Privacy Policy
Last updated: March 2026
1. Overview
CBC Edu Kenya ("we", "our", "us") operates cbcedukenya.com. This Privacy Policy explains what personal information we collect, why we collect it, and how you can control it. We comply with the Kenya Data Protection Act 2019 and applicable international data protection principles.
By using this website, you consent to the practices described in this policy.
2. Data We Collect
Information you give us
- Name and email address β when you place an order, subscribe to our newsletter, or contact us
- Phone number β when you provide it for M-Pesa payment or to request a callback
- Payment information β we receive confirmation of payment from M-Pesa, Stripe, and PayPal. We do not store full card numbers or M-Pesa PINs on our servers.
- Messages β when you use our contact form
Information collected automatically
- IP address and browser type β for security and fraud prevention
- Pages visited and time spent β via Google Analytics (anonymised)
- Cookies β see Section 5 below
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Process your order and deliver download links | Contract performance |
| Send order confirmation and receipts by email | Contract performance |
| Respond to your enquiries | Legitimate interest |
| Send newsletter (if subscribed) | Consent |
| Improve the website using analytics | Legitimate interest |
| Prevent fraud and abuse | Legitimate interest / Legal obligation |
We do not use your data for unsolicited marketing beyond what you agreed to at the point of collection.
4. Payments
M-Pesa: Payment is processed by Safaricom through the Daraja API. When you pay via M-Pesa, you interact directly with Safaricom's secure system. We receive a transaction confirmation and receipt number β not your PIN or full financial details.
Stripe: Card payments are handled by Stripe, Inc., which is PCI-DSS Level 1 certified. Stripe processes card data on their secure servers. We receive a payment confirmation token only.
PayPal: PayPal payments are handled by PayPal Holdings, Inc. You are redirected to PayPal's secure checkout. We receive payment confirmation only.
5. Cookies
We use the following types of cookies:
- Strictly necessary cookies β session cookies for your cart and checkout (cannot be disabled)
- Analytics cookies β Google Analytics, to understand how visitors use the site. These are anonymised. You can opt out at tools.google.com/dlpage/gaoptout.
- Preference cookies β to remember your cart items (stored in your browser's localStorage)
No third-party advertising cookies are used without your explicit consent.
6. Data Sharing
We do not sell your personal data. We share it only with:
- Payment processors (Safaricom/M-Pesa, Stripe, PayPal) β to process your transaction
- Email service providers (e.g. Brevo/Mailchimp) β to send order confirmations and newsletters
- Analytics providers (Google Analytics) β in anonymised, aggregated form
- Law enforcement β if required by law or to protect against fraud
All third-party providers are contractually obligated to protect your data and use it only for the specific purpose we engage them for.
7. Data Retention
- Order records β retained for 7 years (legal/tax requirements under Kenya law)
- Contact messages β retained for 2 years, then deleted
- Newsletter subscribers β retained until you unsubscribe
- Analytics data β anonymised and retained for 26 months (Google Analytics default)
8. Your Rights
Under the Kenya Data Protection Act 2019, you have the right to:
- Access β request a copy of the personal data we hold about you
- Correction β request correction of inaccurate data
- Deletion β request deletion of your data (subject to legal retention obligations)
- Portability β request your data in a structured, machine-readable format
- Objection β object to processing based on legitimate interest
- Withdraw consent β unsubscribe from marketing at any time
To exercise any of these rights, contact us at cbcedukenya@gmail.com or via WhatsApp.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- HTTPS encryption on all pages
- Password hashing (bcrypt) for any stored credentials
- CSRF token protection on all forms
- HMAC-signed download tokens with expiry
- Regular security reviews of our hosting environment
No system is 100% secure. If you believe your data has been compromised, please contact us immediately.
10. Contact
For any privacy-related enquiries or to exercise your data rights:
- Email: cbcedukenya@gmail.com
- WhatsApp: +254711344702
- Contact form: cbcedukenya.com/contact
We will respond to all privacy requests within 30 days as required by the Kenya Data Protection Act 2019.