AuctionsDuka Privacy Policy

Updated April 22, 2026

This Privacy Policy explains how AuctionsDuka, operated by NCBA Leasing LLP (“AuctionsDuka,” “we,” “us,” or “our”), a subsidiary of NCBA Group PLC, collects, uses, shares, retains, and protects your personal data when you access or use the AuctionsDuka platform (auctionsduka.co.ke and the AuctionsDuka mobile applications on iOS and Android).

This policy is issued in accordance with the Data Protection Act, No. 24 of 2019 (the “DPA”), the Data Protection (General) Regulations, 2021, and any related orders or guidance issued by the Office of the Data Protection Commissioner (“ODPC”). It should be read alongside our Terms and Conditions, which govern your use of the platform.

We encourage you to read this policy carefully. If you have questions, please contact us at hello@auctionsduka.co.ke or our Data Protection Officer at dpo@ncbagroup.com.

1. Who We Are and How to Contact Us

1.1 Data Controller

NCBA Leasing LLP (trading as AuctionsDuka) is the Data Controller for personal data collected through the AuctionsDuka platform. NCBA Leasing LLP is a limited liability partnership registered in Kenya, and a subsidiary of NCBA Group PLC.

Legal entity: NCBA Leasing LLP
Trading name: AuctionsDuka
Registered address: NCBA Centre, Mara Road, Upper Hill, P.O. Box 44599-00100, Nairobi, Kenya
General support: hello@auctionsduka.co.ke
Data Protection Officer: dpo@ncbagroup.com
ODPC Registration No.: [Insert Registration Number]

1.2 Data Protection Officer

We have appointed a Data Protection Officer (DPO) as required under the DPA and the Data Protection (General) Regulations, 2021. The DPO's contact details are published on our platform and registered with the ODPC. The DPO can be contacted at dpo@ncbagroup.com for any data protection queries, requests, or complaints.

2. Scope of This Policy

This Privacy Policy applies to all personal data processed by AuctionsDuka in connection with:

  • (a) your use of the AuctionsDuka website and mobile applications;
  • (b) your registration and maintenance of an AuctionsDuka Account;
  • (c) your creation of, or participation in, auction listings and bids;
  • (d) your use of BidwizAI, the Auction Calculator, and other platform tools;
  • (e) your interaction with the Financial Services Hub referral channel;
  • (f) communications between you and AuctionsDuka (email, chat, support); and
  • (g) your linked access to other Duka Marketplaces platforms (CarDuka, PropertyDuka, GrowDuka, PartnerDuka) under the single sign-on framework.

This policy does not cover the data practices of third parties linked to or featured on the platform, including NCBA Bank Kenya PLC, licensed auctioneers, or any auction counterparties. Those parties operate under their own privacy policies.

3. Personal Data We Collect

3.1 Data You Provide Directly

We collect personal data that you actively provide to us, including:

  • (a) Registration data — full name, date of birth, email address, phone number, and physical address provided when creating an Account.
  • (b) Identity verification data — National ID number, passport number, or other government-issued identity document number, submitted for IPRS verification.
  • (c) KRA PIN — collected where required for tax compliance purposes in connection with platform activity.
  • (d) Listing data — item descriptions, photographs, pricing, condition reports, and other content you upload when creating an auction listing.
  • (e) Communications — messages sent through the platform's enquiry system, support tickets, chatbot interactions, and feedback you submit.
  • (f) Business documentation — for corporate sellers, company registration documents, tax compliance certificates, and auctioneer licences where applicable.

3.2 Data We Collect Automatically

When you access and use the platform, we automatically collect:

  • (a) Device and technical data — IP address, browser type and version, operating system, device identifiers, app version, and network information.
  • (b) Usage data — pages visited, auction listings viewed, bids placed, features used, time spent on the platform, click paths, and session duration.
  • (c) Location data — GPS coordinates (where you grant location permission on the mobile app) and IP-based approximate geolocation.
  • (d) Cookie and tracking data — data collected through cookies and similar technologies as described in Section 10.

3.3 Data We Receive from Third Parties

We may receive personal data about you from the following third-party sources:

  • (a) IPRS (Integrated Population Registration System) — identity validation data returned in response to verification requests you initiate.
  • (b) Other Duka Marketplaces platforms — where you have an existing verified account on CarDuka, PropertyDuka, GrowDuka, or PartnerDuka, we may receive your SSO profile, verification status, and trust/reputation scores under the cross-platform data sharing framework described in Section 6.
  • (c) NCBA Bank Kenya PLC — where you use the Financial Services Hub referral channel, NCBA Bank may share limited data with us confirming referral outcomes for accounting and reconciliation purposes.

