the threshold or if we determine that our processing activities otherwise require registration under the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. For material changes, we will notify you by email or by a prominent notice on the platform before the changes take effect.
14. Contact Us
Play360 Solutions LTD (operating SaccoShares)
Nairobi, Kenya
Email: privacy@saccoshares.co.ke
Office of the Data Protection Commissioner (ODPC)
Britam Towers, 12th Floor, Hospital Road, Upper Hill, Nairobi
Email: complaints@odpc.go.ke