Privacy Policy

About This Privacy Policy

This Privacy Policy explains how Click & Go Auto Suppliers collects and processes your personal data when you visit our website, create an account, place an order, or contact us. It describes what data we hold, why we hold it, who we may share it with, and the rights you have over your own information.

We take privacy seriously. We collect only what we need, use it only for the purposes described in this policy, and never sell your personal data to third parties.

Who We Are & Data Controller

Click & Go Auto Suppliers is an automotive lubricants and fluids retailer operating from Impala Down Town Ltd, Outer Ring Rd, Kahawa, Nairobi, Kenya. We operate the website at clickandgoauto.com and related mobile-accessible services.

For the purposes of the Kenya Data Protection Act, 2019, Click & Go Auto Suppliers is the data controller responsible for the personal data collected through our website. This means we determine the purposes and means of processing your personal data.

If you have any questions about how we handle your data, or wish to exercise any of your rights, you may contact our data privacy contact point using the details in Section 15 of this policy.

Information We Collect About You

Personal data means any information that can be used to identify you, directly or indirectly. We collect the following categories:

A. Information you provide to us directly

• Account registration: name, email address, and password (stored as a secure one-way hash — never in plain text)
• Orders: billing and delivery address, phone number, order contents, and order value
• Contact form: name, email address, phone number, subject, and message body
• Reviews & testimonials: product ratings and written feedback you choose to submit
• Wishlist: products you save for later while logged in to your account
• Marketing preferences: whether you wish to receive promotional communications from us

B. Information collected automatically when you use our website

• IP address: used for rate-limiting, fraud prevention, and abuse detection
• Session data: your shopping cart contents and login state stored in a server-side session tied to your browser
• Device and browser information: type of device, operating system, and browser version, collected for compatibility and analytics
• Usage data: pages visited, time spent on pages, products viewed or added to cart, and date and time of your visit — used to improve the website experience
• Referral source: how you arrived at our website (e.g. search engine, social media, direct link)

C. Information we do not collect

• Full card numbers, CVV/CVC codes, or M-Pesa PINs — these go directly to the payment processor and never pass through our servers
• Government ID, national ID, or passport numbers
• Sensitive personal data (health, religion, ethnicity, biometric data) as defined under the Data Protection Act, 2019

Cookies & Session Data

A cookie is a small file placed on your device that helps our website recognise you between pages and visits. We use the following types:

• Session cookie (required): keeps you logged in and maintains your shopping cart between pages. Without this, the site cannot function correctly.
• Security token (required): a short-lived token that protects form submissions from cross-site request forgery (CSRF). It is generated per session and verified server-side.
• Preference cookies (optional): may remember display or filter preferences within a session.

We do not currently use third-party advertising cookies, tracking pixels, or cross-site behavioural profiling. If this changes, we will update this policy and add a cookie-consent prompt before deploying any such technology.

You can control cookies through your browser settings. Disabling session cookies will prevent you from logging in or using the shopping cart. Disabling other cookies will not significantly affect your experience.

How We Use Your Information

We collect and use your personal data for the following purposes:

• Registering you as a customer: creating and managing your account
• Order fulfilment: processing your payment, packing your order, and arranging delivery
• Order communication: sending confirmation, dispatch, and delivery notifications via email or SMS
• Customer support: responding to enquiries submitted through the contact form, email, or WhatsApp
• Account management: enabling you to view order history, manage your wishlist, and update your profile
• Promotions & surveys: enabling you to participate in competitions, discount offers, or customer satisfaction surveys where you have opted in
• Website improvement: understanding which products and pages are most popular so we can improve them
• Product recommendations: suggesting relevant products based on your browsing and order history, where you have consented
• Fraud & abuse prevention: detecting and protecting against malicious activity and unusual usage patterns
• Legal compliance: retaining transaction records as required by Kenyan tax and commercial law
• Marketing (with consent only): if you opt in, sending you updates about new products, promotions, or offers. You can unsubscribe at any time by clicking the link in any marketing email or contacting us directly.

Legal Basis for Processing Your Data

Under the Kenya Data Protection Act, 2019, we must have a lawful basis to process your personal data. Depending on the purpose, we rely on one or more of the following:

A. Your Consent

Where you have given us clear consent, for example when opting in to receive marketing communications or newsletters. You may withdraw your consent at any time by clicking the “unsubscribe” link in any marketing email, or by contacting us at info@clickandgoauto.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

B. Performance of a Contract

Where processing is necessary to fulfil a contract with you, or to take steps at your request before entering into one. This covers processing your order, managing delivery, and providing customer support for purchases you have made.

C. Our Legitimate Business Interests

Where it is necessary for us to understand our customers, improve our services, and operate our business effectively — provided this is done in a way that does not unfairly override your privacy rights. This covers analytics, fraud prevention, and general website operation. We always balance our interests against yours before relying on this basis.

D. Compliance with a Legal Obligation

Where we are required by Kenyan law to process or retain your data. This includes retaining transaction records under the Income Tax Act and VAT Act, and disclosing information in response to valid legal requests from regulatory or law-enforcement authorities.

