Privacy Policy
KAKI.MU Ltd. (“KAKI.MU”, “we”, “us”) is the data controller for the personal data we process when you use the KAKI.MU marketplace. This notice explains what we collect, why, how we keep it safe, and the rights you have under the Mauritius Data Protection Act 2017 and, where applicable, the EU/UK General Data Protection Regulation.
1. What we collect
We collect only what we need to run the marketplace:
- Account information — name, email, mobile number, password hash.
- Transaction history — orders, refunds, disputes, escrow events, reviews.
- Addresses — delivery and billing addresses you save.
- Device & usage data — IP address, browser/device identifiers, pages viewed, crash signals.
- Cookies & similar technologies — see our Cookie Policy.
- Seller KYC — for Sellers only, business registration, ID and payout bank details.
2. Why we use it (lawful bases)
- To operate the marketplace (contract): accounts, orders, escrow, delivery, customer support.
- To prevent fraud and abuse (legitimate interests & legal obligation): risk scoring, KYC, account safety.
- To comply with the Mauritius Revenue Authority and other regulators (legal obligation): tax records, reporting.
- To improve the service (legitimate interests, with consent for non-essential analytics): aggregate analytics, A/B testing.
- To send you marketing (consent): newsletters and offers, where you have opted in.
3. Your rights under the DPA 2017
You have the right to: access the personal data we hold about you; ask us to rectify inaccurate data; request erasure where we no longer need the data and no legal obligation requires us to keep it; receive a copy of your data in a portable format (data portability); object to or restrict certain processing; and withdraw consent at any time where processing is based on consent. To exercise any of these rights, write to dpo@kaki.mu.
You may also lodge a complaint with the Mauritian Data Protection Commissioner (dpo.govmu.org) or, if you are in the EU/UK, your local supervisory authority.
4. How long we keep your data
- Account data: while your account is active, plus 24 months after closure for fraud prevention.
- Order & escrow records: 7 years to satisfy MRA and accounting record-keeping rules.
- Dispute evidence: 3 years after the dispute is closed.
- Marketing consent logs: until consent is withdrawn, plus 12 months.
- Server logs: 90 days, then aggregated or deleted.
5. Who we share data with
We share data only with processors who help us run the marketplace, under written contracts that require them to protect your data:
- Payment processors: Stripe (cards, international) and, in future, MIPS and MCB Juice (Mauritius).
- Messaging: SMS gateway for OTP and delivery alerts; email provider for transactional and (opted-in) marketing.
- Error monitoring: Sentry (only when you have allowed analytics cookies).
- Sellers: receive the delivery name, address and contact phone necessary to fulfil orders you place.
- Authorities: where required by law or to protect the rights and safety of users.
6. International transfers
Some of our processors are based outside Mauritius (e.g. Stripe in Ireland/USA, Sentry in the EU/USA). When data is transferred outside Mauritius, we rely on the safeguards permitted under section 36 of the DPA 2017 — typically Standard Contractual Clauses and supplementary technical measures.
7. Security
We use TLS in transit, encryption at rest for sensitive fields, hashed passwords (Argon2), least-privilege access controls, and continuous monitoring. No system is perfectly secure; if we ever detect a breach that materially affects you, we will notify you and the Data Protection Commissioner within the time limits set by the DPA 2017.
8. Children
KAKI.MU is not directed at children under 18. We do not knowingly collect data from minors; if you believe a minor has created an account, please contact us so we can remove it.
9. Contact
Data protection enquiries: dpo@kaki.mu.
Postal: KAKI.MU Ltd., Data Protection Office, Port Louis, Mauritius.
Last updated: 2026-05-25