Privacy Policy

Welcome to Mshindi Labs' Privacy Policy. This policy explains how we collect, use, store, protect, and share your personal data when you interact with our services. **Who We Are:** Mshindi Labs is a custom software development and technology consulting firm registered and operating in accordance with the laws of the Republic of Kenya. We are committed to protecting your privacy and handling your personal data in accordance with the Data Protection Act, 2019 (No. 24 of 2019) and other applicable data protection laws. **Registration:** • Registered with the Office of the Data Protection Commissioner of Kenya • Registration Number: [DPR/XXX/XXXX] (renewal due every 3 years) • Data Protection Officer appointed and contactable at: tech@mshindilabs.com **Scope of This Policy:** This Privacy Policy applies to: • Personal data collected through our website (mshindilabs.com) • Information provided during consulting engagements • Data processed in the course of delivering software development services • Communications via email, phone, or other channels • Data collected through cookies and similar technologies This policy applies to all individuals whose personal data we process, including: • Prospective and current clients • Website visitors • Service users and end-users of client applications • Business contacts and partners • Job applicants • Contractors and suppliers **Our Commitment:** We are committed to: • Transparency in our data processing activities • Protecting your privacy rights • Complying with all applicable data protection laws • Implementing appropriate security measures • Respecting your choices regarding personal data Please read this policy carefully. If you do not agree with this policy, please do not use our services or provide us with your personal data.

We collect and process various categories of personal data depending on your relationship with us and the services we provide. **2.1 Information You Provide Directly:** **Contact and Account Information:** • Full name and professional title • Email address and phone number • Company name and business address • Job title and department • LinkedIn profile or professional social media **Business and Project Information:** • Project requirements and specifications • Business objectives and challenges • Budget and timeline preferences • Technical environment details • Stakeholder information **Communication Records:** • Correspondence via email, phone, or messaging platforms • Meeting notes and discussion records • Feedback and support requests • Contract negotiations and agreements **Payment and Billing Information:** • Billing address and contact details • Payment method information (processed through secure third-party providers) • Tax identification numbers (TIN, VAT registration) • Purchase orders and invoicing details • Payment history and transaction records **Employment and Recruitment Data (for job applicants):** • CV/Resume and cover letter • Educational qualifications and certifications • Employment history and references • Portfolio or work samples • Interview notes and assessments **2.2 Information Collected Automatically:** **Website Usage Data:** • IP address and device identifiers • Browser type and version • Operating system • Pages visited and time spent • Referral sources and exit pages • Date and time of access • Click-stream data and navigation patterns **Technical and Device Information:** • Device type (desktop, mobile, tablet) • Screen resolution and display settings • Language preferences • Time zone • Connection information (ISP, network type) **Cookies and Tracking Technologies:** • Session cookies for functionality • Analytics cookies for usage patterns • Performance cookies for optimization • Marketing cookies for targeting (with consent) See Section 13 for detailed cookie information. **2.3 Information from Third Parties:** **Business Information Providers:** • Company registry data (public records) • Professional networking platforms (LinkedIn) • Business verification services **Payment Processors:** • Transaction confirmation data • Payment status information • Fraud prevention data **Service Integration Partners:** • Authentication services (OAuth providers) • Communication platforms (email, video conferencing) • Project management tools **2.4 Sensitive Personal Data:** We generally do not collect sensitive personal data (as defined by the Data Protection Act, 2019) unless specifically required for service delivery and with your explicit consent. This may include: • Health information (only if relevant to project accommodations) • Biometric data (only if implementing biometric systems for clients) • Criminal records (only for security clearance where legally required) Any collection of sensitive personal data will be clearly identified, and separate explicit consent will be obtained. **2.5 Children's Data:** Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately so we can take appropriate action to remove such information.

We process your personal data only for specific, legitimate purposes in accordance with the Data Protection Act, 2019. Here's how and why we use your information: **3.1 Service Delivery and Contract Performance:** • Providing custom software development services • Delivering technology consulting and advisory services • Managing client relationships and projects • Communicating about project status, milestones, and deliverables • Providing technical support and maintenance • Training and knowledge transfer • Implementing and deploying solutions Legal Basis: Contractual necessity and legitimate business interests **3.2 Business Operations:** • Processing invoices and managing payments • Managing accounts and client records • Contract negotiation and administration • Vendor and supplier management • Internal record-keeping and reporting • Quality assurance and service improvement • Risk management and compliance Legal Basis: Contractual necessity, legal obligations, and legitimate business interests **3.3 Communication and Marketing:** • Responding to inquiries and requests • Sending service updates and announcements • Sharing industry insights, case studies, and thought leadership • Marketing our services to prospective clients • Conducting client satisfaction surveys • Event invitations and networking opportunities Legal Basis: Consent (for marketing), legitimate business interests, and contractual necessity Note: You can opt-out of marketing communications at any time by clicking "unsubscribe" in our emails or contacting us directly. **3.4 Website and Platform Operations:** • Operating and maintaining our website • Personalizing user experience • Analyzing website usage and performance • Improving website functionality and security • Troubleshooting technical issues • Preventing fraud and unauthorized access Legal Basis: Legitimate business interests and consent (for cookies) **3.5 Legal and Compliance:** • Complying with legal and regulatory obligations • Responding to legal requests and court orders • Protecting our rights and defending legal claims • Preventing fraud, illegal activities, and security threats • Enforcing our Terms of Service • Tax reporting and financial compliance (KRA requirements) Legal Basis: Legal obligations and legitimate business interests **3.6 Analytics and Improvement:** • Analyzing service usage patterns • Measuring service effectiveness and client satisfaction • Identifying areas for improvement • Developing new services and features • Benchmarking and performance metrics • Research and development activities Legal Basis: Legitimate business interests and consent **3.7 Recruitment and Human Resources:** • Evaluating job applications • Conducting interviews and assessments • Making hiring decisions • Managing employment relationships • Professional development and training Legal Basis: Contractual necessity (pre-employment) and legal obligations (employment) **3.8 Data Retention for Lawful Purposes:** We will only retain personal data for as long as necessary to fulfill the purposes for which it was collected, including: • Active client relationships: Duration of engagement plus 7 years for legal compliance • Prospective clients: 3 years from last contact • Website users: As per cookie settings (typically 1-2 years) • Job applicants: 1 year from application date • Accounting records: 7 years as required by Kenya Revenue Authority • Legal documents: 10 years or as required by law **3.9 Automated Decision-Making:** We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any automated processing (such as analytics) is used only for operational improvements and reporting, not for decisions affecting individuals.

Under the Data Protection Act, 2019, we must have a valid legal basis for processing your personal data. We rely on the following legal grounds: **4.1 Consent:** Where we rely on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal. Examples: • Marketing communications and newsletters • Non-essential cookies and tracking • Participation in surveys and research • Sharing testimonials or case studies • Processing sensitive personal data How to withdraw consent: • Click "unsubscribe" in marketing emails • Adjust cookie preferences on our website • Contact us at tech@mshindilabs.com **4.2 Contractual Necessity:** Processing necessary for the performance of a contract with you or to take steps at your request before entering into a contract. Examples: • Delivering software development services • Project management and communication • Invoicing and payment processing • Providing technical support • Fulfilling service agreements **4.3 Legal Obligation:** Processing necessary to comply with legal or regulatory obligations under Kenyan or international law. Examples: • Tax reporting (Kenya Revenue Authority requirements) • Data protection registration (Data Commissioner) • Anti-money laundering checks • Retention of financial records (7 years) • Responding to lawful requests from authorities • Employment law compliance **4.4 Legitimate Interests:** Processing necessary for our legitimate business interests or those of a third party, except where overridden by your fundamental rights and freedoms. Examples: • Improving our services and website • Preventing fraud and security threats • Network and information security • Internal administration and reporting • Business development and marketing to businesses (B2B) • Enforcing legal rights Balancing Test: We have assessed that these interests are not overridden by your rights, given the nature of our business services and the safeguards we implement. **4.5 Vital Interests:** Processing necessary to protect someone's life (rarely applicable in our context). **4.6 Public Interest:** Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority (generally not applicable to our commercial operations). **Right to Object:** You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

We respect the confidentiality of your personal data and only share it with third parties in the following circumstances: **5.1 Service Providers and Processors:** We engage trusted third-party service providers to perform functions on our behalf. These providers are contractually bound to process data only as instructed and maintain appropriate security measures. **Categories of Service Providers:** **Cloud Infrastructure and Hosting:** • Amazon Web Services (AWS) - Cloud hosting and storage • Google Cloud Platform - Computing and storage services • Microsoft Azure - Cloud services and hosting • Digital Ocean - Server hosting Data location: Kenya (primary), with redundancy in EU/US data centers **Communication and Collaboration:** • Google Workspace - Email and productivity tools • Slack/Microsoft Teams - Internal communications • Zoom/Google Meet - Video conferencing • SendGrid/Mailgun - Transactional email delivery **Payment Processing:** • Stripe - Online payment processing • PayPal - International payments • M-PESA (Safaricom) - Mobile money (Kenya) • Flutterwave - African payment processing Note: Payment processors handle sensitive payment data directly; we do not store full credit card details. **Analytics and Performance:** • Google Analytics - Website analytics • Hotjar - User experience analytics • Sentry - Error tracking and monitoring **Security and Compliance:** • CloudFlare - DDoS protection and CDN • Auth0 - Authentication services • HackerOne - Security testing • Norton/Symantec - Security software **Development and Project Management:** • GitHub - Code repository • Jira/Asana - Project management • Figma - Design collaboration **5.2 Client-Authorized Sharing:** When providing services, we may share data with third parties as specifically authorized by you or required for service delivery: • Client's designated systems and platforms • Client's IT infrastructure and networks • Integration partners and APIs specified by client • Client's other vendors and service providers **5.3 Business Transfers:** In the event of a merger, acquisition, reorganization, asset sale, or similar transaction, personal data may be transferred to the acquiring entity, subject to: • Notification to affected individuals • Continued compliance with this Privacy Policy • Due diligence on data protection practices of the acquiring entity **5.4 Legal and Regulatory Disclosure:** We may disclose personal data when required or permitted by law: **Kenyan Authorities:** • Office of the Data Protection Commissioner • Kenya Revenue Authority (tax compliance) • National Police Service / Directorate of Criminal Investigations • Courts and judicial authorities • Competition Authority of Kenya **International Authorities:** • Interpol (for international criminal matters) • Foreign law enforcement (through official channels) • International arbitration bodies **Circumstances for Legal Disclosure:** • Valid court orders or subpoenas • Legal proceedings or litigation • National security or public safety concerns • Fraud investigation and prevention • Enforcement of our rights and Terms of Service • Protection of safety and property **5.5 Professional Advisors:** We may share data with professional advisors including: • Legal counsel (attorney-client privilege) • Accountants and auditors • Insurance providers • Business consultants • Tax advisors **5.6 Business Partners (with Consent):** With your explicit consent, we may share data with: • Co-marketing partners • Event co-hosts • Technology alliance partners • Referral partners **5.7 Aggregated and Anonymized Data:** We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you: • Industry benchmarks and reports • Market research and analysis • Public presentations and publications • Statistical reporting This data is not considered personal data and is not subject to this Privacy Policy. **5.8 Cross-Border Data Transfers:** **Data Localization Compliance:** In accordance with the Data Protection Act, 2019, we maintain at least one serving copy of personal data on servers or data centers physically located within Kenya. **International Transfers:** When transferring personal data outside Kenya, we ensure adequate safeguards through: • Standard Contractual Clauses approved by the Data Protection Commissioner • Adequacy decisions recognizing equivalent data protection standards • Explicit consent for specific transfers • Notification to the Office of the Data Protection Commissioner as required **Transfer Safeguards:** • Encryption of data in transit (TLS 1.3) • Contractual data protection obligations • Regular audits of data processing practices • Right to request details of international transfers **No Onward Transfer:** Our service providers are prohibited from further transferring personal data without explicit authorization and appropriate safeguards. **Third-Party Responsibilities:** While we carefully select service providers and impose contractual obligations, we are not responsible for their independent data processing activities beyond our instructions. We encourage you to review their privacy policies.

We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. **6.1 Technical Security Measures:** **Encryption:** • Data in transit: TLS 1.3 encryption for all data transmissions • Data at rest: AES-256 encryption for stored data • Database encryption: Encrypted database storage • Backup encryption: Encrypted backup archives **Access Controls:** • Multi-factor authentication (MFA) for all systems • Role-based access control (RBAC) limiting data access • Principle of least privilege - minimum necessary access • Strong password policies (minimum 12 characters, complexity requirements) • Single Sign-On (SSO) for centralized authentication • Regular access reviews and deprovisioning **Network Security:** • Firewall protection on all networks and systems • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) • Virtual Private Networks (VPN) for remote access • Network segmentation isolating sensitive systems • DDoS protection through CloudFlare • Regular vulnerability scanning and penetration testing **Application Security:** • Secure Software Development Lifecycle (SSDLC) • OWASP Top 10 security controls • Regular security code reviews • Automated security scanning in CI/CD pipeline • Input validation and sanitization • SQL injection and XSS protection • Content Security Policy (CSP) headers **Infrastructure Security:** • Hardened server configurations • Automated security patching • Container security (Docker/Kubernetes) • Regular security updates and patches • Infrastructure as Code (IaC) security scanning • Cloud security best practices (AWS/GCP/Azure) **6.2 Organizational Security Measures:** **Policies and Procedures:** • Comprehensive Information Security Policy • Data Classification and Handling Procedures • Incident Response and Breach Notification Plan • Business Continuity and Disaster Recovery Plan • Secure Development Policy • Acceptable Use Policy • Clean Desk and Clear Screen Policy **Employee Security:** • Background checks for all employees (as permitted by law) • Confidentiality and non-disclosure agreements • Regular security awareness training (quarterly) • Phishing simulation exercises • Security onboarding and offboarding procedures • Limited access to personal data on need-to-know basis **Vendor Management:** • Security assessments of service providers • Data Processing Agreements with all processors • Regular vendor security reviews • Contractual security obligations • Right to audit vendor security practices **Physical Security:** • Secure office premises with access control • Visitor management and logging • CCTV surveillance in sensitive areas • Secure document disposal (shredding) • Equipment security and tracking • Environmental controls (fire suppression, power backup) **6.3 Monitoring and Detection:** **Security Monitoring:** • 24/7 security monitoring and logging • Security Information and Event Management (SIEM) • Automated threat detection and alerting • Anomaly detection and behavioral analysis • Failed login attempt monitoring • Data exfiltration detection **Audit Logging:** • Comprehensive audit trails of data access • Immutable logs protected from tampering • Log retention for 2 years minimum • Regular log review and analysis • Compliance with audit requirements **6.4 Incident Response:** **Incident Response Plan:** • Dedicated incident response team • 24/7 security incident hotline • Defined escalation procedures • Communication protocols • Forensic investigation capabilities • Post-incident review and improvement **Breach Notification:** In the event of a personal data breach, we will: • Notify the Data Protection Commissioner within 72 hours of becoming aware • Notify affected individuals without undue delay if high risk to rights and freedoms • Document the breach, effects, and remedial actions taken • Cooperate with regulatory investigations • Implement corrective measures to prevent recurrence See Section 12 for detailed breach notification procedures. **6.5 Testing and Validation:** **Security Testing:** • Annual penetration testing by independent security firms • Quarterly vulnerability assessments • Continuous security scanning • Code security reviews • Social engineering testing • Disaster recovery testing **Certifications and Compliance:** We maintain alignment with: • ISO 27001 Information Security Management • OWASP Application Security Verification Standard • CIS Controls and Benchmarks • NIST Cybersecurity Framework • PCI DSS (for payment processing) **6.6 Secure Disposal:** **Data Destruction:** When personal data is no longer needed: • Secure deletion using DoD 5220.22-M standard (7-pass overwrite) • Physical destruction of storage media • Certificate of destruction for sensitive data • Audit trail of disposal activities • Secure deletion of backup copies **6.7 Limitations:** While we implement comprehensive security measures, no system is 100% secure. We cannot guarantee absolute security, but we commit to: • Implementing industry-leading security practices • Regularly reviewing and updating security measures • Promptly addressing identified vulnerabilities • Transparent communication about security incidents **Your Responsibility:** You also play a role in protecting your data: • Keep login credentials confidential • Use strong, unique passwords • Enable multi-factor authentication where available • Report suspected security incidents promptly • Keep your devices and software updated • Be cautious of phishing attempts **6.8 Security by Design:** We incorporate security considerations from the earliest stages of: • System design and architecture • Software development • Business process design • Vendor selection • Product development This "security by design" approach ensures protection is built-in, not bolted-on.

