Privacy Policy

1. Introduction and Data Controller

Obu Eats KE ("Obu Eats", "we", "us", or "our") operates a digital nutrition guidance platform accessible via website and mobile applications (collectively, the "Service"). This Privacy Policy describes our practices regarding the collection, use, storage, disclosure, and protection of personal data.

Data Controller: Obu Eats KE is the data controller responsible for your personal data processed through the Service.

Registration: We are registered with the Office of the Data Protection Commissioner (ODPC) of Kenya as required under the Data Protection Act, 2019.

Contact Information:
Email: support@obueatske.com
Data Protection Officer: dpo@obueatske.com

2. Scope and Applicability

This Privacy Policy applies to:

• All users of the Obu Eats Service, whether registered or non-registered
• Personal data collected through our website, mobile applications, and APIs
• Personal data collected from users located in Kenya or Kenyan citizens regardless of location
• Data processing activities conducted by Obu Eats and authorized third-party processors

This Policy does not apply to third-party websites, applications, or services that may be linked from our Service but are not controlled by Obu Eats.

3. Personal Data We Collect

3.1 Information You Provide Directly

Category	Data Elements	Purpose
Account Data	Full name, email address, password (hashed), phone number (optional)	Account creation, authentication, communication
Profile Data	Age range, gender, dietary preferences, health goals, food allergies, activity level	Personalized recommendations, meal planning
Payment Data	M-PESA phone number, payment transaction IDs (not full card details)	Processing subscriptions and purchases
User Content	Saved recipes, meal plans, food diary entries, comments, photos	Service delivery, social features
Communications	Support inquiries, feedback, survey responses	Customer support, service improvement

3.2 Information Collected Automatically

• Usage Data: Pages visited, features accessed, search queries, interaction patterns, time spent on Service
• Device Information: Device type, operating system, browser type and version, unique device identifiers, IP address, mobile network information
• Location Data: General geographic location (city/region level) derived from IP address (we do not collect precise GPS location)
• Cookies and Similar Technologies: Session cookies, preference cookies, analytics cookies (see Section 11)

3.3 Sensitive Personal Data

Under the Data Protection Act, 2019, certain data is classified as sensitive and receives heightened protection:

• Health-related information: Food allergies, dietary restrictions for medical reasons, health goals related to chronic conditions
• Collection basis: Explicit consent obtained separately and clearly
• Special protections: Enhanced security measures, limited processing, strict access controls

3.4 Data We Do NOT Collect

We explicitly do not collect:

• Official medical records or diagnoses
• Protected Health Information (PHI) as defined by medical privacy laws
• Biometric data (fingerprints, facial recognition, retinal scans)
• Precise geolocation data (GPS coordinates)
• Financial account credentials or full payment card details

4. Legal Basis for Processing

Under the Data Protection Act, 2019, we process personal data based on one or more of the following legal bases:

4.1 Consent (Section 30, DPA 2019)

• Processing sensitive personal data (health-related information)
• Marketing communications
• Non-essential cookies and analytics
• Consent is freely given, specific, informed, and unambiguous
• Consent can be withdrawn at any time

4.2 Contract Performance (Section 30(1)(b), DPA 2019)

• Creating and managing your account
• Providing the Service features you request
• Processing payments for subscriptions
• Delivering customer support

4.3 Legitimate Interests (Section 30(1)(f), DPA 2019)

• Improving and developing the Service
• Training AI models with anonymized data
• Preventing fraud and ensuring security
• Conducting analytics to understand Service usage
• Legitimate interests balanced against your rights and freedoms

4.4 Legal Obligation (Section 30(1)(c), DPA 2019)

• Compliance with tax and accounting laws
• Responding to lawful requests from authorities
• Retention for legal and regulatory requirements

5. How We Use Personal Data

5.1 Service Provision and Personalization

• Create and manage user accounts
• Deliver personalized meal recommendations and nutrition guidance
• Generate AI-powered meal plans based on preferences and goals
• Provide recipe search and discovery features
• Enable food diary and nutrition tracking
• Facilitate optional human expert consultations

5.2 Service Improvement and Development

• Analyze usage patterns to improve user experience
• Train and refine AI recommendation algorithms (using anonymized data)
• Develop new features and functionality
• Conduct research and analytics on nutrition trends
• Perform A/B testing to optimize Service performance

