Privacy Policy
Last Updated: June 2026
Welcome to Privacy Prism Ltd (“we”, “us”, or “our”). We are a boutique data privacy consultancy firm. We treat your personal data with the highest standards of security, transparency, and integrity. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or engage with our services.
1. Data Controller and Contact Details
We are the Data Controller for the personal data processed through this website.
- Firm Name: Privacy Prism Ltd
- Physical Address: Embankment Plaza 7th Floor, Nairobi, Kenya
- Email Address: info@privacyprismconsulting.com
- Data Protection Officer (DPO): dpo@privacyprismconsulting.com
2. The Data We Collect
We are the Data Controller for the personal data processed through this website.
- Firm Name: Privacy Prism Ltd
- Physical Address: Embankment Plaza 7th Floor, Nairobi, Kenya
- Email Address: info@privacyprismconsulting.com
- Data Protection Officer (DPO): dpo@privacyprismconsulting.com
Category of Data
Specific Data Points
How We Collect It
Identity Data
First name, last name, job title, company name.
Contact and inquiry forms.
Contact Data
Email address, phone number.
Contact and inquiry forms.
Technical Data
IP address (anonymized), browser type, operating system.
Automated cookies (with consent).
Communication Data
Content of your messages, consultation requests.
Contact forms, emails, calendar bookings.
3. Purpose and Legal Basis for Processing
We only process your data when we have a valid legal baseline under Kenyan DPA Section 30
- Responding to Inquiries: To process your contact form queries and schedule consultations. (Legal Basis: Taking steps at your request prior to entering into a contract).
- Website Optimization: To monitor traffic trends and secure our infrastructure. (Legal Basis: Legitimate interest to maintain a secure and functional website).
- Legal Obligations: To comply with regulatory mandates, tax audits, or statutory requests. (Legal Basis: Legal obligation).
4. Data Sharing and Third-Party Disclosures
We do not sell, rent, or trade your personal data. We only share data with trusted service providers who act as our Data Processors:
- Cloud & IT Infrastructure: Secure hosting partners and email service providers.
- CRM & Scheduling Tools: Software used strictly to manage client consultations.
- Legal & Regulatory Authorities: Only when required by law or a valid order from the Office of the Data Protection Commissioner (ODPC).
All our data processors operate under strict Data Processing Agreements (DPAs) ensuring they match our security standards.
5. International Data Transfers
- From Kenya: Transfers comply with Section 48 of the Kenyan DPA, utilizing encrypted platforms and verified adequacy metrics.
- From the EEA: Transfers utilize Standard Contractual Clauses (SCCs) approved by the European Commission to ensure a mirrored level of protection.
6. Data Retention Periods
We do not keep data forever. We retain your information based on these timelines:
- Inquiry Data (No Contract Signed): Deleted or anonymized after 12 months from the last communication.
- Client Contract Data: Retained for 7 years following the termination of our service agreement to satisfy local corporate and tax laws.
- Marketing/Newsletter Data: Retained until you withdraw your consent by clicking “Unsubscribe.”
7. Technical and Organizational Security
We implement rigorous technical safeguards to shield your data from unauthorized access, loss, or alteration:
- Transit Encryption: Mandatory HTTPS and TLS 1.3 encryption across the website.
- Access Control: Strict role-based access limits (RBAC) enforced with Multi-Factor Authentication (MFA).
- Vendor Audits: Routine evaluations of our sub processors’ SOC 2 Type II or ISO 27001 postures.
8. Your Privacy Rights
Under both the Kenyan DPA and GDPR, you possess strong rights over your data. You may exercise these at any time free of charge:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure (“Right to be Forgotten”): Request deletion of your data under specific conditions.
- Right to Object/Restrict: Object to marketing materials or restrict processing activities.
- Right to Data Portability: Request your data be transferred to another provider in a structured format.
- Right to Withdraw Consent: Revoke your consent for optional processing (like newsletters) instantly.
To exercise any of these rights, please email our DPO at dpo@privacyprismconsulting.com. We will respond within thirty (30) days.
9. Right to Lodge a Complaint
- In Kenya: The Office of the Data Protection Commissioner (ODPC) via www.odpc.go.ke.

