Privacy Policy

Last updated: April 2026

Vertex Photo Store(“we”, “us” or “our”), based at Royal Plaza, Kirinyaga Road, 2nd Floor C4, Nairobi, is the data controller for personal information collected through this website and our order fulfilment process. This Privacy Policy explains what we collect, why, how we protect it, and the rights you have under the Kenyan Data Protection Act, 2019.

Information we collect

Contact and account data: name, email address, phone number, and shipping addresses when you create an account or place an order.
Payment data: the M-Pesa phone number used to complete a Buy Goods (Till) transaction. We do not see or store your M-Pesa PIN; the transaction is handled by Safaricom PLC. No card details are stored on our systems.
Uploaded images and order details: files you upload and customisation choices needed to produce your order.
Usage data: IP address, browser type, device information, pages visited, and approximate location derived from IP — used for security, abuse prevention, and site analytics.

How we use your information

To process, fulfil and deliver your orders.
To send order confirmations, payment receipts, and delivery updates.
To provide customer support.
To improve our website, product range and service quality.
To send marketing communications, only with your prior consent.
To prevent fraud, abuse, and to comply with legal obligations.

Our data processors

We rely on vetted third parties to operate the service. Each is bound by a data processing agreement to only use your data as we direct:

Supabase Inc. — database, authentication and encrypted storage.
Safaricom PLC (Daraja API) — M-Pesa Buy Goods (Till) payments.
Resend, Inc. — transactional email (order confirmations, receipts).
Cloudflare, Inc. — edge network, DDoS protection and bot mitigation.
Upstash, Inc. — rate-limit counters (keyed by IP, not identity).
Vercel Inc. — application hosting and analytics.

How long we keep your data

Uploaded images: deleted 30 days after order completion unless you ask us to keep them for a reprint.
Order records: retained for 7 years to meet tax and accounting obligations.
Account data: retained until you ask us to delete it.

Security

All traffic to this site is encrypted using TLS. Access to our admin dashboard is restricted to authorised staff and protected by one-time-code authentication. Uploaded images are held in private storage buckets with time-limited access links. We conduct regular reviews of our security controls and promptly address any issues identified.

Cookies

We use a small number of cookies for essential functions (shopping cart, authentication, CSRF protection), analytics, and — only with your consent — marketing. You can control cookies through your browser settings.

Your rights

Under the Kenyan Data Protection Act, 2019 you have the right to:

Access the personal data we hold about you.
Request correction of inaccurate or incomplete data.
Request deletion of your data, where we are not required to keep it for legal reasons.
Object to processing for direct marketing.
Lodge a complaint with the Office of the Data Protection Commissioner (ODPC).

Contact

To exercise any of these rights or to ask a privacy question, write to [email protected] or visit us at Royal Plaza, Kirinyaga Road, 2nd Floor C4, Nairobi.

Last updated: April 2026

Information we collect

Contact and account data: name, email address, phone number, and shipping addresses when you create an account or place an order.

Payment data: the M-Pesa phone number used to complete a Buy Goods (Till) transaction. We do not see or store your M-Pesa PIN; the transaction is handled by Safaricom PLC. No card details are stored on our systems.

Uploaded images and order details: files you upload and customisation choices needed to produce your order.

Usage data: IP address, browser type, device information, pages visited, and approximate location derived from IP — used for security, abuse prevention, and site analytics.

How we use your information

To process, fulfil and deliver your orders.

To send order confirmations, payment receipts, and delivery updates.

To provide customer support.

To improve our website, product range and service quality.

To send marketing communications, only with your prior consent.

To prevent fraud, abuse, and to comply with legal obligations.

Our data processors

We rely on vetted third parties to operate the service. Each is bound by a data processing agreement to only use your data as we direct:

Supabase Inc. — database, authentication and encrypted storage.

Safaricom PLC (Daraja API) — M-Pesa Buy Goods (Till) payments.

Resend, Inc. — transactional email (order confirmations, receipts).

Cloudflare, Inc. — edge network, DDoS protection and bot mitigation.

Upstash, Inc. — rate-limit counters (keyed by IP, not identity).

Vercel Inc. — application hosting and analytics.

Security

Your rights

Under the Kenyan Data Protection Act, 2019 you have the right to:

Access the personal data we hold about you.

Request correction of inaccurate or incomplete data.

Request deletion of your data, where we are not required to keep it for legal reasons.

Object to processing for direct marketing.

Lodge a complaint with the Office of the Data Protection Commissioner (ODPC).