Privacy Policy
Who We Are
Jansen Tech Consultancy is the technology division of Jansen Group, operating in Kenya. We design, build, and maintain technology systems — including custom software, mobile applications, enterprise platforms, data analytics infrastructure, digital transformation programmes, and document management systems — for businesses, institutions, and organisations across East Africa.
When this policy refers to “Jansen Tech,” “we,” “us,” or “our,” it means Jansen Tech Consultancy operating as a division of Jansen Group.
We can be reached at: privacy@jansentech.co.ke
What This Policy Covers
This policy covers two distinct categories of data activity that Jansen Tech is involved in.
The first is data we collect about you as a visitor, enquirer, or client through our website and business operations. This is data we control — we decide how it is collected, stored, and used.
The second is data we process on your behalf as part of delivering a technology engagement. When we build or maintain a system that handles your organisation’s operational data — customer records, financial transactions, staff information, health data, or any other dataset — we act as a data processor under your instruction. That relationship is governed by a separate Data Processing Agreement (DPA), which is issued at the start of every client engagement. This policy sets the baseline standards that underpin every DPA we issue.
Both categories are covered here. If anything in a specific DPA conflicts with this policy, the DPA takes precedence for that engagement.
What Information We Collect About You
When you visit our website or make an enquiry, we collect the information you provide directly — your name, email address, phone number, job title, and organisation. We also collect the content of any form submission, message, or project description you send us, and any files or documents you attach.
When you become a client, we additionally collect information necessary to deliver your engagement — technical documentation, system architecture decisions, access credentials shared under confidentiality, billing and payment details, and all project correspondence.
When you visit our website, we automatically collect your IP address, browser and device type, pages visited, time spent on each page, and referral source. This is collected through web analytics tools and, where enabled, cookies.
We do not collect sensitive personal data — such as health information, biometric data, or financial account numbers — about website visitors or enquirers. Where such data is encountered within a client engagement, it is handled under the specific provisions of the applicable DPA and treated with the highest level of protection.
Why We Collect It
We collect and use your information for the following purposes:
To evaluate your enquiry and determine how we can help. To scope, design, build, test, and deliver the technology engagement you have contracted us for. To communicate with you throughout a project — progress updates, technical decisions, approvals, and handovers. To process invoices and payments. To maintain accurate records of our work, which may be required for audit, dispute resolution, or legal compliance. To improve our website using anonymised analytics. To contact you about services directly relevant to a prior or ongoing engagement, where you have not objected.
We do not use your data for profiling, automated decision-making with significant effects, or any form of advertising targeting. We do not sell your data. Ever.
When We Build Systems For You
When Jansen Tech builds or operates a system that processes personal data belonging to your customers, employees, or users, we act as a data processor. You remain the data controller — meaning you determine the purpose and legal basis for that processing, and we act only under your documented instructions.
Our obligations as a data processor include processing data only as instructed in the DPA, implementing appropriate technical and organisational security measures, not engaging sub-processors without your prior written consent, assisting you in responding to data subject rights requests relating to your system, notifying you without undue delay in the event of a data breach, and deleting or returning all data at the end of the engagement as instructed.
If your system handles health records, financial data, children’s data, biometric information, or any other category of sensitive personal data, this will be explicitly addressed in the DPA with additional protective measures.
Every technology engagement at Jansen Tech begins with a data mapping exercise as part of our diagnostic process. We identify what data the system will touch, who will have access to it, how it will move, and where it will be stored — before a single line of code is written.
Legal Basis for Processing
We process personal data under the Kenya Data Protection Act 2019. Where our clients operate under or are subject to other data protection frameworks — including the EU General Data Protection Regulation (GDPR), the UK GDPR, or South Africa’s POPIA — we are familiar with those frameworks and can build systems and processes that support your compliance obligations under them.
Our own processing activities are grounded in the following legal bases: your consent where you have actively submitted information to us; the performance of a contract where processing is necessary to deliver our services; our legitimate interests in operating a secure and effective consultancy practice; and legal obligation where Kenyan law requires us to retain or produce records.
How We Protect Your Data
Security is a foundation at Jansen Tech. Every system we build and every client relationship we hold is subject to the following baseline security standards.
Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted on all cloud and hosted infrastructure we manage. Access to client data is granted on a strict need-to-know basis, with role-based access controls enforced across all projects. All Jansen Tech staff and contractors are required to operate under confidentiality agreements. We conduct security reviews at key stages of every build. Systems we deliver include documented security recommendations for the client’s ongoing operations.
For clients who require formal security assurance, we can conduct or facilitate vulnerability assessments, penetration testing, and compliance reviews as part of or alongside an engagement.
In the event of a security incident affecting your data, we will notify you within 72 hours of becoming aware of it, consistent with best practice and applicable legal requirements.
Where Your Data Is Stored
Our own business data — enquiries, client records, project documentation — is stored on cloud infrastructure hosted within or with providers operating under adequate data protection standards. We use reputable providers with established security certifications.
For client systems we build, data residency is determined during the architecture phase of the engagement. Where Kenyan data sovereignty is a requirement — for regulated industries including financial services, healthcare, and government — we design for local or hybrid infrastructure from the outset, not as an afterthought.
We do not transfer personal data outside Kenya or to jurisdictions without adequate data protection frameworks unless this has been explicitly agreed and documented in the applicable DPA.
How Long We Keep It
Enquiry and pre-engagement records are retained for 24 months from the date of last contact. Active client engagement records — contracts, project files, technical documentation, correspondence — are retained for a minimum of 7 years from project completion, in line with Kenyan legal and financial record-keeping requirements. Source code, system documentation, and handover materials are transferred to the client at project completion and removed from our systems unless a maintenance agreement is in place. Post-engagement maintenance and support records are retained for the duration of the support agreement plus 3 years. Website analytics data is held in anonymised form indefinitely and in identifiable form for no longer than 26 months.
Who We Share It With
We share your information only where necessary and only with parties bound by appropriate confidentiality and data protection obligations.
This includes cloud infrastructure and hosting providers who store data on our behalf, development tools and project management platforms used to deliver engagements, accounting and payment processing platforms for billing purposes, and legal or professional advisors where required under strict confidentiality.
We do not share client data with any third party for commercial, marketing, or research purposes. We do not share your data with other clients. We do not use client engagement data to train AI models or improve any product beyond your own engagement.
If we are required to disclose data by Kenyan law, a court order, or a regulator, we will notify you to the extent legally permitted before complying.ally permitted before complying.
Cookies
Our website uses a minimal set of cookies. Essential cookies are necessary for the site to function correctly and are always active. Analytics cookies, where enabled, help us understand how visitors use our site in aggregate — this data is anonymised and not linked to any individual. We do not use advertising cookies, retargeting pixels, or any third-party tracking for commercial purposes.
You can manage your cookie preferences on your first visit to the site or at any time through your browser settings.
Your Rights
Under the Kenya Data Protection Act 2019, you have the right to know what personal data we hold about you, to access that data, to correct inaccuracies, to request deletion subject to our legal retention obligations, to restrict or object to certain processing, to data portability where feasible, and to withdraw consent where consent was the basis for processing.
To exercise any of these rights, contact us at privacy@jansentech.co.ke. We will acknowledge your request within 5 business days and respond in full within 30 days. We may ask you to verify your identity before acting on a request.
If you believe we have handled your data improperly, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya at www.odpc.go.ke..
Changes to This Policy
We review this policy at least annually and update it when our services, legal obligations, or data practices change. The effective date at the top of this page reflects the current version. Active clients will be notified directly of any material changes that affect their engagement.
Contact
Jansen Tech Consultancy — Data & Privacy Email: privacy@jansentech.co.ke Location: Nairobi, Kenya
For data processing enquiries specific to an active client engagement, please contact your project lead directly or write to the address above with your organisation name and project reference.