Privacy Policy

Effective Date: 1 April 2026

LEGAL NOTICE

This Privacy Policy is a legally binding document. It governs the collection, processing, storage, and transfer of personal data by Gwambo Digital in accordance with the laws of Kenya, including but not limited to the Data Protection Act, No. 24 of 2019 (Cap. 411C, Laws of Kenya), and applicable international data protection frameworks.

1. IDENTITY OF THE DATA CONTROLLER

The data controller responsible for your personal data under this Policy is:

Business Name

Gwambo Digital

Business Type

Sole proprietorship / Freelance content and SEO consultancy

Principal Place of Business

Nairobi, Kenya

Website

gwambodigital.com

Contact Email

privacy@gwambodigital.com

Data Protection Officer

The proprietor of Gwambo Digital (see contact above)

2. LEGAL FRAMEWORK

This Policy is made in compliance with the following legislative instruments and international frameworks:

2.1 Kenyan Law
  • Data Protection Act, No. 24 of 2019 (Cap. 411C, Laws of Kenya) — the primary legislation governing the processing of personal data in Kenya
  • The Data Protection (General) Regulations, 2021 (Legal Notice No. 46 of 2021)
  • The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021
  • The Computer Misuse and Cybercrimes Act, No. 5 of 2018 — governing unlawful access to and misuse of computer systems and personal data
  • The Kenya Information and Communications Act, Cap. 411A — governing electronic communications
  • The Consumer Protection Act, No. 46 of 2012 — governing fair dealing with clients
2.2 International Frameworks
  • General Data Protection Regulation (EU) 2016/679 (GDPR) — applied where Gwambo Digital processes personal data of individuals in the European Economic Area
  • United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 — applied where data subjects are located in the United Kingdom
  • Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) — applied where data subjects are located in Australia
  • The African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) — as a regional benchmark

Section 25 of the Data Protection Act, No. 24 of 2019 requires every data controller and data processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing.

3. SCOPE OF THIS POLICY

This Policy applies to:

  • All visitors to gwambodigital.com (the Website)
  • All prospective, current, and former clients of Gwambo Digital
  • All individuals whose personal data is collected in the course of Gwambo Digital’s business operations, including SEO research, content strategy, and outreach activities
  • All third parties whose data Gwambo Digital processes on behalf of clients, to the extent that Gwambo Digital acts as a data processor in those arrangements

This Policy does not apply to third-party websites linked from the Website. Gwambo Digital is not responsible for the privacy practices of third parties.


4. DATA COLLECTED
4.1 Data You Provide Directly

Gwambo Digital may collect the following categories of personal data that you provide voluntarily:

  • Full name and business name
  • Email address and telephone number
  • Business website URL and online profiles
  • Location data (city, country)
  • Professional information, including job title, industry, and business needs
  • Correspondence and communications exchanged with Gwambo Digital
4.2 Data Collected Automatically

When you visit the Website, certain data may be collected automatically, including:

  • IP address and device identifiers
  • Browser type, language, and version
  • Pages visited, time on site, and referral source
  • Cookie data and session identifiers (see Section 10)
4.3 Data Collected from Public Sources

In the course of conducting SEO audits and lead research, Gwambo Digital may collect publicly available data about businesses, including:

  • Business names, addresses, and contact details as published on business websites or public directories
  • Website ranking and performance data obtained from publicly accessible SEO tools
  • Content published on publicly accessible business blogs, websites, and social media profiles

Section 30 of the Data Protection Act, No. 24 of 2019 permits the processing of personal data without consent where processing is necessary for the legitimate interests of the data controller, provided such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.

5. PURPOSES AND LEGAL BASES FOR PROCESSING

Gwambo Digital processes personal data only where a lawful basis exists under Section 30 of the Data Protection Act, No. 24 of 2019. The applicable bases and corresponding purposes are set out below:

Purpose

Legal Basis

Statutory Reference

Responding to enquiries and providing services

Performance of a contract or pre-contractual steps

DPA s.30(b)

Conducting SEO audits and preparing case studies on prospective clients

Legitimate interests of the data controller

DPA s.30(f)

Sending cold outreach emails to business contacts

Legitimate interests — direct marketing to business contacts

DPA s.30(f); KICA s.84B

Sending service-related communications to active clients

Performance of a contract

DPA s.30(b)

Improving Website functionality and user experience

Legitimate interests

DPA s.30(f)

Complying with legal obligations

Compliance with a legal obligation

DPA s.30(c)

Maintaining records of client engagements

Legitimate interests / contractual necessity

DPA s.30(b)(f)

6. DATA RETENTION

Gwambo Digital retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law.

