Your privacy matters to us. This policy explains clearly what information we collect when you visit or transact on this site, why we collect it, and how you can exercise your rights under the Kenya Data Protection Act, 2019 (DPA).
Who We Are
Data Controller: Elitech Mobile Solutions, a business registered in Kenya and operating from Kenyatta Avenue, Nairobi ("Elitech", "we", "us", "our").
We operate this website and related e-commerce platform to sell mobile devices, accessories, and related services. Questions about this policy should be directed to our Data Protection contact listed in Section 13.
Data We Collect
We collect data in three ways: information you give us directly, information collected automatically when you use our site, and information we receive from third-party payment processors.
| Category | Examples | When collected |
|---|---|---|
| Account data | Name, email address, phone number, password (hashed) | Registration or profile update |
| Order data | Billing/shipping address, items purchased, order history | Checkout and post-purchase |
| Payment data | M-Pesa transaction reference, payment status | Payment initiation; we never store full card/mobile wallet credentials |
| Communications | Contact-form messages, support enquiries, quote requests | When you reach out to us |
| Visitor & device data | IP address, browser, device type, screen size — see Section 3 | Every site visit automatically |
| Usage data | Pages viewed, search queries, wishlist items, reviews | While browsing |
Device & Visitor Fingerprint Data
To understand how our site is used, detect fraud, and improve security, we automatically record technical signals from every visit. This includes both server-side data from your HTTP request and client-side signals collected by a lightweight JavaScript snippet that runs on page load.
| Signal | Source | Purpose |
|---|---|---|
| IP address | Server (HTTP header) | Geolocation, fraud detection |
| User-Agent string | Server (HTTP header) | Device type, OS, browser identification |
| Device type | Derived from User-Agent | Mobile / tablet / desktop / bot classification |
| Operating system & version | Derived from User-Agent | Compatibility analytics |
| Browser & version | Derived from User-Agent | Compatibility analytics |
| Accept-Language | Server (HTTP header) | Preferred language detection |
| Referrer URL | Server (HTTP header) | Marketing attribution |
| Screen resolution & colour depth | JavaScript beacon | Display analytics |
| Timezone offset | JavaScript beacon | Regional analytics |
| Hardware concurrency (CPU cores) | JavaScript (navigator.hardwareConcurrency) | Device capability classification |
| Device memory estimate | JavaScript (navigator.deviceMemory) | Device capability classification |
| Touch support | JavaScript | Mobile UX optimisation |
| Canvas fingerprint hash | JavaScript (HTML5 Canvas API) | Fraud & bot detection; anonymous visitor continuity |
| WebGL renderer hash | JavaScript (WebGL API) | Fraud & bot detection |
| Anonymous session ID | Cookie (_vsid) | Linking page views within a single visit session |
| Pages visited | Server request path | Usage analytics |
Hashed fingerprint values (canvas, WebGL) are one-way hashes. We store only the hash, not the raw image data, and use these hashes solely to detect duplicate/bot sessions and for security, not to build advertising profiles.
If you are a logged-in customer, your customer account ID is linked to the visit record so we can detect suspicious account activity such as logins from unusual locations.
How We Use Your Data
We use the personal data described above only for the following purposes:
| Purpose | Data used |
|---|---|
| Order fulfilment | Account data, order data, payment data |
| Customer support | Account data, communications, order data |
| Security & fraud prevention | IP address, device fingerprint, login audit logs |
| Site analytics & improvement | Visitor & device data, usage data |
| Legal & compliance obligations | All categories as required by law |
| Marketing communications (opt-in only) | Email address, purchase history |
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.
Legal Bases for Processing
Under the Kenya Data Protection Act, 2019 (DPA 2019), we process your personal data on the following legal grounds:
Contractual necessity: Processing required to fulfil your order, manage your account, process payments, and deliver customer support.
Legitimate interests: Security monitoring, fraud prevention, system analytics, and improving site performance — where these interests are not overridden by your privacy rights.
Legal obligation: Where we must retain or disclose data to comply with Kenyan law, a court order, or a regulatory authority.
Consent: Marketing emails and any optional data collection not covered above. You may withdraw consent at any time by contacting us or using the unsubscribe link in any email.
Cookies & Sessions
We use a small number of first-party cookies. We do not currently use third-party advertising cookies.
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| _vsid | First-party / functional | 1 year | Anonymous visitor session identifier for linking page views |
| Session cookie (Flask) | First-party / strictly necessary | Browser session | Staff login session management |
| JWT token (localStorage) | First-party / functional | 30 days | Customer authentication token (e-commerce) |
You may delete or block cookies in your browser settings. Blocking the _vsid cookie will not prevent you from using the site, but means your visit may be counted multiple times in our analytics.
Sharing & Disclosure
We share your data only in the following limited circumstances:
Payment processing: M-Pesa / Safaricom processes payment transactions. We share only the minimum data required (phone number, amount, order reference) and do not store M-Pesa PINs or wallet credentials.
Email delivery: We use an email service provider to send order confirmations and password-reset emails. This provider processes your email address on our behalf under a data-processing agreement.
Legal requirements: We may disclose data if required by the Office of the Data Protection Commissioner (ODPC), a Kenyan court, or other competent authority.
Business transfer: If Elitech Mobile is involved in a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction. We will give notice before data is transferred or becomes subject to a different privacy policy.
Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
All passwords are stored as salted hashes using Werkzeug's PBKDF2-SHA256 algorithm.
Communications between your browser and our servers are encrypted via HTTPS (TLS 1.2+).
Access to the administration interface requires authenticated staff credentials.
All significant data changes are recorded in an audit log including the IP address and User-Agent of the acting user.
Data Retention
| Data type | Retention period |
|---|---|
| Customer account data | Duration of account + 3 years after closure |
| Order & payment records | 7 years (Kenyan tax / accounting obligations) |
| Visitor / device fingerprint logs | 13 months from visit date |
| Activity & audit logs | 24 months |
| Contact / support messages | 3 years from last interaction |
| Password-reset tokens | 30 minutes (expire automatically) |
After retention periods expire, data is either securely deleted or anonymised such that it can no longer be linked to an individual.
Your Rights
Under the Kenya Data Protection Act, 2019, you have the following rights regarding your personal data. To exercise any of them, contact us at the address in Section 13. We will respond within 21 days.
Request a copy of the personal data we hold about you and information about how it is processed.
Ask us to correct inaccurate or incomplete personal data without undue delay.
Request deletion of your personal data where there is no compelling reason to continue processing.
Ask us to restrict processing of your data in certain circumstances, for example while accuracy is disputed.
Object to processing based on legitimate interests, including profiling and direct marketing.
Receive your data in a structured, commonly used, machine-readable format.
Where processing is based on consent, withdraw it at any time without affecting prior processing.
Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.
Children's Privacy
Our services are not directed to children under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided us personal data, we will delete it promptly. If you believe a child has submitted data to us, please contact us immediately.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will update the "Last revised" date at the top of this page and, where appropriate, notify registered customers by email.
Continued use of the site after the effective date of a revised policy constitutes your acceptance of the changes.
Contact Us
For all privacy-related enquiries, data subject requests, or to report a suspected data breach, please contact our Data Protection Lead: