8thMay

Privacy Policy

Last updated: 04 June 2026

PRIVACY POLICY

At Eighth May Ltd (“Eighth May”, “we”, “us”, or “our”), we are committed to protecting your personal data and respecting your right to privacy. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your personal information in connection with your use of our website and services, and in the course of our business as a manufacturer and wholesale supplier of diapers, sanitary pads, wet wipes, and personal hygiene products in Kenya.

This Policy is issued in compliance with the Data Protection Act, 2019 ("DPA 2019"), the Data Protection (General) Regulations, 2021, and the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021.

Please read this Policy carefully. If you do not agree with its terms, please discontinue your use of our website and services. This Policy should be read alongside our Terms and Conditions of Sale & Website Use.

1. Identity and Contact Details

Who is responsible for your personal data:

Company Name:  Eighth May Ltd

Registration:  Incorporated in Kenya under the Companies Act, 2015

Registered Office:  Mavoko, Kenya

Contact:  privacy@eighthmay.com

Website:  www.eighthmay.com/contact-us

Eighth May Ltd has designated a point of contact for all data protection enquiries. You may reach our data protection contact at the email address above for any queries relating to this Policy or the exercise of your rights under the DPA 2019.

2. Personal Data We Collect

We collect and process the following categories of personal data, to the extent relevant to our interactions with you:

2.1 Data You Provide to Us

       Contact and identity information: first name, last name, job title, email address, telephone number, and company name, collected when you fill out our enquiry form, register as a customer, or correspond with us

       Order and transaction data: purchase history, product preferences, delivery addresses, payment records, and correspondence relating to orders

       Marketing preferences: your consent or opt-out choices for receiving product updates, promotions, and communications from us

       Complaints and feedback: information you provide when raising a complaint, returning goods, or submitting feedback about our products (including diapers or wet wipes)

2.2 Data We Collect Automatically

       Technical data: IP address, browser type and version, operating system, device identifiers, and pages visited on our website, collected via cookies and similar technologies

       Usage data: time and date of visits, pages viewed, time spent on pages, and referring URLs

We do not intentionally collect sensitive personal data (as defined under Section 2 of the DPA 2019) such as health data, biometric data, or data concerning minors. Where any such data is inadvertently received, it will be deleted promptly.

3. Legal Basis for Processing

In accordance with Section 30 of the DPA 2019, we process your personal data only where we have a lawful basis for doing so. The legal bases we rely on are:

       Performance of a contract: processing necessary to fulfil your order, manage your account, or take steps at your request prior to entering into a contract (e.g., responding to a product enquiry)

       Legal obligation: processing necessary to comply with applicable Kenyan law, including tax obligations under the Income Tax Act (Cap. 470), VAT obligations under the Value Added Tax Act, 2013, and record-keeping requirements under the Companies Act, 2015

       Legitimate interests: processing for our legitimate business interests, such as fraud prevention, improving our website, and communicating with existing business customers about similar products, where such interests are not overridden by your rights and interests

       Consent: where you have given clear, specific, and informed consent, for example, to receive our marketing communications or newsletter. You may withdraw consent at any time without affecting the lawfulness of prior processing

4. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

       To respond to your product enquiries and provide pre-sale and after-sale customer support

       To process, confirm, and fulfil your wholesale orders for diapers, wet wipes, and related hygiene products

       To manage our ongoing business relationship, including issuing invoices, processing payments, and handling returns or complaints

       To send you product information, updates, and promotional communications where you have consented or where we have a legitimate interest in doing so as an existing customer

       To improve and personalise your experience on our website through analytics and user behaviour data

       To comply with our legal and regulatory obligations, including obligations under the Consumer Protection Act, 2012, the Standards Act, and applicable tax laws

       To detect, prevent, and investigate fraud, unauthorised access, or other harmful activities

       To maintain accurate business records as required by law

We will not use your personal data for any purpose that is incompatible with the purposes set out above without first obtaining your consent or establishing a separate lawful basis.

5. Sharing and Disclosure of Personal Data

We do not sell, rent, or trade your personal data to third parties. We may share your data only in the following limited and controlled circumstances:

       Service providers and data processors: we engage trusted third-party service providers (including logistics companies, payment processors, IT service providers, and marketing platforms) who process data on our behalf and under our instructions, bound by written data processing agreements in accordance with Section 48 of the DPA 2019

       Regulatory and legal compliance: where disclosure is required by law, court order, or a valid request from a public authority, including the Office of the Data Protection Commissioner (ODPC), the Kenya Revenue Authority (KRA), or any other competent authority

       Business transfers: in the event of a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the successor entity, and you will be notified in advance where required by law

       Professional advisors: our lawyers, auditors, and insurers, to the extent necessary for the conduct of their professional services and subject to duties of confidentiality

All third parties with whom we share data are required to process such data only for the specified purpose and in compliance with the DPA 2019 and applicable Kenyan data protection regulations.

6. International Data Transfers

Where we transfer personal data outside Kenya (for example, to cloud hosting providers or international logistics partners), we do so only in compliance with the requirements of Section 49 of the DPA 2019. Specifically, such transfers will only occur to:

       Countries or organisations that have been designated as providing an adequate level of data protection by the Cabinet Secretary responsible for data protection; or

       Recipients who have entered into appropriate contractual safeguards (including standard contractual clauses approved by the ODPC) that ensure your personal data receives protection equivalent to that required under Kenyan law

You may request details of any international data transfers and the safeguards in place by contacting our data protection contact.