Data Category

Retention Period

Client contract and engagement records

7 years from the end of the engagement (Kenya Income Tax Act compliance)

Cold outreach prospect data

Until the prospect responds, opts out, or 24 months from first contact — whichever is sooner

Website analytics data

26 months from collection

Email correspondence

5 years from the date of correspondence

Unpublished SEO audit notes on third parties

12 months from date of creation or date of last contact attempt

Section 39 of the Data Protection Act, No. 24 of 2019 provides that personal data shall not be kept in a form which permits identification of a data subject for longer than is necessary for the purpose for which it was collected.

7. DATA SHARING AND DISCLOSURE

Gwambo Digital does not sell, rent, or trade personal data to third parties. Personal data may be disclosed in the following limited circumstances:

7.1 Service Providers

Gwambo Digital engages third-party service providers to assist in business operations, including cloud storage providers, email delivery platforms, WordPress hosting services, and SEO tools. These providers act as data processors and are contractually bound to process data only on Gwambo Digital’s instructions and in compliance with applicable data protection law, pursuant to Section 43 of the Data Protection Act, No. 24 of 2019.

7.2 Legal Obligation

Gwambo Digital may disclose personal data where required by law, court order, or lawful request by a competent authority in Kenya or in any jurisdiction in which Gwambo Digital operates or where a data subject is located.

7.3 International Transfers

Where Gwambo Digital transfers personal data outside Kenya — including to service providers located in the European Union, United Kingdom, Australia, or the United States — such transfers are made only where:

  • The recipient country has been determined to provide an adequate level of data protection, or
  • Appropriate safeguards are in place, including standard contractual clauses approved by the Office of the Data Protection Commissioner of Kenya (ODPC), or
  • The transfer is necessary for the performance of a contract to which the data subject is a party

Sections 47 and 48 of the Data Protection Act, No. 24 of 2019 govern the transfer of personal data outside Kenya and require that adequate safeguards be in place before such transfer occurs.

8. YOUR RIGHTS AS A DATA SUBJECT

Under the Data Protection Act, No. 24 of 2019 and, where applicable, the GDPR and Australian Privacy Act, you are entitled to exercise the following rights in respect of your personal data:

Right

Description

Legal Authority

Right of Access

You have the right to request confirmation of whether Gwambo Digital processes your personal data, and to receive a copy of that data.

DPA s.26; GDPR Art.15

Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data held about you.

DPA s.35; GDPR Art.16

Right to Erasure

You have the right to request deletion of your personal data where it is no longer necessary, or where you withdraw consent and no other lawful basis applies.

DPA s.36; GDPR Art.17

Right to Restriction

You have the right to request that processing of your personal data be restricted in certain circumstances.

DPA s.38; GDPR Art.18

Right to Object

You have the right to object to processing based on legitimate interests, including direct marketing.

DPA s.37; GDPR Art.21

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your data in a structured, machine-readable format.

DPA s.40; GDPR Art.20

Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

DPA s.31; GDPR Art.7(3)

To exercise any of the above rights, submit a written request to privacy@gwambodigital.com. Gwambo Digital will respond within thirty (30) days of receipt, as required by Section 26(3) of the Data Protection Act, No. 24 of 2019.

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC) at www.odpc.go.ke, or with the relevant supervisory authority in your country of residence.

9. DIRECT MARKETING AND OUTREACH

Gwambo Digital conducts cold email outreach to business contacts as part of its client acquisition activities. This outreach constitutes direct marketing within the meaning of the Data Protection Act, No. 24 of 2019 and applicable communications legislation.

