Login

Country

Cart

Your cart is empty

Privacy policy

Last updated: 1 March 2026

This Privacy Policy explains how Grounded collects, uses, and shares your personal data when you visit groundedafrica.com, place an order, sign up for our emails, or interact with us on social media. It also covers our use of cookies (Section 10) and how we handle marketing communications (Section 9).

Written to comply with Kenya’s Data Protection Act, 2019 (DPA) and structured so we can comply with the EU / UK GDPR as we grow globally.

We take privacy seriously. We do not sell your personal data, and we will not send you marketing emails unless you have actively opted in (double opt-in).

1. Who is the data controller?

Global Slacker Enterprises, Ltd (trading as “Grounded”) is the data controller for personal data collected through grounded.co.ke.

KRA PIN: P051605517B
Registered office: P.O. Box 693 - 00902, Kikuyu, Kenya
Trading location: Magana Light Industries Regen, Kikuyu, Kiambu
ODPC registration number: 947-293C-4886

Privacy contact: compliance @ grounded.co.ke -  this mailbox is monitored by operations leads


2. What personal data we collect

2.1 Data you give us directly

  • Identity and contact data: name, email address, phone number, delivery and billing address.

  • Order data: products ordered, order history, delivery instructions, gift-message text.

  • Account data: login credentials and preferences if you create an account.

  •  Communications: messages you send us via email, WhatsApp, social, or the contact form, including support tickets and product reviews.

  •  Marketing preferences: whether you have opted in to email, SMS, or WhatsApp marketing.

2.2 Data we collect automatically

  • Device and usage data: IP address, browser type, device type, operating system, referring URL, pages visited, time on site, clicks, and scroll behaviour.

  • Cookies and similar technologies: see Section 10 for the full list and your choices.

2.3 Data from third parties

  • Payment confirmations and fraud signals from Safaricom (M-Pesa), Paystack..

  • Engagement data from Meta (Facebook / Instagram) and Google when you interact with our ads.

  • Email engagement data from Klaviyo or Mailchimp (opens, clicks, signups).

We do not store your full card number, expiry, or CVV. Payment details are handled directly by our payment processors on PCI-compliant infrastructure.



3. Why we use your data and our legal basis

Under the Kenya Data Protection Act, 2019, we must have a lawful basis for each use of your data. Below is the purpose and our lawful basis under DPA 2019 s.30 (and GDPR Art. 6 for customers outside Kenya).

  • Process and fulfil your order — performance of a contract with you.

  • Payment processing and fraud prevention — contract performance, and our legitimate interest in preventing fraud.

  • Customer service and dispute resolution — contract performance, and our legitimate interest in responding to you.

  • Account management — contract performance.

  •  Marketing emails, SMS, and WhatsApp broadcasts — your explicit, opt-in consent, which you can withdraw at any time.

  • Transactional communications (order confirmations, shipping updates, service notices) — contract performance. These are not marketing; you will receive them even if you have not opted into marketing.

  •  Site analytics and product improvement — your consent (via cookie banner) for non-essential analytics; our legitimate interest for essential analytics.

  • Advertising on Meta and Google — your consent (via cookie banner).

  •  Legal, tax, and regulatory compliance — compliance with a legal obligation (KRA, ODPC, courts).


4. Who we share your data with

We share the minimum data necessary with the following categories of recipients, each under a written processor agreement where required by the DPA:

  • Hosting and commerce: Shopify Inc. (Canada / Ireland). See Shopify’s own privacy policy for how they handle data they collect through our store.

  • Payment processors: Safaricom PLC (M-Pesa via Till 650 363), Paystack, Shopify Payments — depending on the method you choose at checkout.

  • Shipping and courier partners: DHL, Fargo, and select distribution partners.. We share only what the courier needs: name, delivery address, phone number, and a high-level item description.

  •  Email marketing: Klaviyo Inc., Mailchimp (United States) — if you have opted in to marketing.

  • Analytics and advertising: Google LLC (Google Analytics, Google Ads) and Meta Platforms Inc. (Facebook / Instagram Pixel) — only where you have consented via the cookie banner.

  • Professional advisors: lawyers, accountants, and auditors bound by confidentiality.

  • Authorities: Kenya Revenue Authority, Office of the Data Protection Commissioner, courts, or law enforcement where legally required.

We do not sell your personal data. We do not share it with data brokers.


5. International transfers

Some of our processors are based outside Kenya (principally Canada, the EU, the UK, and the United States).

Under DPA s.48–49, we transfer personal data outside Kenya only where one of the following applies:

  • The destination country provides a comparable level of protection.

  • The transfer is governed by appropriate safeguards (such as Standard Contractual Clauses or binding corporate rules).