Under the Data Protection Act, 2019 and the Constitution of Kenya (Article 31 - Right to Privacy), you have comprehensive rights regarding your personal data. **7.1 Right to Be Informed:** You have the right to clear, transparent information about: • What personal data we collect • How we use your data • Who we share your data with • How long we retain your data • Your rights and how to exercise them • How to complain to the Data Protection Commissioner This Privacy Policy serves as our primary transparency mechanism. **7.2 Right of Access (Subject Access Request):** You have the right to obtain: • Confirmation of whether we process your personal data • Copy of your personal data in our possession • Information about processing purposes, categories, and recipients • Data retention period or criteria • Information about data sources • Details of any automated decision-making **How to Exercise:** Submit a written request to tech@mshindilabs.com or contact@mshindilabs.com with: • Your full name and contact details • Description of the information requested • Proof of identity (copy of national ID, passport, or other government-issued ID) **Response Timeline:** We will respond within 30 days of receiving a valid request. This may be extended by 2 months for complex requests, with notification and explanation. **Cost:** The first copy is provided free of charge. Additional copies or manifestly unfounded/excessive requests may incur a reasonable administrative fee. **7.3 Right to Rectification:** You have the right to have inaccurate personal data corrected or incomplete data completed. **How to Exercise:** • Email tech@mshindilabs.com with corrections • Specify which data is inaccurate and provide correct information • Provide supporting evidence where appropriate We will respond within 30 days and notify any third parties to whom data was disclosed (unless impossible or involves disproportionate effort). **7.4 Right to Erasure ("Right to be Forgotten"):** You have the right to request deletion of your personal data when: • Data is no longer necessary for the purpose collected • You withdraw consent (where consent was the legal basis) • You object to processing and no overriding legitimate grounds exist • Data has been unlawfully processed • Erasure is required for legal compliance • Data relates to a child (under 18) **Limitations:** We may refuse erasure where processing is necessary for: • Exercising freedom of expression and information • Compliance with legal obligations • Public interest or official authority tasks • Public health purposes • Archiving, research, or statistical purposes • Establishment, exercise, or defense of legal claims **How to Exercise:** Submit a written request to tech@mshindilabs.com explaining the grounds for erasure. **7.5 Right to Restrict Processing:** You have the right to request restriction of processing when: • You contest the accuracy of personal data (for period enabling verification) • Processing is unlawful but you oppose erasure • We no longer need the data but you need it for legal claims • You have objected to processing (pending verification of legitimate grounds) **Effect of Restriction:** Data will be stored but not processed, except: • With your consent • For legal claims • For protection of another person's rights • For important public interest reasons **How to Exercise:** Email tech@mshindilabs.com with your restriction request and grounds. **7.6 Right to Data Portability:** You have the right to receive personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. **Conditions:** • Processing is based on consent or contract • Processing is carried out by automated means **Covered Data:** • Data you provided directly to us • Data generated through your use of services **Not Covered:** • Data derived or inferred from your data • Data that adversely affects others' rights and freedoms **Format:** We will provide data in JSON or CSV format (or other mutually agreed format). **How to Exercise:** Email tech@mshindilabs.com specifying: • What data you want to receive • Preferred format • Whether you want us to transmit directly to another controller (if technically feasible) **7.7 Right to Object:** You have the right to object to processing based on: • Legitimate interests (including profiling) • Performance of public interest tasks • Direct marketing (including profiling for marketing) • Scientific/historical research or statistics **Direct Marketing:** You have an absolute right to object to direct marketing at any time. We will cease processing immediately. **Other Processing:** We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for legal claims. **How to Exercise:** • For marketing: Click "unsubscribe" in emails or email tech@mshindilabs.com • For other processing: Email tech@mshindilabs.com with your objection and grounds **7.8 Rights Related to Automated Decision-Making:** You have the right not to be subject to automated decision-making, including profiling, that produces legal effects or similarly significantly affects you. **Our Practice:** We do not engage in automated decision-making with legal or significant effects. Any automated processing we use (analytics, etc.) does not make decisions about individuals. **7.9 Right to Withdraw Consent:** Where processing is based on consent, you have the right to withdraw consent at any time, as easily as consent was given. **Effect:** Withdrawal does not affect lawfulness of processing before withdrawal. We may continue processing on other legal bases (contract, legal obligation, etc.). **How to Withdraw:** • Click "unsubscribe" in marketing emails • Adjust cookie preferences on website • Email tech@mshindilabs.com • Contact us via any communication channel **7.10 Right to Lodge a Complaint:** You have the right to lodge a complaint with the supervisory authority: **Office of the Data Protection Commissioner** P.O. Box 63327 – 00619 Nairobi, Kenya Tel: +254 (020) 2604381 Email: info@odpc.go.ke Website: www.odpc.go.ke **Office Hours:** Monday - Friday: 8:00 AM - 5:00 PM (EAT) **Complaint Process:** 1. Submit complaint in writing (email or physical) 2. Include details of alleged violation 3. Provide supporting evidence 4. Data Commissioner will investigate 5. Resolution or enforcement action **Our Commitment:** We prefer to resolve concerns directly. Please contact us first at tech@mshindilabs.com before escalating to the Data Commissioner. We commit to responding promptly and addressing your concerns in good faith. **7.11 How to Exercise Your Rights:** **Primary Contact:** Email: tech@mshindilabs.com Subject Line: "Data Protection Rights Request - [Specify Right]" **Required Information:** • Your full name • Contact information (email, phone) • Proof of identity • Specific right you're exercising • Clear description of your request • Preferred communication method for response **Response Timeline:** • Acknowledgment within 5 business days • Substantive response within 30 days • Extension up to 2 additional months for complex requests (with notification) **No Fee:** Exercising your rights is free, except: • Manifestly unfounded or excessive requests • Additional copies beyond the first (reasonable administrative fee) **Refusal:** If we refuse your request, we will explain why and inform you of your right to complain to the Data Commissioner. **Verification:** We may request additional information to verify your identity before fulfilling requests, to protect against fraudulent requests.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, regulatory, tax, accounting, and reporting requirements. **8.1 Retention Periods by Category:** **Active Client Data:** • Duration: Length of active business relationship • Plus: 7 years after relationship ends • Rationale: Contract performance, legal compliance, audit requirements **Prospective Client Data:** • Duration: 3 years from last meaningful interaction • Rationale: Business development, legitimate interests • Deletion: Automated deletion after 3 years of inactivity **Website Users and Cookies:** • Session cookies: Deleted when browser closes • Analytics cookies: 1-2 years (based on cookie settings) • Marketing cookies: Until consent withdrawn or 2 years • IP addresses and logs: 12 months **Contract and Project Documentation:** • Duration: 10 years after project completion • Rationale: Legal compliance, dispute resolution, professional liability • Applicable Laws: Law of Limitation Act (Cap. 22) - 6 year limitation period **Financial and Accounting Records:** • Duration: 7 years from end of relevant tax year • Rationale: Kenya Revenue Authority (KRA) requirements • Applicable Laws: Tax Procedures Act, 2015 and Income Tax Act **Invoices and Payment Records:** • Duration: 7 years • Rationale: KRA audit requirements, VAT compliance • Format: Electronic or physical records **Employee and Contractor Records:** • Active employment: Duration of employment • Post-employment: 7 years after termination • Rationale: Employment law compliance, pension, reference requests **Job Application Data:** • Unsuccessful applicants: 1 year from application • Rationale: Consideration for future opportunities • Deletion: Automated deletion after 1 year unless consent for longer retention **Communication Records:** • Email: 3-7 years depending on content and context • Project communications: Retained with project documentation • Marketing communications: Until unsubscribe + 30 days **Legal and Compliance Records:** • Litigation files: 10 years after case closure • Regulatory correspondence: 7 years • Data breach records: 5 years • Audit reports: 7 years **Security and Audit Logs:** • System access logs: 2 years • Security incident logs: 5 years • Rationale: Security monitoring, forensic investigation, compliance **Consent Records:** • Duration: Proof of consent maintained for length of processing + 3 years • Purpose: Demonstrate compliance with consent requirements **8.2 Retention Criteria:** We determine retention periods based on: • Purpose of