Issued under the Data Protection Act, Cap. 411C of the Laws of Kenya.
Last updated: 12 May 2026 · Effective date: 12 May 2026 · Version 2.0
This Privacy Notice explains how Sheria Smart, the operating company behind the Sheria Smart platform, collects, uses, shares, retains and protects personal data, and the rights you have in relation to that data. The Notice applies whether you access Sheria Smart through the website at sheriasmart.com or through the application at app.sheriasmart.com, and wherever you are located.
Sheria Smart is purpose built for the Kenyan public, and most of the data we process is data of Kenyan residents protected under the Data Protection Act, Cap. 411C of the Laws of Kenya. Some of our service providers operate outside Kenya, and we accordingly comply with applicable cross-border data protection requirements. Where personal data is transferred outside Kenya, we ensure appropriate safeguards are in place under the Data Protection (General) Regulations, 2021.
1.1 This Notice applies to personal data we collect through the Sheria Smart website and application, including when you read the briefings library, use the LexAI legal information assistant, complete a self representation walkthrough, subscribe to a paid tier, or contact our support team.
1.2 This Notice does not apply to third party websites we link to. We do not control their privacy practices, and we encourage you to read their notices when you visit them.
1.3 In this Notice, "we", "us", and "our" mean Sheria Smart. "You" means the natural person whose personal data is processed.
2.1 The data controller for the personal data described in this Notice is:
Sheria Smart
A legal information and self help platform
Email: support@sheriasmart.com
Website: https://sheriasmart.com
2.2 Sheria Smart is built and operated for the Kenyan public. Our service providers, including hosting and payment processing, operate across multiple jurisdictions.
2.3 You may contact us at any time at support@sheriasmart.com with any question concerning this Notice, the personal data we hold, or the exercise of the rights described in this Notice. We endeavour to respond to all enquiries within fifteen days, and in any event within the response periods required by applicable law.
3.1 We collect the categories of personal data set out below. We do not collect more than we need, and we do not collect what we do not need.
(a) Account data: where you create an account, your email address, a magic link authentication identifier, your chosen subscription tier if any, and the date your account was created.
(b) Contact data: your email address (collected when you register an account, contact our support team or subscribe to our newsletter or briefings) and, where applicable, your telephone number (collected for account verification and security communications).
(c) Usage data: anonymous information about how you use the platform, including the pages you visit, the briefings you read, the duration of your visits and the application screens you open. We use this data for product analytics, and we do not link it to your identity unless you are logged in.
(d) LexAI interaction data: the legal questions you ask LexAI and the answers we return. This data is stored on your own device under the conversation history feature described at section 6 below; it is not stored on our servers except for transient processing during the generation of an answer.
(e) Technical data: the internet protocol address, browser type, device type, operating system and approximate geographic region (city or country level) of the device you use to access the platform. We collect this data automatically through standard server logs.
(f) Communication data: the content of any email, message or feedback you send to our support team.
(g) Payment metadata: the fact that a payment was attempted or completed, the amount, the currency, the time, the transaction reference and the payment channel. We do not store, process or have access to your full payment card number, card verification value (CVV), or card expiry. Card payments are processed by a licensed payment processor (Stripe) that is PCI DSS Level 1 certified; the processor sees the card data, not us.
(h) Cookies and similar technologies: see section 13 below.
3.2 Sensitive personal data. Some of the legal questions you ask LexAI, or the legal scenarios you describe in our self representation walkthroughs, may reveal information that is treated as sensitive personal data under one or more applicable laws. Examples include criminal allegations, immigration status, family disputes, employment grievances, health matters, religious affiliation, or sexual orientation. Where this is the case, we treat the data with heightened care: such data is processed only on your device for conversation history purposes, is not stored on our servers in identifiable form, and is not shared with any third party for any purpose other than the immediate generation of an answer by our artificial intelligence provider. You may at any time clear your conversation history using the controls described at section 6.
4.1 We process personal data for the following purposes, and only for these purposes:
(a) To operate the platform, including authenticating users, serving content, generating LexAI answers, processing payments where applicable, and providing customer support.
(b) To improve the platform, including understanding usage patterns through anonymous analytics, identifying common questions for which the briefings library can be expanded, and refining the prompts that guide LexAI.