How Payments Are Handled

We accept M-Pesa and bank transfer. Payments are handled by third-party processors or your bank. Your financial credentials are never stored on our servers.

M-Pesa

When you pay via M-Pesa, a payment prompt is sent directly to your phone by Safaricom. You enter your M-Pesa PIN on your own device. This PIN is never transmitted to or accessible by us. We only receive a transaction confirmation reference from Safaricom to verify your payment.

Bank Transfer

Bank transfer payments are made directly from your bank to ours through standard encrypted banking channels. Your banking credentials remain entirely within your bank’s system and are never shared with us. We receive only the incoming transfer record to match against your order.

Who We Share Your Data With

We do not sell, rent, or trade your personal data. We share it only where strictly necessary for the following purposes:

• Courier and delivery partners: we share your name, phone number, and delivery address with our logistics partners to fulfil your order. These partners are bound by confidentiality obligations and may not use your data for any other purpose.
• Payment processors: Safaricom processes M-Pesa transactions. They receive only the data required to process your payment. We do not share unnecessary personal data with payment processors.
• IT and service providers: we use third-party providers for hosting, email delivery, and analytics. They process your data on our instructions only and under contractual data-processing agreements.
• Legal authorities: we may disclose your data if required to do so by a valid court order, regulatory request, or law-enforcement requirement under applicable Kenyan law.
• Business transfers: if we sell or transfer all or part of our business, your data may be transferred as part of that transaction. We will notify you in advance where required by law.

We require all third parties we share data with to handle it securely, use it solely for the specified purpose, and comply with the Kenya Data Protection Act, 2019.

International Transfers of Your Data

Our primary operations and data storage are based in Kenya. However, some of the third-party service providers we use (such as cloud hosting or email delivery services) may process data in other countries.

Where we transfer your personal data outside Kenya, we take steps to ensure it receives a comparable level of protection to that required under the Kenya Data Protection Act, 2019. This includes:

• Using providers in countries recognised as providing adequate data protection standards
• Requiring contractual data-protection commitments from any third-party processor that handles your data outside Kenya

We are aware of the inherent risks in cross-border data transfers and take reasonable technical and organisational measures to mitigate them. If you have questions about specific transfers, contact us at info@clickandgoauto.com.

How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy. Specifically:

• Order records: retained for 7 years as required by Kenyan tax regulations (Income Tax Act, VAT Act)
• Account data: retained while your account is active. If you request deletion, we will remove your personal data within 30 days, except where retention is required by law
• Contact form messages: retained for up to 12 months for customer service reference, then deleted
• Session data: expires when you close your browser or after a period of inactivity
• Marketing preferences: retained until you withdraw consent or request deletion
• Fraud and rate-limit records: temporary records used for abuse detection are deleted automatically on a short rolling cycle

We actively review the data we hold and securely delete or anonymise it when there is no longer a legal, business, or operational reason to retain it.

How We Protect Your Data

We have put in place appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration, or destruction. These include:

• Password hashing: account passwords are stored as one-way cryptographic hashes and are never stored or transmitted in plain text
• HTTPS encryption: all data transmitted between your browser and our website is encrypted using TLS
• Access controls: access to personal data is restricted to staff who have a legitimate business need to process it. All such personnel are subject to confidentiality obligations
• Session security: CSRF tokens protect form submissions; session tokens are regenerated on login
• Payment isolation: payment credentials (M-Pesa PIN, bank login) are never transmitted through our systems
• Regular review: we periodically review our security measures and update them in line with best practices

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the Office of the Data Protection Commissioner of Kenya in accordance with our obligations under the Data Protection Act, 2019.

Your Rights Under the Data Protection Act 2019

As a data subject under Kenyan law, you have the following rights in relation to your personal data:

1. Right of access: request a copy of the personal data we hold about you
2. Right to rectification: ask us to correct inaccurate or incomplete data — it is important you keep your account information up to date
3. Right to erasure: ask us to delete your data where there is no longer a lawful reason to keep it. You may also close your account to trigger deletion of your profile data
4. Right to restrict processing: ask us to pause using your data in certain circumstances, for example while a correction is pending
5. Right to data portability: receive your data in a structured, commonly used, machine-readable format
6. Right to object: object to us processing your data for direct marketing purposes at any time. You may also object to processing based on our legitimate interests where you have grounds relating to your particular situation
7. Right to withdraw consent: where processing is based on your consent, withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at info@clickandgoauto.com. We will respond within 21 days as required by the Act. We may ask you to verify your identity before actioning your request and may refuse requests that are manifestly unfounded or excessive.

If you believe we have handled your data unlawfully, you may lodge a complaint with the Office of the Data Protection Commissioner of Kenya.

Children Under 18

Our website and services are intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at info@clickandgoauto.com and we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, applicable law, or best practices. When we make material changes, we will update the “Last updated” date shown in the sidebar and, where appropriate, notify registered account holders by email.

Continued use of our website after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

Privacy Enquiries & Data Controller

For any questions, requests, or concerns about this policy or how we handle your personal data, contact us using any of the following:

We will investigate any complaint about the way we manage personal data and respond to all substantiated complaints within 21 days as required by the Kenya Data Protection Act, 2019.