Now available · Kenya DPA 2019

Compliance documents drafted for Kenyan law.

Not a GDPR template with "Kenya" swapped in. A privacy policy that references the Data Protection Act 2019, names the rights your users have under Kenyan law, and won't embarrass you when the ODPC comes looking.

Generate your policy — free →

Free preview · No credit card · Takes 5 minutes

SHERIA DIGITAL · KENYA DPA 2019
PRIVACY POLICY · KENYA-SPECIFIC

Privacy Policy for
[Your Business Name]

DPA 2019 · §§ 25–48
  • Kenya DPA 2019, Cap. 411C
  • Data Subject Rights · Section 26
  • ODPC Registration · Section 18
  • Breach Notification · Section 43
  • Cross-Border Transfers · Section 48
  • Data Protection by Design · Section 41
  • Duty to Notify · Section 29
  • Lawful Processing · Section 30

  • KES 3M · Maximum fine per offence
  • 10 yrs · Maximum prison term
  • 2019 · Act in force since
  • ODPC · Actively enforcing

Most Kenyan websites are using the wrong privacy policy.

What most businesses do

Copy a US or UK template from Google

It references GDPR, CCPA, and California law. It mentions "cookies" but not the Kenya DPA 2019. It doesn't name the ODPC. It doesn't mention data localization. It doesn't list the rights Kenyan data subjects have under Section 26 of the DPA 2019 — the right to be informed, to access, to object, to correct, and to delete. If the Data Commissioner's office audits you, this policy is worth nothing.

The expensive option

Pay an advocate four to five figures

A law firm will draft you a proper policy. It will be correct. It will also take 2–4 weeks, cost more than most small businesses can justify, and become outdated the moment the ODPC issues new guidance — which they do regularly.

What Sheria Digital does

Answer 15 questions. Get drafted documents.

Sheria Digital asks you what data you collect, why, from whom, where you store it, and who you share it with. In five minutes you get a privacy policy, cookie policy, and data subject request form that actually reference the Data Protection Act 2019 — the law that applies to your business.

SECTION-ACCURATE

Update when the law changes. Not when you remember.

When the ODPC issues new regulations or guidance notes, we update the templates. Your documents stay current. No advocate retainer needed.

Three steps. Five minutes.

1. Tell us about your business

Company name, what personal data you collect, why you collect it, where you store it, whether you transfer it outside Kenya, your DPO contact if you have one. Fifteen short questions — no legal jargon, no ambiguity.

2. Review your documents

Sheria Digital generates a privacy policy, cookie policy, and data subject request form tailored to your answers. Every clause references the specific DPA 2019 sections that apply to you. Read it, edit it, make it yours.

3. Download and publish

Export in Word, PDF, or HTML. Paste it on your website footer, send it to your app developer, include it in your ODPC registration application. Done.

What Sheria Digital actually produces.

An excerpt from a privacy policy generated for a fictional Kenyan e-commerce company. Every clause references specific sections of the Data Protection Act 2019.
SAMPLE
Section 29 requires data controllers to notify data subjects of eight specific items before collecting data — this is what your privacy policy must contain
Section 26 lists the five core rights: to be informed, to access, to object, to correct, and to delete
Section 48 governs cross-border transfers — your policy must address this if data leaves Kenya
Duka Digital Limited
Privacy Policy · Data Protection Act, 2019 (Cap. 411C)
Effective date: 17 April 2026 · Last updated: 17 April 2026

Duka Digital Limited ("we," "us," or "our") is committed to protecting the personal data of individuals who use our services. This Privacy Policy describes how we collect, use, store, and protect your personal data in compliance with the Data Protection Act, 2019 (Cap. 411C) and its subsidiary regulations, as enforced by the Office of the Data Protection Commissioner (ODPC).

In accordance with Section 29 of the Act, we are required to inform you, before collecting your personal data, of the matters set out in this policy.

1. Data Controller

The data controller responsible for your personal data is Duka Digital Limited, registered in Kenya under the Companies Act (Company No. PVT-2024-XXXXX), with its principal office at Westlands Business Park, Nairobi. For data protection inquiries, contact our Data Protection Officer at dpo@dukadigital.co.ke.

