Privacy Policy

1. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"), including but not limited to name, identification number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
• Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
• Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.
• Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of personal data.

2. Information We Collect

We collect various types of information to provide and improve our services:

2.1 Personal Information

We may collect the following personal information:

• Identity Data: Name, title, date of birth, gender, national identification number, passport number
• Contact Data: Email address, postal address, telephone number, mobile number
• Professional Data: Job title, company name, industry, work address
• Financial Data: Bank account details, payment card information, billing address (processed securely through third-party payment processors)
• Technical Data: Internet protocol (IP) address, browser type and version, time zone setting, browser plug-in types and versions, operating system, device information
• Usage Data: Information about how you use our website and services, including pages visited, time spent on pages, click patterns, and navigation paths
• Marketing and Communications Data: Your preferences in receiving marketing communications from us, communication preferences, and your responses to surveys and feedback

2.2 Sensitive Personal Data

We may collect sensitive personal data (as defined under the Kenya Data Protection Act) only when:

• You have given explicit consent
• It is necessary for the performance of a contract
• It is required by law
• It is necessary to protect vital interests

Sensitive personal data may include:

• Racial or ethnic origin
• Religious or philosophical beliefs
• Health information
• Biometric data
• Political opinions

3. How We Collect Information

We collect information through various methods:

3.1 Direct Collection

• When you fill out forms on our website (contact forms, service inquiries, newsletter subscriptions)
• When you communicate with us via email, phone, or other channels
• When you register for an account or use our services
• When you participate in surveys, contests, or promotional activities
• When you make a purchase or enter into a contract with us

3.2 Automated Collection

• Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to collect information about your browsing behavior
• Server Logs: Our servers automatically log information about your visit, including IP address, browser type, referring pages, and timestamps
• Analytics Tools: We use third-party analytics services to understand how visitors interact with our website

3.3 Third-Party Sources

• Public databases and directories
• Social media platforms (when you interact with us on social media)
• Business partners and service providers
• Credit reference agencies (where applicable)

4. Legal Basis for Processing

Under the Kenya Data Protection Act, 2019 and General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

4.1 Consent

We process your personal data when you have given clear consent for specific purposes, such as:

• Marketing communications
• Newsletter subscriptions
• Non-essential cookies
• Participation in surveys or research

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

4.2 Contract Performance

We process personal data when it is necessary for:

• Performing a contract with you
• Taking steps at your request before entering into a contract
• Providing our services and fulfilling our obligations

4.3 Legal Obligation

We process personal data to comply with legal obligations, including:

• Tax and accounting requirements
• Regulatory compliance
• Court orders and legal proceedings
• Anti-money laundering and fraud prevention

4.4 Legitimate Interests

We process personal data based on our legitimate interests, balanced against your rights and freedoms, including:

• Business operations and administration
• Website security and fraud prevention
• Improving our services and user experience
• Direct marketing (where permitted by law)
• Network and information security

4.5 Vital Interests

We may process personal data to protect the vital interests of you or another natural person, particularly in emergency situations.

4.6 Public Task

Where applicable, we may process personal data in the public interest or in the exercise of official authority.

5. How We Use Your Information

We use your personal information for the following purposes:

5.1 Service Delivery

• Providing, maintaining, and improving our software solutions and services
• Processing transactions and managing payments
• Managing your account and customer relationship
• Responding to your inquiries, requests, and support needs
• Delivering technical support and customer service

5.2 Communication

• Sending service-related communications (notices, updates, security alerts)
• Responding to your communications and requests
• Sending marketing communications (with your consent or where permitted by law)
• Providing information about new products, services, and features

5.3 Business Operations

• Managing our business operations and administration
• Conducting market research and analysis
• Developing new products and services
• Analyzing usage patterns and trends
• Improving website functionality and user experience

5.4 Legal and Compliance

• Complying with legal obligations and regulatory requirements
• Enforcing our terms of service and policies
• Protecting our rights, property, and safety
• Preventing fraud, abuse, and illegal activities
• Responding to legal requests and court orders

5.5 Security and Safety

• Detecting and preventing security threats
• Protecting against unauthorized access and data breaches
• Monitoring and analyzing security incidents
• Maintaining the integrity and security of our systems

6. Data Sharing and Disclosure

We do not sell your personal data. We may share your information in the following circumstances:

6.1 Service Providers

We may share personal data with trusted third-party service providers who assist us in operating our business, including:

• Cloud Service Providers: For hosting and data storage
• Payment Processors: For processing payments and transactions
• Analytics Providers: For website analytics and performance monitoring
• Email Service Providers: For sending communications
• Customer Support Tools: For managing customer inquiries
• Marketing Platforms: For marketing automation and campaigns

All service providers are contractually obligated to protect your personal data and use it only for specified purposes.

6.2 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections.

6.3 Legal Requirements

We may disclose personal data when required by law or to:

• Comply with legal obligations and court orders
• Respond to government requests and regulatory inquiries
• Protect our rights, property, and safety
• Prevent or investigate fraud, abuse, or illegal activities
• Enforce our terms of service and policies

6.4 With Your Consent

We may share your personal data with third parties when you have given explicit consent for such sharing.

6.5 Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot be used to identify you for research, analytics, and business purposes.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with the Kenya Data Protection Act and international best practices.

