1. Introduction
Welcome to Dr. Spice Organics Kenya ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://www.drspiceorganicskenya.com, use our services, or interact with us in any way.
Key Commitment
We process your personal data fairly, lawfully, and transparently, in accordance with the Kenya Data Protection Act, 2019 and relevant international standards.
Scope: This policy applies to all our services including:
- Herbal consultations and wellness programs
- Wellness memberships and masterclass training
- Franchise and partnership applications
- Product purchases and deliveries
- Website usage and digital interactions
- Customer support and feedback submissions
By using our services, you consent to the data practices described in this policy. If you do not agree, please discontinue use of our services immediately.
2. Data We Collect
We collect information that you provide directly to us, as well as information automatically collected when you use our services.
2.1 Information You Provide
- Identity Data: Full name, date of birth, gender, national ID/passport number
- Contact Data: Phone number, email address, physical address, branch preference
- Health & Wellness Data: Medical history, symptoms, current medications, allergies, wellness goals (collected only with explicit consent for consultations)
- Financial Data: Payment method details, transaction history (processed securely via licensed payment providers)
- Professional Data: Business name, registration details, experience (for franchise/partnership applications)
- Communications: Messages, feedback, complaints, and support requests
2.2 Information Collected Automatically
- Device & Usage Data: IP address, browser type, operating system, pages visited, time spent, clickstream data
- Cookies & Tracking: See Section 8 for details on cookies and similar technologies
- Location Data: Approximate location derived from IP address or precise location if you enable GPS for branch services (with consent)
Sensitive Data Notice
Health-related information is classified as sensitive personal data under Kenyan law. We collect such data only with your explicit consent, solely for providing personalized herbal consultations, and implement enhanced security measures for its protection.
3. How We Use Your Data
We use your personal information for the following purposes:
- Service Delivery: To provide consultations, process orders, deliver products, manage memberships, and deliver training programs
- Personalization: To tailor herbal recommendations, wellness plans, and communications to your needs and preferences
- Communication: To send appointment confirmations, order updates, service notifications, and respond to your inquiries
- Account Management: To create and manage your user account, verify identity, and maintain service access
- Improvement & Innovation: To analyze usage patterns, conduct research, and improve our services, products, and user experience
- Legal Compliance: To comply with Kenyan laws, regulations, court orders, or governmental requests
- Security & Fraud Prevention: To detect, prevent, and address technical issues, security breaches, or fraudulent activities
- Marketing (with consent): To send promotional offers, newsletters, or updates about new services — only if you have opted in
We do NOT:
- Sell your personal data to third parties
- Use health data for marketing without explicit consent
- Retain data longer than necessary for the stated purposes
4. Legal Basis for Processing (Kenya DPA 2019)
Under the Kenya Data Protection Act, 2019, we process your personal data based on one or more of the following lawful grounds:
Consent
You have given clear, specific, and informed consent for one or more purposes (e.g., health data for consultations, marketing emails).
Contract
Processing is necessary to perform a contract with you (e.g., fulfilling orders, providing membership benefits, delivering training).
Legal Obligation
Processing is necessary to comply with Kenyan legal requirements (e.g., tax records, health regulations, data breach notifications).
Vital Interests
Processing is necessary to protect your vital interests or those of another person (e.g., emergency health situations).
Legitimate Interests
Processing is necessary for our legitimate interests (e.g., fraud prevention, network security, service improvement), provided your rights do not override these interests.
You may withdraw consent at any time by contacting us (see Section 13), though this may affect our ability to provide certain services.
5. Data Sharing & Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your data only in the following limited circumstances:
5.1 Service Providers
We engage trusted third-party vendors to perform services on our behalf, such as:
- Payment processing (licensed providers like M-Pesa, banks)
- Delivery and logistics partners
- Cloud hosting and IT infrastructure providers
- Email/SMS communication services
- Analytics and website optimization tools
All service providers are contractually obligated to protect your data and use it only for the specified services.