(c) To communicate with you, including delivering magic link authentication codes, sending receipts for paid subscriptions, responding to support enquiries, and (where you have specifically subscribed) sending briefings or product updates by email.
(d) To comply with legal obligations, including responding to lawful requests from regulatory authorities, retaining records required by law, and defending against legal claims.
(e) To protect the platform and our users, including detecting and preventing fraud, abuse, security incidents and violations of our Terms of Use.
4.2 We do not use personal data for any of the following purposes: targeted advertising; the sale or sharing of personal data for cross context behavioural advertising; profiling that produces legal or similarly significant effects concerning you; the training of artificial intelligence systems on identifiable personal data; or any purpose materially incompatible with the purposes set out above.
5.1 For users in Kenya, we rely on the following lawful bases under section 30 of the Data Protection Act, Cap. 411C of the Laws of Kenya:
(a) Performance of a contract: where the processing is necessary to provide you with the platform you have requested, including authenticating your account, processing your subscription and delivering LexAI answers.
(b) Consent: where you have given consent to a specific processing activity such as subscribing to the briefings newsletter or enabling optional cookies.
(c) Legitimate interest: where the processing is necessary to operate, secure and improve the platform, in a manner that is proportionate to the purpose and respectful of your interests, rights and freedoms.
(d) Legal obligation: where we are required by law to process the data, including responding to lawful regulatory requests and retaining records required by tax or accounting law.
5.2 For users outside Kenya, we limit our processing to purposes that are reasonable, transparent, and consistent with the categories disclosed in this Notice, in compliance with applicable data protection law of the user's jurisdiction.
6.1 What is stored. When you ask LexAI a question and receive an answer, your device stores the question and the answer locally in your browser, using a technology called localStorage. This allows you to view your past conversations under the History panel within the LexAI screen. The platform keeps only the most recent fifty conversations on your device; older ones are automatically removed.
6.2 What is not stored. Your conversation history is not transmitted to Sheria Smart, is not stored on any server we operate, and is not accessible to us, to any other user, or to any third party.
6.3 How to delete it. You may delete your conversation history at any time using the Clear all button at the bottom of the History panel. Clearing your browser data, switching to private or incognito browsing, switching to a different device, or uninstalling the application will also remove it. We cannot recover deleted history.
6.4 Export. You may export your conversation history as a plain text file using the Export button. The exported file is generated on your device and downloaded directly to your device. It is not transmitted through our servers.
6.5 Future cross device sync. We may, in a future version of the platform, offer logged in subscribers an optional facility to synchronise their conversation history across devices. Where we offer such a facility, it will be strictly opt in, accompanied by a specific consent step under section 30(1)(a) of the Data Protection Act, Cap. 411C of the Laws of Kenya, and described in a future revision of this Notice before it takes effect. Until then, no conversation history leaves your device.
7.1 We share personal data only with the following categories of recipients, and only to the extent necessary for the purposes described at section 4:
(a) Anthropic, PBC, an artificial intelligence company that provides the language model that powers LexAI. We send LexAI queries to Anthropic for the limited purpose of generating an answer. Anthropic processes the query under its own privacy commitments and does not use Sheria Smart user queries to train its models.
(b) A licensed third party payment processor, for the processing of card payments and the receipt of subscription fees.
(c) Our hosting provider Cloudflare, Inc., for the technical operation of the website and the application.
(d) Email service providers, for the delivery of magic link authentication codes, transactional receipts, and any newsletter you have opted in to.
(e) Professional advisers, including our accountants and lawyers, where they need access to personal data to provide their services to us, under strict confidentiality obligations.
(f) Government and regulatory authorities, where we are required by law to disclose personal data in response to a lawful request.
(g) Acquirers or successors, in the event of a sale, merger, reorganisation or similar transaction affecting Sheria Smart, subject to the acquirer or successor agreeing to honour this Notice.
7.2 We do not sell personal data. We do not share personal data for cross context behavioural advertising. We do not lease, rent or otherwise commercially distribute personal data to third parties.
8.1 Because our service providers are located across multiple jurisdictions, the personal data we collect is transferred to, and processed in, countries other than the country where you are located. For users in Kenya, this means that your personal data may be transferred to and processed in jurisdictions where our service providers operate.