7.1 Technical Safeguards

• Encryption: We use industry-standard encryption (SSL/TLS) for data in transit and encryption at rest for sensitive data
• Access Controls: We implement strict access controls and authentication mechanisms to limit access to personal data
• Network Security: We use firewalls, intrusion detection systems, and other network security measures
• Secure Infrastructure: Our systems are hosted on secure, monitored infrastructure with regular security updates
• Data Backup: We maintain regular backups of data with secure storage and recovery procedures

7.2 Organizational Safeguards

• Employee Training: Our staff receive regular training on data protection and privacy
• Confidentiality Agreements: All employees and contractors are bound by confidentiality obligations
• Data Protection Officer: We have designated personnel responsible for data protection compliance
• Incident Response: We have procedures in place to detect, respond to, and report data breaches
• Regular Audits: We conduct regular security audits and assessments

7.3 Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:

• Notify the Office of the Data Protection Commissioner (ODPC) in Kenya within 72 hours (where feasible)
• Notify affected individuals without undue delay
• Provide clear information about the nature of the breach and measures taken
• Comply with all applicable breach notification requirements under relevant data protection laws

Note: While we implement robust security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

• Active Customer Data: Retained for the duration of our business relationship and for a reasonable period thereafter (typically 7 years for accounting and legal purposes)
• Marketing Data: Retained until you withdraw consent or opt-out, or for a maximum of 3 years of inactivity
• Website Analytics Data: Retained for up to 26 months (as per standard analytics practices)
• Legal and Compliance Records: Retained as required by applicable laws (e.g., 7 years for tax records in Kenya)
• Support Communications: Retained for 3 years after the resolution of the support request

8.2 Deletion Criteria

We will delete or anonymize your personal data when:

• The purpose for which it was collected has been fulfilled
• The retention period has expired
• You request deletion and we have no legal basis to retain it
• It is no longer necessary for legal or business purposes

8.3 Exceptions

We may retain certain personal data for longer periods when:

• Required by law or regulatory obligations
• Necessary for legal claims or proceedings
• Required for legitimate business interests (e.g., fraud prevention)
• Data has been anonymized and cannot be used to identify you

9. Your Rights Under Data Protection Laws

Under the Kenya Data Protection Act, 2019, General Data Protection Regulation (GDPR), and other applicable data protection laws, you have the following rights:

9.1 Right of Access

You have the right to obtain confirmation as to whether we process your personal data and to access your personal data, including:

• Copies of your personal data
• Information about the purposes of processing
• Categories of personal data processed
• Recipients or categories of recipients
• Retention periods
• Your rights regarding the data

9.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification.

9.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data when:

• The data is no longer necessary for the original purpose
• You withdraw consent and there is no other legal basis
• You object to processing and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Deletion is required to comply with legal obligations

Note: We may not be able to delete data if we have a legal obligation to retain it.

9.4 Right to Restrict Processing

You have the right to request restriction of processing when:

• You contest the accuracy of the data
• Processing is unlawful, but you oppose erasure
• We no longer need the data, but you require it for legal claims
• You have objected to processing, pending verification

9.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible.

9.6 Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

9.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) in Kenya or your local data protection authority if you believe your rights have been violated.

ODPC Contact Information:

• Website: www.odpc.go.ke
• Email: info@odpc.go.ke
• Phone: +254 20 490 6000

9.9 Exercising Your Rights

To exercise any of these rights, please contact us using the information provided in the "Contact Us" section below. We will respond to your request within 30 days (or as required by applicable law).

We may require verification of your identity before processing your request to protect your privacy and security.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your preferences and browsing behavior.

10.1 Types of Cookies

• Essential Cookies: Required for the website to function properly (e.g., authentication, security)
• Analytics Cookies: Help us understand how visitors use our website (e.g., Google Analytics)
• Functional Cookies: Remember your preferences and settings
• Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness

10.2 Cookie Management

You can control cookies through your browser settings. However, disabling certain cookies may affect website functionality.

For more information about our cookie practices, please refer to our Cookie Policy (if applicable) or contact us.

11. International Data Transfers

Your personal data may be transferred to and processed in countries outside Kenya, including countries that may not have the same data protection laws.

11.1 Transfer Safeguards

When transferring personal data internationally, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs): Approved by the European Commission and ODPC
• Adequacy Decisions: Transfers to countries with adequate data protection laws
• Binding Corporate Rules: For transfers within our corporate group
• Certification Schemes: Such as Privacy Shield (where applicable)
• Explicit Consent: Where you have provided informed consent

11.2 Your Rights

You have the right to be informed about international transfers and to request information about the safeguards in place.

12. Children's Privacy

Our services are not directed to individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children without parental consent.

If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.

13. Third-Party Links and Services

Our website may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices or content of these third parties.

We encourage you to review the privacy policies of any third-party services you access through our website.

This Privacy Policy applies only to information collected by Nocturnal Software Solutions.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending an email notification (for significant changes)
• Displaying a prominent notice on our website

Your continued use of our services after the effective date of the updated policy constitutes acceptance of the changes.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We are committed to addressing your concerns and will respond to your inquiries within 30 days (or as required by applicable law).