Privacy Policy - Sange Solutions Limited

Sange Solutions Limited is committed to respecting and safeguarding your privacy. Protecting your personal data and ensuring its security throughout our interactions is a core priority for us. We only use your information for legitimate purposes directly related to our products and services, taking rigorous measures to prevent unauthorized access or misuse. This Privacy Policy details how we collect, use, store, and share your personal information in compliance with the Kenya Data Protection Act, 2019, and by extension, aligns with the standards set by the EU General Data Protection Regulation (GDPR).

It outlines how we adhere to data privacy principles in handling the personal data of our customers, clients, employees, vendors, visitors, and other third parties engaging with our company. It also highlights with whom we might share your personal information with and how long we keep such information. It also makes you, as the data subject, aware of your rights under the privacy regulations.

Roles and Responsibilities

Sange Solutions Data Protection Officer (DPO) is responsible for ensuring that this document is correct and up-to-date. The DPO also ensures that data subjects are duly notified prior to the collection and processing of their personal data by the company, including data collected via the website.

All Sange Solutions employees/staff who interact with your personal data are expected to follow the provisions in this document.

Who we are

Sange Solutions Limited is a trusted partner, delivering bespoke cybersecurity and assurance services tailored to our clients’ unique needs. Our mission is to provide robust protection and personalized strategies that empower businesses to thrive in a fast-evolving digital landscape. At Sange Solutions, we do not just prioritize security – we are equally committed to safeguarding the privacy of our clients and their data. We take the responsibility of protecting personal information seriously, ensuring that all data is handled with the utmost care, in compliance with relevant privacy laws and best practices.

What Personal Data We Collect and How We Use the Data

Sange Solutions collects and processes different types of personal data for various purposes as explained below:

Providing Products and Services – Name, Contact Information (e.g., email address, phone number), Address, Account Information (e.g., payment details), Profile Data (username and password), Device Information and usage patterns.
Customer Service, Support, and Service Improvement – Name, Contact Information (e.g., email address, phone number), Service History, Product Usage Data, Communication Records (e.g., emails, call recordings, form feedback)
Marketing and Promotional Communications – Name, Contact Information (e.g., email address, phone number), Marketing Preferences, Purchase History, Demographic Information (e.g., age, gender)
Job Applications and Employee Management – Name, Contact Information (e.g., email address, phone number), Date of Birth, Address, National ID, Employment History and Information, Education and Professional Background, Financial Information (e.g., bank account details), Biometric Data (e.g., fingerprints for access control), Salary Income Details
Vendor Selection, Onboarding and Management – Name of Contact Person, Contact Information (e.g., email address, phone number), Business Details, Business References, Financial Information (e.g., bank account details, financial status), Compliance Information (e.g., certifications, licenses)
Visitor Management – Name, Contact Information (e.g., phone number), Date and Time of Visit, Identification Details (e.g., ID card number), Vehicle Registration Number, CCTV Footage.

Where the personal data we need to collect may fall under a special category of sensitive personal data, the company’s lawful basis of processing will be your explicit consent, or where applicable, compliance with a legal obligation, or for legal proceedings/advice.

The collection of your personal data shall be adequate, relevant and limited to the strict minimum. Before processing personal data, we will determine whether and to what extent the processing of personal data is necessary to achieve the purpose for which it is performed.

Legal Grounds for Processing

Sange Solutions Limited process your personal data based on the following legal bases:

Consent – Where you have given your explicit consent (e.g., for marketing communications).
Contract – When processing is necessary to fulfill our contract with you (e.g., delivering a product).
Legal Obligation – To comply with legal obligations (e.g., tax reporting).
Legitimate Interests – Where processing is necessary for our legitimate interests, provided they do not override your rights.
Vital Interests – To protect your vital interests, including the protection of your rights and freedoms.
Public Interests – Where there is an official authority of the company to carry out the processing that is in the public interest

Every processing purpose has at least one lawful basis for processing to safeguard the rights of the data subjects, as listed below:

Purpose of Processing	Lawful Basis of Processing
Providing products and services	Performance of a Contract, Consent, Legitimate Interest
Customer service, support, and service improvement	Performance of a Contract, Legitimate Interest
Marketing and promotional communications	Consent, Legitimate Interest
Job applications and employee management	Performance of a Contract, Legal Obligation, Legitimate Interest
Vendor selection, onboarding and management	Performance of a Contract, Legitimate Interest, Legal Obligation
Visitor management	Legitimate Interest, Legal Obligation, Consent

Lawful Bases for Processing Personal Data

Processing of Personal Data Based on Consent

Where applicable, Sange Solutions will require your explicit consent to process collected personal data.

Visitors to the our website are expected to read and understand the Privacy Policy, and then agreeing to the website’s terms of use. And by consenting to the privacy policy, data subjects are giving Sange Solutions the permission to use/process their personal data specifically for the purpose identified before collection.

On this ground, if you do not agree to Sange Solutions collecting and processing your personal data, you will not allowed to enjoy the company’s products(s) and service(s) where applicable.

If, for any reason, Sange Solutions is requesting sensitive personal data from its stakeholders (external and internal), the individuals will be rightly notified why and how the information will be used.

