Introduction
DESMA Tech Limited ("DESMA", "we", "us", "our") is a company incorporated in Kenya under the Companies Act 2015. We operate the website desmatech.africa and related digital platforms including DESMA Learn, DESMA Consult, DESMA Comply, and DESMA Connect (collectively, the "Platform").
We are committed to protecting your personal data and handling it with transparency, fairness, and respect. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding it.
This Policy applies to:
- Visitors to desmatech.africa
- Individuals who register for launch notifications or complete contact forms on our website
- Clients, learners, and users of any DESMA platform or service
- Individuals whose data is shared with us by organisations that engage DESMA services
Legal Framework and Applicable Law
DESMA operates across multiple jurisdictions. This Policy is designed to comply with the following legislative frameworks:
| Jurisdiction | Legislation | Applicability |
|---|---|---|
| Kenya (primary) | Data Protection Act 2019 (Cap. 411C) | All operations and data subjects in Kenya |
| Kenya (primary) | Computer Misuse and Cybercrimes Act 2018 | Digital platform operations |
| European Union | General Data Protection Regulation (GDPR) 2016/679 | EU residents accessing our Platform |
| United Kingdom | UK GDPR and Data Protection Act 2018 | UK residents accessing our Platform |
| East Africa (EAC) | EAC Legal Framework on Cyberlaws (2008) | Regional cross-border operations |
| Africa (AU) | AU Convention on Cyber Security and Personal Data Protection (Malabo Convention) | Continental alignment |
| International | ISO/IEC 29100 — Privacy Framework | International best practice |
Where requirements conflict across jurisdictions, DESMA applies the higher standard of protection.
Data Controller Identity
Data Controller: DESMA Tech Limited
Registration: Incorporated in Kenya under the Companies Act 2015
Principal place of business: Nairobi, Kenya
Website: https://desmatech.africa
Data Protection Contact: hello@desmatech.africa
Under the Kenya Data Protection Act 2019, DESMA Tech Limited is registered as a data controller. Under GDPR (where applicable), DESMA Tech Limited acts as the data controller in respect of personal data processed through the Platform.
Personal Data We Collect
We collect only the minimum personal data necessary for the purposes described in this Policy.
4.1 Data you provide to us directly
- Contact enquiries: name, email address, organisation name, service interest, and the content of your message
- Launch notification registration: email address only
- DESMA Learn enrolment: name, email address, job title, country, and payment information (processed by our payment partner — not stored by DESMA)
- DESMA Consult engagement: name, organisation details, contact information, and project details
- DESMA Comply early access: name, email address, and organisation details
- DESMA Connect waitlist: name, email address, organisation type, and country
4.2 Data collected automatically
- Technical data: IP address, browser type and version, time zone, operating system
- Usage data: pages visited, time on site, referring URLs, click paths
- Cookie data: as described in Section 15
4.3 Data we do not collect
- Special category data (race, ethnicity, health data, biometric data, religious beliefs, political opinions)
- Data about children under the age of 18
- Financial account details (payments are processed by certified third-party processors)
How We Use Your Personal Data
We use your personal data only for the purposes for which it was collected, and only where we have a lawful basis to do so.
| Purpose | Lawful Basis | Retention Period |
|---|---|---|
| Responding to contact form enquiries | Legitimate interests / Contract performance | 3 years from last contact |
| Sending launch notifications | Consent | Until you unsubscribe |
| Delivering DESMA Learn courses and issuing certificates | Contract performance | 7 years |
| Providing DESMA Consult advisory services | Contract performance / Legal obligation | 7 years from end of engagement |
| DESMA Comply early access communications | Consent | Until product launches or you unsubscribe |
| DESMA Connect waitlist communications | Consent | Until platform launches or you unsubscribe |
| Improving our platform and services | Legitimate interests | 24 months (aggregated analytics) |
| Complying with legal obligations | Legal obligation | As required by law |
| Preventing fraud and ensuring security | Legitimate interests / Legal obligation | 6 years |
Consent and How to Withdraw It
Where we process your data based on consent (for example, launch notifications or early access lists), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal.
To withdraw consent:
- Click the "unsubscribe" link in any email we send you, or
- Email us at hello@desmatech.africa with the subject line "Withdraw Consent" — we will remove your data within 5 working days
Sharing Your Personal Data
DESMA does not sell, rent, or trade your personal data to any third party. We share your data only in the following limited circumstances.
7.1 Service providers and processors
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Formspree Inc. (USA) | Contact and notification form processing | Name, email, message content |
| Wealthpro Africa | LMS infrastructure and platform hosting (DESMA Learn) | Name, email, course progress |
| Payment processor (TBC) | Processing course payments | Payment details (not stored by DESMA) |
| Analytics provider | Website usage analytics (anonymised) | Anonymised usage data only |
| Email delivery provider | Transactional and notification emails | Email address, name |
7.2 Legal disclosure
We may disclose your personal data where required by law, court order, or regulatory authority, including the Office of the Data Protection Commissioner of Kenya. We will, where lawful to do so, notify you before such disclosure.
7.3 Business transfers
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the successor entity. We will notify you of any such transfer and your rights in relation to it.