5.3 Communication

• Send transactional communications (account confirmations, password resets, payment receipts)
• Provide customer support and respond to inquiries
• Send important Service updates and security notifications
• Deliver marketing communications (with consent, opt-out available)
• Request feedback and conduct user surveys

5.4 Security and Compliance

• Detect, prevent, and investigate fraud and security threats
• Enforce Terms of Service and other policies
• Comply with legal obligations and respond to lawful requests
• Protect the rights, property, and safety of Obu Eats and users

5.5 Payment Processing

• Process subscription payments and one-time purchases
• Manage billing and invoicing
• Handle refund requests
• Prevent payment fraud

6. Data Sharing and Disclosure

6.1 Third-Party Service Providers

We share personal data with trusted third-party service providers who process data on our behalf under strict contractual obligations:

• Cloud Hosting and Infrastructure: Servers and data storage (with at least one copy maintained in Kenya as required by law)
• Payment Processors: M-PESA integration providers, payment gateways (receive only data necessary to process transactions)
• Nutrition Data Providers: Third-party APIs for nutritional information and recipe databases
• Analytics Services: Usage analytics and performance monitoring (anonymized data where possible)
• Customer Support Tools: Help desk and communication platforms
• Email and Communications: Email delivery and messaging services

Processor Obligations: All third-party processors are bound by data processing agreements requiring:

• Processing only on our documented instructions
• Implementing appropriate security measures
• Maintaining confidentiality
• Assisting with data subject rights requests
• Deleting or returning data upon termination

6.2 Business Transfers

In the event of merger, acquisition, reorganization, asset sale, or bankruptcy, personal data may be transferred to successor entities. Users will be notified of any such transfer and changes to data handling practices.

6.3 Legal Requirements and Protection

We may disclose personal data when required by law or when we believe disclosure is necessary to:

• Comply with legal obligations, court orders, or lawful government requests
• Enforce our Terms of Service and other agreements
• Protect the rights, property, or safety of Obu Eats, users, or the public
• Prevent or investigate fraud, security issues, or illegal activities

6.4 Aggregated and Anonymized Data

We may share aggregated, anonymized data that does not identify individuals with:

• Research partners for nutrition and health studies
• Industry associations and public health organizations
• Business partners for trend analysis

6.5 What We Do NOT Do

We do NOT:

• Sell personal data to third parties
• Share data with advertisers for targeted advertising
• Disclose health-related information without explicit consent (except as required by law)

7. Cross-Border Data Transfers

7.1 Data Localization (Section 50, DPA 2019)

In compliance with the Data Protection Act, 2019:

• We maintain at least one serving copy of all personal data on servers or data centers located within Kenya
• Primary data storage infrastructure is located in Kenya
• Kenyan users' data is primarily processed within Kenya

7.2 International Transfers (Section 48, DPA 2019)

When we transfer personal data outside Kenya, we ensure compliance through:

• Adequacy determination: Transfers to countries with adequate data protection standards as recognized by the Data Commissioner
• Appropriate safeguards: Standard contractual clauses, binding corporate rules, or other approved mechanisms
• Explicit consent: User consent for transfers when required, after being informed of potential risks
• Necessity: Transfers necessary for contract performance or other legitimate purposes

7.3 Notification

We notify the Office of the Data Protection Commissioner of significant cross-border data transfers as required by law.

8. Data Security

8.1 Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:

• Encryption: Data encrypted in transit using TLS/HTTPS; sensitive data encrypted at rest
• Access Controls: Role-based access control (RBAC); multi-factor authentication for staff; principle of least privilege
• Network Security: Firewalls, intrusion detection/prevention systems, regular security monitoring
• Secure Development: Security testing, code reviews, vulnerability assessments
• Data Minimization: Collect and retain only necessary data
• Pseudonymization: Where feasible, separate identifying information from other data
• Staff Training: Regular data protection and security training for employees
• Vendor Management: Security assessments of third-party processors
• Physical Security: Secure data centers with restricted access
• Backup and Recovery: Regular encrypted backups; disaster recovery procedures

8.2 Data Breach Notification (Section 41, DPA 2019)

In the event of a personal data breach likely to result in risk to your rights and freedoms:

• ODPC Notification: We will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach
• User Notification: We will notify affected users in writing within a reasonably practicable period
• Information Provided: Nature of the breach, categories and approximate number of affected individuals, likely consequences, measures taken or proposed
• Remedial Actions: Steps to mitigate harm and prevent recurrence

8.3 Limitations

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the Internet. Users are responsible for maintaining the security of their account credentials.