data collection • Nature and sensitivity of personal data • Legal and regulatory requirements • Statute of limitations periods • Industry best practices • Potential for legal claims • Operational business needs **8.3 Secure Deletion:** Upon expiry of retention periods, we securely delete or anonymize personal data: **Electronic Data:** • Secure deletion using DoD 5220.22-M standard • Overwriting with multiple passes • Deletion from all systems including backups • Verification of deletion completion • Certificate of destruction for sensitive data **Physical Records:** • Shredding using cross-cut shredders • Secure disposal through certified vendors • Certificate of destruction maintained **Backup Data:** Data in backups will be deleted when: • Backups reach retention expiry • Backups are cycled/rotated • Manual deletion is requested and feasible Note: Immediate deletion from backups may not be technically feasible; backup data will be deleted within the backup retention cycle (typically 90 days to 1 year). **8.4 Data Minimization:** We practice ongoing data minimization: • Regular reviews of data holdings (annual) • Deletion of unnecessary data • Anonymization where full identification not required • Aggregation for statistical purposes • Pseudonymization where appropriate **8.5 Legal Holds:** Retention periods may be extended when: • Litigation or investigation is reasonably anticipated • Regulatory inquiry is ongoing • Data is subject to a legal hold order • Dispute resolution is in progress Data subject to legal holds will be securely retained until release of the hold. **8.6 Your Right to Request Deletion:** Regardless of standard retention periods, you may request deletion of your personal data under the Right to Erasure (see Section 7.4), subject to legal limitations and obligations that may require continued retention. **8.7 Retention Schedule Review:** We review and update our retention schedules annually to ensure: • Compliance with current legal requirements • Alignment with business needs • Consistency with data protection principles • Incorporation of new data categories **8.8 Archiving:** For long-term retention requirements: • Data may be archived to secure offline storage • Access is restricted and logged • Encryption applied to archived data • Periodic integrity checks performed • Secure destruction at end of retention period

Our website uses cookies and similar technologies to provide functionality, analyze usage, and improve your experience. **9.1 What Are Cookies:** Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently and provide information to website owners. **9.2 Types of Cookies We Use:** **Strictly Necessary Cookies:** These cookies are essential for website operation and cannot be disabled. • Session management cookies • Authentication cookies • Security cookies • Load balancing cookies Purpose: Enable core functionality, maintain sessions, prevent fraud Duration: Session or up to 24 hours Legal Basis: Legitimate interest (website operation) **Performance and Analytics Cookies:** These cookies collect information about how visitors use our website. **Google Analytics:** • Purpose: Understand website usage, visitor behavior, traffic sources • Data Collected: Pages visited, time spent, referral sources, device type, IP address (anonymized) • Duration: 1-2 years • Provider: Google LLC • Opt-out: Available through browser settings or Google Analytics Opt-out Browser Add-on • Privacy Policy: https://policies.google.com/privacy **Hotjar:** • Purpose: Understand user experience through heatmaps and session recordings • Data Collected: Mouse movements, clicks, scroll behavior, form interactions (sensitive data masked) • Duration: 1 year • Provider: Hotjar Ltd. • Privacy Policy: https://www.hotjar.com/legal/policies/privacy Legal Basis: Consent (obtained via cookie banner) **Functional Cookies:** These cookies enable enhanced functionality and personalization. • Language preference cookies • Display preference cookies (theme, layout) • Recently viewed items • User interface settings Purpose: Remember your choices and provide enhanced experience Duration: 1 year Legal Basis: Consent or legitimate interest **Marketing and Advertising Cookies:** These cookies track your activity to deliver relevant advertising. • Google Ads • LinkedIn Insight Tag • Facebook Pixel Purpose: Deliver targeted advertising, measure ad effectiveness, retargeting Duration: 1-2 years Legal Basis: Explicit consent (obtained via cookie banner) **Note:** We only use marketing cookies if you explicitly consent via our cookie banner. **9.3 Cookie Management:** **Cookie Banner:** On your first visit, you'll see a cookie banner where you can: • Accept all cookies • Accept only necessary cookies • Customize cookie preferences by category • Review detailed information about each cookie type **Cookie Settings:** You can change your cookie preferences at any time by: • Clicking "Cookie Settings" in the website footer • Using the cookie preference center • Adjusting browser settings (see below) **Browser Controls:** You can control cookies through browser settings: **Google Chrome:** Settings > Privacy and Security > Cookies and other site data **Mozilla Firefox:** Settings > Privacy & Security > Cookies and Site Data **Safari:** Preferences > Privacy > Cookies and website data **Microsoft Edge:** Settings > Privacy, search, and services > Cookies and site data **Blocking Cookies:** You can block all cookies through browser settings, but this may affect website functionality. **9.4 Other Tracking Technologies:** **Web Beacons (Pixels):** Small transparent image files that track email opens and webpage visits. Use: Email campaign effectiveness, webpage analytics Opt-out: Block images in email client **Local Storage:** HTML5 local storage for maintaining data in your browser. Use: Caching for performance, preserving user preferences Management: Clear through browser settings **Device Fingerprinting:** We do NOT use device fingerprinting or other covert tracking methods. **9.5 Third-Party Cookies:** Some cookies are set by third-party services we use: • Video embeds (YouTube, Vimeo) • Social media plugins (LinkedIn, Twitter) • Content delivery networks We do not control these third-party cookies. Please review their privacy policies: • YouTube: https://policies.google.com/privacy • LinkedIn: https://www.linkedin.com/legal/privacy-policy • Twitter: https://twitter.com/privacy **9.6 Do Not Track (DNT):** Currently, there is no universally accepted standard for responding to Do Not Track signals. We do not currently respond to DNT signals, but you can control tracking through cookie preferences and browser settings. **9.7 Cookie Consent Management:** **Consent Recording:** We record your cookie preferences including: • Date and time of consent • Cookies accepted/rejected • IP address (hashed) • User agent **Consent Duration:** Your consent is valid for 12 months, after which you'll be asked to confirm preferences again. **Withdrawal of Consent:** You can withdraw consent at any time through: • Cookie settings in website footer • Browser cookie deletion • Email tech@mshindilabs.com **9.8 Mobile Applications:** If we develop mobile applications in the future, they may use: • Device identifiers (IDFA, AAID) • Mobile analytics SDKs • Push notification tokens Separate privacy notices and consent mechanisms will be provided in mobile apps. **9.9 Cookie List:** For a detailed list of specific cookies used on our website, including names, purposes, and durations, please visit our Cookie Policy page or contact tech@mshindilabs.com. **9.10 Updates:** Our cookie usage may change as we add new features or third-party services. We will: • Update this section accordingly • Re-obtain consent for new cookie purposes • Notify users of material changes **9.11 Questions:** For questions about our cookie practices, contact: Email: tech@mshindilabs.com Subject: Cookie Inquiry

Certain situations require additional data protection considerations and safeguards. **10.1 Client Application End-Users:** When we develop software applications for clients that collect personal data from end-users: **Our Role:** Data Processor **Client Role:** Data Controller **Our Obligations:** • Process data only as instructed by client • Implement appropriate technical and organizational measures • Assist client in responding to data subject requests • Assist client in ensuring compliance with security obligations • Delete or return data at end of engagement (per client instruction) • Notify client of data breaches within 24 hours • Make available information necessary to demonstrate compliance • Allow and contribute to audits **Data Processing Agreements:** We execute comprehensive Data Processing Agreements (DPAs) with clients, specifying: • Subject matter and duration of processing • Nature and purpose of processing • Type of personal data and categories of data subjects • Rights and obligations of parties • Security measures • Sub-processor arrangements • International transfers • Audit rights **Sub-Processors:** We will: • Obtain client authorization before engaging sub-processors • Maintain a list of sub-processors • Impose same data protection obligations on sub-processors • Remain liable for sub-processor performance **10.2 Sensitive Personal Data:** We generally do not process sensitive personal data (special categories under DPA 2019) unless necessary for specific projects and with explicit consent. **Sensitive Data Categories:** • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade union membership • Genetic data • Biometric data for unique identification • Health data • Sex life or sexual orientation • Criminal convictions or offenses **Additional Safeguards for Sensitive Data:** • Explicit, informed consent obtained separately • Clear documentation of necessity and purpose • Enhanced security measures (additional encryption, access restrictions) • Privacy impact assessment conducted • Data Protection Officer