3.4 Data We Do Not Collect

AuctionsDuka does not collect, hold, or process financial transaction data — including bank account numbers, M-PESA numbers, mobile money transaction records, or payment histories. All Transactions are concluded directly between Users outside the platform. AuctionsDuka does not process payment card data. We do not process sensitive personal data (health, biometric, or genetic data) except where a User voluntarily includes such data in a support query, in which case it is used solely to respond to that query.

4. How and Why We Use Your Personal Data

We only process your personal data where we have a lawful basis to do so under Section 30 of the DPA. The table below sets out each processing purpose, the personal data involved, and the lawful basis relied upon.

Purpose | Data Used | Lawful Basis
Account registration and management | Registration data, contact data, identity verification data | Contract
Identity verification via IPRS | National ID / passport number, phone number | Contract; Legal obligation
Displaying your auction listings to other Users | Listing data, contact data | Contract
Facilitating bids and enquiries between Buyers and Sellers | Communication data, contact data | Contract
Fraud detection and platform security | All data categories | Legitimate interest
Improving platform features and performance | Usage data, device data (aggregated/anonymised) | Legitimate interest
BidwizAI responses and recommendations | Search queries, usage data, listing data | Contract; Legitimate interest
Financial Services Hub referral tracking | Account ID, referral outcome | Legitimate interest
Sending transactional communications (e.g. bid alerts, account notifications) | Contact data | Contract
Sending marketing communications | Contact data, usage data | Consent
Cross-platform personalisation (Duka Ecosystem) | Verification status, trust scores | Consent (optional)
Compliance with legal and regulatory obligations | Identity data, verification data, communications | Legal obligation
Responding to ODPC, law enforcement, or court orders | All relevant data | Legal obligation

6. Who We Share Your Data With

6.1 Within the Duka Marketplaces Ecosystem

AuctionsDuka is part of the Duka Marketplaces Ecosystem operated by NCBA Leasing LLP. Your personal data may be shared across other Duka Marketplace platforms (CarDuka, PropertyDuka, GrowDuka, PartnerDuka) in two tiers:

  • (a) Non-negotiable sharing — single sign-on (SSO) authentication, IPRS verification status, and security and fraud flags. This sharing is necessary for the performance of your contract with us and does not require separate consent.
  • (b) Consent-based sharing — cross-platform personalisation, trust and reputation scores, and targeted recommendations across the Ecosystem. This sharing requires your separate explicit opt-in consent, managed through your Account settings.

6.2 NCBA Group Entities

As a subsidiary of NCBA Group PLC, NCBA Leasing LLP may share limited personal data with the following NCBA Group entities, strictly for the purposes set out below:

  • (a) NCBA Bank Kenya PLC — for processing referrals through the Financial Services Hub for asset financing, personal loans, and business loans (account identifier and referral event only);
  • (b) NCBA Bancassurance — for processing referrals through the Financial Services Hub for insurance products (account identifier and referral event only); and
  • (c) all NCBA Group entities listed above — for group-level fraud prevention, risk management, and regulatory compliance.

All NCBA Group entities are bound by the NCBA Group's data protection policies and applicable Kenyan law. No data is shared with any NCBA Group entity for their independent marketing purposes without your separate consent.

6.3 Service Providers and Data Processors

We engage third-party service providers who process personal data on our behalf as Data Processors under written data processing agreements. These include:

  • (a) cloud hosting and infrastructure providers (servers located in Kenya in compliance with Section 50 of the DPA);
  • (b) identity verification services (IPRS integration);
  • (c) analytics and platform performance tools;
  • (d) customer support and communications platforms; and
  • (e) AI and machine learning infrastructure providers (for BidwizAI and recommendation systems).

All Data Processors are subject to written contracts that restrict their use of your data to the specific services they provide to AuctionsDuka and require them to implement appropriate security measures.

6.4 Regulatory and Law Enforcement Authorities

We may disclose your personal data to the ODPC, the Competition Authority of Kenya, the Kenya Revenue Authority, the Central Bank of Kenya, law enforcement agencies, or courts where:

  • (a) we are legally required to do so;
  • (b) we are responding to a valid court order or subpoena;
  • (c) disclosure is necessary to prevent or detect crime or fraud; or
  • (d) disclosure is necessary to protect the vital interests of any person.

We will notify you of any such disclosure unless we are legally prohibited from doing so or where doing so would compromise an ongoing investigation.

