Privacy Policy

Effective date: 28/11/2025

Last updated: 28/11/2025

Summary: We collect account emails, payment details via Stripe and M-Pesa (we don't store full card numbers), usage data, and images you upload to generate AI outputs. We use Google's Gemini models to process your inputs. We do not use your images to train our models. This Policy explains your rights and our practices under the Data Protection Act, 2019 (Kenya) and, where applicable, GDPR/UK GDPR/CPRA.

1) Who We Are & Scope

SokoShot (the Company, we, us) provides an AI image generation service (the Service). This Privacy Policy describes how we collect, use, disclose, and protect Personal Information (information about an identifiable individual) when you visit our website, create an account, or use the Service. By using the Service, you agree to this Policy and our Terms of Service.

2) Information We Collect

a) Information you provide

  • Account & profile. Email address, password, and optional profile details you provide.
  • Customer Content. Images, prompts, and other materials you upload so we can generate Outputs. We store these as needed to provide your account features (e.g., history, downloads), support, and abuse prevention.
  • Purchases. Billing name, email, and subscription details. Stripe and M-Pesa process payments on our behalf; we do not store full card numbers. These providers may collect device, fraud, and payment data subject to their own privacy policies.
  • Communications. Messages you send to support, feedback, survey responses, testimonials.

b) Information collected automatically

  • Usage & device data. IP address, device and browser type, operating system, language, referring URLs, pages viewed, buttons clicked, session duration, error logs, and similar diagnostic data.
  • Cookies & similar tech. We use cookies/local storage to keep you logged in, remember preferences, and understand usage. You can control cookies in your browser; disabling them may affect functionality.

c) Information from third parties

  • Model providers. When generating Outputs, necessary input data (e.g., your uploaded image and prompt) may be transmitted to third‑party AI providers (currently Google's Gemini models) for processing.
  • Service providers. Hosting, analytics, customer support, email delivery, and anti‑abuse tools may receive limited Personal Information to perform services for us under contract.

3) How We Use Personal Information

We use Personal Information to:

  • Provide the Service: generate Outputs from your Inputs; operate, maintain, and secure accounts; provide customer support.
  • Billing & account administration: process payments, manage subscriptions, send invoices and renewal notices.
  • Improve the Service: monitor performance and usage trends, debug issues, enhance features, and develop new functionality. We may use aggregated or de‑identified data for analytics and benchmarking.
  • Communicate with you: send transactional emails (receipts, security alerts, service updates). With your consent or as permitted by law, we may send marketing emails—you can opt out at any time.
  • Safety, security, and legal compliance: detect and prevent fraud/abuse; enforce Terms; comply with laws and lawful requests; protect our rights and users.

4) Our Commitments About Your Content & Training

  • We do not use your Customer Content (including uploaded images) to train or retrain our models.
  • Third‑party model providers process Inputs only to generate Outputs and may retain limited logs for security, abuse prevention, or compliance, under their own policies and agreements with us.

5) Sharing & Disclosures

We do not sell your Personal Information. We share it only as follows:

  • Service providers / processors. Cloud hosting, storage/CDN, analytics, error monitoring, email delivery, customer support, payments (Stripe, M-Pesa), and AI model providers (e.g., Google for Gemini) receive Personal Information as needed to operate the Service under confidentiality and data‑protection obligations.
  • Business transfers. Personal Information may be transferred in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
  • Legal & safety. We may disclose information to comply with laws, regulations, court orders, or lawful requests; to enforce agreements; or to protect the rights, safety, and security of users and the public.
  • With your direction or consent. For example, if you connect a third‑party app or request data portability.

6) International Transfers

Your Personal Information may be stored or processed outside your country (e.g., in Kenya, Europe, and the United States) by us or our service providers, including Stripe, M-Pesa, and model providers. When transferring Personal Information internationally, we implement appropriate safeguards (such as contractual protections). By using the Service, you consent to such transfers.

7) Retention

We retain Personal Information only as long as reasonably necessary for the purposes in this Policy or as required by law.

  • Account data & Customer Content: retained while your account is active. If you delete an item or your account, we will delete or anonymize associated Personal Information within a reasonable time, subject to legal retention.
  • Transaction records: kept for at least the period required by tax and accounting laws (commonly up to 7 years).
  • Backups & logs: may persist for a limited time after deletion for security and continuity.

8) Security

We use administrative, technical, and physical safeguards appropriate to the sensitivity of the information, including encrypted transport (HTTPS), access controls, and least‑privilege practices. No method is 100% secure; you are responsible for safeguarding your account credentials and using unique, strong passwords.

9) Your Rights & Choices

Depending on your location, you may have the following rights:

  • Access & correction. Request access to and correction of your Personal Information. We may ask for verification before responding.
  • Deletion. Request deletion of Personal Information, subject to legal retention obligations.
  • Portability. Request a copy of certain Personal Information in a portable format.
  • Consent withdrawal & marketing opt‑out. Withdraw consent where processing relies on consent; opt out of marketing emails using the unsubscribe link or by contacting us. Transactional/service emails will still be sent.

To exercise rights, contact hello@sokoshot.com. If we cannot resolve your concern, you may contact the Office of the Data Protection Commissioner (ODPC) in Kenya or your local data protection authority.

10) Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect Personal Information from children under 13. If you believe a child has provided Personal Information, contact us to request deletion.

11) Cookies & Tracking Technologies

We use necessary cookies for authentication and security, and functional/analytics cookies to understand usage and improve performance. You can control cookies via your browser. Some third parties (e.g., analytics or embedded services) may set their own cookies; their policies govern those cookies.

12) Third‑Party Links & Services

Our website may link to third‑party sites or integrate third‑party services. We are not responsible for their privacy practices. Review their privacy policies before providing information.

13) Changes to This Policy

We may update this Policy. We will update the "Effective date" and, if changes are material, notify you (e.g., email or in‑product notice). Your continued use after changes take effect indicates acceptance.

14) Contact & Privacy Officer

Questions, requests, or complaints about privacy may be directed to:

Privacy Officer — SokoShot.com
Email: hello@sokoshot.com

If you are in Kenya and remain unsatisfied, you may contact the Office of the Data Protection Commissioner (ODPC).