involvement • Minimized collection and retention • Regular compliance reviews **Health Data Example:** If we develop healthcare applications: • Compliance with Health Act provisions • Additional confidentiality obligations • Medical professional privilege respected • Enhanced security and access controls • Regular security audits **10.3 Children's Data:** Our services are not directed to children under 18 years of age. **General Policy:** • We do not knowingly collect data from children • Age verification mechanisms where appropriate • Immediate deletion if child data discovered • Parental notification and consent requirements if child data necessary **Client Applications Targeting Children:** If we develop applications for clients that target children: • Enhanced consent mechanisms (parental consent) • Age-appropriate privacy notices • Stricter data minimization • No profiling or automated decision-making • Limited data retention • Enhanced security measures • Compliance with Children's Act, 2022 **10.4 Employee and HR Data:** For our employees and contractors, we process: • Employment and recruitment data • Performance and disciplinary records • Payroll and benefits information • Training and development records • Health and safety information **Legal Basis:** • Contract performance (employment) • Legal obligations (tax, labor law) • Legitimate interests (HR management) • Consent (optional benefits, photos) **Employee Rights:** Employees have all data subject rights under Section 7, plus: • Access to personnel files • Right to object to monitoring • Protection against automated employment decisions **Separate Employee Privacy Notice:** Our employees receive a dedicated Employee Privacy Notice detailing specific processing activities, rights, and procedures. **10.5 Job Applicant Data:** We process applicant data for recruitment purposes: • CV/resume and cover letter • Interview notes and assessments • References and background checks • Assessment test results **Legal Basis:** Consent and pre-contractual processing **Retention:** 1 year from application (see Section 8) **Rights:** • Access to application materials • Rectification of inaccurate information • Erasure (unless legitimate grounds to retain) • Explanation of rejection (upon request) **10.6 Website Contact Forms:** Data submitted via website contact forms: • Name, email, phone, company, message • Processed for responding to inquiries • Retained for 3 years or until request fulfilled • Not used for marketing without separate consent **10.7 Newsletter and Marketing:** **Opt-In Requirement:** We only send marketing communications to those who have: • Explicitly opted in via checkbox or form • Provided consent during business relationship (with easy opt-out) **Content:** • Company news and updates • Industry insights and thought leadership • Service announcements • Event invitations • Case studies and success stories **Frequency:** Maximum 2-4 emails per month **Unsubscribe:** • "Unsubscribe" link in every email • One-click unsubscribe (no login required) • Processed within 48 hours • Confirmation of unsubscribe provided **Suppression List:** Unsubscribed contacts maintained on suppression list to prevent re-subscription. **10.8 Event Participants:** For webinars, workshops, and events: • Registration data collected • Attendance tracked • Recording consent obtained separately • Photos/videos only with explicit consent • Participant lists not shared without consent **10.9 Social Media and Public Content:** If you interact with us on social media: • Your interactions are subject to platform privacy policies • We may respond publicly to public posts • Public content may be shared (with attribution) • Direct messages treated as private communication **10.10 Video Conferencing:** For virtual meetings (Zoom, Google Meet, Teams): • Meeting recordings only with participant consent • Consent obtained at meeting start • Recording notification displayed • Recordings retained per retention policy • Access restricted to authorized personnel • Deletion upon request (subject to business need) **10.11 Testimonials and Case Studies:** Before using client testimonials or case studies: • Explicit written consent obtained • Opportunity to review and approve content • Right to withdraw consent • Anonymization if preferred • No sensitive business information without approval **10.12 International Clients and Data Transfers:** **Data Localization:** We maintain primary data storage in Kenya with at least one serving copy on Kenya-based servers (DPA 2019 requirement). **International Transfers:** When working with international clients: • Standard Contractual Clauses (SCCs) executed • Adequacy assessment conducted • Transfer notification to Data Commissioner (where required) • Additional security measures for international transfers • Client consent obtained for transfers outside Kenya **Adequate Jurisdictions:** We recognize adequacy decisions from the Kenya Data Commissioner for transfers to jurisdictions with equivalent data protection standards. **10.13 Third-Party Data Sources:** When we receive personal data from third parties: • Verification of lawful collection • Confirmation of legal basis for transfer • Notification to data subjects (where feasible) • Same protection standards applied • Documentation of data source and legal basis **10.14 Automated Processing and AI:** **Current Practice:** We do not currently use AI or automated decision-making that produces legal or significant effects on individuals. **Future Use:** If we implement AI or automated processing: • Privacy impact assessment conducted • Data minimization and anonymization • Algorithm transparency and explainability • Human review of decisions • Right to object and request human intervention • Regular bias and fairness audits • Clear disclosure to affected individuals **AI Development for Clients:** When developing AI systems for clients: • Ethical AI principles followed • Fairness, accountability, transparency prioritized • Data protection by design • Bias detection and mitigation • Documentation of training data sources • Model explainability where required

We take data security seriously and have comprehensive procedures for detecting, responding to, and notifying stakeholders about personal data breaches. **11.1 What Constitutes a Data Breach:** A personal data breach is a security incident leading to: • Accidental or unlawful destruction of personal data • Loss of personal data • Unauthorized alteration of personal data • Unauthorized disclosure of personal data • Unauthorized access to personal data **Examples:** • Hacking or cyberattack accessing personal data • Ransomware encrypting personal data • Lost or stolen devices containing personal data • Accidental emailing data to wrong recipient • Insider threat or unauthorized employee access • Physical theft of documents • Malware infection compromising data • Improper disposal of data-containing materials **11.2 Breach Detection:** We maintain 24/7 security monitoring to detect breaches through: • Security Information and Event Management (SIEM) • Intrusion Detection Systems (IDS) • Automated alerting for anomalous activity • Log analysis and correlation • User behavior analytics • Endpoint detection and response (EDR) • Regular security audits • Employee reporting mechanisms **11.3 Incident Response Process:** **Immediate Response (0-24 hours):** 1. **Detection and Confirmation** • Incident reported or detected • Initial assessment and verification • Incident response team activated • Containment measures implemented 2. **Containment** • Isolate affected systems • Prevent further unauthorized access • Secure affected data • Preserve evidence for investigation 3. **Assessment** • Determine scope and severity • Identify affected data categories • Assess number of affected individuals • Evaluate potential consequences • Document all actions taken **Investigation (24-72 hours):** 4. **Forensic Investigation** • Root cause analysis • Entry point identification • Extent of compromise assessment • Data exfiltration analysis • Timeline reconstruction • External forensics (if necessary) 5. **Risk Assessment** • Likelihood of harm to individuals • Severity of potential consequences • Type and sensitivity of data involved • Ease of identifying affected individuals • Breach duration and detection delay • Available technical protections (encryption) **11.4 Notification to Data Protection Commissioner:** **Legal Requirement:** Under Section 43 of the Data Protection Act, 2019, we must notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to rights and freedoms. **Notification Contents:** • Nature of the breach • Categories and approximate number of data subjects affected • Categories and approximate number of personal data records concerned • Name and contact details of Data Protection Officer • Description of likely consequences • Description of measures taken or proposed to address breach • Description of measures taken to mitigate possible adverse effects **Notification Method:** • Online breach notification portal (if available) • Email to info@odpc.go.ke • Physical delivery to ODPC offices • Follow-up with additional details if not available within 72 hours **ODPC Contact:** Office of the Data Protection Commissioner P.O. Box 63327 – 00619, Nairobi, Kenya Tel: +254 (020) 2604381 Email: info@odpc.go.ke **11.5 Notification to Affected Individuals:** **When Required:** If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected individuals without undue delay. **High Risk Factors:** • Financial loss or identity theft potential • Sensitive personal data compromised • Unencrypted data accessed • Large-scale breach affecting many individuals • Vulnerable populations affected (children, etc.) • Data could enable impersonation or fraud **Notification Contents:** • Description of the breach in clear, plain language • Name and contact of Data Protection Officer • Description of likely consequences • Measures taken