Effective: June 2026

GDPR Compliance

Datacraft's commitment to the General Data Protection Regulation (EU) 2016/679 — how we process personal data of EU data subjects, what rights you hold, and how to exercise them.

1. Our GDPR Commitment

Datacraft Limited is a Kenyan software company serving clients across Africa and internationally, including organisations established in the European Union and the European Economic Area. Where our products and services are directed at EU residents, or where we process personal data originating in the EU in the course of providing services to EU-based organisations, we recognise the applicability of Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR) — and commit to full compliance with its requirements.

This commitment extends to our role as both a data controller (when we determine the purposes and means of processing, for example when handling prospect and client contact data) and a data processor (when we process personal data on behalf of our clients under a Data Processing Agreement). This document primarily addresses our obligations as a data controller. Clients who require a Data Processing Agreement (DPA) should contact us at hello@datacraft.co.ke.

We apply the GDPR's core principles — lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability — to all personal data processing activities involving EU data subjects, regardless of where that processing physically occurs.

2. Data Controller Information

The data controller for personal data processed in connection with Datacraft's website, marketing communications, and direct client relationships is:

Legal name: Datacraft Limited
Jurisdiction: Incorporated in Kenya under the Companies Act (Cap. 486)
Registered office: Nairobi, Kenya
Email: hello@datacraft.co.ke
Phone: +254 726 631 615

Kenya's data protection framework is governed by the Data Protection Act, 2019 and administered by the Office of the Data Protection Commissioner (ODPC). Datacraft is registered with the ODPC as a data controller. The GDPR applies to us in addition to, not in place of, the Kenyan framework where processing involves EU data subjects.

4. Data Subject Rights

EU data subjects whose personal data we process as a controller hold the following rights under Chapter III of the GDPR. We will respond to all verified requests within 30 calendar days (extendable by a further two months in complex cases, with notice).

Right of access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, a copy of that data together with information about the purposes, categories, recipients, retention periods, and the existence of your other rights.

Right to rectification (Article 16)

You have the right to have inaccurate personal data corrected without undue delay, and to have incomplete personal data completed, including by means of a supplementary statement.

Right to erasure — "right to be forgotten" (Article 17)

You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent and no other legal basis applies, where you have successfully objected to processing, or where processing was unlawful. This right is subject to applicable legal obligations requiring retention.

Right to data portability (Article 20)

Where processing is based on consent or a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit that data to another controller without hindrance from us.

Right to restriction of processing (Article 18)

You have the right to request that we restrict processing of your data in certain circumstances: while the accuracy of the data is being contested; where processing is unlawful but you prefer restriction to erasure; where we no longer need the data but you need it for legal claims; or while your objection to legitimate-interests processing is being assessed.

Right to object (Article 21)

You have the right to object at any time to processing of your personal data based on legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims. You have an absolute right to object to processing for direct marketing purposes, including profiling for marketing.

Right not to be subject to automated decision-making (Article 22)

You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects concerning you. Datacraft does not currently make such automated decisions about individuals. Should this change, we will update this document and implement appropriate safeguards.

5. How to Exercise Your Rights

To exercise any of the rights described in Section 4, or to ask questions about how we process your personal data, contact our Data Protection Officer by email at hello@datacraft.co.ke with the subject line "GDPR Data Subject Request".

Please include:

  • Your full name and the email address associated with any account or prior communication with Datacraft;
  • A clear description of the right you wish to exercise and the specific data or processing activity your request relates to;
  • Sufficient information to enable us to verify your identity (we may request additional verification before acting on a request to protect against unauthorised access to personal data).

Response SLA: We will acknowledge your request within 5 business days and provide a substantive response within 30 calendar days of receipt. Where requests are complex or numerous, we may extend this period by a further two months, in which case we will notify you within the initial 30-day period with an explanation of the delay.

We do not charge a fee for handling data subject requests unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request, with written reasons.

6. International Data Transfers

Datacraft is based in Kenya. Kenya is not currently subject to a European Commission adequacy decision under Article 45 GDPR. Accordingly, where we transfer personal data from the EU or EEA to Kenya in the course of providing our services, we rely on the Standard Contractual Clauses (SCCs) adopted by the European Commission as the appropriate safeguard under Article 46(2)(c) GDPR.

Specifically, we rely on the SCCs set out in Commission Implementing Decision (EU) 2021/914, incorporating the relevant module(s) appropriate to the nature of the transfer (controller-to-processor or controller-to-controller as applicable).

We have conducted a Transfer Impact Assessment (TIA) to evaluate Kenyan law and practice as they affect the protection afforded by the SCCs. We concluded that, in the context of the types of data we process and the commercial nature of our relationships, the SCCs provide a level of protection essentially equivalent to that guaranteed within the EEA, and that the risk of governmental access to the transferred data in a manner incompatible with EU standards is remote and manageable through the contractual and technical safeguards we apply.

EU-based clients requiring a copy of our SCCs or TIA documentation should request these via hello@datacraft.co.ke.

7. Data Retention Schedule

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, to comply with applicable legal obligations, to resolve disputes, and to enforce our agreements. Our standard retention periods are set out below.

Data category | Retention period | Basis
Contact and enquiry data (web forms, emails) | 2 years from last interaction | Legitimate interests (follow-up, records)
Product and platform data (data processed under client contracts) | Per contractual terms agreed with client | Performance of contract / DPA
Billing and financial records | 7 years | Legal obligation (Kenyan tax and accounting law)
Marketing consent records | Until consent withdrawn + 1 year | Accountability (proof of consent)
Security and audit logs | 90 days rolling | Legitimate interests (security)
Data subject rights request records | 3 years from closure | Legal obligation / accountability

At the end of the applicable retention period, personal data is securely deleted or irreversibly anonymised. For data held in client environments under a DPA, deletion timelines are governed by the terms of the relevant agreement and the client's instructions as data controller.

8. Right to Lodge a Complaint

If you believe that our processing of your personal data infringes the GDPR or applicable data protection law, you have the right to lodge a complaint with a supervisory authority. You may choose to complain to:

The Office of the Data Protection Commissioner (ODPC) — Kenya

As Datacraft's primary supervisory authority under the Data Protection Act, 2019.

www.odpc.go.ke

Your local EU/EEA supervisory authority

EU data subjects have the right to complain to the supervisory authority in their member state of habitual residence, place of work, or the place of the alleged infringement. A directory of EU supervisory authorities is available from the European Data Protection Board.

edpb.europa.eu — Member Authorities

We ask that you contact us before escalating to a supervisory authority. We are committed to resolving complaints directly and promptly, and in most cases this will be the fastest route to resolution.

9. Contact the Data Protection Officer

Datacraft has designated a Data Protection Officer (DPO) responsible for overseeing compliance with this document and with applicable data protection law. The DPO is your primary point of contact for all privacy-related matters, including data subject rights requests, questions about how we process your data, and requests for Data Processing Agreements or Standard Contractual Clauses.

Data Protection Officer

Datacraft Limited

hello@datacraft.co.ke

+254 726 631 615

When contacting the DPO about a data subject rights request, please use the subject line "GDPR Data Subject Request" to ensure prompt routing and handling within our 30-day SLA.

Effective date: June 2026
Version: 1.0
Replaces: No prior version

We review this document annually and whenever there is a material change to our processing activities or applicable law. Material changes will be notified to relevant data subjects by email or prominent notice on this page. The current version is always available at datacraft.co.ke/legal/gdpr.html.