Legal

Privacy Policy

Last updated: April 18, 2026

Compliant with the Kenya Data Protection Act, 2019

ContextEngine Limited ("Company", "we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use ContentHub ("Service") in compliance with the Kenya Data Protection Act, 2019 ("DPA") and its subsidiary regulations.

1. Data Controller Information

For the purposes of the Kenya Data Protection Act, 2019, the Data Controller is:

ContextEngine Limited
Nairobi, Kenya
Email: support@contextengine.tech
Data Protection Officer: support@contextengine.tech

2. Legal Basis for Processing

Under Section 30 of the DPA, we process your personal data based on the following legal grounds:

  • Consent: Where you have given explicit consent for processing;
  • Contract: Where processing is necessary for the performance of our contract with you;
  • Legal Obligation: Where we are required to comply with Kenyan law;
  • Legitimate Interest: Where processing is necessary for our legitimate business interests, provided these do not override your rights.

3. Personal Data We Collect

3.1 Information You Provide

Category Examples Purpose
Account Information Name, email address, organization name Account creation and management
Authentication Data Password (encrypted), SSO tokens Secure access to Service
Payment Information M-Pesa number, billing address Processing payments
Document Content Files, documents you upload Providing the Service
Communications Support requests, feedback Customer support

3.2 Information Collected Automatically

Category Examples Purpose
Device Information IP address, browser type, device type Security and optimization
Usage Data Pages visited, features used, timestamps Service improvement
Log Data Access logs, error logs Troubleshooting and security

3.3 Sensitive Personal Data

We do not intentionally collect sensitive personal data as defined in Section 2 of the DPA (including data relating to race, health, sexual orientation, political opinion, religious belief, or genetic/biometric data). If your uploaded documents contain such information, you are responsible for ensuring you have appropriate consent and legal basis to process such data.

4. How We Use Your Personal Data

We use your personal data for the following purposes:

  1. Service Delivery: To provide, maintain, and improve ContentHub;
  2. Account Management: To create and manage your account;
  3. Communication: To send you service-related notifications, updates, and support;
  4. Security: To protect against unauthorized access and maintain data integrity;
  5. Compliance: To comply with legal obligations under Kenyan law;
  6. Analytics: To analyze usage patterns and improve user experience;
  7. Billing: To process payments and manage subscriptions.

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We may share your data with trusted third parties who assist us in operating the Service:

  • Cloud Infrastructure: For secure data storage and processing;
  • Payment Processors: For processing M-Pesa and card payments;
  • Authentication Providers: For secure single sign-on (SSO);
  • Analytics Services: For understanding Service usage.

All third-party providers are bound by data processing agreements that ensure compliance with the DPA.

5.2 Legal Requirements

We may disclose your personal data if required to do so by law or in response to valid requests by public authorities, including:

  • Court orders or legal processes;
  • Requests from the Office of the Data Protection Commissioner;
  • Law enforcement requests in accordance with applicable law;
  • To protect our rights, privacy, safety, or property.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

In accordance with Section 48 of the DPA, where we transfer personal data outside Kenya, we ensure:

  • The recipient country has adequate data protection laws; or
  • Appropriate safeguards are in place (such as Standard Contractual Clauses); or
  • You have provided explicit consent to the transfer; or
  • The transfer is necessary for the performance of our contract with you.

Our primary data processing occurs in secure data centers. Upon request, we can provide information about specific data transfer mechanisms used.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Data Type Retention Period
Account Information Duration of account + 2 years
Document Content Until deletion by user + 30 days backup
Payment Records 7 years (Kenya Tax Procedures Act)
Log Data 12 months
Support Communications 3 years

8. Your Rights Under the DPA

Under the Kenya Data Protection Act, 2019, you have the following rights:

8.1 Right to Access (Section 26)

You have the right to request a copy of the personal data we hold about you.

8.2 Right to Rectification (Section 26)

You have the right to request correction of inaccurate or incomplete personal data.

8.3 Right to Erasure (Section 26)

You have the right to request deletion of your personal data, subject to legal retention requirements.

8.4 Right to Object (Section 26)

You have the right to object to processing of your personal data for direct marketing or based on legitimate interests.

8.5 Right to Data Portability (Section 26)

You have the right to receive your personal data in a structured, commonly used, machine-readable format.

8.6 Right to Withdraw Consent (Section 32)

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

8.7 How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer at support@contextengine.tech. We will respond to your request within 30 days as required by the DPA.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256);
  • Access Controls: Role-based access control and multi-factor authentication;
  • Monitoring: Continuous security monitoring and intrusion detection;
  • Backups: Regular encrypted backups with secure storage;
  • Auditing: Comprehensive audit logs of data access;
  • Training: Regular security awareness training for staff.

10. Data Breach Notification

In accordance with Section 43 of the DPA, in the event of a personal data breach that is likely to result in high risk to your rights and freedoms, we will:

  • Notify the Office of the Data Protection Commissioner within 72 hours;
  • Notify affected data subjects without undue delay;
  • Document the breach and remedial actions taken.

11. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

12. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Essential Cookies: Required for Service functionality;
  • Analytics Cookies: To understand how users interact with the Service;
  • Preference Cookies: To remember your settings and preferences.

You can control cookie preferences through your browser settings. Note that disabling certain cookies may affect Service functionality.

13. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page;
  • Updating the "Last updated" date;
  • Sending you an email notification for significant changes.

15. Complaints

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Office of the Data Protection Commissioner
P.O. Box 30566-00100
Nairobi, Kenya
Website: www.odpc.go.ke

We encourage you to contact us first at support@contextengine.tech so we can address your concerns directly.

16. Contact Us

For any questions about this Privacy Policy or our data practices, please contact:

Data Protection Officer
ContextEngine Limited
Email: support@contextengine.tech
Phone: +254 (0) 700 000 000

General Inquiries
Email: support@contextengine.tech