8.2 For transfers from Kenya, we rely on the lawful transfer mechanisms set out in section 48 of the Data Protection Act, Cap. 411C, including your consent where required, the necessity of the transfer for the performance of a contract with you, and the adoption of appropriate safeguards. We commit to ensuring that any cross border transfer of personal data is subject to a level of protection at least equivalent to that provided by the Act.
8.3 European Economic Area and United Kingdom users. We do not target the European Economic Area or the United Kingdom within the meaning of Article 3(2) of Regulation (EU) 2016/679 (the General Data Protection Regulation) or the United Kingdom GDPR. Where, exceptionally, those regulations apply to a particular processing activity by reason of our offering services to a person in the EEA or monitoring their behaviour in the EEA, you may exercise the rights conferred by Articles 13 to 22 of the GDPR by contacting support@sheriasmart.com, and you may lodge a complaint with the supervisory authority in the EEA Member State of your habitual residence, place of work, or the place of the alleged infringement.
9.1 We retain personal data only for as long as necessary for the purposes set out at section 4, and in accordance with the retention principles in section 39 of the Data Protection Act, Cap. 411C and equivalent principles in any other applicable data protection law.
9.2 Specific retention periods:
(a) Account data: for the duration of your account, plus thirty days after closure to allow recovery in case of accidental deletion. After this period, account data is permanently deleted or anonymised.
(b) Subscription and payment metadata: for seven years after the relevant transaction, in compliance with applicable tax and accounting record retention requirements.
(c) Server logs containing technical data: for ninety days, after which the logs are permanently deleted.
(d) Communication data from support enquiries: for two years from the date of the last communication, after which it is permanently deleted.
(e) LexAI conversation history: stored only on your device and retained until you clear it (see section 6).
9.3 Where we are required by law to retain personal data for longer than the periods set out above (for example, in connection with litigation, regulatory investigation or legal hold), we will retain it only for the period required, after which it will be permanently deleted.
10.1 You have rights in relation to your personal data. The rights you can exercise depend on the law that applies to you. We honour every right that applies to you under any applicable law, regardless of which law gives you the right.
10.2 The following rights are generally available to you, with cross references to the specific laws that provide each right:
(a) Right to be informed about the processing of your personal data. This Notice fulfils that right. Provided by section 29 of the Data Protection Act, Cap. 411C.
(b) Right of access to the personal data we hold about you. Provided by sections 26 and 34 of the Data Protection Act.
(c) Right to correction of inaccurate or incomplete personal data. Provided by section 26(c) of the Data Protection Act; LexAI is an information assistant, not a decision maker.
(j) Right to lodge a complaint with a supervisory authority. See section 19 below.
11.1 You may exercise any right described at section 10 by sending an email to support@sheriasmart.com with the subject line Data subject rights request. We will:
(a) acknowledge receipt of your request within seven days;
(b) verify your identity using information already held against your account, or by asking for documentation reasonably necessary to confirm that you are the person whose data is the subject of the request;
(c) respond substantively within thirty days of verification, or within the time required by any other data protection law applicable to you;
(d) where we cannot meet your request, explain the reasons clearly and inform you of your right to appeal our decision and to lodge a complaint with the supervisory authority that protects your data.
11.2 Right of appeal. If we refuse to act on a request, you have the right to appeal our decision. To appeal, reply to our refusal email with the subject line Appeal of data subject rights decision. We will respond to your appeal within sixty days of receipt, in compliance with appeal procedures required by applicable laws.
12.1 We implement reasonable administrative, technical and physical safeguards to protect personal data from unauthorised access, disclosure, alteration or destruction. These safeguards include encryption of data in transit using Transport Layer Security version 1.2 or higher, encryption of data at rest where stored on our hosting provider's infrastructure, multi factor authentication for administrative access to our systems, access controls based on the principle of least privilege, regular security reviews, and a documented incident response procedure.
12.2 No security measure is perfect. If, despite these measures, we discover an actual or suspected breach of security affecting your personal data, we will:
(a) assess the nature, scope, severity and likely consequences of the breach;
(b) where the breach is likely to result in a real risk to your rights and freedoms, notify you without undue delay and in any event within seventy two hours of discovery, in accordance with section 43 of the Data Protection Act, Cap. 411C;
(c) notify the Office of the Data Protection Commissioner of Kenya where required by section 43 of the Act;
(d) notify any other regulatory authority where required by applicable breach notification law, including Tex. Bus. and Com. Code, section 521.053;
(e) document the breach, the response and the lessons learned.
