Kyfaru — Designing Solutions Powering Africa's Future

01

Who We Are

Kyfaru is a technology company in Nairobi, Kenya. We are the Data Controller for personal data collected through the kyfaru.com website.

Email: hello@kyfaru.com

Website: kyfaru.com

Location: Nairobi, Kenya

02

What Data We Collect

On kyfaru.com:

Name and email address from contact and enquiry forms.
IP address and browser data collected automatically for analytics purposes.
Cookie and session data (see the Cookies section below).

Through client projects:

Where Kyfaru builds and maintains systems for clients, we may process personal data belonging to the client's customers as a Data Processor acting under the client's written instruction.

✅

We do NOT collect: sensitive personal data without explicit consent, or personal data of individuals under 18 years of age without verified guardian consent.

03

How We Use Your Data

We use the personal data we collect to:

Respond to enquiries and provide requested information about our services.
Deliver project services and manage ongoing client engagements.
Send invoices, project updates, and service-related communications.
Comply with legal and regulatory obligations under Kenyan law.

🚫

We do NOT: sell your data to any third party, use your data for advertising without consent, or share client data with competitors.

04

Legal Basis for Processing

Under the Kenya Data Protection Act 2019 (Section 30) and the EU General Data Protection Regulation (Article 6), our legal bases for processing personal data are:

Contractual Necessity

Processing required to perform a contract with you or take pre-contractual steps at your request.

Legal Obligation

Processing required to comply with Kenyan law, including tax and financial reporting obligations.

Legitimate Interests

Processing for our legitimate business interests, where these are not overridden by your rights.

Explicit Consent

Where required by law, we obtain your clear and specific consent before processing.

05

Data Retention

We retain personal data only for as long as necessary for its original purpose or as required by law:

Data Category	Retention Period
Project communications & contracts	5 years after project end
Financial records & invoices	7 years (Kenya tax requirements)
Enquiry data (no engagement follows)	12 months from last contact
Website analytics data	24 months rolling

When data is no longer required, it is securely deleted or anonymised.

06

Your Rights

Under the Kenya Data Protection Act 2019 (Part IV), you have the following rights regarding your personal data:

👁️

Right to Access

Request a copy of the personal data we hold about you.

✏️

Right to Correct

Request correction of inaccurate or incomplete data.

🗑️

Right to Deletion

Request deletion of your data where no legal basis for retention exists.

🚫

Right to Object

Object to processing of your data for specific purposes.

📦

Right to Portability

Receive your data in a structured, machine-readable format.

🏛️

Right to Complain

Lodge a complaint with the Office of the Data Protection Commissioner.

To exercise any of these rights, contact us at legal@kyfaru.com. We will respond within 21 days as required under the Kenya DPA 2019.

07

Data Sharing

Kyfaru does not sell your personal data. We share data only in the following limited circumstances:

Service Providers: trusted third parties (hosting providers, email delivery services) who process data on our behalf under written data processing agreements and confidentiality obligations.
Legal Authorities: when required by applicable Kenyan law, court order, or regulatory obligation.

🌍

International transfers: We do not transfer personal data outside Kenya or the European Economic Area (EEA) without appropriate safeguards in place, such as standard contractual clauses or adequacy decisions.

08

Cookies

Kyfaru uses cookies to ensure the website functions correctly and to understand usage patterns.

Essential Cookies

Always Active

Required for the website to function. Cannot be disabled.

Analytics Cookies

Optional

Help us understand how visitors use our site. Activated only with your consent.

Marketing Cookies

Not Used

We do not use marketing or advertising cookies on kyfaru.com.

A cookie consent banner is displayed on first visit. You can update your preferences at any time via the Cookie Settings link in the site footer.

09

Security Measures

Kyfaru implements appropriate technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction:

SSL/TLS encryption on all data transmission between clients and our systems.
Access controls, role-based authentication, and principle of least privilege.
Regular security reviews and vulnerability assessments.
Data breach notification within 72 hours of discovery, as required by the Kenya Data Protection Act 2019.

No method of electronic transmission or storage is 100% secure. While we take reasonable measures, we cannot guarantee absolute security.

10

Complaints

If you believe your data rights have not been respected, you have the right to lodge a complaint with the relevant supervisory authority:

🇰🇪 Kenya

Office of the Data Protection Commissioner (ODPC)

www.odpc.go.ke

🇪🇺 European Union

For EU-based individuals, complaints may be submitted to the relevant supervisory authority in your country of residence.

You may also contact us directly at legal@kyfaru.com before escalating to a supervisory authority.

11

Changes to This Policy

Kyfaru reserves the right to update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law.

We will notify active clients of any material changes at least 30 days before they take effect. Continued use of our website or services after the notice period constitutes acceptance of the updated policy.

The current version of this policy is always available at kyfaru.com/privacy-policy.

Privacy Policy .