or proposed to address breach • Measures individuals can take to protect themselves • Available support and assistance **Notification Method:** • Direct email to affected individuals • Registered mail (for serious breaches) • Phone call (for small numbers of affected individuals) • Public communication (if direct contact impossible or disproportionate effort) • Website notice (supplementary to direct notification) **Exceptions to Individual Notification:** We may not need to notify individuals if: • Appropriate technical protection measures were applied (e.g., encryption) • Subsequent measures eliminate high risk • Public notification would involve disproportionate effort (in which case we will use public communication) **11.6 Notification to Clients (for Data Processor Breaches):** When we process data on behalf of clients as a data processor: • Notification to client within 24 hours of becoming aware • Detailed incident report provided • Cooperation with client's breach response • Assistance with client's notifications to ODPC and individuals • Forensic support and evidence preservation **11.7 Documentation:** We maintain comprehensive breach records including: • Facts of breach (date, time, scope) • Effects and consequences • Remedial actions taken • Notification records (ODPC, individuals, clients) • Investigation reports • Corrective measures implemented **Retention:** 5 years minimum **Access:** Available to ODPC upon request **11.8 Post-Incident Actions:** **Remediation:** • Root cause correction • Security improvements implementation • Vulnerability patching • Policy and procedure updates • Additional staff training **Lessons Learned:** • Post-incident review meeting • Incident report preparation • Improvement recommendations • Action plan for prevention • Monitoring of effectiveness **Communication:** • Follow-up with affected individuals • Status updates to ODPC • Internal communication to staff • External communication (if appropriate) **11.9 Your Rights Following a Breach:** If your personal data is affected by a breach: • Right to be informed about the breach • Right to know what data was affected • Right to understand potential consequences • Right to know protective measures taken • Right to lodge complaint with ODPC • Right to seek compensation for damages **Support We Provide:** • Clear communication about the breach • Guidance on protective measures • Credit monitoring services (for financial data breaches) • Identity theft protection (if applicable) • Dedicated support contact person • Regular updates on remediation **11.10 Breach Prevention:** We proactively prevent breaches through: • Regular security assessments and audits • Penetration testing (annual) • Vulnerability scanning (continuous) • Security awareness training (quarterly) • Access controls and monitoring • Encryption and data protection • Incident response drills • Vendor security assessments • Backup and recovery procedures **11.11 Contact for Breach Reporting:** **If you become aware of a potential breach or security incident:** **Security Incident Hotline:** Email: tech@mshindilabs.com Subject: "URGENT: Security Incident Report" **Data Protection Officer:** Email: tech@mshindilabs.com **Phone:** +254 742 591675 (24/7 for security incidents) **What to Report:** • Description of incident • Date and time observed • Affected systems or data • Any evidence or screenshots • Your contact information **Our Response:** • Immediate acknowledgment • Investigation within 24 hours • Status updates provided • Confidential handling • No retaliation for good-faith reporting **11.12 Regulatory Enforcement:** **Penalties for Non-Compliance:** Under the Data Protection Act, 2019, failure to notify breaches can result in: • Administrative fines up to KES 5 million • For undertakings: Up to 1% of annual turnover • Enforcement notices and corrective actions • Temporary or permanent processing bans • Criminal liability for willful violations **Our Commitment:** We commit to full compliance with breach notification requirements and transparent communication with all stakeholders.

As a technology company operating in Kenya with international clients and service providers, cross-border data transfers are sometimes necessary. We ensure all international transfers comply with the Data Protection Act, 2019. **12.1 Data Localization Requirement:** **Primary Obligation:** Section 48A of the Data Protection Act, 2019 requires that: • At least one serving copy of personal data must be stored on a server or data center physically located in Kenya • This applies to all data controllers and processors in Kenya • Compliance is mandatory regardless of international transfers **Our Compliance:** We maintain primary data storage infrastructure in Kenya: • AWS Africa (Cape Town) region with Kenya presence • Locally hosted servers in Nairobi data centers • Real-time replication to Kenya-based storage • Regular verification of data localization compliance • Documentation of data location for audit purposes **12.2 When International Transfers Occur:** We may transfer personal data internationally in the following circumstances: **Cloud Infrastructure:** • AWS (US, EU, South Africa regions) • Google Cloud Platform (global infrastructure) • Microsoft Azure (global infrastructure) • Backup and disaster recovery (international locations) **Service Providers:** • Email and communication services (US-based providers) • Payment processors (international gateways) • Analytics and monitoring tools • Development and collaboration tools **Client Requirements:** • International clients accessing project data • Client-specified cloud regions or services • Integration with client international systems **Business Operations:** • International contractors and remote staff • Global technology partners • Professional service providers (legal, accounting) **12.3 Legal Requirements for International Transfers:** **Conditions for Lawful Transfer:** Under Section 48 of the Data Protection Act, 2019, cross-border transfer of personal data is prohibited unless: 1. **Adequate Protection Exists:** • Destination country has been deemed to provide adequate level of protection by the Data Commissioner • Adequate protection standards equivalent to Kenya's DPA 2019 2. **Appropriate Safeguards Implemented:** • Standard data protection clauses approved by the Data Commissioner • Binding corporate rules approved by the Data Commissioner • Contractual obligations ensuring data protection 3. **Data Subject Consent:** • Explicit, informed consent obtained from data subject • Clear explanation of transfer and risks • Freely given, specific consent 4. **Other Permitted Reasons:** • Transfer necessary for performance of contract with data subject • Transfer necessary for important reasons of public interest • Transfer necessary for establishment, exercise, or defense of legal claims • Transfer necessary to protect vital interests of data subject • Transfer made from public register (where legally accessible) **12.4 Notification to Data Commissioner:** We notify the Office of the Data Protection Commissioner regarding: • International data transfer arrangements • Countries or regions to which data is transferred • Categories of data transferred • Purposes of international processing • Safeguards implemented • Duration of transfers **Ongoing Compliance:** • Annual reporting of international transfers • Updates when transfer arrangements change • Cooperation with ODPC investigations • Documentation available for inspection **12.5 Safeguards We Implement:** **Standard Contractual Clauses (SCCs):** • We use SCCs approved by the Data Protection Commissioner • SCCs modeled on EU Standard Contractual Clauses • Legally binding obligations on data importers • Enforceable data subject rights • Audit and inspection rights included **Data Processing Agreements:** All international service providers must sign comprehensive DPAs including: • Data protection obligations • Security requirements • Sub-processing restrictions • Data subject rights support • Breach notification requirements • Return or deletion of data upon termination **Technical Safeguards:** • Encryption in transit (TLS 1.3) • Encryption at rest (AES-256) • Pseudonymization and anonymization where possible • Access controls and authentication • Monitoring and logging of international access **Organizational Safeguards:** • Data minimization (only necessary data transferred) • Limited access (need-to-know basis) • Confidentiality agreements • Staff training on international transfers • Regular audits of transfer compliance **12.6 Adequacy Decisions:** **Recognition of Adequate Countries:** We monitor adequacy decisions issued by: • Office of the Data Protection Commissioner (Kenya) • European Commission (for guidance) • Other recognized data protection authorities **Current Status:** • EU/EEA: Generally recognized as providing adequate protection • EAC Partner States: Mutual recognition under EAC frameworks • Other countries: Assessed case-by-case **Impact:** Transfers to adequate countries require fewer additional safeguards but still require notification and compliance with data localization requirements. **12.7 Specific Transfer Scenarios:** **AWS International:** • Primary storage: Kenya/South Africa region • Backup: EU region (with SCCs) • Encryption: All data encrypted • Access: Geographically restricted where possible **Google Services (Email, Analytics):** • SCCs executed with Google • Data residency options selected where available • Kenya data localization maintained • EU data centers preferred for international processing **Payment Processors:** • PCI DSS compliant processors • Minimal data shared (transaction data only) • Encrypted transmission • Processor contractual obligations **Client Access:** • International client access via secure VPN • Authentication and access controls • Audit logging of access • Data stays on Kenya servers where possible **12.8 Data Subject Consent for Transfers:** When