Privacy Policy

Last updated: March 2026 · Shinda Gari Kenya · Compliant with Kenya Data Protection Act 2019 · Terms & Conditions

1. Introduction

Shinda Gari ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store and protect your information when you use our website (shindagari.com) and participate in our monthly prize draw.

This policy is compliant with the Kenya Data Protection Act 2019 (KDPA) and applicable international data protection standards.

2. Data We Collect

We collect only what is strictly necessary to operate the draw:

• Name — provided at the time of ticket purchase.
• Email address — for ticket confirmation, draw results and prize notification.
• Cryptocurrency transaction reference — to verify payment and link your entry to your ticket numbers.
• IP address and browser data — collected automatically for security, fraud prevention and analytics.
• Payment screenshots — voluntarily uploaded by you to confirm payment. Stored securely and used for verification only.

We do not collect bank account details, card numbers, national ID numbers, passwords or sensitive financial information.

3. How We Use Your Data

• To register and validate your ticket entry.
• To send you your ticket numbers and draw confirmation by email.
• To notify you of draw results.
• To verify your identity if you win and facilitate prize delivery.
• To detect and prevent fraud or abuse.
• To comply with our legal obligations under Kenyan law.
• To communicate important changes to draws, terms or our service (not marketing, unless consented).

4. Legal Basis for Processing

• Contract performance — processing is necessary to fulfil your ticket purchase and deliver the service.
• Legal obligation — we may be required to retain certain records by law.
• Legitimate interests — fraud prevention and website security.
• Consent — where you have explicitly opted in to marketing communications.

5. Data Storage & Security

• Your data is stored on secure servers hosted by Supabase (EU region — Ireland) with industry-standard encryption.
• Access to personal data is restricted to authorised Shinda Gari personnel only.
• We implement technical and organisational measures to prevent unauthorised access, alteration, disclosure or destruction of your data.
• Our website uses HTTPS (SSL/TLS encryption) for all data transmission.
• Despite these measures, no internet transmission is 100% secure. We cannot guarantee absolute security.

6. Data Retention

• Participant data is retained for a maximum of 24 months after the relevant draw.
• Winner data may be retained for up to 7 years for legal and tax compliance purposes.
• You may request deletion at any time (see Section 8).

7. Data Sharing

We do not sell, rent or trade your personal data to third parties.

We may share data only in the following limited circumstances:

• Supabase — our database provider (data processor). Bound by GDPR and equivalent standards.
• Brevo — our email service provider, for sending transactional emails only.
• Legal requirement — if required by a court order, regulatory authority or applicable law.
• Winner publicity — with the winner's explicit consent (name and city only, no full address).

8. Your Rights under KDPA 2019

Under the Kenya Data Protection Act 2019, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate or incomplete data.
• Deletion — request deletion of your personal data (subject to legal retention obligations).
• Objection — object to processing based on legitimate interests.
• Data portability — receive your data in a structured, machine-readable format.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any right, contact us at [email protected]. We will respond within 30 days.

9. Cookies & Analytics

• We use minimal, essential cookies only (session management, preferences).
• We do not use advertising, tracking or third-party analytics cookies without consent.
• You can disable cookies in your browser settings. This may affect site functionality.

10. Children's Privacy

Our service is strictly for individuals aged 18 and over. We do not knowingly collect data from minors. If we become aware of data collected from a person under 18, it will be deleted immediately. If you believe a minor has provided us data, please contact us at once.

11. International Data Transfers

Your data may be processed outside Kenya (e.g., on EU-based servers). Where this occurs, we ensure appropriate safeguards are in place consistent with KDPA requirements.

12. Changes to this Policy

We may update this policy periodically. Material changes will be communicated via our website. The "Last updated" date at the top will reflect any revisions. Continued use of our service after changes constitutes acceptance.

13. Contact & Complaints

For any privacy concerns or to exercise your rights: [email protected]

If you are unsatisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC).