Privacy Policy

Tukoweb Solutions Limited is a software development and technology company registered in Kenya. Our registered address is Senteu Plaza, Galana Road, Nairobi, Kenya 00100. When this policy refers to "Tukoweb", "we", "us", or "our", it means Tukoweb Solutions Limited and any subsidiaries or affiliated entities operating under the same brand.

We are the data controller for the personal information collected through our website at tukoweb.com and through the services we deliver to clients. As a company that builds software for businesses across Kenya and East Africa, we understand that data privacy is not just a legal obligation but a matter of trust. The way we handle your information reflects how seriously we take that trust.

If you have questions about this policy or about how we handle your data, you can reach our Data Protection Officer at privacy@tukoweb.com.

We only collect information that is necessary for a specific purpose. Here is a breakdown of the categories of data we may collect:

We use the information we collect for the following purposes:

• 1To respond to your enquiries and provide the services you have requested from us.
• 2To prepare and send proposals, quotations, contracts, and invoices.
• 3To deliver, manage, and improve the software development projects we undertake on your behalf.
• 4To send you newsletters and marketing updates about our services, case studies, and technology insights, but only if you have given us consent to do so.
• 5To improve our website by analysing how visitors use it, which pages are most popular, and where people encounter difficulties.
• 6To meet our legal and regulatory obligations, including maintaining proper accounting records and complying with Kenyan tax requirements.
• 7To protect the security and integrity of our systems and to detect and prevent fraud.
• 8To follow up after project completion for client satisfaction feedback.

We will never use your personal information for purposes that are incompatible with the purpose for which it was originally collected without informing you first and, where required, obtaining your consent.

Under the Kenya Data Protection Act 2019, we are required to have a valid legal basis for processing your personal data. Depending on the situation, we rely on one or more of the following grounds:

There are limited circumstances in which we may share your information with others:

• ›Service providers and subcontractors: We work with trusted third-party providers for services like email delivery (e.g., Mailchimp), cloud hosting (e.g., AWS, Google Cloud), project management tools, and analytics. These providers are only given the data they need to perform their specific task and are bound by data processing agreements that require them to protect your information.
• ›Professional advisors: Our lawyers, accountants, and auditors may access certain information in the course of providing professional services to us. They are bound by professional confidentiality obligations.
• ›Legal and regulatory requirements: We may disclose your information if required to do so by law, court order, or at the request of a competent authority such as the Kenya Revenue Authority or law enforcement agencies acting within their legal mandate.
• ›Business transfers: If Tukoweb Solutions is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.

Cookies are small text files that a website places on your device when you visit. They help the website remember your preferences and understand how you use the site. Here is how we use them:

Most browsers allow you to control cookies through their settings. If you choose to block all cookies, some features of our website may not work as intended. To learn more about how to manage cookies, visit allaboutcookies.org.

We only keep your personal data for as long as it is necessary for the purpose it was collected, or as required by law. Here is a summary of our retention periods:

Once the retention period expires, we will securely delete or anonymise your personal data. If you request deletion before the retention period ends, we will comply unless we have a legal obligation to retain the data.

Some of the third-party service providers we use are based outside Kenya, which means your personal data may be transferred to and processed in countries other than Kenya. For example, Google Analytics processes data on servers in the United States, and some of our cloud infrastructure may be hosted in South Africa or Europe.

Where your data is transferred outside Kenya, we take steps to ensure it receives an equivalent level of protection. These steps may include:

• Using service providers that are certified under recognised privacy frameworks such as the EU-US Data Privacy Framework.
• Entering into standard contractual clauses approved by the Office of the Data Protection Commissioner (ODPC) of Kenya.
• Choosing cloud providers that offer data residency in African regions where available, such as AWS af-south-1 (Cape Town) and Azure South Africa North.

Under the Kenya Data Protection Act 2019, you have specific rights regarding your personal data. We are committed to honouring these rights and will respond to any request within 21 days as required by law.

Our website and services are intended for businesses and individuals who are at least 18 years old. We do not knowingly collect or solicit personal data from anyone under the age of 18. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@tukoweb.com and we will take steps to delete it as quickly as possible.

We implement a range of technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

• Encryption of data in transit using TLS 1.2 or higher.
• Access controls that limit who within our team can access personal data, based on the principle of least privilege.
• Regular security training for all team members who handle personal data.
• Secure, password-protected systems with multi-factor authentication required for access to sensitive systems.
• Regular security audits and vulnerability assessments of our systems and the systems we build for clients.
• Documented incident response procedures in case of a data breach.

While we take all reasonable steps to protect your data, no method of transmission over the internet or method of electronic storage is completely secure. If you have reason to believe that your data has been compromised in connection with our services, please notify us immediately.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will update the "Last Updated" date at the top of this page. If we make material changes that significantly affect how we use your personal data, we will notify you by email (if we have your email address) or by posting a prominent notice on our website before the changes take effect.

We encourage you to review this policy periodically to stay informed about how we protect your data. Your continued use of our website after any changes constitutes your acceptance of the updated policy.

If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your personal data, please reach out to our Data Protection Officer. We are committed to addressing your concerns promptly and transparently.