Data Governance.
Effective as of April 7, 2026. This protocol outlines how Welsh Motors Ltd manages, encrypts, and secures your digital assets and identity.
Executive Summary
Encryption at rest and in transit.
Zero third-party monetization.
Authorized peer-to-peer data flow.
User-governed data deletion.
Verified dealer access control.
Asset Classification
Account Data
- Name
- Phone
- Password (hashed)
Profile Data
- Avatar
- Business Name
- Location
- Verification Status
Inventory Data
- Vehicle Details
- Photos
- Availability
- Pricing
Activity Data
- Enquiries Made
- Lead Interactions
- Login History
- Device Info
Authorized Sub-Processors
| Entity | Protocol Purpose | Data Variable |
|---|---|---|
| PostgreSQL Database | Data storage and retrieval | All encrypted data |
| AWS / Cloud Provider | Infrastructure and backups | Encrypted backups, activity logs |
| SendGrid | Email delivery | Email, name, transaction data |
| M-Pesa API | Payment processing | Phone, amount, transaction ID |
| Pesapal | Card payments | Card tokens (never raw cards) |
| Cloudflare | Security and CDN | IP address, page requests (anonymized) |
1. Who We Are
Welsh Motors ("we", "us", "our") is operated by Welsh Motors Ltd, a Kenyan automotive marketplace. This Privacy Policy describes how we collect, use, protect, and share your personal data when you use our platform at welsh-motors.com ("Platform").
2. What Data We Collect
2.1 Account Information
2.2 Dealer Profile Data
2.3 Inventory & Listing Data
2.4 Interaction & Activity Data
2.5 Payment Data
3. How We Collect Data
3.1 Direct Collection
Data you provide when creating accounts, updating profiles, uploading listings, sending enquiries, or subscribing to plans.
3.2 Automatic Collection
IP addresses, browser cookies, device identifiers, and page click tracking via server logs and analytics tools.
3.3 Third-Party Sources
M-Pesa verification for phone numbers, KRA records for dealer validation, and analytics partners for aggregated usage data.
4. How We Use Your Data
4.1 Core Service Operations
4.2 Platform Improvement
4.3 Security & Compliance
4.4 Communication
5. Who We Share Data With
5.1 The Core Rule
We never sell, rent, or trade your personal data to third parties for marketing purposes. Full stop.
5.2 Service Providers (Data Processors)
We share limited data with essential service providers who are contractually bound to protect it and use it only for specified purposes (see list below).
5.3 Legal Requirements
We may disclose data if required by Kenyan law, court order, or government agency request. We will notify you unless legally prohibited.
5.4 Business Transfers
If Welsh Motors is acquired or merged, your data may transfer to the successor company under the same privacy obligations.
6. Buyer-to-Dealer Data Sharing
6.1 What Dealers See
When you (as a buyer) send an enquiry, the dealer receives your name, phone number, email, and enquiry message. This is necessary to facilitate the transaction.
6.2 Your Control
You can opt out of receiving dealer contact via your account settings. Dealers will still see your enquiry but will not be able to call/message you directly.
6.3 Dealer Responsibilities
Dealers are responsible for using your contact info only to respond to your enquiry. Welsh Motors is not liable for dealer misuse of your data. Report abuse to sec@welsh.co.ke.
7. Cookies and Tracking
7.1 Session Cookies
We use session cookies to keep you logged in and maintain security. These are deleted when you close your browser.
7.2 Analytics Cookies
Tools like Google Analytics track page views and user behavior to help us improve the platform. These data are anonymized and aggregated.
7.3 Opt-Out
Most browsers allow you to disable cookies via settings. Some platform features may not work without cookies (like login). You can also opt out of analytics tracking—contact sec@welsh.co.ke.
8. Data Security
8.1 Encryption
Data in transit is encrypted using HTTPS/TLS. Sensitive data at rest (passwords, payment info) is hashed or tokenized—we never store raw credit card or full M-Pesa data.
8.2 Access Controls
Only authorized employees with a business need can access personal data. Access is logged and monitored.
8.3 Limitations
While we implement industry-standard security, no system is 100% risk-free. Welsh Motors is not liable for breaches caused by factors beyond our reasonable control (e.g., zero-day exploits, stolen credentials shared with third parties).
8.4 Incident Response
If we discover a breach affecting your data, we will notify affected users within 30 days and describe the breach, data involved, and remediation steps.
9. Data Retention
9.1 Active Accounts
While your account is active, we retain account, profile, and activity data to provide services and maintain platform history.
9.2 After Deletion
If you delete your account, we retain core data (transactions, enquiries) for 90 days for dispute resolution, then archive or anonymize it. Backups may contain older copies for up to 12 months.
9.3 Legal Holds
If you are involved in a dispute or investigation, we retain all relevant data indefinitely until the matter is resolved.
9.4 Aggregated Data
We may retain anonymized, aggregated data ("5,000 dealers listed 100K cars") indefinitely for analytics and market research.
10. Your Rights (GDPR-Inspired)
10.1 Access
You can request a copy of all personal data we hold about you. Contact sec@welsh.co.ke with "Data Subject Access Request." We will respond within 30 days.
10.2 Correction
You can update your profile information directly in your account settings. Contact support if you need help correcting locked fields.
10.3 Deletion
You can request deletion of your account and associated data. Some data (transaction records) may be retained for legal/audit purposes but will be anonymized.
10.4 Portability
You can request your data in a portable format (CSV). We will provide it within 30 days.
10.5 Opt-Out of Marketing
Unsubscribe from promotional emails by clicking the link in any marketing email or updating your notification preferences.
11. International Data Transfers
11.1 Kenya-Based Operations
Welsh Motors primarily operates from Kenya and stores data in Kenyan and regional African data centers. Some backup copies may be stored in secure international locations for redundancy.
11.2 GDPR Compliance
If you are in the EU, we comply with GDPR requirements including data processing agreements and legitimate interest assessments.
12. Children's Privacy
12.1 Age Requirement
The Platform is not intended for users under 18 years old. We do not knowingly collect data from minors.
12.2 Parental Consent
If a minor has created an account, we will delete it upon request from a parent or guardian.
13. Third-Party Links and Services
13.1 External Links
The Platform may link to external websites (Google Maps, news sites, etc.). We are not responsible for their privacy practices. Review their privacy policies separately.
13.2 Embedded Content
Embedded maps, videos, or widgets from third parties may collect data independently. Refer to their privacy policies.
14. Policy Changes
14.1 Updates
We may update this Privacy Policy at any time. Changes are effective when posted. Your continued use of the Platform constitutes acceptance of the updated policy.
14.2 Significant Changes
If changes materially affect how we use your data, we will email you at least 30 days before the effective date and allow you to opt out by deleting your account.
15. Contact & Requests
15.1 Privacy Officer
Welsh Motors Ltd Privacy Officer: sec@welsh.co.ke
15.2 Support
General inquiries: sec@welsh.co.ke
15.3 Legal Requests
Formal data requests or legal matters: sec@welsh.co.ke
15.4 Response Time
We will respond to data requests within 30 days. Complex requests may require more time.