BINGWA SOKONI

Privacy Policy

Effective date: 19 May 2026 · Last updated: 19 May 2026 · Applies to: Bingwa Sokoni mobile app (Android & iOS) and bingwasokoni.com

The 60-second summary. We collect your phone number and basic profile so you can run a shop, your shop and order activity so we can pay you, and the data your customers send through the app so we can deliver their bundles. We share payment data with Safaricom (M-Pesa) and your auth tokens with the social networks you connect. We never sell your data. You can delete your account anytime at bingwasokoni.com/legal/data-deletion.

1. Who we are

Bingwa Sokoni is a WhatsApp-first commerce platform operated from Nairobi, Kenya, that lets sellers (we call them "affiliates") run a free online shop selling Safaricom and Telkom airtime, data bundles, and other goods to customers who pay via M-Pesa. This Privacy Policy covers both:

The Bingwa Sokoni Android and iOS app, when published to Google Play and the App Store.
Our website at bingwasokoni.com and per-affiliate subdomains like username.bingwasokoni.com.

Together, we refer to these as "the service." When we say "we," "us," or "Bingwa Sokoni," we mean the operator of this service. When we say "you," we mean either an affiliate (someone running a shop) or a customer (someone buying through a shop).

2. What data we collect

We only collect what we need for the service to work. Concretely:

From affiliates (people running shops)

Data	What it is	How we collect it
Phone number	Your Kenyan mobile number (e.g. 254712…), used as your login + M-Pesa payout destination.	You enter it when signing up.
Password	Hashed with bcrypt; we never see your raw password.	You set it on signup.
Username / shop name	Used to make your shop URL (`username.bingwasokoni.com`).	You enter it on signup.
WhatsApp session credentials	An encrypted device-pairing token that lets our system send messages from your WhatsApp on your behalf.	Generated when you pair WhatsApp on your dashboard. Stored encrypted at rest.
Facebook / Instagram / TikTok OAuth tokens	API access tokens that let us auto-post your shop content to those networks.	You connect each platform through their official OAuth flow. Stored encrypted at rest (AES-256-GCM).
Synced WhatsApp address book	Names and phone numbers of contacts your WhatsApp has on file. Used to deliver shop posts to relevant contacts.	Pulled automatically when you pair WhatsApp. Only the contacts WhatsApp itself surfaces — not your full device contacts.
Order history & earnings	What was sold, when, for how much, your commission earned, and your withdrawal history.	Generated by the service when customers buy through your shop.
Push-notification subscription	A browser-issued push token (no name or phone) so we can notify you of new sales.	Created when you allow notifications.

From customers (people buying through a shop)

Data	What it is	How we collect it
WhatsApp identity (JID)	The WhatsApp ID of whoever messages our bot — typically a phone number.	When the customer messages a shop's WhatsApp.
Display name	The name WhatsApp surfaces for them.	From the WhatsApp message metadata.
Message content	What you typed in chat with the bot — limited to commerce intent (e.g. "BUY 1GB").	From the WhatsApp message.
M-Pesa phone & receipt	The phone you paid from; the receipt number Safaricom returns.	From Safaricom's callback when payment confirms.
Order details	What you bought, how much, when, status.	Created when you tap Buy.

Technical data (everyone)

IP address & user-agent — captured by our web server and by Cloudflare for fraud and rate-limiting. Stored for at most 30 days.
Session cookies — dash.sid identifies your login session; bs_seen tells us you've visited before. No third-party tracking cookies.
App device data (mobile only) — Android Advertising ID and basic device model are not collected by us. Crash reports, if you opt in, are anonymous.

3. Why we collect it

We use the data above only for these specific purposes:

Run your shop — store your products, route orders, attribute commission, pay you out via M-Pesa.
Deliver customer purchases — process the M-Pesa payment, top up the customer's airtime or data, send the receipt.
Auto-post to your social channels — only the platforms you connected via OAuth, only the content you authorize.
Customer support — investigate and resolve a transaction issue you raise.
Fraud prevention & abuse limits — detect spam, throttle abusive sign-ups, ban accounts that violate our terms.
Legal compliance — respond to lawful requests from Kenyan authorities.

We do not use your data to:

Sell or rent it to anyone.
Build a profile to show you ads.
Train AI models.
Send marketing messages you didn't sign up for.

We share data only with these specific third parties, and only the minimum needed for each integration:

Service	What we share	Why
Safaricom Daraja (M-Pesa)	Customer M-Pesa phone, amount, account reference	To issue the STK push prompt and credit affiliate payouts.
Meta (Facebook & Instagram)	Your OAuth token (encrypted server-side; only the token reaches Meta), Page IDs, post payloads	Auto-posting to your Page; receiving DMs from your customers.
TikTok	Your OAuth token, your TikTok user ID, post payloads	Publishing product videos and carousels you create.
WhatsApp (Meta)	Your device-pairing token, message payloads	To send/receive messages through your paired WhatsApp.
Cloudflare	Request metadata (IP, user-agent, headers)	DNS, CDN, DDoS protection. Per their privacy notice.
Google Play / App Store	Crash reports (if opted in), app install events	Solely for stability metrics. No personal data attached.

