Privacy Policy

Last updated: February 2026

The Grit Agencies (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data in line with the Constitution of Kenya 2010 (right to privacy), the Data Protection Act 2019 (Kenya), the Data Protection (General) Regulations 2021, and other applicable Kenyan and international data protection standards. This Privacy Policy explains how we collect, use, store, and protect your information when you use our website or our services.

We are the data controller in respect of personal data collected through this website and in the course of providing our services. Our contact details are at the end of this policy.

1. Personal Data We Collect

We may collect and process the following categories of personal data:

• Identity and contact data: name, email address, phone number, company name, job title, and postal or physical address when you contact us, request a quote, or enter into a contract.
• Technical and usage data: IP address, browser type and version, device information, time zone, and how you use our website (e.g. pages visited, time spent), including through cookies or similar technologies where we use them.
• Communication data: content of emails, contact form submissions, and other correspondence you send to us.
• Contract and project data: information necessary to perform our services, including business requirements, user roles, and (where relevant and agreed) end-user or employee data that you provide to us as part of a project.

We do not knowingly collect personal data from children. If you believe we have collected such data, please contact us so we can delete it.

2. Lawful Basis and Purposes for Processing

Under the Data Protection Act 2019 (Kenya), we process your personal data only where we have a lawful basis. We use your data for the following purposes and on the following bases:

• Performance of a contract: to provide our services, manage projects, deliver software, and communicate with you in relation to an agreement.
• Legitimate interests: to operate and improve our website, respond to enquiries, conduct analytics (where not overriding your rights), and protect our business and users (e.g. security, fraud prevention).
• Consent: where we rely on consent (e.g. for certain cookies or marketing communications), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Legal obligation: where we must retain or disclose data to comply with Kenyan or other applicable law (e.g. tax, regulatory, or court orders).

3. How We Collect Your Data

We collect data:

• When you fill in forms on our website (e.g. contact form).
• When you email or call us, or communicate with us in any other way.
• When you enter into a contract with us or during the delivery of our services.
• Automatically when you use our website (e.g. IP address, browser type), including via cookies or similar technologies where applicable.

4. Sharing and Disclosure of Personal Data

We may share your personal data only in the following circumstances:

• Service providers: with trusted third parties who assist us in operating our website, hosting, email delivery, or providing our services, under strict confidentiality and data processing agreements where required by law.
• Legal and regulatory: with courts, regulators, or law enforcement in Kenya or elsewhere when required by law or to protect our rights and safety.
• With your consent or at your direction: for example, where you ask us to integrate with a third-party service.

We do not sell your personal data. Where we act as a data processor (e.g. processing data on behalf of a client under a contract), we process data only in accordance with the client’s instructions and our contractual and legal obligations.

5. International Transfers

Your data may be stored or processed in Kenya or in other countries where our service providers operate. Where we transfer personal data outside Kenya, we ensure appropriate safeguards are in place as required by the Data Protection Act 2019 and the Office of the Data Protection Commissioner (ODPC), such as standard contractual clauses or your consent where applicable.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in line with the Data Protection Act 2019 and industry practice. These measures include access controls, encryption where appropriate, and secure hosting. Despite our efforts, no method of transmission or storage over the internet is completely secure; we cannot guarantee absolute security.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Retention periods may include:

• Contact and enquiry data: for the duration of our communication and a reasonable period thereafter (e.g. up to 2 years) unless a longer period is required by law or contract.
• Contract and project data: for the term of the contract and as required by law (e.g. tax and commercial records) thereafter.
• Technical and usage data: as needed for analytics and security, typically in aggregated or anonymised form where possible.

After the retention period, we securely delete or anonymise your data where possible.

8. Your Rights Under the Data Protection Act 2019 (Kenya)

Under Kenyan data protection law, you have the right to:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete personal data.
• Erasure: request deletion of your personal data in certain circumstances (e.g. where it is no longer necessary or you withdraw consent where consent was the basis).
• Restriction: request restriction of processing in certain situations.
• Objection: object to processing based on legitimate interests or for direct marketing.
• Data portability: where applicable, receive your data in a structured, commonly used format.

To exercise any of these rights, please contact us at info@gritagencies.co.ke. We will respond within the timeframes required by the Data Protection Act 2019. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya if you believe our processing of your personal data violates the law.

9. Cookies and Similar Technologies

Our website may use cookies or similar technologies to improve functionality, analyse usage, or remember preferences. Where required by law, we will obtain your consent before placing non-essential cookies. You can adjust your browser settings to refuse or delete cookies; some features of the website may not function fully if you do so.

10. Third-Party Links

Our website may contain links to third-party websites (e.g. social media, partners). We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies before providing any personal data.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The “Last updated” date at the top of this page will be revised when changes are made. We encourage you to review this policy periodically. Where changes are material, we may notify you by email or through a notice on our website where appropriate.

12. Contact and Data Protection Enquiries

For any questions about this Privacy Policy, your personal data, or to exercise your rights under the Data Protection Act 2019 (Kenya), please contact:

The Grit Agencies
Email: info@gritagencies.co.ke
Location: Nairobi, Kenya

You may also use our Contact page. We will respond to your request in accordance with applicable law.