7. Data Retention

We retain personal data for no longer than is necessary for the purposes for which it was collected, taking into account our legal obligations and business requirements. Our general retention periods are:

       Customer order and transaction records: seven (7) years from the date of the last transaction, in accordance with tax record-keeping requirements under the Income Tax Act and the Value Added Tax Act, 2013

       Enquiry and contact form data (non-customers): twelve (12) months from the date of the enquiry, unless the enquiry converts to a customer relationship

       Website analytics and technical data: twenty-four (24) months

       Marketing consent records: for the duration of the marketing relationship, plus three (3) years after the last interaction

       Complaints and dispute records: six (6) years from resolution, in line with applicable limitation periods under the Limitation of Actions Act (Cap. 22)

At the expiry of the applicable retention period, personal data will be securely deleted, anonymised, or archived in accordance with our internal data retention procedures. Where data is anonymised rather than deleted, the anonymised data is no longer personal data and may be retained indefinitely for analytical purposes.

8. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience and collect analytics data. Cookies are small text files stored on your device when you visit our website.

We use the following categories of cookies:

       Strictly necessary cookies: essential for the operation of the website (e.g., session management). These cannot be disabled

       Analytics cookies: used to understand how visitors interact with our website (e.g., pages visited, time on site). These are only set with your consent

       Preference cookies: used to remember your settings and choices. These are only set with your consent

On your first visit to our website, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies, consistent with your rights under the DPA 2019. You may also manage or withdraw cookie consent at any time through your browser settings or our cookie preference centre. Disabling certain cookies may affect the functionality of the website.

9. Security of Personal Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, disclosure, or destruction, in accordance with the requirements of Section 41 of the DPA 2019. These measures include:

           Encryption of data in transit using industry-standard TLS/SSL protocols

           Access controls and role-based permissions limiting access to personal data to authorised personnel only

           Regular security assessments and staff training on data protection obligations

           Physical security measures at our premises in Nairobi

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner (ODPC) within seventy-two (72) hours of becoming aware of the breach, as required under Section 43 of the DPA 2019, and will notify affected individuals without undue delay where required.

Notwithstanding the above, no method of data transmission over the internet or electronic storage is entirely secure. We cannot guarantee absolute security, and you transmit data to us at your own risk.

10. Your Data Protection Rights

Under the Data Protection Act, 2019, you have the following rights in respect of your personal data held by Eighth May Ltd:

       Right of access (Section 26): you have the right to request a copy of the personal data we hold about you and information about how it is processed

       Right to rectification (Section 27): you have the right to request correction of any inaccurate, incomplete, or misleading personal data

       Right to erasure (Section 38): you have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent, subject to overriding legal obligations

       Right to object (Section 35): you have the right to object to the processing of your personal data for direct marketing purposes or where processing is based on our legitimate interests

       Right to data portability (Section 39): you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another data controller, where technically feasible

       Right to restriction of processing (Section 36): you have the right to request that we restrict processing of your personal data in certain circumstances

       Right to withdraw consent: where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal

To exercise any of these rights, please submit a written request to our data protection contact at privacy@eightmay.com. We will respond to your request within thirty (30) days in accordance with Section 26(4) of the DPA 2019. We may request proof of identity before processing your request.

If you are unsatisfied with our handling of your request or our data protection practices, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke, in accordance with Section 56 of the DPA 2019.

11. Children’s Data

Our website and services are directed at businesses and adult individuals engaged in wholesale trade. We do not knowingly collect or process personal data of children under the age of eighteen (18) through our website.

While our manufactured products (including baby diapers and baby wet wipes) are designed for use by infants and children, the personal data we process in connection with such products relates to our business customers (distributors, retailers, and wholesalers) and not to end-consumer children or their guardians. We do not collect health or biometric data concerning infants or children in connection with our manufacturing or sales activities.

If you believe that we have inadvertently collected personal data concerning a child, please contact us immediately at privacy@eighthmay.com and we will take prompt steps to delete such data.

12. Third-Party Websites

Our website may contain links to third-party websites, including those of our logistics partners, regulatory bodies, and industry associations. Eighth May Ltd has no control over, and accepts no responsibility for, the content, privacy practices, or data handling of any third-party websites. We encourage you to review the privacy policy of any external site you visit before providing your personal data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance from the ODPC, or our business practices. When we do so, we will revise the effective date at the top of this document and, where changes are material, we will notify you by email or by a prominent notice on our website.

We encourage you to review this Policy periodically to stay informed about how we protect your personal data. Your continued use of our website or services following any update constitutes acceptance of the revised Policy.

14. Contact and Complaints

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us:

Eighth May Ltd

Email: privacy@eightmay.com

Website: www.eighthmay.com/contact-us

Nairobi, Kenya

Log in

Enter your credentials to continue

Or login with
Google

Don't have an account?

Register

Create your account to get started

Or Register with
Google

Already have an account?

Verify your email

Enter the 6-digit code we emailed you to finish creating your account.

Didn't get a code?

Reset password

Enter your email and we'll send you a reset code.

Remembered your password?

Enter reset code

Enter the 6-digit code we emailed you to reset your password.

Didn't get a code?

New password

Choose a new password for your account.