ParcelPoint

Privacy Policy

Last updated: 28 May 2026

This Privacy Policy describes how Squared (“Squared”, “we”, “us”, or “our”), trading as ParcelPoint, collects, uses, and protects personal data in connection with the ParcelPoint smart locker network, the ParcelPoint mobile application, the partner web portal, and related services (together, the “Service”).

Who we are

Squared is the operator of ParcelPoint in Kenya and the data controller for personal data processed in connection with the Service. You can contact us at hello@squared.co.ke.

Scope

This Policy applies to:

  • Consumers who collect or deposit parcels at a ParcelPoint locker, or who make a booking through this website.
  • Operators of the Service — partner organisations, their staff, couriers, and Squared employees — who use the ParcelPoint mobile application or web portal.

Personal data we collect

When you make a booking or use a locker

  • Phone number (used for M-PESA payment, SMS pickup codes, and recipient identification).
  • Email address, if you provide one.
  • Locker location, parcel size, drop-off and pickup timestamps, and the access codes associated with your parcel.
  • M-PESA transaction reference and amount.

When you hold an operator account

  • Email address, name, and role within your organisation.
  • Authentication artefacts: magic-link tokens, session refresh tokens, and — where multi-factor authentication is enabled — TOTP secrets.
  • Audit-log records of sign-in activity and administrative actions.
  • For couriers and logistics users: trip identifiers, parcel scans, and locker interaction events.

For all visitors

  • IP address, user-agent, and approximate device information, retained for security, abuse prevention, and audit.
  • Storage strictly necessary to keep you signed in and to remember your theme preference. We do not use third-party advertising cookies.

We do not knowingly collect personal data from children under 18.

Lawful basis for processing

We process personal data on the following bases under the Kenya Data Protection Act, 2019, and, where applicable, the GDPR:

  • Performance of a contract — to authenticate you, hold or release your parcel, and process payments.
  • Legitimate interests — to secure the Service, prevent abuse, audit administrative actions, and improve reliability.
  • Legal obligation — to retain payment and tax records as required by law.
  • Consent — where applicable, for any communications you opt in to. We do not currently send marketing emails.

How we share personal data

We share personal data only as needed to provide the Service:

  • Safaricom (M-PESA) — to initiate and complete payments.
  • Partner organisations — your phone number and parcel details are visible to the partner whose locker reservation you interact with.
  • Hosting and infrastructure providers — including Vercel (this website) and alwaysdata (production application and database). These providers process data on our instructions.
  • Law enforcement and regulators — when required by valid legal process.

We do not sell personal data.

International transfers

The Service is hosted partially outside Kenya. Where personal data is transferred internationally we rely on the hosting provider’s standard safeguards. Contact us if you have questions about a specific transfer.

Retention

  • Active operator accounts: for as long as the account is active. On deletion or deactivation, identifying fields are removed; certain records (audit logs, payment records) are retained for periods required by law or for legitimate security purposes.
  • Consumer parcel records: retained for the period needed to operate the locker network, settle disputes, and meet payment-related obligations.

Your rights

Under the Kenya Data Protection Act, 2019 (and the GDPR where it applies to you), you may:

  • Request a copy of the personal data we hold about you.
  • Ask us to correct inaccurate data.
  • Ask us to erase your data, subject to legal exceptions.
  • Object to or restrict processing in certain cases.
  • Lodge a complaint with the Office of the Data Protection Commissioner of Kenya, or the supervisory authority in your country of residence.

To exercise any of these rights, email hello@squared.co.ke. We will respond within the timeframe set by applicable law (typically 30 days).

To delete your account, see our account-deletion page.

Security

We use transport-layer encryption for traffic to and from the Service, role-based access controls for administrative actions, multi-factor authentication for administrator accounts, and audit logging of sensitive operations.

Changes to this Policy

We may update this Policy from time to time. The “Last updated” date above indicates when changes were last made.

Contact

Squared — hello@squared.co.ke

Back to ParcelPoint