Privacy Policy
Effective date: 17 April 2026 · Last updated: 17 April 2026
This Privacy Policy explains how VALDACE AI collects, uses, and protects personal data. It is drafted and enforced in compliance with the Kenya Data Protection Act, 2019 (No. 24 of 2019) and regulations issued by the Office of the Data Protection Commissioner (ODPC). Please read it carefully. If you have questions, email us at privacy@valdace.ai.
Contents
1. Who We Are
2. Legal Framework
3. Data Protection Principles (Section 25, DPA 2019)
4. Data We Collect
5. Lawful Basis for Processing (Section 30, DPA 2019)
6. How We Use Your Data
7. Sharing Your Data
8. Data Retention
9. Your Rights as a Data Subject (Sections 26–38, DPA 2019)
10. Cookies & Tracking Technologies
11. Children's Privacy
12. International Data Transfers (Sections 48–49, DPA 2019)
13. Data Security
14. Data Protection Officer
15. Complaints to the ODPC
16. Changes to This Policy
1. Who We Are
VALDACE AI ("we", "us", "our") is the data controller responsible for your personal data. We provide AI automation, custom digital systems, and technology consultancy services.
For any privacy-related enquiry, contact us at privacy@valdace.ai.
2. Legal Framework
This Privacy Policy is prepared and enforced in compliance with:
• Kenya Data Protection Act, 2019 (No. 24 of 2019) — the primary legislation governing personal data in Kenya
• The Data Protection (General) Regulations, 2021
• The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
• Any directives, guidelines, or orders issued by the Office of the Data Protection Commissioner ("ODPC")
As a data controller registered (or required to be registered) with the ODPC, we hold our data-handling practices to the standards set in Part III of the Act, including the data protection principles under Section 25.
3. Data Protection Principles (Section 25, DPA 2019)
We commit to processing your personal data in accordance with the eight data protection principles under Section 25 of the Act:
1. Lawfulness, fairness, and transparency — data is processed on a valid legal basis and you are always informed.
2. Purpose limitation — data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
3. Data minimisation — only data that is adequate, relevant, and limited to what is necessary is collected.
4. Accuracy — data is kept accurate and, where necessary, up to date.
5. Storage limitation — data is retained only as long as necessary for the stated purposes.
6. Integrity and confidentiality — data is processed with appropriate security, protecting against unauthorised or unlawful processing, accidental loss, destruction, or damage.
7. Accountability — we are responsible for and can demonstrate compliance with all of the above.
8. Non-transfer to countries without adequate data protection — personal data is not transferred outside Kenya unless adequate protections exist (see Section 11 below).
4. Data We Collect
We collect personal data only where it is necessary for the services we provide. The categories we may collect include:
Identity & Contact Data
• Full name, email address, telephone number, job title, and company name provided via our contact and booking forms.
Technical Data
• IP address, browser type and version, device type, operating system, and pages visited — collected automatically via server logs and analytics tools.
Communications Data
• Content of messages, notes from calls, and records of correspondence with our team.
Financial Data
• Billing name and address required to process invoices. We do not store payment card details — payments are processed by PCI-DSS-compliant third-party processors.
Special Categories of Data (Section 44, DPA 2019)
We do not intentionally collect special-category data (health, biometric, genetic, religious, political, or trade-union data). Please do not submit such data through our website.
5. Lawful Basis for Processing (Section 30, DPA 2019)
We only process personal data when at least one of the following lawful bases under Section 30 applies:
• Consent (Section 32) — you have given clear, informed, specific, and unambiguous consent for a particular purpose. You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Contract (Section 30(b)) — processing is necessary to perform a contract with you, or to take steps at your request prior to entering a contract.
• Legal obligation (Section 30(c)) — processing is necessary to comply with a legal obligation to which we are subject under Kenyan law.
• Legitimate interests (Section 30(f)) — processing is necessary for our legitimate interests or those of a third party, except where overridden by your interests or fundamental rights and freedoms.
For each data processing activity, we maintain a Record of Processing Activities as required by the Act.
6. How We Use Your Data
We use personal data to:
• Respond to enquiries and provide the services you request
• Schedule and conduct discovery calls and project meetings
• Send service-related communications (proposals, updates, invoices)
• Improve and secure our website and services
• Comply with legal and regulatory obligations
• Detect and prevent fraud or misuse of our services
• Send marketing communications — only where you have consented (you can opt out at any time)
We do not sell your personal data to any third party.
7. Sharing Your Data
We share personal data only where necessary. Recipients may include:
• Technology sub-processors — cloud hosting providers, email delivery services, and analytics platforms that process data on our behalf under written data-processing agreements requiring compliance with the DPA 2019.
• Professional advisers — lawyers, auditors, and accountants bound by confidentiality obligations.
• Regulatory and law-enforcement authorities — where we are required by law or court order.
• Business transfers — if we are involved in a merger, acquisition, or asset sale, personal data may be transferred. We will notify you beforehand where practicable.
We require all third parties to respect the security of your data and to treat it in accordance with the Act.
8. Data Retention
Under Section 25(e) of the Act, we retain personal data for no longer than is necessary for the purposes for which it was collected. Our default retention periods are:
• Website enquiry data — 24 months from last interaction, unless converted to an active client.
• Active client records — duration of the engagement plus 7 years (required by Kenyan tax and contract law).
• Marketing contact data — until you withdraw consent or opt out.
• Server and security logs — 90 days.
Where retention beyond these periods is required by law (e.g., the Kenya Revenue Authority requirements), data is retained for the minimum period mandated, then securely deleted or anonymised.
9. Your Rights as a Data Subject (Sections 26–38, DPA 2019)
The Data Protection Act, 2019 grants you the following rights:
Right to be Informed (Section 26)
You have the right to know — before or at the time we collect your data — the purposes of collection, the legal basis, who we may share it with, and your rights.
Right of Access (Section 27)
You may request a copy of the personal data we hold about you, along with information about how and why it is processed.
Right to Rectification (Section 28)
You may ask us to correct inaccurate personal data or complete incomplete data without undue delay.
Right to Erasure (Section 29)
Also known as the "right to be forgotten." You may request deletion of your personal data where:
(a) it is no longer necessary for the original purpose;
(b) you withdraw consent and there is no other lawful basis;
(c) you object to processing and there are no overriding legitimate grounds;
(d) the data was unlawfully processed.
Right to Restrict Processing (Section 30)
You may ask us to suspend processing of your data in certain circumstances — for example, while accuracy is contested.
Right to Data Portability (Section 34)
Where processing is based on consent or contract, and is carried out by automated means, you may request your data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
Right to Object (Section 35)
You may object at any time to processing based on legitimate interests, including direct marketing. We will stop processing unless we demonstrate compelling legitimate grounds that override your interests.
Rights Related to Automated Decision-Making (Section 36)
You have the right not to be subject to a decision based solely on automated processing — including profiling — that significantly affects you, without meaningful human involvement.
How to Exercise Your Rights
Submit a request to privacy@valdace.ai. We will respond within 21 days of verification of identity. No fee is charged for exercising these rights unless requests are manifestly unfounded or excessive.
11. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@valdace.ai and we will delete it promptly.
12. International Data Transfers (Sections 48–49, DPA 2019)
We may transfer personal data outside Kenya to service providers or partners in other countries. When we do, we ensure adequate protections are in place as required by Sections 48–49 of the Act. Specifically, we transfer data only to:
• Countries that the ODPC has determined offer an adequate level of data protection; or
• Recipients with whom we have entered standard contractual clauses or binding corporate rules that provide equivalent protections; or
• Where the transfer is necessary for the performance of a contract with you.
We do not transfer personal data to high-risk jurisdictions without specific, documented safeguards.
13. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Measures include:
• Encryption of data in transit (TLS 1.2+) and at rest
• Role-based access controls with least-privilege principles
• Regular security assessments and penetration testing
• Employee data-protection training
• Incident response procedures with escalation protocols
In the event of a personal data breach, we will notify the ODPC within 72 hours of becoming aware of the breach, as required by Section 43 of the Act. Where the breach is likely to result in high risk to your rights and freedoms, we will also notify you without undue delay.
14. Data Protection Officer
We have appointed a Data Protection Officer (DPO) as required under Section 24 of the Act and the Data Protection (General) Regulations, 2021. The DPO is responsible for:
• Monitoring compliance with the DPA 2019 and related regulations
• Acting as a point of contact for data subjects and the ODPC
• Advising on data protection impact assessments
Contact the DPO at: dpo@valdace.ai
15. Complaints to the ODPC
If you are not satisfied with how we handle your personal data or respond to a rights request, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC).
Office of the Data Protection Commissioner
Upper Hill, P.O. Box 30456-00100, Nairobi, Kenya
Website: www.odpc.go.ke
Email: info@odpc.go.ke
We encourage you to contact us first so we can resolve any concern directly and promptly at privacy@valdace.ai.
16. Changes to This Policy
We review this Privacy Policy at least annually and whenever there is a material change in our data processing activities or applicable law. When we make significant changes, we will notify you by:
• Updating the "Last Updated" date at the top of this page
• Displaying a prominent notice on our website
• Sending a notification to the email address on record if you are a client
Continued use of our services after the effective date of a revised policy constitutes acceptance of the updated terms.
