Skip to main content

Privacy Policy

Last updated: 1 April 2026

1. Who we are

Doodle ("we", "us", "our") operates the food and grocery delivery platform available at doodle.co.ke and through our mobile applications. This Privacy Policy explains how we collect and use your personal data in accordance with the Kenya Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021.

2. Data we collect

  • Account data — name, phone number, email address (optional), delivery addresses.
  • Order data — items ordered, order history, delivery preferences, dietary profiles.
  • Payment data — M-Pesa phone number and transaction references. We do not store card numbers or PINs.
  • Location data — GPS coordinates when you use the app (delivery address, live tracking). Drivers share location while online.
  • Device data — device type, operating system, push notification tokens and app version.
  • Support data — messages and photos you share with our support team.

3. How we use your data

  • To process and deliver your orders.
  • To send order notifications, delivery updates and receipts.
  • To improve our services through aggregated analytics (never sold to third parties).
  • To personalise your homepage and menu recommendations.
  • To detect and prevent fraud.
  • To comply with legal obligations (e.g. tax records, pharmacy regulations).

4. Who we share data with

We share the minimum data necessary with the following parties:

  • Merchants — your name and delivery address (for order preparation).
  • Delivery riders — your delivery address and contact number (for delivery coordination).
  • Payment processors — Safaricom M-Pesa for payment processing.
  • Cloud infrastructure — our servers are hosted on secure, encrypted cloud providers.

We never sell your personal data to advertisers or data brokers.

5. Data security

We protect your data using industry-standard measures including TLS 1.2/1.3 encryption in transit, encrypted storage at rest, role-based access controls and regular security audits. Authentication tokens are stored in secure device storage and never in plain-text cookies or local storage.

6. Data retention

We retain your account data for as long as your account is active. Order history is retained for 3 years for tax and dispute resolution purposes. You may request deletion of your account and associated data at any time.

7. Your rights

Under the Kenya Data Protection Act 2019, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data ("right to be forgotten").
  • Object to processing of your data for certain purposes.
  • Withdraw consent at any time.

To exercise any of these rights, email privacy@doodle.co.ke with your registered phone number.

8. Cookies

This website uses essential cookies for authentication and security. We do not use tracking or advertising cookies. See our Cookie Policy for details.

9. Children

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal data from children.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform or email. Continued use after notification constitutes acceptance.

11. Contact

Data Protection Officer: privacy@doodle.co.ke
General enquiries: support@doodle.co.ke