9. Data Retention

9.1 Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.

9.2 Retention Periods

Data Category	Retention Period	Basis
Account Data (active accounts)	Duration of account + 30 days after deletion request	Service provision
Transaction Records	7 years from transaction date	Tax and accounting laws
Marketing Consent Records	Duration of consent + 3 years	Compliance demonstration
Customer Support Records	3 years from last interaction	Service improvement, dispute resolution
Usage Logs (anonymized)	Indefinite	Analytics, service improvement
Backup Data	Up to 90 days	System integrity, disaster recovery

9.3 Deletion and Anonymization

Upon expiration of retention periods or user deletion requests:

• Personal data is securely deleted or permanently anonymized
• Deletion is conducted in accordance with industry best practices
• Backup copies deleted within 90 days
• Anonymized data may be retained indefinitely for analytics

10. Children's Privacy

10.1 Definition (Article 260, Constitution of Kenya)

Under Kenyan law, a child is defined as any person under the age of 18 years.

10.2 Parental Consent (Section 33, DPA 2019)

We do not knowingly process personal data of children without verified parental or guardian consent. When we process children's data:

• Age Verification: Account registration requires age verification
• Parental Consent: Explicit, verified consent from parent or legal guardian required for users under 18
• Consent Mechanisms: Age-appropriate consent procedures; parental verification processes
• Best Interests: Processing conducted in manner that protects and advances the child's rights and best interests

10.3 Special Protections

• We do not market weight-loss programs or restrictive diets to minors
• Content and features are age-appropriate
• Enhanced privacy protections and data minimization
• Limited data sharing - no data sold or shared with third parties for marketing

10.4 Parental Rights

Parents and guardians have the right to:

• Access their child's personal data
• Request correction or deletion
• Withdraw consent at any time
• Object to processing

10.5 Notification

If we become aware that we have collected personal data from a child without proper parental consent, we will delete that information as quickly as possible. Parents who believe their child has provided information without consent should contact dpo@obueatske.com immediately.

11. Cookies and Tracking Technologies

11.1 Types of Cookies

• Essential Cookies: Necessary for Service functionality (authentication, security, load balancing). These cannot be disabled.
• Preference Cookies: Remember user settings and choices (language, display preferences)
• Analytics Cookies: Understand Service usage, performance monitoring, feature optimization
• Marketing Cookies: Deliver relevant communications (only with consent)

11.2 Cookie Management

You can control cookies through:

• Cookie banner settings on first visit
• Privacy settings in your account
• Browser settings (note: disabling essential cookies may affect Service functionality)

11.3 Third-Party Cookies

We use third-party analytics services (e.g., Google Analytics) that may set cookies. These are governed by the third parties' privacy policies.

12. Your Rights Under Kenyan Law

12.1 Right to Access (Section 26(1)(a), DPA 2019)

You have the right to request:

• Confirmation whether we process your personal data
• Access to your personal data
• Information about processing purposes, categories, recipients
• Information about retention periods
• Copy of data in structured, commonly used format

12.2 Right to Rectification (Section 26(1)(b), DPA 2019)

You have the right to request correction of inaccurate or incomplete personal data. We will correct or complete data within a reasonable timeframe.

12.3 Right to Erasure (Section 26(1)(c), DPA 2019)

You have the right to request deletion of your personal data ("right to be forgotten") when:

• Data no longer necessary for original purposes
• You withdraw consent and there's no other legal basis
• You object to processing and there are no overriding legitimate grounds
• Data processed unlawfully
• Erasure required for legal compliance

Limitations: Right may be limited when data retention required for legal obligations, exercise of legal claims, or public interest purposes.

12.4 Right to Data Portability (Section 26(1)(d), DPA 2019)

You have the right to receive personal data in structured, commonly used, machine-readable format and transmit to another controller where technically feasible.

12.5 Right to Object (Section 26(1)(e), DPA 2019)

You have the right to object to:

• Processing based on legitimate interests
• Direct marketing communications
• Profiling and automated decision-making

12.6 Right to Restrict Processing (Section 26(1)(f), DPA 2019)

You have the right to request restriction of processing when:

• Contesting data accuracy (during verification period)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need data but you need it for legal claims
• You've objected to processing (pending verification of override)

12.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect lawfulness of processing before withdrawal.