6.5 Auction Transaction Counterparties

When you place a bid or make an enquiry about a listing, your contact information (name, phone number, and email address) may be shared with the relevant Seller or auctioneer to enable them to contact you in connection with the transaction. This sharing is necessary for the performance of the service you have requested. Once your contact details are shared, their subsequent use is governed by that party's own data practices, not this policy.

6.6 What We Will Never Do

  • sell your personal data to third parties;
  • share your data with advertisers for targeted advertising on third-party platforms;
  • share your personal data with NCBA Group entities for their independent marketing without your consent; or
  • use your data for purposes that are incompatible with those described in this policy without first notifying you and obtaining any required consent.

7. Cross-Border Data Transfers

AuctionsDuka primarily stores and processes personal data in Kenya. We are committed to maintaining at least one serving copy of your personal data on a server or data centre located in Kenya, as required by Section 50 of the DPA.

In the event that any personal data is transferred to, or processed by service providers in, a country outside Kenya, we will ensure that:

  • (a) the recipient country provides adequate data protection safeguards as determined by the ODPC, or we have put in place appropriate safeguards such as binding corporate rules or standard data protection clauses;
  • (b) any such transfer is documented and, where required, notified to the ODPC; and
  • (c) for transfers of Sensitive Personal Data outside Kenya, your explicit consent is obtained in advance.

8. How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.

Category | Retention Period | Basis
Identity & verification data (IPRS) | Duration of account + 7 years | CBK/AML regulatory obligation
Contact information | Duration of account + 2 years | Contractual necessity; legitimate interest
Listing and bid records | Duration of account + 3 years | Legitimate interest; legal claims
Communication data (messages, support) | 2 years from last interaction | Legitimate interest; dispute resolution
Device and technical / cookie data | 13 months from collection | Legitimate interest (analytics)
Location data | 12 months from collection | Legitimate interest (platform features)
Consent records | Duration of account + 3 years | Legal obligation (demonstrating consent)
Data breach records | 5 years from incident | Legal obligation (ODPC reporting)

When your Account is closed, we will delete or anonymise your personal data within ninety (90) days, except where we are required to retain it by law or where it is necessary for the resolution of outstanding disputes or legal claims.

9. Your Data Protection Rights

Under Section 26 of the DPA and the Data Protection (General) Regulations, 2021, you have the following rights in respect of your personal data. All requests should be submitted to hello@auctionsduka.co.ke or dpo@ncbagroup.com. We will respond within thirty (30) days. There is no fee for exercising your rights.

9.1 Right of Access

You have the right to request a copy of the personal data we hold about you, together with information about how it is processed, the categories of data held, who it has been shared with, and the retention period applicable.

9.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most of your personal data directly through your Account settings. For data that cannot be updated self-service (such as IPRS-verified identity data), contact us and we will process the correction within thirty (30) days.

9.3 Right to Erasure

You have the right to request deletion of your personal data where:

  • (a) the data is no longer necessary for the purpose for which it was collected;
  • (b) you withdraw consent and no other lawful basis for processing exists;
  • (c) you object to processing and there are no overriding legitimate grounds; or
  • (d) the data has been unlawfully processed.

We will process erasure requests within thirty (30) days. Where legal retention obligations prevent full erasure, we will inform you of the specific obligation and when the data will be deleted.

9.4 Right to Restrict Processing

You have the right to request that we restrict processing of your personal data while a dispute about its accuracy, lawfulness, or our legitimate grounds for processing is being resolved.

9.5 Right to Data Portability

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another data controller.

9.6 Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interest as our lawful basis. You have an unconditional right to object to processing for direct marketing purposes at any time.

9.7 Rights in Relation to Automated Decision-Making

Where AuctionsDuka uses automated systems (including BidwizAI and fraud detection algorithms) to make decisions that significantly affect you, you have the right to:

  • (a) be informed that the decision was made by an automated system;
  • (b) request a human review of the decision; and
  • (c) contest the decision and provide your own representations.

No decision with a legal or similarly significant effect on your access to the platform will be made solely by automated means without the possibility of human review.

9.8 Rights of Minors

AuctionsDuka is not directed at persons under eighteen (18) years of age. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data, we will promptly delete it. If you believe a minor has registered on our platform, please notify us at hello@auctionsduka.co.ke.

9.9 How to Exercise Your Rights

To exercise any of the above rights, contact us at hello@auctionsduka.co.ke or dpo@ncbagroup.com with the subject line "Data Subject Rights Request." We may need to verify your identity before processing your request. If you are not satisfied with our response, you have the right to lodge a complaint with the ODPC at www.odpc.go.ke.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the platform, remember your preferences, and improve your experience. For a full breakdown of the cookies we use, the purposes they serve, and how to manage them, please read our Cookie Policy.

