Beyond Beauty is a trading name of Urembo Luxe Ventures, registered in Kenya. Beyond Beauty (we, our, us) operates the online store at beyondbeauty.co.ke. This Privacy Policy explains how we collect, use, store, share and protect your personal information in compliance with Kenya's Data Protection Act, 2019 and its regulations. By using our website or placing an order, you agree to the practices described here.
We are registered as a Data Controller under the Data Protection Act, 2019. Our designated Data Protection Officer can be reached at hello@beyondbeauty.co.ke.
1. Information We Collect
1.1 Information You Provide Directly
- Name, email address, phone number, delivery address and billing address when you create an account or place an order.
- Payment information — we do not store card numbers. M-Pesa transaction references are stored for reconciliation only.
- Messages and enquiries you send via WhatsApp, email or our contact form.
- Survey responses, reviews or competition entries you submit.
1.2 Information Collected Automatically
- IP address, browser type, device identifiers and operating system.
- Pages visited, time on site, referral source and clickstream data via cookies and similar technologies (see Section 7).
- General location data derived from your IP address (country / city level — not GPS).
1.3 Information from Third Parties
- Payment processors (e.g. M-Pesa/Safaricom, Flutterwave, Pesapal) — transaction status only.
- Social media platforms (Instagram, TikTok) when you interact with our pages or use social login.
- Delivery partners for shipping status updates.
2. Legal Basis for Processing
Under the Data Protection Act, 2019 we process your data on the following lawful grounds:
- Contract performance — to fulfil your orders, process payments and arrange delivery.
- Legitimate interests — to prevent fraud, improve our services and conduct analytics.
- Consent — for marketing communications. You may withdraw consent at any time.
- Legal obligation — to comply with tax, consumer protection and other Kenyan law.
3. How We Use Your Information
- Process and fulfil your orders, including arranging courier delivery.
- Send order confirmations, dispatch notifications and delivery updates.
- Respond to your customer service enquiries via WhatsApp, email or phone.
- Send our weekly Sunday newsletter and promotional communications (with your consent).
- Personalise product recommendations and your browsing experience.
- Detect, investigate and prevent fraudulent transactions and abuse.
- Comply with our legal obligations under Kenyan law, including tax reporting to KRA.
- Conduct internal analytics to improve our product curation and content.
4. Sharing Your Information
We do not sell your personal data. We share it only in the following circumstances:
4.1 Service Providers
We engage trusted third-party service providers who process data on our behalf and are contractually bound to keep it confidential:
- Payment processors (Safaricom M-Pesa, Flutterwave or Pesapal) for transaction processing.
- Courier and logistics partners (Sendy, G4S, Posta Kenya) for delivery.
- Email service providers for newsletter delivery.
- Cloud hosting and website infrastructure providers.
- Analytics platforms (e.g. Google Analytics) — data is pseudonymised.
4.2 Legal Requirements
We may disclose your information to government authorities or law enforcement where required by Kenyan law, court order or to protect the rights and safety of Beyond Beauty, our customers or the public.
4.3 Business Transfers
In the event of a merger, acquisition or sale of all or part of our business, your data may be transferred as a business asset. We will notify you before your data is transferred and becomes subject to a different privacy policy.
5. Your Rights Under the Data Protection Act, 2019
As a data subject in Kenya, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — request deletion of your data where we have no lawful basis to retain it.
- Right to object — object to processing for marketing purposes at any time.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to withdraw consent — withdraw consent for marketing at any time without affecting prior processing.
To exercise any of these rights, email us at hello@beyondbeauty.co.ke or WhatsApp +254 114 481515. We will respond within 21 days as required by law. If you are dissatisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy or as required by law:
- Order records and transaction data: 7 years (Kenya Revenue Authority requirement).
- Account information: for the lifetime of your account plus 2 years after closure.
- Marketing consent records: until you withdraw consent plus 1 year.
- Server and access logs: 90 days.
7. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to enhance your experience. Types of cookies we use:
- Strictly necessary — required for the website and shopping cart to function. Cannot be disabled.
- Analytics — help us understand how visitors use the site (e.g. Google Analytics). You may opt out via your browser settings.
- Marketing / retargeting — enable us to show you relevant ads on Meta and TikTok. You may opt out via your social platform settings.
You may manage or disable non-essential cookies through your browser settings at any time. Note that disabling cookies may affect website functionality.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, loss, destruction or alteration. These include:
- SSL/TLS encryption for all data transmitted to and from our website.
- Restricted access to personal data — only authorised staff and service providers can access it.
- Regular security assessments of our systems and third-party providers.
Despite these measures, no internet transmission is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify you and the ODPC within 72 hours of becoming aware of the breach, as required by the Data Protection Act, 2019.
9. Children's Privacy
Our services are intended for persons aged 18 and above. We do not knowingly collect personal data from children under 18. If you believe your child has provided us with personal data, please contact us immediately and we will delete it.
10. International Data Transfers
Where your data is transferred outside Kenya (e.g. to cloud servers or analytics providers), we ensure that adequate safeguards are in place, including standard contractual clauses or transfers to countries with equivalent data protection standards, in accordance with the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will post the updated policy on this page with a revised effective date. Where changes are material, we will notify you by email or a prominent notice on our website. Your continued use of our services after changes are posted constitutes acceptance of the updated policy.
12. Contact Us
For any questions, requests or complaints relating to this Privacy Policy: