1 Introduction
Code Forge Kenya ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you engage our software development, business systems, KRA integration, and cybersecurity services.
By engaging our services, you consent to the practices described in this policy. If you do not agree, please refrain from engaging our services and contact us to discuss any concerns.
2 What We Collect
Contact & Business Information
- Name, business name, physical address, email, phone number
- KRA PIN, business registration number, industry type
- Billing and invoicing information
Technical & System Data (collected during service delivery)
- IP addresses, network configuration, hardware specifications
- System logs, error reports, and performance metrics
- Software configuration settings and device identifiers
- Network traffic data (for cybersecurity engagements, with explicit written consent)
Business Operational Data (depending on service type)
- Transaction and sales records (POS and billing systems)
- Customer and inventory databases (only as necessary to configure systems)
- Financial records relevant to the service being configured
We do not collect more data than is necessary for the specific service being delivered. We operate on a need-to-know basis at all times.
3 How We Use Your Information
We use your information to:
- Install, configure, and deliver agreed software and systems
- Provide technical support, maintenance, and troubleshooting
- Process payments and manage billing
- Communicate with you about your project, updates, and scheduled maintenance
- Comply with KRA and other legal or regulatory requirements
- Conduct security audits and generate vulnerability reports (for cybersecurity clients)
- Improve our service quality and internal processes
We do not use your data for automated decision-making that has legal or similarly significant effects on you.
4 Data Sharing & Disclosure
We may share limited information with:
- Software vendors — for licensing, updates, and technical escalations
- Cloud hosting providers — for infrastructure and data processing relevant to your service
- Payment processors — for billing transactions
- Kenya Revenue Authority — where required by law for eTIMS and tax compliance
- Law enforcement / courts — only when legally compelled
We never:
- sell your personal or business data to third parties
- use your data for marketing without your consent
- share confidential client information with competitors
- disclose sensitive vulnerability findings to anyone except authorised client personnel
5 Data Security
We implement industry-standard measures to protect your data, including:
- Encryption of sensitive data in transit (TLS/SSL) and at rest
- Role-based access controls — staff access data only as needed for their role
- Regular internal security reviews and vulnerability assessments
- Staff confidentiality agreements and data handling training
- Firewalls and intrusion detection on our infrastructure
- Secure offsite backups with tested recovery procedures
Data breach response: In the event of a breach affecting your data, we will notify you within 72 hours of discovery, report to the Office of the Data Protection Commissioner as required, and take immediate remedial action.
6 Data Retention
- Active client data: Retained for the duration of the service agreement plus 3 years
- Financial records: Minimum 7 years as required by Kenyan tax law
- System logs: 90 days to 12 months depending on the service and legal requirement
- Security assessment data: Securely deleted within 30 days of final report delivery
- Support records: 3 years after last interaction
When data is no longer required, it is securely deleted or anonymised. Backup copies are retained for disaster recovery for up to 12 months and are then purged.
7 Your Rights
Under the Kenya Data Protection Act, 2019, you have the following rights regarding your personal data:
Access
Request a copy of the personal data we hold about you.
Correction
Request correction of inaccurate or incomplete data.
Deletion
Request deletion of your data, subject to legal retention obligations.
Portability
Receive your data in a structured, commonly used format.
Restriction
Request that we restrict processing in certain circumstances.
Objection
Object to processing of your data where legitimate interest is the basis.
To exercise any of these rights, contact us at hello@codeforge.co.ke. We will respond within 21 days.
8 Client Obligations
Where Code Forge Kenya configures systems that process your customers' or employees' personal data, you (the Client) remain the data controller. You are responsible for:
- Maintaining the confidentiality of system login credentials
- Implementing appropriate access controls for your own staff
- Backing up critical data before system changes
- Notifying us promptly of any suspected security incidents
- Ensuring your own use of the delivered systems complies with the Kenya Data Protection Act
- Obtaining lawful consent from your customers where required for data collection
9 Legal Basis & Compliance
We process your data on the following legal bases:
- Contractual necessity — to deliver the agreed services
- Legal obligation — to comply with KRA, financial, and other regulatory requirements
- Legitimate interests — to improve our services and maintain security
- Consent — where specifically requested (e.g. network monitoring for cybersecurity services)
Code Forge Kenya complies with the Kenya Data Protection Act, 2019, and where applicable, aligns with GDPR principles. We act as a data processor when handling your clients' data on your behalf.
10 Cookies
Our website uses minimal cookies for:
- Session management and authentication
- Basic analytics to understand page performance
- Security and fraud prevention
We do not use third-party advertising cookies. You can manage cookie preferences through your browser settings at any time.
11 Children's Privacy
Our services are intended solely for businesses and individuals aged 18 and over. We do not knowingly collect personal information from minors. If you believe a minor has submitted data to us, please contact us immediately and we will delete it promptly.
12 International Data Transfers
Some of our infrastructure and third-party tools may process data outside Kenya (e.g. cloud servers). Where this occurs, we ensure:
- The recipient country has adequate data protection standards, or
- Appropriate contractual safeguards are in place (standard contractual clauses)
Client data is not transferred internationally without a lawful basis.
13 Service-Specific Notes
KRA eTIMS Integration
- Transaction data is transmitted to Kenya Revenue Authority as required by the Tax Procedures Act
- KRA API credentials are stored securely and never shared
- Compliance records are maintained per KRA retention requirements
POS & Billing Systems
- Customer transaction data is stored securely within the client's own infrastructure
- Payment card data, if any, is handled per PCI DSS guidelines — we do not store raw card numbers
- M-PESA transaction data is handled per Safaricom's data sharing requirements
Cybersecurity & Penetration Testing
- All vulnerability findings are treated as strictly confidential
- Security reports are shared only with named, authorised client personnel
- Test artefacts (captured traffic, exploit proofs-of-concept) are securely deleted within 30 days of report delivery
- No vulnerability data is retained, shared, or published without explicit written consent
Hotspot & WiFi Billing
- End-user (guest) data collected by hotspot systems is owned by the Client operator
- We configure systems to collect only what is necessary for session management and billing
14 Policy Updates
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to active clients via email at least 14 days before taking effect. The current version is always available on our website. Continued use of our services after an update constitutes acceptance.
15 Contact & Complaints
For questions, concerns, or data requests, or to exercise your rights, reach our Data Protection contact:
Email: hello@codeforge.co.ke
Address: Nairobi, Kenya
Response time: within 21 days
If you believe your rights have been violated and we have not resolved your concern, you may lodge a complaint with:
- Office of the Data Protection Commissioner (Kenya) — odpc.go.ke
- Any other data protection authority with jurisdiction over your situation
Your data, handled with care
We take data protection seriously — not just because the law requires it, but because our clients trust us with sensitive business information every day.