International Data Transfers
DESMA is based in Kenya and your data is primarily processed within Kenya. However, some of our service providers (such as Formspree, which is based in the United States) process data outside Kenya.
Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including:
- Adequacy decisions or equivalent protections recognised under Kenyan law
- Standard Contractual Clauses (SCCs) approved by relevant supervisory authorities
- Binding corporate rules where applicable
- Explicit consent for specific transfers where required
Formspree Inc. processes data under the EU-US Data Privacy Framework and Standard Contractual Clauses.
Data Security
DESMA implements appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. Our measures include:
- SSL/TLS encryption for all data transmitted through our website
- Access controls limiting data access to authorised personnel only
- Regular security reviews of our platform and third-party processors
- Secure deletion of data that is no longer required
- Incident response procedures for personal data breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner of Kenya within 72 hours of becoming aware of the breach, and will notify affected individuals without undue delay, as required under the Kenya Data Protection Act 2019.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The specific retention periods applicable to each category of processing are set out in the table in Section 5.
When data is no longer required, it is securely deleted or anonymised. Where data is anonymised, it may be retained indefinitely for statistical or research purposes.
Your Rights Under the Kenya Data Protection Act 2019
Under the Kenya Data Protection Act 2019, you have the following rights:
- Right to be informed — you have the right to know that your data is being collected and how it will be used
- Right of access — you have the right to request a copy of the personal data we hold about you
- Right to rectification — you have the right to have inaccurate or incomplete personal data corrected
- Right to erasure — you have the right to request deletion of your personal data in certain circumstances
- Right to restriction of processing — you have the right to request that we limit how we use your data in certain circumstances
- Right to data portability — you have the right to receive your data in a structured, machine-readable format
- Right to object — you have the right to object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at hello@desmatech.africa. We will respond within 21 days as required under the Kenya Data Protection Act 2019.
Office of the Data Protection Commissioner (ODPC)
Website: www.odpc.go.ke
Email: info@odpc.go.ke
P.O. Box 30274-00100, Nairobi, Kenya
Additional Rights for EU and UK Data Subjects
If you are located in the European Union or United Kingdom, you have the following additional rights under GDPR and UK GDPR respectively:
- Right not to be subject to automated decision-making — you have the right not to be subject to decisions based solely on automated processing, including profiling. DESMA does not currently carry out such processing.
- Right to object to direct marketing — you have an absolute right to object to your data being used for direct marketing at any time.
- Right to lodge a complaint — EU data subjects may contact their national data protection authority. UK data subjects may contact the Information Commissioner's Office (ICO) at ico.org.uk.
Children's Data
Our Platform is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided personal data to us, please contact us at hello@desmatech.africa and we will delete that data promptly.
Third-Party Links
Our Platform may contain links to third-party websites. This Privacy Policy does not apply to those websites. We encourage you to read the privacy policies of any third-party website you visit. We are not responsible for the privacy practices or content of any third-party sites.
Cookies
15.1 What are cookies?
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work efficiently and to provide information to the website owner.
15.2 Cookies we use
| Category | Always on? | Purpose |
|---|---|---|
| Strictly necessary | Yes | Required for the website to function. Cannot be switched off. Includes session management and security cookies. |
| Analytics | No (opt-in) | Allow us to understand how visitors use our site so we can improve it. All data is aggregated and anonymised. |
| Functional | No (opt-in) | Enable enhanced features such as remembering your preferences. |
| Marketing | Not used | We do not currently use marketing cookies. |
You can control cookies through your browser settings. Note that disabling certain cookies may affect the functionality of our website. For more information visit www.allaboutcookies.org.
Third-Party Processing — Formspree
Our contact and notification forms are processed by Formspree Inc., a third-party form processing service. When you submit a form on our website, your data (including name, email address, and message content) is transmitted to and stored on Formspree's servers.
Formspree processes data in accordance with its own Privacy Policy, available at formspree.io/legal/privacy-policy. Formspree is certified under the EU-US Data Privacy Framework and processes data under Standard Contractual Clauses for transfers from the EU and UK.
Our two Formspree forms:
- Contact enquiries: endpoint mrerdgpa
- Launch notifications: endpoint xrerdboz
Data submitted through these forms is transmitted securely and delivered to hello@desmatech.africa.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will update the "Last reviewed" date at the top of this page and, where the changes are material, we will notify you by email (if we hold your email address) or by posting a prominent notice on our website.
We encourage you to review this Policy periodically. Your continued use of our Platform following the posting of changes constitutes your acceptance of those changes, to the extent permitted by applicable law.
Contact and Complaints
If you have any questions about this Privacy Policy, wish to exercise your rights, or wish to make a complaint about how we have handled your personal data, please contact us:
DESMA Tech Limited — Data Protection
Email: hello@desmatech.africa (subject: "Data Protection Enquiry")
Website: desmatech.africa
Address: DESMA Tech Limited, Nairobi, Kenya
We aim to respond to all data protection enquiries within 21 days.
If you are not satisfied with our response, you have the right to complain to the relevant supervisory authority for your jurisdiction, as set out in Sections 11 and 12 of this Policy.