In conducting this outreach, Gwambo Digital:

  • Relies on the legitimate interests basis pursuant to Section 30(f) of the Data Protection Act, No. 24 of 2019, having assessed that its interests in marketing its services to businesses are proportionate and do not override the rights and freedoms of recipients
  • Complies with Section 84B of the Kenya Information and Communications Act, Cap. 411A (as amended) regarding unsolicited electronic communications
  • Ensures every outreach email contains a clear and functional opt-out mechanism
  • Immediately ceases all outreach to any recipient who objects or requests removal, in compliance with Section 37 of the Data Protection Act, No. 24 of 2019
  • Does not send outreach to individuals registered on any applicable do-not-contact registry

Where Gwambo Digital sends outreach to recipients located in Australia, it complies with the Spam Act 2003 (Cth), including the requirements to identify the sender, include a functional unsubscribe mechanism, and honour opt-out requests within five (5) business days.

Where Gwambo Digital sends outreach to recipients located in the European Economic Area or United Kingdom, it relies on the B2B legitimate interests exemption under GDPR Recital 47 and UK ICO guidance, and ensures all outreach meets the requirements of the Privacy and Electronic Communications Regulations 2003 (UK PECR) where applicable.

10. COOKIES

The Website may use cookies and similar tracking technologies to improve user experience and collect analytics data. By continuing to use the Website, you consent to the use of cookies in accordance with this Policy.

Cookie Type

Purpose

Legal Basis

Strictly Necessary

Session management and security

Necessary — no consent required

Analytics

Aggregate visitor behaviour statistics

Legitimate interests / consent where required by applicable law

Functional

User preferences and settings

Legitimate interests

You may disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Website.

11. SECURITY OF PERSONAL DATA

Gwambo Digital implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration, in compliance with Section 41 of the Data Protection Act, No. 24 of 2019.

These measures include, but are not limited to:

  • Use of encrypted communication channels for data transmission
  • Access controls limiting data access to authorised personnel only
  • Use of reputable, security-certified third-party service providers
  • Regular review of data handling practices and system security

Gwambo Digital will notify the Office of the Data Protection Commissioner of Kenya and affected data subjects of any personal data breach in accordance with Section 43(3) of the Data Protection Act, No. 24 of 2019, where the breach is likely to result in a risk to the rights and freedoms of data subjects.

12. CHILDREN’S DATA

Gwambo Digital’s services are directed exclusively at business clients and adult professionals. Gwambo Digital does not knowingly collect or process personal data of persons under the age of eighteen (18) years. In the event Gwambo Digital becomes aware that it has inadvertently collected data from a minor, it will delete such data promptly.

13. AUTOMATED DECISION-MAKING

Gwambo Digital uses automated processes (including the Manus outreach automation system) to identify prospective clients and initiate outreach. However, no significant decisions that produce legal effects or similarly significant effects on individuals are made solely by automated means without human review.

Where automated processing forms part of Gwambo Digital’s operations, data subjects retain the right to request human review of any decision that materially affects them, pursuant to Section 33 of the Data Protection Act, No. 24 of 2019 and Article 22 of the GDPR where applicable.

14. UPDATES TO THIS POLICY

Gwambo Digital may update this Privacy Policy from time to time to reflect changes in law, business practice, or operational requirements. The effective date at the top of this document will be revised accordingly. Where changes are material, Gwambo Digital will provide notice by email to active clients or by prominent notice on the Website.

Continued use of the Website or Gwambo Digital’s services following any update constitutes acceptance of the revised Policy.

15. CONTACT AND COMPLAINTS

All enquiries, requests, and complaints regarding this Privacy Policy or Gwambo Digital’s data processing practices should be directed to:

Data Controller

Gwambo Digital

Email

privacy@gwambodigital.com

Response Time

Within 30 days of receipt of a valid written request

If you are located in Kenya and are dissatisfied with Gwambo Digital’s response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC):

  • Website: www.odpc.go.ke
  • Email: info@odpc.go.ke
  • Physical Address: Teleposta Towers, 6th Floor, Kenyatta Avenue, Nairobi

If you are located in Australia, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

If you are located in the European Economic Area, you may lodge a complaint with the supervisory authority in your Member State of residence.

GWAMBO DIGITAL — PRIVACY POLICY — EFFECTIVE 1 APRIL 2026

Governed by the Data Protection Act, No. 24 of 2019 (Kenya) and applicable international frameworks