When you first access the platform you will be presented with a cookie consent banner. You may change your preferences at any time through your browser settings or the cookie preference centre in the platform footer.

11. AI and Automated Processing

AuctionsDuka uses artificial intelligence in the following ways:

  • (a) BidwizAI — a conversational assistant that uses your search queries and platform activity to help you discover auctions, learn to bid, and manage listings. BidwizAI outputs are informational only and do not constitute professional advice.
  • (b) Listing recommendations — algorithms that surface auction listings relevant to your stated preferences and browsing behaviour.
  • (c) Fraud and anomaly detection — automated monitoring of platform activity to identify suspicious behaviour, fraudulent listings, or security threats.
  • (d) Trust and reputation scoring — where applicable, automated assessments of User behaviour patterns to generate platform trust scores.

We do not use your personal data to train AI models for purposes outside of the platform services described in this policy. We do not share your data with third-party AI providers for their own model training.

12. How We Protect Your Data

As a platform operated within the NCBA Group, AuctionsDuka applies banking-grade information security standards. Our security measures include:

  • (a) Encryption — all personal data is encrypted in transit using TLS 1.2 or higher, and encrypted at rest using AES-256 or equivalent.
  • (b) Access controls — personal data is accessible only to NCBA Leasing LLP staff and authorised Data Processors who require it for their specific role, governed by role-based access controls and the principle of least privilege.
  • (c) Authentication — platform accounts are protected by multi-factor authentication options and IPRS-verified identity.
  • (d) Security audits — we conduct regular security assessments, penetration testing, and vulnerability scanning.
  • (e) Staff training — all staff with access to personal data receive regular data protection and information security training.
  • (f) Incident response — we maintain a documented data breach response plan aligned with the 72-hour ODPC notification requirement.

No internet-based platform can guarantee absolute security. While we implement robust measures, you should also protect your Account — use a strong PIN, do not share your credentials, and log out after each session on shared devices.

13. Data Breach Notification

In the event of a personal data breach, we will:

  • (a) notify the ODPC within seventy-two (72) hours of becoming aware of the breach, in accordance with Section 43 of the DPA;
  • (b) notify affected Users in writing within a reasonably practicable period where the breach is likely to result in a high risk to their rights and freedoms; and
  • (c) provide affected Users with a description of the breach, the likely consequences, the measures taken or proposed to address it, and the contact details of our DPO.

14. Children's Privacy

AuctionsDuka is not intended for use by persons under eighteen (18) years of age. We do not knowingly collect personal data from children. Our IPRS-based identity verification provides an additional safeguard against underage registration.

If you are a parent or guardian and believe your child has created an Account, please contact us immediately at hello@auctionsduka.co.ke. We will delete the Account and all associated personal data promptly upon verification.

15. Third-Party Links and Services

The AuctionsDuka platform contains links to, or integrations with, third-party websites and services, including NCBA Bank Kenya PLC's financing portals and any other external resources referenced on the platform.

Once you click through to a third-party site or service, this Privacy Policy no longer applies. AuctionsDuka is not responsible for the data practices of third parties, including auction counterparties, sellers, or financial service providers, even where they are featured on or linked from the platform.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will:

  • (a) publish the updated policy on the platform with a revised effective date;
  • (b) notify you of material changes by email and via an in-platform notification at least thirty (30) days before they take effect; and
  • (c) where a material change requires new consent, present a fresh consent request before the change takes effect.

17. Contact Us and How to Complain

If you have any questions about this Privacy Policy, wish to exercise your data rights, or wish to make a complaint, please contact us using the details below.

General Support: hello@auctionsduka.co.ke
Data Protection Officer: dpo@ncbagroup.com
Registered Address: NCBA Leasing LLP, c/o NCBA Group PLC, NCBA Centre, Mara Road, Upper Hill, P.O. Box 44599-00100, Nairobi, Kenya
ODPC (regulator): www.odpc.go.ke | Britam Towers, 12th Floor, Hospital Road, Upper Hill, Nairobi

If you are not satisfied with our response to a complaint, you have the right to escalate the matter to the ODPC. You also have the right to seek compensation through the courts for any damage suffered as a result of a breach of the DPA.

© 2026 AuctionsDuka (NCBA Leasing LLP, a subsidiary of NCBA Group PLC). All rights reserved.