13.1 We use a minimal set of technologies to operate the platform:
(a) Strictly necessary cookies and tokens: used to authenticate your session if you are logged in, to remember your language preference, and to enable basic platform functions. These cannot be disabled without breaking the platform.
(b) localStorage: used to store your LexAI conversation history on your own device (see section 6). This is not a cookie and is not transmitted to us.
(c) Privacy respecting analytics: we use Cloudflare Web Analytics, which is a cookieless, privacy preserving analytics product that does not track individual users or build behavioural profiles.
13.2 We do not use third party advertising cookies, behavioural tracking pixels, cross site tracking technologies, fingerprinting, session replay tools, or any other technology designed to identify or profile you across the web. We do not honour the global privacy control signal because there is nothing for it to limit; we do not sell or share data for advertising purposes in any case.
14.1 The platform is intended for adults, that is, persons of the age of majority in their place of residence. For users in Kenya, this means persons who have attained the age of eighteen years (Article 260 of the Constitution of Kenya, 2010; Children Act, No. 29 of 2022). For users in jurisdictions where the age of majority is eighteen years, this means persons who have attained that age, or the higher age applicable in their state of residence.
14.2 We do not knowingly collect personal data from any child under the age of thirteen, in compliance with internationally recognised standards for protecting children online. If we become aware that we have inadvertently collected personal data from a child under thirteen, we will delete that data without undue delay.
14.3 We do not knowingly collect personal data from any child under the age of eighteen without verified parental consent. If you are aware that a child has provided personal data to us, please notify us at support@sheriasmart.com and we will take appropriate action.
16.1 If you access Sheria Smart from a jurisdiction outside Kenya, your local data protection law may give you additional rights beyond those listed at section 10. We honour any right that applies to you under any data protection law applicable to your location.
16.2 To exercise jurisdiction specific rights, contact support@sheriasmart.com with the subject line Data subject rights request and identify the jurisdiction whose law you are relying upon. We will respond within the timeframe required by that law.
17.1 If you are a Kenyan resident, this section supplements the rights described at section 10 with the specific procedures provided by the Data Protection Act, Cap. 411C of the Laws of Kenya.
17.2 Right to lodge a complaint with the Office of the Data Protection Commissioner. Where you consider that our processing of your personal data infringes the Act, you may at any time lodge a complaint with the Office of the Data Protection Commissioner of Kenya:
Office of the Data Protection Commissioner
Britam Tower, 12th Floor
Hospital Road, Upper Hill
Nairobi, Kenya
Telephone: +254 20 780 1800
Email: info@odpc.go.ke
Website: https://www.odpc.go.ke
17.3 Compliance with the Act. We commit to compliance with the substantive requirements of the Act, including the data processing principles in section 25, the rights of data subjects in sections 26 to 41, the obligations of controllers in sections 41 to 45, and the cross border transfer requirements in sections 48 and 49.
17.4 Registration of the controller. Sheria Smart is not currently registered with the Office of the Data Protection Commissioner because it does not maintain an establishment in Kenya and the volume of personal data processed does not meet the registration thresholds set out in the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. We monitor our processing volume and we will register if and when registration becomes mandatory.
18.1 We may update this Notice from time to time to reflect changes in our practices, applicable law or industry standards. The current version of the Notice is always available at https://sheriasmart.com/privacy.html, dated with the version number and effective date.
18.2 Where a change to the Notice is material, we will notify you in advance of the change taking effect, either by email (if you have a registered account with us) or by a prominent notice on the platform. Material changes include, without limitation, changes to the categories of personal data we collect, the purposes of processing, the lawful bases relied on, the categories of recipients, and your rights.
19.1 If you have any question concerning this Notice, the personal data we hold, the exercise of your rights, or any other matter relating to our processing of personal data, please contact us:
Privacy enquiries
Email: support@sheriasmart.com
Subject line: Privacy enquiry
19.2 We will respond to your enquiry within fifteen days, and in any event within the response periods required by applicable law.