ShieldStep Limited — Registered in Kenya (PVT-A71MBLRO)
The Short Version: ShieldStep is built on a privacy-first architecture. We never read your SMS messages, we never access your M-Pesa balance or transaction history, and we never share your personal data with third parties for advertising. All financial detection happens entirely on your device.
ShieldStep Limited ("ShieldStep", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and the choices you have regarding your information.
Account Information: When you create a ShieldStep account, we collect your phone number (used for M-Pesa subscription payment verification), a chosen display name, and your subscription tier and dates.
Usage Analytics (Anonymized): We collect anonymized, aggregated statistics such as the number of interception events triggered, app open frequency, and feature usage rates. This data contains no personally identifiable information and is used solely to improve the ShieldStep product.
Device Information: We collect your device model, Android OS version, and a randomly generated device identifier for licensing and anti-fraud purposes. We do not collect your IMEI or any hardware serial numbers.
We use the information we collect to:
We will never sell, rent, or share your personal information with third-party advertisers or data brokers.
ShieldStep's core protection technology operates entirely on your device. The detection engine that monitors for gambling-related STK push requests, payment prompts, and M-Pesa transaction flows runs locally on your Android phone.
When ShieldStep detects a payment attempt directed at a gambling operator, the interception occurs on-device, in real time, without any data being sent to our servers first. Your financial activity is never logged, transmitted, or stored by ShieldStep.
Technical Note: Our blocklist (the registry of gambling operators) is downloaded to your device as an encrypted local database. Matching is performed locally. The only network request involved is the periodic fetch of blocklist updates, which contains no user data.
We want to be explicit about what ShieldStep does not do:
ShieldStep requests Device Administrator permission as a core part of its protective function. This permission is used exclusively to:
This permission does not give ShieldStep access to your data, the ability to wipe your device, or control over any other device functionality. You can revoke this permission at any time through your device's Settings → Security → Device Administrators, which will allow normal uninstallation.
We retain your account information (phone number and subscription records) for the duration of your active subscription plus 12 months thereafter, for billing dispute resolution. Anonymized analytics data is retained for up to 24 months.
Upon written request to admin@shieldstep.co.ke, we will delete all personally identifiable information associated with your account within 30 days.
Under Kenyan data protection law (the Data Protection Act, 2019) and applicable regulations, you have the right to:
To exercise any of these rights, contact us at admin@shieldstep.co.ke. We will respond within 30 days.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes via in-app notification at least 14 days before the changes take effect. Your continued use of ShieldStep after the effective date of any changes constitutes your acceptance of the revised policy.
ShieldStep Limited is registered in the Republic of Kenya (Company No: PVT-A71MBLRO, KRA PIN: P052552576N). Our designated Data Protection Officer can be reached at:
Email: admin@shieldstep.co.ke
We aim to respond to all privacy inquiries within 5 business days.