Your Kenyan business needs a real privacy policy.
Not a US template with "Kenya" pasted on top. A privacy policy that actually references the Data Protection Act 2019, names the rights your users have under Kenyan law, and won't embarrass you when the ODPC comes looking.
Free preview · No credit card · Takes 5 minutes
Most Kenyan websites are using the wrong privacy policy.
Copy a US or UK template from Google
It references GDPR, CCPA, and California law. It mentions "cookies" but not the Kenya DPA 2019. It doesn't name the ODPC. It doesn't mention data localization. It doesn't list the rights Kenyan data subjects have under Section 26 of the DPA 2019 — the right to be informed, to access, to object, to correct, and to delete. If the Data Commissioner's office audits you, this policy is worth nothing.
Pay an advocate KES 20,000–100,000
A law firm will draft you a proper policy. It will be correct. It will also take 2–4 weeks, cost more than most small businesses can justify, and become outdated the moment the ODPC issues new guidance — which they do regularly.
Answer 15 questions. Get compliant documents.
Sheria Digital asks you what data you collect, why, from whom, where you store it, and who you share it with. In five minutes you get a privacy policy, cookie policy, and data subject request form that actually reference the Data Protection Act 2019 — the law that applies to your business.
Update when the law changes. Not when you remember.
When the ODPC issues new regulations or guidance notes, we update the templates. Your documents stay current. No advocate retainer needed.
Three steps. Five minutes.
Tell us about your business
Company name, what personal data you collect, why you collect it, where you store it, whether you transfer it outside Kenya, your DPO contact if you have one. Fifteen short questions — no legal jargon, no ambiguity.
Review your documents
Sheria Digital generates a privacy policy, cookie policy, and data subject request form tailored to your answers. Every clause references the specific DPA 2019 sections that apply to you. Read it, edit it, make it yours.
Download and publish
Export in Word, PDF, or HTML. Paste it on your website footer, send it to your app developer, include it in your ODPC registration application. Done.
What Sheria Digital actually produces.
Duka Digital Limited
Duka Digital Limited ("we," "us," or "our") is committed to protecting the personal data of individuals who use our services. This Privacy Policy describes how we collect, use, store, and protect your personal data in compliance with the Data Protection Act, 2019 (Cap. 411C) and its subsidiary regulations, as enforced by the Office of the Data Protection Commissioner (ODPC).
In accordance with Section 29 of the Act, we are required to inform you, before collecting your personal data, of the matters set out in this policy.
The data controller responsible for your personal data is Duka Digital Limited, registered in Kenya under the Companies Act (Company No. PVT-2024-XXXXX), with its principal office at Westlands Business Park, Nairobi. For data protection inquiries, contact our Data Protection Officer at dpo@dukadigital.co.ke.
We collect the following categories of personal data:
- Identity data: full name, national ID or passport number, date of birth
- Contact data: email address, phone number, delivery address
- Transaction data: order history, payment method (M-Pesa, card), amounts
- Technical data: IP address, browser type, device identifiers, cookies
As a data subject, you have the following rights under the Data Protection Act 2019:
- The right to be informed of the use to which your personal data is put (Section 26(a))
- The right to access your personal data in our custody (Section 26(b))
- The right to object to the processing of your personal data (Section 26(c))
- The right to correction of false or misleading data (Section 26(d))
- The right to deletion of false or misleading data (Section 26(e))
To exercise any of these rights, contact our Data Protection Officer at dpo@dukadigital.co.ke. We will respond to your request within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner.
Where we transfer personal data outside Kenya, we ensure that adequate safeguards are in place in accordance with Section 48 of the Data Protection Act 2019. We maintain at least one serving copy of personal data on servers located within Kenya.
The documents the ODPC expects you to have.
Core (v1 — available now)
- Privacy policy § 29
- Cookie policy § 29, 30, 32
- Data subject request form § 26
Extended (coming soon)
- Data Processing Agreement § 42
- DPIA template § 31
- Breach notification letter § 43
Operations (planned)
- Employee data protection policy
- Consent form templates
- ODPC registration checklist
Less than one hour of advocate time.
- Full privacy policy preview
- Watermarked output
- No account required
- Privacy policy (no watermark)
- Cookie policy
- Data subject request form
- Word + PDF + HTML export
- Free updates for 12 months
- Everything in Starter
- Data Processing Agreement
- DPIA template
- Breach notification letter
- Employee data policy
- Free updates for 24 months
Compare: a law firm charges KES 20,000–100,000 for the same documents
Answered honestly.
Is this legal advice?
No. Sheria Digital generates compliance documents based on the requirements of the Data Protection Act 2019 and its subsidiary regulations. The documents are drafting assistance, not legal advice. For complex or high-risk data processing, we recommend having an advocate review the documents before publishing them.
How is this different from Termly or iubenda?
Termly and iubenda are built for US and EU law. They reference GDPR, CCPA, and CalOPPA. Sheria Digital is built specifically for the Kenya Data Protection Act 2019. Our documents reference the correct Kenyan sections, name the ODPC as the supervisory authority, address Kenya's data localization provisions under Sections 48 and 50, and list the specific rights data subjects have under Section 26 of the Act. These are not the same as GDPR rights.
Does the ODPC actually enforce?
Yes. The Office of the Data Protection Commissioner has been issuing enforcement notices, conducting compliance audits, and publishing guidance notes. Non-compliance can result in fines of up to KES 3 million per breach and prison terms of up to 10 years. The ODPC is also actively developing new regulations including compliance audit procedures.
What if the law changes?
When the ODPC issues new regulations or guidance, we update the templates. If you purchased a Starter or Professional package, you receive updated documents at no additional cost during your update period (12 or 24 months). We'll email you when an update is available.
Can I edit the documents after generating them?
Yes. You receive Word, PDF, and HTML formats. The Word version is fully editable — add clauses, change wording, incorporate advice from your advocate. The generated document is a starting point, not a locked file.
Stop using a privacy policy that doesn't apply to your business.
Generate a Kenya DPA 2019-compliant privacy policy in five minutes. Preview it free. Pay only if it's worth it.
Generate your privacy policyFree preview · No credit card · Takes 5 minutes
Get notified when we launch new documents
DPIA templates, breach notification letters, and more — coming soon.