  • The transfer is necessary to perform our contract with you (e.g. fulfilling your order).

  • You have provided explicit consent.

A current list of our sub-processors and their locations is available on request.


6. How long we keep your data

  • Order and tax records: 7 years from the date of the transaction, to comply with Kenyan tax law.

  • Account data: for as long as your account is active, plus 2 years.

  • Marketing lists: until you unsubscribe, or after 24 months of no engagement, whichever is earlier.

  • Customer service messages: up to 3 years after the case is closed.

  •  Analytics data: typically 14–26 months, in line with Google Analytics defaults.

When data is no longer needed, we delete or anonymise it.


7. Your rights under the Data Protection Act

You have the following rights over your personal data. Most are free of charge and we aim to respond within 30 days.

  • Access — ask for a copy of the data we hold about you.

  • Rectification — ask us to correct data that is inaccurate or incomplete.

  • Erasure — ask us to delete your data where we no longer have a lawful reason to keep it.

  •  Restriction — ask us to pause processing while we verify something.

  • Objection — object to processing based on legitimate interest, including direct marketing (which we will honour immediately).

  • Portability — ask for your data in a structured, machine-readable format.

  • Withdraw consent — where we rely on your consent, you can withdraw it at any time.

  • Not be subject to solely automated decisions that have a legal or similar effect. We do not currently make such decisions.

How to exercise your rights: email us from the address we have on file, or write to the postal address above. We may need to verify your identity before acting.


8. Security

We use industry-standard measures to protect your data, including encrypted connections (HTTPS), access controls on our Shopify admin and email tools, two-factor authentication on staff accounts, and vetting of processors. No system is ever 100% secure, so we also recommend using a strong, unique password for your account.


9. Marketing communications

Our commitments:

  • We use double opt-in. You will not receive marketing until you confirm your email after signing up.
  • Every marketing email has a one-click unsubscribe link and our legal name and postal address in the footer.
  • We will never share, rent, or sell our mailing list.
  • We stop sending to contacts with no engagement for 24 months, to keep our list healthy and respect your inbox.
  • To stop transactional messages (e.g. order updates), you will need to cancel or close your account.


Email: sent from a verified grounded.co.ke, or groundedafrica.com  sending domain via Klaviyo, Mailchimp. Unsubscribe from any email to stop all marketing email.

SMS: only to numbers that have explicitly opted in at checkout or via a signup form. Reply STOP to any message to opt out.

WhatsApp: only to numbers that have explicitly opted in. Reply STOP to opt out.


10. Cookies and tracking technologies

A cookie is a small text file stored on your device when you visit a website. Cookies let the site recognise your browser, remember your preferences, and understand how people use the site. We also use pixels and local storage; for simplicity, we refer to all of them as “cookies” below.

10.1 Categories of cookies we use

 

Type

Purpose

Examples

Consent needed?

Strictly necessary

Keep the site secure, load pages, remember your cart, process payments.

Shopify session, cart, checkout, CSRF tokens.

No — always active

Functional

Remember preferences such as currency and language.

Currency selector, recently viewed products.

Yes (soft)

Analytics

Understand how people use the site so we can improve it.

Google Analytics (_ga, _gid), Shopify Analytics.

Yes

Marketing / Advertising

Show you relevant ads on Meta and Google and measure their performance.

Meta Pixel (_fbp), Google Ads (_gcl_au), Klaviyo (__kla_id).

Yes

 

10.2 Your choices

  •  On your first visit you will see a cookie banner offering Accept all, Reject non-essential, or Customise.

  • You can change your choice at any time via “Cookie preferences” in the site footer.

  • You can clear or block cookies in your browser settings. Disabling strictly necessary cookies will break parts of the site.

  •  Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout

  • Opt out of interest-based ads: https://youradchoices.com and your device’s privacy settings.

10.3 Do Not Track

Some browsers send a “Do Not Track” signal. There is no industry standard on how to respond, so we do not currently action it. Please use the cookie banner to set your preference.


11. Children

Grounded is not directed at children under 18 and we do not knowingly collect their personal data. If you believe a child has given us data, please contact us and we will delete it.


12. Data breaches

If we suffer a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner within 72 hours as required by the DPA, and notify affected individuals without undue delay where the risk is high.


13. Changes to this Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect the most recent change. Material changes will be highlighted on the site and, where we have your email, communicated by email.


14. Complaints

If you are unhappy with how we handle your data, please raise it with us first. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya — odpc.go.ke. Customers based in the EU or UK may also complain to their national supervisory authority.


15. Contact

  • Email: compliance @ grounded.co.ke
  •  Post: P.O. Box 693 - 00902, Kikuyu, Kenya
  • Phone / WhatsApp: +254 740 410 585