Privacy Policy
Last updated: 27 May 2026
Effective Date: 27th May 2026
Version: 1.0
Company: Kratos Systems
Contact: info@kratosystems.africa
ODPC Registration No: [TBC — registration in progress under the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021]
This Privacy Policy explains how Kratos Systems collects, uses, shares, retains, and protects your personal data. It also tells you about your rights under the Kenya Data Protection Act, 2019 (DPA 2019) and how to exercise them. We have written this policy in plain English so that it is easy to understand. Please read it carefully.
Who We Are — Identity of the Data Controller
Kratos Systems is a software engineering company incorporated in Kenya, providing Software Engineering, AI & Machine Learning, Cloud Infrastructure, Automation Systems, Data Engineering, and Cybersecurity services.
Depending on the context of our work, Kratos Systems acts in one of two roles:
Data Controller — when we determine the purposes and means of processing personal data ourselves (for example, when we manage our website, respond to enquiries, send marketing communications, or process invoicing data for our own business). In this role, this Privacy Policy applies directly to you.
Data Processor — when we process personal data on behalf of a client who remains the data controller of their own users' or employees' data (for example, when we build software systems or AI pipelines that handle a client's end-user data). In this role, our processing is governed by a separate Data Processing Agreement (DPA) signed with that client, not by this policy. If you are an end-user of a system built by us for one of our clients, please contact that client directly regarding your data rights.
Our contact details are:
Email: info@kratosystems.africa
Website: www.kratosystems.africa
Registered Address: Golf course phase 2, Nairobi, Kenya.
We are registered (or in the process of registering) with the Office of the Data Protection Commissioner (ODPC) under the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021. Our registration number is [ODPC Registration No: TBC].
Scope — Who This Policy Applies To
This policy applies to the following people whose personal data we process as a data controller:
Website visitors — anyone who visits www.kratosystems.africa or any other website we operate.
Prospective clients — individuals or representatives of organisations who enquire about our services, request proposals, or attend demonstrations.
Clients — individuals or authorised representatives of client organisations with whom we have an active or past commercial relationship.
Newsletter and marketing subscribers — individuals who have signed up to receive communications from us.
Any other individual who contacts us directly by email, phone, or through our website.
This policy does not apply to our employees, contractors, or job applicants, whose data is handled under a separate internal HR and recruitment privacy notice.
This policy does not govern the processing of personal data that we carry out as a data processor on behalf of our clients. That processing is governed by the relevant client Data Processing Agreement.
What Personal Data We Collect
We only collect personal data that is adequate, relevant, and not excessive relative to the purpose for which it is collected, in line with the data minimisation principle under DPA 2019.
The categories of personal data we may collect are as follows:
Identity data — your full name, job title, and the name of your organisation or employer.
Contact data — your business or personal email address, telephone number, and postal address.
Technical and device data — your IP address, browser type and version, operating system, device identifiers, time zone, and the pages of our website you visit. This data is collected automatically when you access our website.
Usage data — information about how you interact with our website, including pages visited, time spent, links clicked, and referral source.
Communications data — the content of messages, enquiries, emails, or other communications you send to us, including the context of any business discussions.
Special category data — we do not collect special category personal data (such as health data, biometric data, racial or ethnic origin, religious beliefs, or political opinions) unless you have given us your explicit written consent to do so, and there is a clear and documented reason for the collection. If we ever need to collect special category data, we will explain why and seek your explicit consent separately.
AI and Machine Learning interaction data — where you use or interact with AI/ML tools, demos, or features operated by us, the inputs you provide (such as text prompts, documents, or queries) and the outputs generated may constitute personal data if they relate to an identifiable individual. All such data is handled under this policy and the lawful bases set out in Section 5. Where AI/ML features process personal data as part of a client engagement, this will be governed by the applicable Data Processing Agreement.
How We Collect Your Data
We collect your personal data through the following means:
Directly from you — when you fill in a contact form on our website, send us an email, request a proposal, subscribe to our newsletter, engage us for services, or otherwise communicate with us.
Automated technologies — when you visit our website, we automatically collect technical and usage data through cookies, server logs, and similar tracking technologies. Please see our Cookie Policy at www.kratosystems.africa/cookies for full details of what we collect, how, and your choices.
Third parties — we may receive personal data about you from third-party platforms such as professional networking sites (for example LinkedIn), referral partners, or cloud-based tools we use to manage our business operations.
Publicly available sources — we may collect information that is publicly available, such as professional profiles, company websites, or publicly posted content, where relevant to a business development context.
Lawful Basis for Processing
Under DPA 2019 §30, we must have a lawful basis before processing your personal data. The lawful bases we rely on, and the processing activities they apply to, are as follows:
Consent (DPA 2019 §30(a)):
We rely on your consent when we send you marketing emails or newsletters, set non-essential cookies on your device, or use your testimonial or image in our marketing materials.
Consent means you have freely, specifically, and clearly agreed to the processing. You can withdraw your consent at any time by emailing info@kratosystems.africa or by using the unsubscribe link in any marketing email. Withdrawing consent does not affect the lawfulness of processing that took place before withdrawal.
Contract (DPA 2019 §30(b)):
We rely on contract performance when processing is necessary to deliver our services to you or your organisation, for example, managing a project, communicating with you during service delivery, sending invoices, and responding to service-related requests.
This basis also covers steps we take before entering a contract at your request, such as preparing a proposal or scoping document.
Legal obligation (DPA 2019 §30(c)):
We rely on legal obligation when we are required to process your data to comply with Kenyan law, for example, retaining financial records under the Kenya Companies Act and Kenya Revenue Authority requirements, responding to lawful requests from regulatory authorities, or complying with court orders.
Legitimate interests (DPA 2019 §30(e)):
We rely on legitimate interests for the following purposes, having weighed our interests against your rights and determined that our interests are not overridden:
Security monitoring — protecting our systems, infrastructure, and clients from cyberattacks, fraud, and unauthorised access.
Business development — processing contact data of prospective clients obtained through professional networking or publicly available sources to make initial contact.
Service improvement — analysing aggregated, anonymised usage data to improve our website and service offerings.
Fraud prevention — identifying and blocking fraudulent or abusive activity directed at our systems.
You have the right to object to processing carried out on a legitimate interest basis. If you object, we must stop processing unless we can demonstrate compelling legitimate grounds that override your rights. See Section 11 for how to exercise this right.
Special category data: For any special category personal data (as described in Section 3.2(f)), we will always rely on explicit consent as the lawful basis, in addition to one of the bases above. We will never process special category data without your clear, written, and specific agreement.
How We Use Your Data
We use your personal data for the following specific purposes:
Service delivery — providing the software engineering, AI/ML, cloud infrastructure, automation, data engineering, and cybersecurity services you or your organisation have engaged us for.
Client communication — contacting you about your project, responding to your enquiries, sharing progress updates, and managing our relationship with you.
Invoicing and financial administration — preparing and sending invoices, processing payments, and maintaining financial records as required by Kenyan law.
Improving AI and ML models — where we use interaction or usage data to improve or train AI/ML models that we operate as a controller, we will inform you of this and provide you with a clear opt-out option. We will never use your personal data to train third-party AI models without your explicit consent.
Security monitoring — monitoring our systems and network for threats, vulnerabilities, and suspicious activity, drawing on our own cybersecurity expertise.
Legal and regulatory compliance — meeting our obligations under Kenyan law, including the DPA 2019, the Companies Act, tax legislation, and any other applicable regulation.
Fraud prevention — detecting, investigating, and preventing fraudulent or harmful activity directed at us or our clients.
Marketing and business development — sending you information about our services, case studies, or events where you have consented or where we have a legitimate interest to do so.
AI and Machine Learning — Specific Provisions
Kratos Systems provides AI and Machine Learning services as a core part of its offering. This section explains how we handle personal data in that context and your rights in relation to automated processing.
Use of client data to train AI models:
We do not use personal data provided by clients or their end-users to train our own AI models without the explicit written consent of the relevant data controller (the client) and, where required, the individual data subject.
Where an engagement specifically involves developing or fine-tuning an AI model using client-provided datasets, this will be clearly set out in the applicable Statement of Work and Data Processing Agreement. Appropriate safeguards, including data minimisation, pseudonymisation, and access controls, will be applied.
Any client data used for AI model training purposes will only be used for the purpose specified in the engagement agreement and will not be retained beyond what is necessary for that purpose.
Automated decision-making — your rights under DPA 2019 §34:
You have the right not to be subject to a decision made solely by automated means (without any human involvement) where that decision produces legal effects on you or similarly significantly affects you, for example, decisions about your creditworthiness, your eligibility for a service, or your professional assessment.
Currently, Kratos Systems does not make solely automated decisions about individuals visiting our website or interacting with our services that produce legal or similarly significant effects.
Where Kratos Systems builds AI systems for clients that involve automated decision-making affecting individuals, those systems are governed by the client's own data controller obligations and the applicable Data Processing Agreement.
If in the future we introduce any automated decision-making that could significantly affect you, we will update this policy and notify you in advance.
Right to request human review:
If you believe you have been subject to a solely automated decision that has significantly affected you in connection with any service provided by Kratos Systems, you have the right to request that a human being reviews that decision.
To exercise this right, please contact us at info@kratosystems.africa. We will respond within 30 days.
Profiling:
Profiling means using personal data to evaluate, analyse, or predict aspects of an individual's behaviour, preferences, or characteristics.
We may carry out limited profiling of website visitors using aggregated, anonymised usage data to understand how people use our website and to improve it. This profiling does not produce any significant effects on individuals.
We do not carry out profiling for marketing purposes without your consent. If we introduce any profiling with significant effects, we will disclose the logic involved, the significance of the profiling, and your right to opt out. You may object to any profiling at any time by contacting us at info@kratosystems.africa.
Data Protection Impact Assessments (DPIAs): For AI/ML processing activities that pose a high risk to individuals' rights and freedoms, we conduct Data Protection Impact Assessments in accordance with DPA 2019 and ODPC guidance. The results of these assessments inform how we design and operate our AI services.
Sharing Your Data
We may share your personal data with the following categories of recipients:
Sub-contractors and technology partners — cloud infrastructure providers, email delivery platforms, CRM tools, bookkeeping software, and other technology vendors we use to operate our business. We only share data with these parties where they have signed a written Data Processing Agreement (DPA) that requires them to handle your data securely and in line with DPA 2019. Current major categories of processors include: Cloud Infrastructure Providers, Email Service Provider, CRM Platform, Accounting Software.
The ODPC and law enforcement — where we are legally required to do so, for example in response to a court order, a formal request from the ODPC, or other lawful regulatory demand. We will only share the minimum data necessary to comply.
Successors in a business transfer — if Kratos Systems is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity, subject to the same protections as described in this policy. We will notify you before your data is transferred and becomes subject to a different privacy policy.
We do not sell your personal data to any third party, under any circumstances.
We do not share your personal data with third parties for their own marketing or advertising purposes without your explicit consent.
Cross-Border Data Transfers
Some of the third-party service providers and cloud platforms we use may process your personal data in countries outside Kenya. This is particularly relevant for our cloud infrastructure services.
Where we transfer personal data outside Kenya, we comply with DPA 2019 §49, which requires that adequate safeguards are in place before any transfer takes place.
The safeguards we rely on include:
Adequacy decisions — where the destination country has been recognised as providing an adequate level of data protection.
Standard Contractual Clauses (SCCs) — contractual terms based on ODPC-recognised or internationally recognised models that bind the recipient to protect your data to Kenyan standards.
Technical safeguards — including end-to-end encryption, pseudonymisation, and strict access controls applied to data before and during transfer.
Our main cloud infrastructure is hosted by Google Cloud Platform, Amazon Web Services, and Microsoft Azure, operating in the following regions: eu-central-1, af-south-1, eu-west-2, me-central-1. We maintain transfer impact assessments for high-risk transfer scenarios.
You may request details of the specific safeguards in place for any cross-border transfer by emailing info@kratosystems.africa.
Data Retention
We retain your personal data only for as long as is necessary to fulfil the purpose for which it was collected, or as required by Kenyan law. The table below sets out the specific retention periods we apply, by data category.
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| Client contract and project data | Duration of contract + 7 years | Limitation of Actions Act (Cap 22); DPA 2019 |
| Financial and invoicing records | 7 years from the end of the relevant financial year | Kenya Companies Act; Kenya Revenue Authority requirements |
| Marketing and newsletter data | Until you withdraw consent or unsubscribe | DPA 2019 §30(a) — consent |
| Technical and server log data | 12 months from date of collection | Legitimate interests (security monitoring) |
| Enquiry and pre-contract data | 2 years from date of enquiry if no contract is entered | Legitimate interests (business development) |
| AI/ML interaction data (where applicable) | As specified in the applicable DPA or consent, maximum [retention period TBC per engagement] | Contract / Consent |
| Special category data | Only for the duration of the specific purpose for which consent was given | Explicit consent |
When the relevant retention period expires, we will securely delete, anonymise, or archive your personal data in a way that makes it impossible to link back to you.
Retention periods are reviewed annually as part of our internal data protection review cycle.
Your Rights Under DPA 2019
Under the Kenya Data Protection Act, 2019, you have the following rights in relation to your personal data. To exercise any of these rights, please email us at info@kratosystems.africa with your name, a description of your request, and sufficient information to verify your identity. We will respond within 30 days of receiving your request, as required by DPA 2019. If your request is complex or we receive multiple requests, we may extend this period and will inform you of the reason.
Right to be informed (DPA 2019 §26):
You have the right to be told clearly and in plain language how and why we process your personal data. This Privacy Policy is how we meet this obligation. If anything is unclear, please contact us.
