Privacy Policy
1. Who We Are
SecureZaidi Ltd ("SecureZaidi", "we", "us", "our") is a cybersecurity and data protection compliance consultancy based in Nairobi, Kenya. We help small and medium-sized enterprises achieve compliance with the Data Protection Act, 2019 (the "DPA"), reduce risk, and build resilient security cultures.
For the personal data described in this notice, SecureZaidi is the data controller within the meaning of the DPA. You can reach us about anything in this notice at [email protected].
2. Scope of This Notice
This notice explains how we handle personal data belonging to visitors to our website, people who contact us or subscribe to our updates, representatives of our clients and prospective clients, and our suppliers. It does not cover personal data we process on behalf of our clients in the course of delivering our services — see section 4 below.
3. Personal Data We Collect
- Contact and enquiry data — name, email address, organisation, and the content of your message, when you contact us via our website, by email, or by phone
- Business relationship data — names, job titles, and business contact details of client and supplier representatives, and records of our engagements
- Subscription data — your email address and preferences, if you subscribe to our security insights and updates
- Website usage data — IP address, browser type, device information, and pages visited, collected automatically when you browse our website (see our Cookie Policy)
We collect this data directly from you. We do not collect sensitive personal data (as defined in section 2 of the DPA) through our website, and we ask that you do not send it to us unsolicited.
4. Data We Process on Behalf of Clients
In delivering compliance and security services, we may handle personal data contained in client systems and documents (for example, during a compliance gap assessment). For that data, our client is the data controller and SecureZaidi acts as a data processor on the client's documented instructions, under a written engagement agreement with appropriate confidentiality and security obligations. Questions about that data should be directed to the relevant client; we will assist them in responding.
5. How and Why We Use Your Data
We process personal data only where the DPA permits it, namely:
- To perform a contract with you — delivering our services, managing engagements, and billing
- With your consent — sending you security insights and marketing updates; you may withdraw consent at any time, and every email we send includes an unsubscribe option
- To comply with legal obligations — including tax, accounting, and our own obligations under the DPA
- For our legitimate interests — responding to enquiries, maintaining the security of our website and systems, and developing our business, where those interests are not overridden by your rights
6. Sharing Your Data
We do not sell personal data, and we do not share it with third parties for their own marketing. We share personal data only with:
- Service providers who support our operations — such as our email provider (Zoho Mail) and our website hosting and content delivery providers — under contracts that require them to protect it
- Professional advisers (legal, accounting, insurance) where necessary
- Regulators, law enforcement, or courts where disclosure is required by law, including the Office of the Data Protection Commissioner (ODPC)
7. International Transfers
Some of our service providers store data outside Kenya — for example, our email is hosted in the European Union. Where we transfer personal data outside Kenya, we do so in accordance with sections 48 and 49 of the DPA, ensuring the recipient is subject to appropriate safeguards for the security and protection of the data.
8. How Long We Keep Your Data
- Enquiries that do not lead to an engagement — up to 2 years from last contact
- Client engagement records — for the duration of the engagement and up to 6 years thereafter, in line with limitation periods and statutory record-keeping requirements
- Subscription data — until you unsubscribe, after which we retain only the minimum needed to honour your opt-out
- Website logs — up to 12 months
When data is no longer required, we delete or anonymise it securely.
9. How We Protect Your Data
Security is our trade, and we apply the same standards to ourselves that we recommend to clients. Our measures include encryption of data in transit, multi-factor authentication and access controls on our systems, email authentication (SPF, DKIM, DMARC), vendor due diligence, and documented breach response procedures. In the unlikely event of a personal data breach affecting your rights, we will notify the ODPC and affected individuals as required by section 43 of the DPA.
10. Your Rights
Under the DPA you have the right to:
- Be informed about how your data is used (this notice)
- Access the personal data we hold about you
- Have inaccurate or misleading data corrected
- Have your data deleted where we no longer have a lawful basis to keep it
- Object to or restrict processing, including for direct marketing
- Data portability, where applicable
- Withdraw consent at any time, without affecting prior processing
To exercise any of these rights, email [email protected]. We will respond within a reasonable time and in any event within the periods required by the DPA. We may need to verify your identity before acting on a request.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner: www.odpc.go.ke, [email protected], Britam Towers, 12th Floor, Hospital Road, Upperhill, Nairobi.
11. Automated Decision-Making and Children
We do not make decisions about you based solely on automated processing, and we do not use your data for profiling. Our services and website are directed at businesses; we do not knowingly collect personal data from children.
12. Changes to This Notice
We may update this notice from time to time. The "last updated" date at the top reflects the current version, and material changes will be highlighted on this page.
13. Contact
For any privacy-related questions or to exercise your rights, contact us at [email protected] or write to SecureZaidi Ltd, Nairobi, Kenya.