We do not work with advertising networks. We do not use Google Analytics or similar tracking SDKs. We do not embed Facebook Pixel.

5. Android & iOS permissions

The mobile app requests the following permissions. Each one is requested in context (when you tap a feature that needs it), and you can revoke any of them in your device settings later.

Permission	Why we ask for it	Required?
Internet	To talk to our servers.	Yes
Notifications (POST_NOTIFICATIONS on Android 13+)	To tell you when a sale happens or a withdrawal is paid.	Optional
Photos / Camera	So you can upload a product photo or scan an M-Pesa receipt. Only invoked when you tap a photo picker.	Optional
Contacts	Not requested. We do not read your device address book. WhatsApp contacts come from your WhatsApp pairing, not from this app.	—
Location	Not requested. The app does not use GPS.	—
SMS / Call log	Not requested.	—

6. How long we keep it

Affiliate accounts & orders — kept while your account is active, plus 12 months after deletion for tax and dispute records (Kenya Revenue Authority requires 5 years for financial transactions, so M-Pesa receipt numbers and amounts are retained 5 years; PII surrounding them is purged after 12 months).
WhatsApp pairing tokens — deleted immediately when you log out or unpair.
OAuth tokens (Facebook / Instagram / TikTok) — deleted immediately when you disconnect that platform.
Synced WhatsApp address book — deleted when you unpair WhatsApp, or on full account deletion.
IP & user-agent logs — 30 days.
Push subscription tokens — deleted when you uninstall the app or turn off notifications.

7. Your rights and choices

Under Kenya's Data Protection Act 2019, the EU GDPR, the UK GDPR, and similar laws elsewhere, you have the right to:

Access the data we hold about you — email [email protected] and we'll send a copy within 30 days.
Correct anything that's wrong — most fields are editable in your dashboard at bingwasokoni.com/shop/account.
Delete your account and associated data — use the self-service form at bingwasokoni.com/legal/data-deletion. Deletion completes within 14 days; certain financial records are retained 5 years for tax compliance.
Withdraw consent for any optional processing (e.g. push notifications, social posting) by disconnecting that surface in your dashboard.
Object to processing or request a portable export of your data — same email contact.
Lodge a complaint with the Office of the Data Protection Commissioner (Kenya) at odpc.go.ke if you believe we've mishandled your data.

8. Children's privacy

Bingwa Sokoni is intended for users 18 years and older. We do not knowingly collect data from anyone under 18. If you believe a child has signed up, contact us at [email protected] and we'll delete the account and any associated data within 72 hours.

9. How we protect your data

We use industry-standard safeguards:

Encryption in transit — all traffic is HTTPS/TLS 1.2+; HTTP requests are redirected to HTTPS.
Encryption at rest — OAuth tokens, refresh tokens, and WhatsApp pairing credentials are encrypted with AES-256-GCM. Database backups are encrypted.
Password hashing — bcrypt with cost factor 10. We cannot read your password even if we wanted to.
Webhook signature verification — payment callbacks from M-Pesa and webhook events from Meta are verified with HMAC-SHA256 against a shared secret. Forged callbacks are rejected before they touch the database.
Rate limiting — login, signup, and sensitive endpoints are rate-limited per IP via Redis to prevent brute-force attacks.
SSRF protection — user-supplied URLs (e.g. product images) are validated against an allow-list before our server fetches them, preventing internal-network probing.
Session security — sessions regenerate on login (defeats fixation attacks); cookies are HttpOnly, Secure, SameSite=Lax.
Principle of least privilege — server credentials, M-Pesa keys, and OAuth secrets are loaded from environment variables with restrictive file permissions (0600), never committed to source control.

No system is 100% secure. If we learn of a breach that affects your data, we'll notify you within 72 hours by email and at bingwasokoni.com.

10. International transfers

Our servers are located in Kenya. Some of our service providers (Cloudflare, Meta, TikTok, Google Cloud) are based outside Kenya, primarily in the United States and the European Union. By using Bingwa Sokoni, you consent to your data being processed in those jurisdictions, subject to those providers' own privacy commitments.

We rely on contractual safeguards (Standard Contractual Clauses where applicable) for transfers governed by the EU GDPR.

11. Changes to this policy

We may update this Privacy Policy as our service evolves. Material changes will be announced via:

A banner at the top of bingwasokoni.com for at least 7 days before the change takes effect.
An in-app notification to all signed-in affiliates.
An email to your registered address, if we have one.

The "Last updated" date at the top of this page always reflects the most recent revision.

12. Contact us

Questions about this Privacy Policy, data access requests, or anything else privacy-related:

Email: [email protected] (subject: "Privacy")
Data deletion request form: bingwasokoni.com/legal/data-deletion
Postal address: Bingwa Sokoni, Nairobi, Kenya

For complaints about how we handle your data, you can also contact:

Office of the Data Protection Commissioner, Kenya — odpc.go.ke

Privacy Policy

What's in this policy

1. Who we are

2. What data we collect

From affiliates (people running shops)

From customers (people buying through a shop)

Technical data (everyone)

3. Why we collect it

4. Who we share it with

5. Android & iOS permissions

6. How long we keep it

7. Your rights and choices

8. Children's privacy

9. How we protect your data

10. International transfers

11. Changes to this policy

12. Contact us