Compliant with Kenya Data Protection Act, 2019

Privacy Policy

Last Updated: May 2, 2026

At Lizzie's Marque, we are committed to protecting the privacy and security of our clients' personal data. This Privacy Policy outlines our practices regarding data collection, usage, storage, and your rights as a data subject in compliance with the **Data Protection Act, 2019 (Kenya)**.

1. Data Collection and Usage

We collect only the personal data necessary to fulfill your orders and provide a premium shopping experience. This includes:

Identity Data: Full name.
Contact Data: Phone number (M-PESA) and delivery address.
Transaction Data: Details about payments and items purchased.

We collect this data for specific, lawful purposes: processing orders, managing payments, and improving our boutique services.

2. Consent and Transparency

We process your data based on your explicit consent. During checkout, you are required to opt-in to data processing for fulfillment. Marketing communications are strictly optional and require a separate opt-in.

3. Secure Storage and Encryption

Your security is paramount. We implement robust technical measures, including:

SSL Encryption: All data transmitted to and from our boutique is secured via HTTPS.
AES-256 Encryption: Your contact details and addresses are encrypted at rest in our databases.
Secure Payments: We use compliant M-PESA payment gateways that adhere to Kenyan cybersecurity standards.

4. Data Minimization and Retention

We follow the principle of data minimization, collecting only what is essential for the transaction. We do not store your data longer than necessary for legal, accounting, or reporting requirements.

5. Your Rights as a Data Subject

Under the Data Protection Act, you have the right to:

Access: Request a copy of the personal data we hold about you.
Rectification: Correct any inaccurate or incomplete data.
Erasure (Right to be Forgotten): Request the deletion of your personal data when it is no longer necessary.
Restriction: Object to or restrict the processing of your data.

To exercise these rights, please contact us at privacy@lizziesmarque.co.ke.

6. Breach Notification

In the unlikely event of a data breach, we are committed to notifying the Office of the Data Protection Commissioner (ODPC) and affected users within the statutory timelines (72 hours).

7. ODPC Registration

Lizzie's Marque is in the process of/registered with the Office of the Data Protection Commissioner in Kenya as a Data Controller and Processor.

8. Contact Us

For any inquiries regarding this policy or our data practices, please reach out to our Data Protection Officer at dpo@lizziesmarque.co.ke.