Your privacy matters to us. This Privacy Policy explains how Franstat Printing Solutions collects, uses, and protects your personal data in accordance with Kenya's Data Protection Act, 2019 and applicable regulations. Please read it carefully.
01
Who We Are
Franstat Printing Solutions ("Franstat", "we", "us") is a printing and branding business based in Nairobi, Kenya. We operate the Franstat website and online ordering platform at franstat.com.
For the purposes of the Data Protection Act 2019, Franstat is the Data Controller responsible for your personal information.
Contact: support@franstat.com
Phone: +254 700 000 000
Address: Nairobi, Kenya
02
Information We Collect
We collect information that you provide directly, that we generate through your use of our services, and that we receive from third parties (such as M-Pesa).
Category
What we collect
Source
Account Data
Full name, email address, phone number, password (hashed)
You (registration)
Order Data
Service selected, dimensions, quantity, special notes, artwork files
You (ordering)
Payment Data
M-Pesa phone number, transaction receipt, payment status
You & Safaricom M-Pesa
Usage Data
IP address, pages visited, browser type, timestamps
Automated collection
Communications
Support ticket messages, email correspondence
You
Device Data
Device type, operating system (for security logging)
Automated collection
We do not collect sensitive personal data such as biometric data, health information, or government ID numbers.
03
How We Use Your Information
To create and manage your account
To process, produce, and deliver your print orders
To initiate and confirm M-Pesa payments
To send order status updates, receipts, and invoices via email
To respond to support tickets and enquiries
To detect and prevent fraud, abuse, or unauthorised access
To analyse and improve our platform and services
To send marketing communications (only with your consent, and you may opt out at any time)
To comply with legal obligations under Kenyan law
We do not use your data for automated decision-making that produces significant legal effects without human review.
04
Legal Basis for Processing
Under Kenya's Data Protection Act 2019, we process your personal data on the following lawful bases:
Contract: Processing necessary to fulfil your order and manage your account
Legitimate Interests: Security monitoring, fraud prevention, service improvement
Consent: Marketing emails and optional communications (withdraw at any time)
Legal Obligation: Compliance with Kenyan tax and financial regulations
05
Sharing Your Information
We do not sell your personal data. We share it only where necessary:
Safaricom M-Pesa: Your phone number and payment details are shared to process M-Pesa transactions
Supabase (Database): Our secure cloud database provider stores your account and order data
Email provider: We use SMTP to send transactional emails containing your name and order details
Delivery partners: Your name and delivery address are shared with courier services when applicable
Legal authorities: We may disclose data when required by law, court order, or to protect the rights and safety of persons
All third-party processors are bound by data processing agreements and are required to handle your data securely and only for the purposes we specify.
06
M-Pesa & Payment Data
We process M-Pesa payments via Safaricom's Daraja API. When you initiate a payment:
Your M-Pesa phone number is transmitted to Safaricom to trigger the STK push prompt
Safaricom returns a transaction receipt number which we store against your order
We store the payment amount, status, and receipt — but never your M-Pesa PIN
Full card numbers or banking credentials are never collected or stored by Franstat
We never store your M-Pesa PIN. The PIN is entered directly on your handset and is never transmitted to or seen by Franstat.
07
Cookies & Tracking
We use minimal, essential cookies to operate our platform:
Session cookie (fs_token): An HttpOnly, Secure JWT cookie that keeps you signed in for 24 hours. It is never accessible to JavaScript.
We do not use advertising cookies, cross-site tracking cookies, or analytics platforms that share your data with third parties. You may clear cookies from your browser settings at any time, which will sign you out of your account.
08
Data Retention
We keep your data only as long as necessary:
Account data: Retained for the lifetime of your account, plus 3 years after closure for legal compliance
Order & payment records: 7 years (required by Kenyan tax law)
Artwork files: 90 days after order completion, unless you request earlier deletion
Support communications: 2 years
Security logs: 90 days rolling
When retention periods expire, data is securely deleted or anonymised.
09
Your Rights
Under the Data Protection Act 2019, you have the following rights regarding your personal data:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Correct inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your data where there is no compelling reason to retain it.
Right to Restrict Processing
Ask us to limit how we use your data in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests, including direct marketing.
Right to Withdraw Consent
Withdraw consent at any time where processing is consent-based.
Right to Complain
Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) Kenya.
To exercise any of these rights, email us at privacy@franstat.com with your full name and account email. We will respond within 30 days.
10
Data Security
We take the security of your personal data seriously and implement industry-standard safeguards:
All passwords are hashed using bcrypt (cost factor 12) — we never store plain-text passwords
Authentication sessions use signed JWT tokens stored in HttpOnly, Secure cookies inaccessible to client scripts
All data is transmitted over HTTPS with TLS encryption
Our database is hosted on Supabase with encryption at rest
Access to admin functions is protected by role-based access control and re-validated on every request
Rate limiting is applied to all authentication endpoints to prevent brute-force attacks
Administrative actions are logged in an immutable audit trail
Despite these measures, no system is completely immune to breaches. In the event of a data breach affecting your rights, we will notify you and the ODPC within 72 hours as required by law.
11
Children's Privacy
Our services are not directed at persons under the age of 18. We do not knowingly collect personal data from children. If you believe a child under 18 has provided us with personal data without parental consent, please contact us and we will delete it promptly.
12
Third-Party Links
Our platform may contain links to third-party websites (e.g., Safaricom, social media). These sites have their own privacy policies and we are not responsible for their practices. We encourage you to read their policies before providing them with any personal information.
13
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
Continued use of our services after the effective date of any changes constitutes acceptance of the updated policy.
14
Contact & Complaints
For any privacy-related queries or to exercise your rights, please contact our Data Protection point of contact:
Email: privacy@franstat.com
Phone: +254 700 000 000
If you are not satisfied with our response, you have the right to lodge a complaint with Kenya's data protection authority:
Office of the Data Protection Commissioner (ODPC) Website: odpc.go.ke · Email: info@odpc.go.ke P.O. Box 30030-00100, Nairobi, Kenya