relying on consent for international transfers, we ensure: • Clear explanation of transfer in plain language • Disclosure of destination countries or regions • Explanation of risks (if transferring to non-adequate country) • Explanation of safeguards implemented • Separate, explicit consent (not bundled with other consents) • Easy withdrawal of consent **Consent Process:** 1. Present clear information about transfer 2. Explain why transfer is necessary 3. Disclose destinations and risks 4. Obtain explicit consent via checkbox or signature 5. Record consent and timestamp 6. Allow easy withdrawal **12.9 Onward Transfers:** **Restrictions:** Our international service providers are prohibited from: • Onward transfer without our authorization • Processing data for their own purposes • Sharing data with sub-processors without approval **Sub-Processor Requirements:** • Written authorization required • Same level of data protection obligations • Our liability for sub-processor compliance • Maintenance of sub-processor list • Client notification of sub-processor changes (for data processor engagements) **12.10 Transfer Impact Assessments:** For high-risk international transfers, we conduct Transfer Impact Assessments (TIAs): • Assess laws and practices in destination country • Evaluate effectiveness of safeguards • Identify any risks to data subject rights • Implement supplementary measures if necessary • Document assessment and decisions **Factors Considered:** • Destination country's data protection laws • Government access to data (surveillance laws) • Data subject rights and remedies • Regulatory enforcement • Political and security situation • Our practical experience with transfers **12.11 Your Rights Regarding International Transfers:** You have the right to: • Be informed about international transfers of your data • Know destination countries and safeguards • Object to international transfers (in certain circumstances) • Withdraw consent for transfers based on consent • Lodge complaints with ODPC regarding transfers • Request data not be transferred internationally (subject to service limitations) **12.12 Alternative Arrangements:** If you prefer your data not be transferred internationally: • Kenya-only hosting may be available (additional cost may apply) • Limited service functionality where international tools required • Alternative service providers (Kenya-based only) • Discuss requirements with us at tech@mshindilabs.com **12.13 Monitoring and Compliance:** We continuously monitor: • Changes in destination country laws • Data Commissioner guidance and decisions • Service provider compliance • Effectiveness of safeguards • Breach incidents related to transfers **Regular Reviews:** • Annual review of transfer arrangements • Re-assessment of adequacy and safeguards • Updates to transfer documentation • Staff training on transfer requirements **12.14 Transfer Documentation:** We maintain comprehensive records: • Transfer recipients and locations • Categories of data transferred • Purposes of transfers • Legal basis for each transfer • Safeguards implemented • Data subject consents • Notification to Data Commissioner • Transfer impact assessments **Access:** Available to ODPC and data subjects upon request **12.15 Brexit and UK Transfers:** **Post-Brexit Status:** • UK adequacy decision monitored • SCCs used for UK transfers • GDPR and UK DPA compliance maintained • Alignment with EU standards **12.16 US Transfers:** **Special Considerations:** • No general adequacy decision for USA • SCCs required for US transfers • Additional safeguards for US cloud providers • FISA 702 and government access considerations • Transparent government access policies reviewed **12.17 EAC Regional Transfers:** **East African Community:** • Mutual recognition under EAC frameworks • Common Market Protocol provisions • Regional data protection harmonization • Simplified transfer mechanisms within EAC **EAC Partner States:** • Kenya, Uganda, Tanzania, Rwanda, Burundi, South Sudan • Harmonized data protection standards (developing) • Regional cooperation on enforcement **12.18 Contact for Transfer Questions:** For questions about international data transfers: **Data Protection Officer:** Email: tech@mshindilabs.com Subject: International Data Transfer Inquiry We will provide: • List of countries to which your data is transferred • Safeguards implemented for your data • Copies of relevant SCCs or other safeguards • Explanation of transfer necessity • Alternative options (if available)

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. **13.1 When We Update:** We may update this policy when: • Legal or regulatory requirements change • We introduce new services or features • We adopt new technologies or processing activities • Industry best practices evolve • We receive feedback from users or regulators • Business operations change significantly • Data protection laws are amended • Office of the Data Protection Commissioner issues new guidance **13.2 Types of Changes:** **Minor Changes:** • Clarifications of existing practices • Formatting and typographical corrections • Contact information updates • Links and reference updates • Minor wording improvements Minor changes may be made without notice but will be reflected in the "Last Updated" date. **Material Changes:** • New categories of personal data collected • New purposes for data processing • Changes to data retention periods • New international data transfers • Changes to data sharing practices • Reduction in your rights or protections • New technologies with privacy implications Material changes will be communicated with advance notice (see Section 13.3). **13.3 How We Notify You:** **Material Changes - 30 Days Advance Notice:** • Email notification to registered users • Prominent website banner for 30 days • Pop-up notification upon next login • Summary of key changes highlighted • Link to updated policy and change log **All Changes:** • Updated policy posted on website • "Last Updated" date modified • Change history maintained (available upon request) • Previous versions archived **13.4 Your Options When Policy Changes:** **For Material Changes:** • Review updated policy carefully • Contact us with questions or concerns • Accept changes by continuing to use services • Object to changes (may limit service availability) • Withdraw consent if processing based on consent • Exercise right to erasure if you disagree with changes **Continued Use = Acceptance:** If you continue to use our services after the effective date of updated policy, you are deemed to have accepted the changes. **Objection to Changes:** If you object to material changes: • Contact tech@mshindilabs.com within 30 days • Discuss alternative arrangements • Request deletion of your data (right to erasure) • Discontinue use of services **13.5 Version Control:** Each version of this policy includes: • Version number (e.g., v1.0, v2.0) • Effective date • Last updated date • Summary of changes (for new versions) **Current Version:** • Version: 1.0 • Effective Date: October 23, 2025 • Last Updated: October 23, 2025 **13.6 Change History:** We maintain a change log documenting: • Date of each revision • Nature of changes made • Sections affected • Reason for change **Access:** Request change history at tech@mshindilabs.com **13.7 Previous Versions:** Previous versions of this policy are archived and available upon request for: • Users wanting to review historical practices • Compliance and audit purposes • Legal or dispute resolution needs **13.8 Regulatory Changes:** **Data Protection Act Amendments:** If the Data Protection Act, 2019 is amended, we will: • Review policy for compliance with amendments • Update policy within 60 days of amendments taking effect • Notify users of compliance changes • Seek additional consents if required by new law **ODPC Guidance:** We monitor guidance from the Office of the Data Protection Commissioner and update our practices and policy accordingly. **13.9 Questions About Changes:** If you have questions about policy changes: • Email tech@mshindilabs.com • Subject: "Privacy Policy Changes Inquiry" • We will respond within 5 business days • Explanations provided in clear, plain language • One-on-one discussion available for complex concerns **13.10 Your Responsibility:** We encourage you to: • Review this policy periodically • Check the "Last Updated" date when visiting our website • Read notification emails about policy changes • Contact us if anything is unclear • Keep your contact information up-to-date for notifications **13.11 No Retroactive Changes:** We will not apply material changes retroactively to data collected under previous versions of this policy without: • Your explicit consent, or • Legal obligation requiring retroactive application **13.12 Regulatory Approval:** If any policy changes require approval from the Office of the Data Protection Commissioner, we will: • Seek approval before implementation • Delay effective date pending approval • Notify users of regulatory approval status **13.13 Implementation Timeline:** **Standard Process:** 1. Policy update drafted and reviewed internally 2. Legal review for compliance 3. Data Protection Officer approval 4. 30-day notice period for material changes 5. Policy published on effective date 6. Ongoing monitoring and compliance **Emergency Changes:** In rare circumstances (e.g., urgent security needs, immediate legal compliance): • Changes may be implemented with shorter notice • Explanation provided for urgency • Full notice provided as soon as feasible • Users notified via all available channels **13.14 Continuous Improvement:** We are committed to: • Regularly reviewing and updating this policy • Incorporating user feedback • Adopting privacy best practices • Maintaining transparency in our data practices • Protecting your privacy rights Your trust is important to us, and we will continue to earn it through transparent communication and strong data protection practices.

