1. Our GDPR Commitment
Datacraft Limited is a Kenyan software company serving clients across Africa and internationally, including organisations established in the European Union and the European Economic Area. Where our products and services are directed at EU residents, or where we process personal data originating in the EU in the course of providing services to EU-based organisations, we recognise the applicability of Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR) — and commit to full compliance with its requirements.
This commitment extends to our role as both a data controller (when we determine the purposes and means of processing, for example when handling prospect and client contact data) and a data processor (when we process personal data on behalf of our clients under a Data Processing Agreement). This document primarily addresses our obligations as a data controller. Clients who require a Data Processing Agreement (DPA) should contact us at hello@datacraft.co.ke.
We apply the GDPR's core principles — lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability — to all personal data processing activities involving EU data subjects, regardless of where that processing physically occurs.
2. Data Controller Information
The data controller for personal data processed in connection with Datacraft's website, marketing communications, and direct client relationships is:
| Legal name | Datacraft Limited |
| Jurisdiction | Incorporated in Kenya under the Companies Act (Cap. 486) |
| Registered office | Nairobi, Kenya |
| Email | hello@datacraft.co.ke |
| Phone | +254 726 631 615 |
Kenya's data protection framework is governed by the Data Protection Act, 2019 and administered by the Office of the Data Protection Commissioner (ODPC). Datacraft is registered with the ODPC as a data controller. The GDPR applies to us in addition to, not in place of, the Kenyan framework where processing involves EU data subjects.
3. Legal Bases for Processing
We process personal data of EU data subjects only where a valid legal basis under Article 6 GDPR exists. The bases we rely on are:
Performance of a contract (Article 6(1)(b))
Where you or your organisation have entered into a contract with us — for software licences, professional services, support agreements, or similar — we process the personal data of relevant individuals (employees, administrators, named contacts) to the extent necessary to perform that contract. This includes account provisioning, service delivery, billing, and support communications.
Legitimate interests (Article 6(1)(f))
We process certain personal data on the basis of our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. Specific legitimate interests we rely on include:
- Responding to enquiries from prospective clients and partners;
- Maintaining records of business communications for legal and operational continuity;
- Marketing our products and services to organisations and individuals who have previously engaged with us or expressed professional interest;
- Protecting the security and integrity of our systems and services;
- Analysing aggregate usage patterns to improve our products.
You have the right to object to processing based on legitimate interests at any time. See Section 4 below.
Consent (Article 6(1)(a))
Where we rely on consent — for example, to send marketing communications to individuals who are not existing clients — we will obtain clear, affirmative, freely given, and specific consent. You may withdraw consent at any time by contacting hello@datacraft.co.ke or by using the unsubscribe mechanism in any marketing communication. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
Legal obligation (Article 6(1)(c))
We may process personal data where necessary to comply with a legal obligation under Kenyan law, EU law applicable to us, or the law of an EU member state — for example, to respond to a lawful court order or regulatory demand.
4. Data Subject Rights
EU data subjects whose personal data we process as a controller hold the following rights under Chapter III of the GDPR. We will respond to all verified requests within 30 calendar days (extendable by a further two months in complex cases, with notice).
Right of access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, a copy of that data together with information about the purposes, categories, recipients, retention periods, and the existence of your other rights.
Right to rectification (Article 16)
You have the right to have inaccurate personal data corrected without undue delay, and to have incomplete personal data completed, including by means of a supplementary statement.
Right to erasure — "right to be forgotten" (Article 17)
You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent and no other legal basis applies, where you have successfully objected to processing, or where processing was unlawful. This right is subject to applicable legal obligations requiring retention.
Right to data portability (Article 20)
Where processing is based on consent or a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance from us.
Right to restriction of processing (Article 18)
You have the right to request that we restrict processing of your data in certain circumstances: while the accuracy of the data is being contested; where processing is unlawful but you prefer restriction to erasure; where we no longer need the data but you need it for legal claims; or while your objection to legitimate-interests processing is being assessed.
Right to object (Article 21)
You have the right to object at any time to processing of your personal data based on legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims. You have an absolute right to object to processing for direct marketing purposes, including profiling for marketing.
