Privacy Policy

We take your privacy seriously. This policy explains exactly what data SyncWave Technologies collects, why we collect it, how we protect it, and the rights you have under the Kenya Data Protection Act 2019.

Effective Date: April 4, 2026

This Privacy Policy explains how SyncWave Technologies Ltd collects, uses, stores, and protects personal data in connection with our website and the delivery of our services. We are committed to compliance with the Kenya Data Protection Act 2019 (No. 24 of 2019) and applicable data protection frameworks across East Africa.

1. Who We Are

SyncWave Technologies Ltd (“SyncWave”, “we”, “us”) is a technology services and consulting firm registered in Kenya. We deliver cloud engineering, cybersecurity, DevOps, custom software development, and AI solutions to enterprise clients across Kenya and East Africa. Our registered address is Mombasa Road, Nairobi, Kenya (P.O. Box 12001-00100).

When we collect and process personal data about website visitors or contact form respondents on our own behalf, we act as a data controller. When we process personal data on behalf of our enterprise clients during service delivery, we act as a data processor, and those clients are the data controllers. In such cases, a Data Processing Agreement (DPA) governs our obligations.

2. What Personal Data We Collect

2.1 Data You Provide Directly

  • Contact Form Submissions: Name, email address, phone number, company name, and the message content you provide when you contact us.
  • Business Communications: Information shared in emails, meeting notes, or proposal exchanges during pre-sales and onboarding discussions.
  • Contract & SOW Onboarding: Signatory details, billing contacts, finance officer details, and authorised representatives named in Statements of Work and Master Service Agreements.

2.2 Data Collected Automatically

  • Website Analytics: IP address (anonymised), browser type and version, device type, operating system, pages visited, session duration, and referral source — collected via analytics tools to help us understand how our website is used.
  • Cookies: Session cookies, functional preference cookies, and (where you consent) analytics cookies. See our Cookie Policy for a full breakdown.

2.3 Data Processed During Service Delivery

In delivering contracted services, we may encounter or process:

  • System access credentials, infrastructure configuration files, and network topology information
  • Application source code, database schemas, architecture documentation, and CI/CD pipeline configurations
  • Monitoring data, system logs, and security event streams from infrastructure we manage on the Client’s behalf
  • For financial sector clients (SACCOs, banks, fintechs): transaction metadata and account-level identifiers as required by the engagement — never raw card numbers, CVVs, PINs, or full banking credentials
  • For healthcare sector clients: patient identifiers or medical record references as strictly necessary for the agreed SOW, and only under a signed DPA and data protection schedule

3. How We Use Your Data

  • Responding to enquiries: Contact form data is used exclusively to reply to your request, assess alignment with our services, and initiate a project conversation.
  • Delivering contracted services: Client Data and system credentials are processed solely to fulfil obligations in signed Statements of Work.
  • Billing and contract management: Contact and company details are used to issue invoices, manage agreements, maintain accounting records, and comply with KRA reporting requirements.
  • Security monitoring and incident response: Log and event data from managed environments is analysed to detect, investigate, and respond to security incidents on behalf of Clients.
  • Service improvement: Aggregated and anonymised usage data may be used to improve our internal processes and service quality. No individual profiling is performed for marketing purposes.
  • Legal and regulatory compliance: We may process data as required to comply with Kenyan law, sector-specific regulatory obligations, or lawful requests from competent authorities.

4. Legal Basis for Processing

Under the Kenya Data Protection Act 2019, we process personal data on the following lawful bases:

  • Contract performance: Processing of Client Data is necessary to deliver the services agreed in a signed Statement of Work or other contract.
  • Legitimate interests: Website analytics and security log processing are carried out based on our legitimate interest in operating a secure, functional online presence and understanding our audience, provided these interests are not overridden by your rights and freedoms.
  • Legal obligation: Certain processing — such as retention of financial records and tax documents — is required by Kenyan law (Companies Act 2015, Income Tax Act, VAT Act).
  • Consent: For non-essential cookies and any direct marketing communications, we rely on your freely given, specific, and informed consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Sensitive & Special-Category Data

Two of our primary client sectors involve especially sensitive categories of data, which we handle with heightened controls:

5.1 Healthcare Sector Clients

Where our engagements involve hospital information systems, NHIF integrations, patient portals, or health analytics platforms, any health or medical data encountered is treated as special-category sensitive data. Such processing is governed by a signed DPA aligned with the Health Act 2017, the Kenya Data Protection Act 2019, and any applicable Ministry of Health data governance guidelines. Access is strictly limited to named personnel with a direct service-delivery requirement, and all access events are logged.

5.2 Financial Sector Clients (Banks, SACCOs, Fintechs, Insurance)

For clients in banking, microfinance, SACCO, insurance, or payment processing sectors, we apply controls consistent with Central Bank of Kenya (CBK) outsourcing and data governance guidelines, the National Payment System Act, and the Sacco Societies (Deposit-Taking) Regulations. We do not store raw payment card data, card verification values (CVV/CVC), PINs, or full account credentials. Any financial system access is governed by least-privilege principles, documented in the SOW security annex, and subject to mandatory access logging and periodic review.

