Privacy Policy
Introduction
MwarandusLab ("we", "our", or "us") operates mwaranduslabs.com, a platform offering software and technology services and products. We are committed to protecting your personal data and your right to privacy.
This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have in relation to your data. It applies to all visitors and users of our website.
By using our website, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the site.
Who We Are (Data Controller)
For the purposes of applicable data protection law, the data controller is:
We are registered under the Kenya Data Protection Act, 2019 and comply with the EU General Data Protection Regulation (GDPR) to the extent it applies to our users in the European Economic Area.
What Personal Data We Collect
We collect only the minimum data necessary to provide our services. We do not require account registration. Data is collected through the forms on our website.
3.1 Booking and Contact Forms
When you submit a booking request or contact form, we collect:
- Full name
- Email address
- Phone number
- The content of your message or booking request
- Date and time of submission
3.2 Payment Information
Payments are processed through M-Pesa via the Safaricom Daraja API. We do not collect, store, or process your M-Pesa PIN, card details, or full payment credentials. We only receive a payment confirmation reference.
3.3 Technical Data
When you visit our website, we automatically receive:
- Your IP address (used for security and abuse prevention)
- Browser type and version
- Pages visited and time spent on pages
- Referring URL (where you came from)
This is collected via Cloudflare Analytics and our own internal analytics system.
3.4 Cookies
We use only essential session cookies necessary for the website to function. These cookies are temporary and are deleted when you close your browser. We do not use marketing, tracking, or advertising cookies.
How We Use Your Personal Data
We use your personal data only for the following purposes:
- To respond to your enquiries and contact form submissions
- To process and manage your service bookings
- To process payments via M-Pesa
- To send transactional emails related to your booking (confirmations and updates)
- To maintain the security of our website and prevent abuse
- To analyse website traffic and improve our services
We do not use your data for automated decision-making or profiling. We do not send marketing emails unless you have explicitly opted in.
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your personal data under the following legal bases:
- Contract performance: Processing your booking and payment details to fulfil the service you requested.
- Legitimate interests: Processing technical and analytics data to maintain security and improve services.
- Legal obligation: Where required to comply with applicable law.
For users in Kenya, processing is conducted in accordance with the Kenya Data Protection Act, 2019.
Third Parties We Share Data With
We do not sell, rent, or trade your personal data. We share data only with the following trusted service providers:
Safaricom (M-Pesa Daraja)
Payment processing. Governed by Safaricom's Privacy Policy.
ZeptoMail by Zoho
Transactional email delivery. Your name and email are shared to send booking confirmations.
Cloudinary
Image storage and delivery. No personal user data is stored on Cloudinary.
Cloudflare
Website security, CDN, and analytics. May process your IP address per Cloudflare's Privacy Policy.
All third-party providers are required to handle your data securely and only for the purposes we specify.
International Data Transfers
Some of our third-party providers — including ZeptoMail/Zoho and Cloudflare — may process your data outside of Kenya and the EEA. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or equivalent mechanisms recognised under the Kenya Data Protection Act.
Data Retention
We retain your personal data only for as long as necessary:
- Booking and contact submissions: retained for up to 2 years after your last interaction.
- Payment confirmation references: retained for 7 years for financial and tax compliance.
- Analytics data: aggregated and anonymised data is retained indefinitely. IP-level data is not stored beyond 30 days.
- Session cookies: deleted at the end of your browser session.
Once data is no longer needed, it is securely deleted from our systems.
Your Rights
9.1 Rights Under GDPR (EEA Users)
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your personal data, subject to legal retention requirements.
- Right to restriction — ask us to restrict how we process your data.
- Right to data portability — request your data in a structured, machine-readable format.
- Right to object — object to processing based on our legitimate interests.
- Right to complain — lodge a complaint with your local data protection authority.
9.2 Rights Under Kenya Data Protection Act
- Be informed about how your data is used.
- Access your personal data held by us.
- Correct any inaccurate personal data.
- Object to processing of your personal data.
- Delete or restrict processing of your personal data.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days and may need to verify your identity before processing your request.
Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- All data is encrypted in transit using TLS 1.2/1.3 (HTTPS).
- SSL certificates issued and managed through Cloudflare.
- Servers protected by firewalls, rate limiting, and intrusion detection.
- Access to our systems is restricted to authorised personnel only.
- Regular security audits of our infrastructure.
Despite these measures, no method of transmission over the internet is 100% secure. We will notify you promptly in the event of a data breach that affects your rights.
Children's Privacy
Our website and services are not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at [email protected] and we will promptly delete it.
Links to Third-Party Websites
Our website may contain links to external websites. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the effective date at the top of this document and post the revised policy on our website.
Your continued use of our website after any changes constitutes your acceptance of the updated policy.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
We aim to respond to all privacy-related enquiries within 30 days.
This Privacy Policy was last updated on 18 April 2025.