Right not to be subject to automated decision-making (Article 22)
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects concerning you. Datacraft does not currently make such automated decisions about individuals. Should this change, we will update this document and implement appropriate safeguards.
5. How to Exercise Your Rights
To exercise any of the rights described in Section 4, or to ask questions about how we process your personal data, contact our Data Protection Officer by email at hello@datacraft.co.ke with the subject line "GDPR Data Subject Request".
Please include:
- Your full name and the email address associated with any account or prior communication with Datacraft;
- A clear description of the right you wish to exercise and the specific data or processing activity your request relates to;
- Sufficient information to enable us to verify your identity (we may request additional verification before acting on a request to protect against unauthorised access to personal data).
Response SLA: We will acknowledge your request within 5 business days and provide a substantive response within 30 calendar days of receipt. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will notify you within the initial 30-day period with an explanation of the delay.
We do not charge a fee for handling data subject requests unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request, with written reasons.
6. International Data Transfers
Datacraft is based in Kenya. Kenya is not currently subject to a European Commission adequacy decision under Article 45 GDPR. Accordingly, where we transfer personal data from the EU or EEA to Kenya in the course of providing our services, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission as the appropriate safeguard under Article 46(2)(c) GDPR.
Specifically, we rely on the SCCs set out in Commission Implementing Decision (EU) 2021/914, incorporating the relevant module(s) appropriate to the nature of the transfer (controller-to-processor or controller-to-controller as applicable).
We have conducted a Transfer Impact Assessment (TIA) to evaluate Kenyan law and practice as they affect the protection afforded by the SCCs. We concluded that, in the context of the types of data we process and the commercial nature of our relationships, the SCCs provide a level of protection essentially equivalent to that guaranteed within the EEA, and that the risk of governmental access to the transferred data in a manner incompatible with EU standards is remote and manageable through the contractual and technical safeguards we apply.
EU-based clients requiring a copy of our SCCs or TIA documentation should request these via hello@datacraft.co.ke.
7. Data Retention Schedule
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, to comply with applicable legal obligations, resolve disputes, and enforce our agreements. Our standard retention periods are set out below.
| Data category | Retention period | Basis |
|---|---|---|
| Contact and enquiry data (web forms, emails) | 2 years from last interaction | Legitimate interests (follow-up, records) |
| Product and platform data (data processed under client contracts) | Per contractual terms agreed with client | Performance of contract / DPA |
| Billing and financial records | 7 years | Legal obligation (Kenyan tax and accounting law) |
| Marketing consent records | Until consent withdrawn + 1 year | Accountability (proof of consent) |
| Security and audit logs | 90 days rolling | Legitimate interests (security) |
| Data subject rights request records | 3 years from closure | Legal obligation / accountability |
At the end of the applicable retention period, personal data is securely deleted or irreversibly anonymised. For data held in client environments under a DPA, deletion timelines are governed by the terms of the relevant agreement and the client's instructions as data controller.
8. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR or applicable data protection law, you have the right to lodge a complaint with a supervisory authority. You may choose to complain to:
The Office of the Data Protection Commissioner (ODPC) — Kenya
As Datacraft's primary supervisory authority under the Data Protection Act, 2019.
Your local EU/EEA supervisory authority
EU data subjects have the right to complain to the supervisory authority in their member state of habitual residence, place of work, or the place of the alleged infringement. A directory of EU supervisory authorities is available from the European Data Protection Board.
We ask that you contact us first before escalating to a supervisory authority. We are committed to resolving complaints directly and promptly, and in most cases this will be the fastest route to resolution.
9. Contact the Data Protection Officer
Datacraft has designated a Data Protection Officer (DPO) responsible for overseeing compliance with this document and with applicable data protection law. The DPO is your primary point of contact for all privacy-related matters, including data subject rights requests, questions about how we process your data, and requests for Data Processing Agreements or Standard Contractual Clauses.
When contacting the DPO about a data subject rights request, please use the subject line "GDPR Data Subject Request" to ensure prompt routing and handling within our 30-day SLA.
| Effective date | June 2026 |
| Version | 1.0 |
| Replaces | No prior version |
We review this document annually and whenever there is a material change to our processing activities or applicable law. Material changes will be notified to relevant data subjects by email or prominent notice on this page. The current version is always available at datacraft.co.ke/legal/gdpr.html.