We are committed to addressing your privacy questions, concerns, and complaints promptly and effectively. **14.1 Data Protection Officer:** We have appointed a Data Protection Officer (DPO) responsible for overseeing data protection strategy and compliance with the Data Protection Act, 2019. **Contact Data Protection Officer:** **Name:** [DPO Name] **Email:** tech@mshindilabs.com **Phone:** +254 742 591675 (ext. 101) **Address:** Mshindi Labs Data Protection Officer [Physical Address] Nairobi, Kenya **Office Hours:** Monday-Friday, 9:00 AM - 5:00 PM EAT **DPO Responsibilities:** • Monitoring data protection compliance • Data protection advice and guidance • Cooperation with Data Protection Commissioner • Acting as contact point for data subjects and ODPC • Conducting data protection impact assessments • Maintaining data protection policies and procedures **14.2 General Inquiries:** **For general privacy inquiries:** **Email:** tech@mshindilabs.com, tech@mshindilabs.com **Phone:** +254 742 591675 **Website:** https://mshindilabs.com/contact **Business Hours:** Monday-Friday, 9:00 AM - 6:00 PM EAT **Response Time:** • Email inquiries: Within 48 business hours • Phone inquiries: Immediate assistance during business hours • Complex matters: Within 5 business days **14.3 Exercising Your Rights:** **To exercise your data protection rights (see Section 7):** **Email:** tech@mshindilabs.com **Subject Line:** "Data Subject Rights Request - [Specify Right]" **Include:** • Your full name and contact information • Specific right you're exercising • Details of your request • Proof of identity (copy of government-issued ID) • Preferred communication method for response **Response Timeline:** • Acknowledgment: Within 5 business days • Substantive response: Within 30 days • Extension: Up to 2 additional months for complex requests (with notification) **14.4 Privacy Complaints:** If you believe we have violated your privacy rights or mishandled your personal data: **Internal Complaint Process:** **Step 1: Contact Us** Email: tech@mshindilabs.com Subject: "Privacy Complaint" **Include:** • Detailed description of complaint • Date and circumstances of incident • Personal data involved • Impact or harm experienced • Desired resolution • Supporting evidence or documentation **Step 2: Investigation** • We will acknowledge your complaint within 3 business days • Thorough investigation conducted • Relevant personnel interviewed • Evidence and records reviewed • Root cause analysis performed **Step 3: Response** • Substantive response within 15 business days • Explanation of findings • Actions taken or planned • Measures to prevent recurrence • Compensation or remedies (if applicable) **Step 4: Escalation (if unresolved)** • Escalate to senior management • Independent review conducted • Final response within additional 15 business days **14.5 Complaint to Data Protection Commissioner:** If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority: **Office of the Data Protection Commissioner (ODPC)** **Physical Address:** Integrity Centre, 3rd Floor Corner of Milit Avenue and Makindi Road Off Ngong Road Nairobi, Kenya **Postal Address:** P.O. Box 63327 – 00619 Nairobi, Kenya **Contact:** **Phone:** +254 (020) 2604381 **Mobile:** +254 721 469 842 / +254 730 188 888 **Email:** info@odpc.go.ke, complaints@odpc.go.ke **Website:** www.odpc.go.ke **Office Hours:** Monday - Friday: 8:00 AM - 5:00 PM (EAT) (Closed on public holidays) **Filing a Complaint:** • Complete complaint form (available on ODPC website) • Provide detailed information about the complaint • Include evidence of your efforts to resolve with us • Submit via email, post, or in-person at ODPC offices • ODPC will investigate and may take enforcement action **ODPC Powers:** • Investigate complaints • Conduct audits and inspections • Issue enforcement notices • Impose administrative fines • Order corrective actions • Refer criminal violations to law enforcement **Timeline:** ODPC will acknowledge complaints and conduct investigations according to their procedures, typically within 30-90 days depending on complexity. **14.6 Alternative Dispute Resolution:** Before formal complaints, consider: • Mediation through neutral third party • Discussion with senior management • Engagement with our Data Protection Officer • Clarification of concerns and expectations We are committed to resolving concerns amicably and efficiently. **14.7 Legal Action:** You have the right to seek judicial remedies through: • Civil action for damages in Kenyan courts • Commercial and Tax Division of the High Court (data protection matters) • Small Claims Court (for claims under KES 1 million) **Legal Remedies Available:** • Compensation for damages suffered • Injunctions to stop unlawful processing • Orders for rectification or erasure • Enforcement of your data protection rights • Costs and legal fees (at court's discretion) **Statute of Limitations:** Generally 6 years under the Law of Limitation Act (Cap. 22), but consult legal advisor for specifics. **14.8 Feedback and Suggestions:** We welcome your feedback on our privacy practices: **Email:** tech@mshindilabs.com **Subject:** "Privacy Feedback" Your input helps us: • Improve our data protection practices • Enhance transparency and communication • Identify areas for policy improvement • Better serve our users' privacy needs **14.9 Security Incidents:** **To report security incidents or vulnerabilities:** **Security Team:** **Email:** tech@mshindilabs.com **Subject:** "URGENT: Security Incident Report" **Phone:** +254 742 591675 (24/7 emergency line) **Incident Reporting:** We take security seriously and appreciate responsible disclosure. If you discover a security vulnerability, we will: • Respond promptly (within 24 hours) • Investigate thoroughly • Provide updates on remediation • Recognize responsible disclosure (with permission) • Not pursue legal action for good-faith security research **14.10 Media Inquiries:** **For media or press inquiries regarding data protection:** **Press Contact:** **Email:** press@mshindilabs.com **Phone:** +254 742 591675 **14.11 Business Inquiries:** **For partnership or business inquiries:** **Business Development:** **Email:** tech@mshindilabs.com **Phone:** +254 742 591675 **Website:** https://mshindilabs.com **14.12 Correspondence:** **Preferred Methods:** • Email (fastest response) • Phone (for urgent matters) • Website contact form • Postal mail (for formal notices) **Postal Address:** Mshindi Labs [Physical Address] [City, Postal Code] Nairobi, Kenya **14.13 Languages:** This Privacy Policy and communications are primarily in English. Translation services may be available upon request for major Kenyan languages (Swahili, etc.). **14.14 Accessibility:** If you need this Privacy Policy in an alternative format (large print, audio, etc.), please contact: **Email:** tech@mshindilabs.com **Subject:** "Accessibility Request" We will provide accessible formats within 10 business days. **14.15 Our Commitment:** We are committed to: • Responding to all inquiries promptly • Treating complaints seriously and investigating thoroughly • Transparent communication about data practices • Continuous improvement of privacy protections • Respecting and upholding your data protection rights • Cooperation with regulatory authorities **14.16 No Retaliation:** We will not retaliate against anyone who: • Exercises their data protection rights • Files a privacy complaint • Reports security incidents • Contacts the Data Protection Commissioner • Participates in investigations Your rights are protected, and we encourage you to speak up about privacy concerns. **Thank you for trusting Mshindi Labs with your personal data. Your privacy matters to us.** --- **Last Updated:** October 23, 2025 **Version:** 1.0 **Effective Date:** October 23, 2025 **Registration:** Registered Data Controller/Processor with the Office of the Data Protection Commissioner, Republic of Kenya Registration Number: [DPR/XXX/XXXX] This Privacy Policy complies with the Data Protection Act, 2019 (No. 24 of 2019) and the Constitution of Kenya (Article 31 - Right to Privacy).