Data Protection Statement

Africorex Ltd is registered as a data controller in accordance with the requirements of the Kenya Data Protection Act, 2019. As data controller, we determine the purposes and means of processing personal data collected through our business activities. Contact for data protection matters: Africorex Ltd P.O. Box 3510-00100, Nairobi, Kenya Email: info@africorex.com

Africorex processes personal data in accordance with the following principles drawn from the Data Protection Act, 2019: Lawfulness, fairness, and transparency: Personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject. Purpose limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes. Data minimisation: Personal data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Accuracy: Personal data is accurate and, where necessary, kept up to date. Inaccurate data is rectified or erased without delay. Storage limitation: Personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the stated purposes. Integrity and confidentiality: Personal data is processed with appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage. Accountability: Africorex is responsible for, and able to demonstrate compliance with, these principles.

In the course of its business, Africorex may process the following categories of personal data: Client and prospect data: Names, company names, email addresses, telephone numbers, and postal addresses collected for service delivery, quotation, and invoicing purposes. Procurement and financial data: KRA PIN numbers, bank account details (of clients and suppliers), and transaction histories, collected for contractual and tax compliance purposes. Website interaction data: IP addresses and browser information collected for website security and basic analytics. Employment-related data: Information about employees and contractors, processed for HR and payroll purposes in accordance with separate internal policies. Operational records: Audit logs, security events, payment references, email delivery records, and document attachments needed to run client services securely. AI-assisted processing records: Content submitted by authorised staff for tender support, receipt scanning, quote assistance, collections drafting, and document workflows. Africorex does not use this data for unrelated marketing. Africorex does not process special categories of personal data, such as health data, religious beliefs, or biometric data, unless a specific client engagement requires it and appropriate safeguards are agreed in writing.

Africorex relies on the following lawful bases for processing personal data as set out in Section 30 of the Data Protection Act, 2019: Contractual necessity: Processing is necessary to perform a contract with the data subject or to take pre-contractual steps at the data subject's request. Legal obligation: Processing is necessary to comply with applicable Kenyan law, including tax, procurement, and company law obligations. Legitimate interests: Processing is necessary for Africorex's legitimate business interests, including fraud prevention, network security, and service improvement, provided those interests are not overridden by the data subject's rights and freedoms. Consent: For any processing not covered by the above, we will seek and record your freely given, specific, informed, and unambiguous consent.

Africorex recognises and upholds the following rights of data subjects under Part IV of the Data Protection Act, 2019: Right to be informed about how your personal data is processed. Right of access to personal data we hold about you. Right to rectification of inaccurate or incomplete personal data. Right to erasure of personal data where there is no legitimate reason to continue processing it. Right to restriction of processing in certain circumstances. Right to data portability where processing is automated and based on consent or contract. Right to object to processing based on legitimate interests. Right to withdraw consent at any time where consent is the basis for processing. To exercise any of these rights, submit a written request to info@africorex.com. We will acknowledge receipt within 7 days and respond fully within 21 days. Complex or numerous requests may take up to 45 days with prior notification. If you are dissatisfied with our handling of your request, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya.

Africorex implements appropriate technical and organisational security measures commensurate with the nature of the personal data processed and the risks involved. These measures include, without limitation: Access controls ensuring only authorised personnel can access personal data. Encryption of data in transit. Regular review and testing of security measures. Staff training on data protection obligations. Contractual requirements on third-party processors to maintain equivalent security standards. In the event of a personal data breach that is likely to result in risk to the rights and freedoms of data subjects, Africorex will notify the Office of the Data Protection Commissioner and affected data subjects in accordance with the requirements of the Data Protection Act, 2019.

Africorex engages third-party service providers to assist in delivering its services and operating its business. These may include Supabase or equivalent cloud database and storage providers, Resend for official email, M-Pesa and banking providers for payments, messaging providers for SMS or WhatsApp where configured, and AI providers where authorised staff enable assisted workflows. Where such providers process personal data on our behalf, they do so only under our instructions and subject to contractual or platform obligations designed to protect the data. Personal data may be processed outside Kenya where necessary to perform a contract, operate secure cloud services, deliver email or messaging, or use authorised AI-assisted workflows. In such cases, Africorex applies data minimisation, access controls, contractual safeguards, and other protections required by the Data Protection (General) Regulations.

Africorex retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are: Client and transaction records: Seven (7) years from the date of the last transaction, to meet Kenyan tax and accounting requirements. Portal account data: Duration of active engagement plus three (3) years. Website interaction logs: Maximum 90 days, after which logs are anonymised or deleted where they are not required for security investigation. Security, audit, and email logs: Retained for operational accountability, fraud prevention, legal defence, and compliance, then deleted or anonymised according to the applicable risk and legal retention schedule. Marketing communications opt-in records: Duration of consent plus three (3) years. On expiry of the applicable retention period, personal data is securely deleted or anonymised.

This Data Protection Statement is reviewed at least annually and updated as required by changes in law or our business practices. The current version is always available on our website at www.africorex.com/data-protection. Material changes will be communicated to affected data subjects directly.

For all data protection queries, subject access requests, or complaints, contact: Africorex Ltd Attn: Data Protection P.O. Box 3510-00100, Nairobi, Kenya Email: info@africorex.com Phone: +254 742 120 184 If you remain dissatisfied after contacting us, you may raise a complaint with: Office of the Data Protection Commissioner Republic of Kenya Website: www.odpc.go.ke