6. Data Storage & Security

We implement technical and organisational security measures aligned with ISO/IEC 27001 principles:

  • Encryption: All data transmitted between systems is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent standards on all managed infrastructure.
  • Access Control: Role-based access control (RBAC) and multi-factor authentication (MFA) are enforced on all internal systems and client-facing portals that handle personal or sensitive data.
  • Least Privilege: Personnel are granted only the minimum access necessary to perform their specific role in an engagement. Access is reviewed and revoked promptly upon role change or departure.
  • Vulnerability Management: Our own infrastructure undergoes regular automated vulnerability scanning and periodic penetration testing by qualified professionals.
  • Incident Response: We maintain a documented incident response plan. In the event of a personal data breach that affects your data, we will notify affected Clients within 72 hours of becoming aware, in line with our obligations under the Kenya Data Protection Act 2019.
  • Awareness Training: All personnel with access to personal or Client data receive mandatory data protection and information security training at onboarding and annually thereafter.

7. Third-Party Sub-Processors

In delivering our services, we engage the following categories of third-party sub-processors, each bound by data processing obligations consistent with this policy:

  • Cloud Infrastructure Providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform — used for compute, storage, managed databases, and networking services on behalf of Clients.
  • Communication & Collaboration Tools: Business email, video conferencing, and project management platforms used for service-related communication with Clients and within our team.
  • Monitoring & Observability Platforms: Logging, alerting, application performance monitoring (APM), and SIEM tools deployed within managed client environments.
  • Source Code & DevOps Platforms: Git-based version control and CI/CD platforms used for project development and delivery.
  • AI & LLM API Providers: Where AI solutions are delivered, third-party model inference APIs may be used under strict data minimisation and contractual data protection controls.

We do not sell, rent, broker, or share personal data with any third party for advertising, marketing, or commercial profiling purposes.

8. Data Retention

  • Website Contact Enquiries: Retained for 12 months from last interaction, unless a formal engagement commences.
  • Active Client Data: Retained for the duration of the engagement plus 5 years for contract, compliance, and audit purposes.
  • Financial & Billing Records: Retained for 7 years as required by the Kenya Revenue Authority (KRA), the Companies Act 2015, and applicable VAT regulations.
  • Security & Audit Logs: Retained for a minimum of 90 days for operational review; longer periods (up to 12 months or as specified in sector guidelines) may apply for forensic investigations, CBK compliance, or client-specific requirements.
  • Website Analytics Data: Session-level identifiable data is purged after 26 months; aggregated anonymised statistics may be retained indefinitely.

Upon expiry of applicable retention periods, data is securely deleted using industry-standard erasure methods or anonymised such that it can no longer be linked to an individual.

9. International Data Transfers

Our primary operations are based in Kenya. Where Client Data is processed on cloud infrastructure located outside Kenya — for example, on AWS (Cape Town / af-south-1), Azure (South Africa North), or GCP (Johannesburg) — we ensure such transfers are governed by appropriate safeguards including contractual data processing terms consistent with the Kenya Data Protection Act 2019 and, where applicable, the EU GDPR Standard Contractual Clauses for cross-border clients. Clients who require strict in-country data residency within Kenya must specify this requirement before engagement commencement, and we will design the architecture accordingly.

10. Your Rights

Under the Kenya Data Protection Act 2019, you have the following rights with respect to personal data we hold about you:

  • Right of Access: Request a copy of the personal data SyncWave holds about you, along with information about how it is processed.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data without undue delay.
  • Right to Erasure: Request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to any overriding legal retention obligations.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to Object: Object to processing based on legitimate interests, or to any profiling related to direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) if you believe your rights have been infringed.

To exercise any of these rights, contact us at info@syncwave.co.ke. We will acknowledge your request within 5 business days and respond within 21 days (or notify you of any extension). For regulatory complaints, contact the ODPC at odpc.go.ke.

11. Children’s Privacy

Our services are directed exclusively at business organisations and professionals. We do not knowingly collect personal data from individuals under 18 years of age. If you believe we have inadvertently processed the personal data of a minor, please notify us immediately at info@syncwave.co.ke and we will take prompt steps to delete it.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our data practices, technology, legal requirements, or business operations. We will notify active clients of material changes by email at least 14 days before the change takes effect, and post the updated policy on this page with a revised effective date. Your continued engagement with our services following notification constitutes acceptance of the updated policy unless you notify us otherwise.

Contact & Data Protection

For privacy enquiries, data subject access requests, or concerns about our data handling, please reach out:

Email: info@syncwave.co.ke

Postal Address: SyncWave Technologies, P.O. Box 12001-00100, Nairobi, Kenya

Physical Address: Mombasa Road, Nairobi, Kenya

Regulator: Office of the Data Protection Commissioner (ODPC) — odpc.go.ke