2. Personal Data We Collect

We collect the following categories of personal data:

  • Identity data: full name, national ID or passport number, date of birth
  • Contact data: email address, phone number, delivery address
  • Transaction data: order history, payment method (M-Pesa, card), amounts
  • Technical data: IP address, browser type, device identifiers, cookies

3. Your Rights Under the Data Protection Act 2019

As a data subject, you have the following rights under the Data Protection Act 2019:

  • The right to be informed of the use to which your personal data is put (Section 26(a))
  • The right to access your personal data in our custody (Section 26(b))
  • The right to object to the processing of your personal data (Section 26(c))
  • The right to correction of false or misleading data (Section 26(d))
  • The right to deletion of false or misleading data (Section 26(e))

To exercise any of these rights, contact our Data Protection Officer at dpo@dukadigital.co.ke. We will respond within 30 days. If you are not satisfied, you may lodge a complaint with the Office of the Data Protection Commissioner.

4. International Data Transfers

Where we transfer personal data outside Kenya, we ensure that adequate safeguards are in place in accordance with Section 48 of the Data Protection Act 2019. We maintain at least one serving copy of personal data on servers located within Kenya.

Generated by Sheria Digital · Fictional company · Not legal advice
Excerpt from a sample privacy policy · Full version includes all DPA 2019 requirements

Generate three documents. One form.

More documents. Same simplicity.

Extended (coming soon)
  • Data Processing Agreement § 42
  • DPIA template § 31
  • Breach notification letter § 43

Operations (planned)
  • Employee data protection policy
  • Consent form templates
  • ODPC registration checklist

Want to be first?

Get notified when new documents launch.

Join the list ↓

Less than one hour of advocate time.

Preview
Free
See your documents before you pay
  • All 3 documents (watermarked)
  • Full preview
  • No account required
Professional
KES 5,000 one-time
For companies handling sensitive data
  • Everything in Starter
  • Data Processing Agreement
  • DPIA template
  • Breach notification letter
  • Employee data policy
  • Free updates for 24 months

Compare: A KENYAN ADVOCATE WILL DRAFT THESE FOR YOU. THEY WILL ALSO CHARGE FOUR TO FIVE FIGURES AND TAKE WEEKS.

Answered honestly.

No. Sheria Digital generates compliance documents based on the requirements of the Data Protection Act 2019 (Cap. 411C) and its subsidiary regulations. The documents are drafting assistance, not legal advice. For complex or high-risk data processing, we recommend having an advocate review the documents before publishing them.

Termly and iubenda are built for US and EU law. They reference GDPR, CCPA, and CalOPPA. Sheria Digital is built specifically for the Kenya Data Protection Act 2019. Our documents reference the correct Kenyan statute (Cap. 411C), name the ODPC as the supervisory authority, address Kenya's data localization provisions under Sections 48 and 50, and list the specific rights data subjects have under Section 26 of the Act. These are not the same as GDPR rights.

Yes. The Office of the Data Protection Commissioner has been issuing enforcement notices under Section 58, conducting compliance audits under Section 23, and publishing guidance notes for specific sectors. Non-compliance can result in administrative fines of up to KES 5 million or 1% of annual turnover under Section 63, and criminal penalties of up to KES 3 million and 10 years imprisonment under Section 73.

When the ODPC issues new regulations or guidance, we update the templates. The Act was revised by the 24th Annual Supplement (Legal Notice 221 of 2023) and we track subsequent amendments. If you purchased a Starter or Professional package, you receive updated documents at no additional cost during your update period.

Yes. You can copy the text and paste it into Word, Google Docs, or any editor. You can also copy the HTML to embed directly on your website. The generated document is a starting point, not a locked file — add clauses, change wording, incorporate advice from your advocate.

The ODPC won't wait.
Neither should you.

Generate your first document free. No credit card required.

Get notified when we launch new documents

DPA templates, breach notification letters, and more — coming soon.