5.2 Legal Requirements
We may disclose your information if required by law, regulation, court order, or governmental request, or to protect our rights, property, or safety, or that of our users or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or in the uses of your data.
5.4 With Your Consent
We may share your information with third parties when you explicitly consent to such sharing (e.g., referring you to a specialist practitioner with your permission).
6. Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account & Contact Data | 7 years after last activity | Service continuity, legal compliance |
| Health & Consultation Records | 10 years after last consultation | Medical record-keeping standards, continuity of care |
| Transaction & Payment Data | 7 years | Tax and financial regulations |
| Marketing Preferences | Until consent withdrawn + 1 year | Respect for opt-out requests |
| Website Usage Logs | 24 months | Security monitoring, analytics |
When data is no longer needed, we securely delete or anonymize it in accordance with industry standards.
7. Your Rights Under Kenyan Law
As a data subject under the Kenya Data Protection Act, 2019, you have the following rights regarding your personal information:
Right to Access
Request confirmation of whether we process your data and obtain a copy of your personal information.
Right to Rectification
Request correction of inaccurate or incomplete personal data we hold about you.
Right to Erasure
Request deletion of your personal data under certain circumstances ("right to be forgotten").
Right to Restrict Processing
Request limitation of how we use your data while a dispute about accuracy or lawfulness is resolved.
Right to Data Portability
Receive your data in a structured, machine-readable format and transmit it to another controller.
Right to Object
Object to processing based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making
Not be subject to decisions based solely on automated processing that produce legal or significant effects.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing.
How to Exercise Your Rights: Submit a written request to our Data Protection Officer (contact details in Section 13). We will respond within 30 days as required by law. We may request verification of your identity to protect your data.
No Discrimination
We will not discriminate against you for exercising any of your privacy rights, such as by denying services, charging different prices, or providing a different level of service.
9. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption: Sensitive data (e.g., health records, payment info) encrypted in transit (TLS/SSL) and at rest
- Access Controls: Strict role-based access; staff trained on data protection; multi-factor authentication for admin systems
- Secure Infrastructure: Hosting with reputable providers; regular security patches; intrusion detection
- Data Minimization: Collecting only necessary data; anonymizing where possible
- Incident Response: Documented breach response plan; notification to affected users and the Office of the Data Protection Commissioner (ODPC) within 72 hours if required
- Vendor Management: Due diligence on third-party processors; contractual data protection clauses
Your Responsibility
You are responsible for keeping your account credentials confidential. Do not share your password. Notify us immediately if you suspect unauthorized access to your account.
10. Children's Privacy
Our services are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16.
If you are a parent or guardian and believe your child under 16 has provided us with personal information, please contact us immediately. If we become aware that we have collected such data without parental consent, we will take steps to delete it promptly.
For users aged 16-18, we require parental or guardian consent before collecting sensitive personal data (e.g., health information for consultations).
11. International Data Transfers
Dr. Spice Organics is based in Kenya, and your data is primarily processed and stored within Kenya.
In limited circumstances, data may be transferred to countries outside Kenya (e.g., for cloud hosting, analytics, or payment processing). When we transfer data internationally, we ensure:
- The destination country provides an adequate level of data protection as recognized by the ODPC, OR
- We implement appropriate safeguards such as Standard Contractual Clauses approved by the ODPC, OR
- We rely on your explicit consent for the specific transfer
You may request details of the safeguards we use for international transfers by contacting our Data Protection Officer.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements.
How we notify you:
- Posting the updated policy on this page with a new "Last Updated" date
- For material changes, providing prominent notice via email or website banner
- For changes affecting how we use previously collected health data, obtaining your renewed consent where required
We encourage you to review this policy periodically. Your continued use of our services after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, please contact our Data Protection Officer:
Data Protection Officer
Nacico Chambers, 3rd Floor
Nairobi, Kenya
Response Time: We aim to respond to all privacy inquiries within 30 days as required by the Kenya Data Protection Act, 2019.