12.8 Right to Lodge Complaint

You have the right to lodge a complaint with the Office of the Data Protection Commissioner:

• Website: www.odpc.go.ke
• Email: complaints@odpc.go.ke
• Address: Office of the Data Protection Commissioner, Nairobi, Kenya

12.9 Exercising Your Rights

To exercise any of these rights:

• Email our Data Protection Officer: dpo@obueatske.com
• Use privacy controls in account settings
• Submit request via contact form on website

Response Time: We will respond to requests within 30 days of receipt. For complex requests, we may extend by additional 30 days with explanation.

Verification: We may request additional information to verify your identity before processing requests.

No Fee: Exercising rights is generally free. We may charge reasonable fee for manifestly unfounded or excessive requests.

13. Automated Decision-Making and Profiling

13.1 AI-Powered Recommendations

Our Service uses artificial intelligence and machine learning to provide personalized meal and nutrition recommendations. This involves automated processing of your preferences, goals, and usage patterns.

13.2 Your Rights

You have the right to:

• Be informed about automated decision-making
• Object to solely automated decisions with legal or significant effects
• Request human review of automated decisions
• Challenge and contest automated decisions

13.3 Limitations

Our AI recommendations are guidance only and do not constitute:

• Medical advice or diagnosis
• Decisions with legal or similarly significant effects
• Automated decisions that cannot be overridden by users

14. Marketing Communications

14.1 Consent

We send marketing communications only with your explicit consent. Consent is obtained:

• During account registration (optional)
• Through clear opt-in mechanisms
• Separate from other consents

14.2 Opt-Out

You can withdraw consent and opt-out of marketing communications at any time:

• Click "unsubscribe" link in emails
• Update preferences in account settings
• Contact dpo@obueatske.com

Opt-out does not affect transactional or Service-related communications.

15. Changes to This Privacy Policy

15.1 Updates

We may update this Privacy Policy periodically to reflect:

• Changes in our data practices
• New legal or regulatory requirements
• Service enhancements or new features
• Improved clarity or user experience

15.2 Notification

When we make material changes:

• Update the "Last updated" date
• Notify users via email or prominent in-Service notice
• Provide at least 30 days' notice for significant changes
• Obtain renewed consent where required by law

15.3 Acceptance

Continued use of the Service after changes indicates acceptance of updated Policy. If you do not agree with changes, discontinue use and request account deletion.

16. Additional Provisions

16.1 Third-Party Links

Our Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. We are not responsible for third-party privacy practices. Review their privacy policies before providing personal data.

16.2 Data Protection Officer

We have appointed a Data Protection Officer (DPO) responsible for:

• Monitoring compliance with this Policy and data protection laws
• Serving as contact point for data subjects and the ODPC
• Providing advice on data protection impact assessments
• Cooperating with the ODPC

Contact DPO: dpo@obueatske.com

16.3 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, particularly involving:

• Large-scale processing of sensitive data
• Systematic monitoring
• New technologies or processing methods
• Automated decision-making with significant effects

16.4 Governing Law

This Privacy Policy is governed by the laws of the Republic of Kenya, including:

• Data Protection Act, 2019
• Constitution of Kenya, 2010 (Article 31 - Right to Privacy)
• Computer Misuse and Cybercrimes Act, 2018
• Relevant regulations and guidelines issued by the ODPC

17. Contact Information

Obu Eats KE
Email: support@obueatske.com
Data Protection Officer: dpo@obueatske.com
Website: www.obueatske.com

For Privacy Rights Requests:
Email: dpo@obueatske.com
Subject line: "Privacy Rights Request - [Type of Request]"

To File a Complaint:
Office of the Data Protection Commissioner
Website: www.odpc.go.ke
Email: complaints@odpc.go.ke

Compliance Statement: This Privacy Policy has been prepared in accordance with the Data Protection Act, 2019, and regulations issued thereunder. Obu Eats KE is registered with the Office of the Data Protection Commissioner and committed to protecting your privacy rights.

Legal Disclaimer: This Privacy Policy is a legal document. For specific legal advice regarding your privacy rights, consult a qualified legal professional.