Sange Solutions does not process any data relating to persons under the age of 18 years old.

Withdrawal of Consent

Irrespective of initial consent given, you can withdraw your consent at any time by making a withdrawal of consent request directly to our data protection officer at privacy@sangesolutions.com

Sange Solutions demonstrates that you have withdrawn consent to the processing of your personal data with a written instruction from you.

Where applicable, the Data Protection Officer will inform the relevant process owner of this change, and the processing activities that relied upon the consent is stopped immediately, in accordance with the relevant process.

Marketing

We strive to ensure your consent regarding certain personal data uses, specifically in so far as marketing and advertising. We have established the following personal data control mechanisms:

Promotional offers from us: We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant to you. You will receive marketing communication from us if you have requested such information and provided express consent to receiving such information based on the use of our products and services.
Third-party marketing: We may share your personal data with any third party for marketing purposes where we believe that the marketing information from such third parties will be relevant to you and where we have obtained your prior consent.

Opting Out

You can ask us or our third parties to stop sending you marketing messages at any time by writing to us or logging into the relevant website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time through the provided contacts.
Please note that opting out of marketing messages does not affect the use of your personal data related to existing products, services, or transactions with us.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

We may disclose your personal data to other entities with the affiliates of Sange Solutions Limited, for legitimate business purposes (including offering products and services to you and operating our sites and systems), in accordance with applicable law.

In addition, we may disclose your personal data to:

Third party companies that we work with to provide services to you e.g., outsourced services, service providers who assist with IT support, and payment processing.
Third parties who are service providers acting as data processors, professional advisers including lawyers, auditors and those who provide consultancy, and legal services.
Legal authorities, when and where required by law.
In the instance of a merger or acquisition. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.

These third parties are bound by confidentiality agreements and are required to use your data only as instructed.

In situations where the processing of personal data will involve investigation of potential violations of the company’s Terms and Conditions, fraud prevention/mitigation, security issues management, and the preservation of your rights and freedom, Sange Solutions shall establish appropriate legal grounds for such data sharing and transfers.

Sange Solutions has put in place, to the best of its ability and in line with standard global practices, physical, technical, and organizational measures (including secure encryption and anonymization) to ensure the optimum protection of personal data, which also extends to data transferred or shared with third-parties.

Cross-Border Transfers

Sange Solutions may also engage third parties abroad (such as other banks, contractors, government-authorized agencies, etc.) that will receive personal data for certain purpose(s) as part of the company’s processing activities and process them on the company’s behalf. Where this is the case, Sange Solutions will enter into a Data Processing Agreement with the third party and also ask for consent if the purpose of processing was not initially stated on inception and be satisfied that the third party has adequate measures in place to protect the data against accidental or unauthorized access, use, disclosure, loss, or destruction.

In such a case where the disclosure is to third parties outside the jurisdiction of the Kenya Data Protection Act, 2019, Sange Solutions will ensure that the third party meets the core global regulatory standards prior to the transfer. This may include transferring the personal data to the third party where Sange Solutions is satisfied that the country of the recipient has adequate data protection controls established by legal or self-regulatory regime.

How long we retain your data

Sange Solutions will retain your personal data as long as the information is active on the company’s systems and necessary for Sange Solutions’ product and service delivery purposes. This retention period is verified and established with special considerations to the following areas:

The requirements of the company
The type of personal data
The purpose of processing
Lawful basis for processing
The categories of data subjects

In accordance with the company data retention policy, Sange Solutions will retain your personal data for seven (7) years after exit of relationship.

When the personal data is no longer needed or beyond the stipulated retention period, Sange Solutions will take the steps to securely delete or archive it while protecting your identity and privacy rights as the case may be.

What rights you have over your data

At any point while Sange Solutions is in possession of or processing your personal data, you have the right to:

Request a copy of the information that we hold about you
Correct the data that is inaccurate or incomplete
Ask for your data to be erased from the company’s systems/records. However, there are certain legal and regulatory obligations that may require the company to retain your information even after such a request is made. In such case, any retained information will only be used to meet legal or regulatory obligations.
Restrict processing of your personal data where certain conditions apply
Have your data transferred to another organization.
Object to certain types of processing like direct marketing
Object to automated processing like profiling, as well as the right to be subject to the legal effects of automated processing or profiling
Complain and pursue judicial review in the event that the company refuses your request under rights of access without a clear and justifiable reason as to why.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within a reasonable time. Occasionally it could take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Changes to This Privacy Policy

We reserve the right to modify, alter or otherwise update this Privacy Policy at any time, by either posting such changes, updates or modifying the Privacy Notice on our Website and/or any other of our platforms.

We will provide you with notice period of two months for any such changes to this Privacy Policy, by email at the same email address you have provided to us.

If we do not hear from you, your continued use of our products and services constitutes your acceptance of any amendment of this Privacy Policy.

Complaints

If for any reason you wish to make a complaint about how we or any of our third parties handles or have handled your personal data, or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and our Data Protection Officer.

Below are the details for each of these contacts:

Supervisory Authority – Complaint Portal: https://dataportal.odpc.go.ke/#raise

Data Protection Officer (DPO) – Email: privacy@sangesolutions.com