Right of access (DPA 2019 §26):
You have the right to ask us whether we hold personal data about you, and to receive a copy of that data along with information about how we use it.
To submit an access request, email info@kratosystems.africa with the subject line "Data Subject Access Request."
Right to rectification (DPA 2019 §27):
You have the right to ask us to correct any personal data we hold about you that is inaccurate or incomplete.
We will update your data promptly and, where possible, notify any third parties with whom we have shared the incorrect data.
Right to erasure (DPA 2019 §28):
You have the right to ask us to delete your personal data where it is no longer necessary for the purpose it was collected, where you have withdrawn consent, where you have successfully objected to processing, or where the data was processed unlawfully.
This right is not absolute: we may need to retain certain data to comply with a legal obligation or to establish, exercise, or defend legal claims. Where we cannot delete your data, we will explain why.
Right to restrict processing (DPA 2019 §29):
You have the right to ask us to pause the processing of your personal data in certain circumstances, for example, while you contest the accuracy of the data, or while we assess an objection you have raised.
When processing is restricted, we will continue to store your data but will not actively use it until the restriction is lifted.
Right to data portability (DPA 2019 §31):
Where we process your personal data on the basis of your consent or a contract with you, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format.
You may also ask us to transmit that data directly to another service provider where technically feasible.
To make a portability request, email info@kratosystems.africa.
Right to object (DPA 2019 §32):
You have the right to object to our processing of your personal data where we rely on legitimate interests as the lawful basis. If you object, we must stop processing your data unless we can demonstrate compelling legitimate grounds that override your rights and freedoms, or unless we need the data for legal claims.
You also have an unconditional right to object to your personal data being processed for direct marketing purposes at any time. We will stop processing your data for marketing immediately upon receiving your objection.
To object, email info@kratosystems.africa with the subject line "Objection to Processing."
Rights related to automated decision-making and profiling (DPA 2019 §34):
As described in Section 7, you have the right not to be subject to solely automated decisions that significantly affect you.
You have the right to request human review of any automated decision, to express your point of view, and to contest the decision.
To exercise these rights, contact us at info@kratosystems.africa.
We will never charge you a fee for exercising your data subject rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline the request, and will explain our reasons.
Data Protection Officer
Kratos Systems recognises the importance of having a dedicated point of accountability for data protection matters, particularly given the nature of our AI/ML, cloud, and cybersecurity services.
We have appointed / are in the process of appointing a Data Protection Officer (DPO) in accordance with DPA 2019 §24. Our DPO is responsible for:
monitoring our compliance with DPA 2019 and related regulations;
advising on Data Protection Impact Assessments;
acting as the point of contact with the ODPC; and
handling data subject rights requests and complaints.
You can contact our DPO at:
Name: [DPO Name — TBC upon appointment]
Email: [dpo@kratosystems.africa or info@kratosystems.africa]
Once our DPO appointment is confirmed, we will update this policy with the DPO's name and registration details with the ODPC.
Security Measures
Kratos Systems takes the security of your personal data seriously. We implement a range of technical and organisational security measures, including:
Encryption — all data transmitted through our website and systems is encrypted in transit using HTTPS/TLS. Data stored on our systems is encrypted at rest.
Access controls — we apply the principle of least privilege, ensuring that only authorised personnel have access to personal data, and only to the extent necessary for their role. Multi-factor authentication (MFA) is required for access to administrative systems.
Regular security audits — drawing on our in-house cybersecurity expertise, we conduct regular security reviews, vulnerability assessments, and penetration testing of our systems and infrastructure.
Staff training — all staff who handle personal data receive regular training on data protection obligations and secure data handling practices.
Incident response procedures — we maintain documented incident response procedures that are activated in the event of a suspected data breach or security incident. See Section 14 for our breach notification commitments.
Data segregation — production and staging/testing environments are kept strictly separate, and real personal data is not used in testing environments without appropriate safeguards.
Vendor security — we require all third-party processors and sub-contractors to maintain security standards equivalent to our own as a condition of their engagement.
While we take all reasonable steps to protect your data, no system is completely immune from security risks. We encourage you to use strong, unique passwords and to notify us immediately at info@kratosystems.africa if you suspect any unauthorised access to your account or data.
Data Breach Notification
In the event of a personal data breach, Kratos Systems will act swiftly in accordance with DPA 2019 §43.
Notification to the ODPC: We will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of a personal data breach, where the breach is likely to result in a risk to the rights and freedoms of individuals. Our notification will include, where known:
a description of the nature of the breach, including the categories and approximate number of individuals and data records affected;
the name and contact details of our DPO or the person responsible for data protection;
a description of the likely consequences of the breach; and
the measures taken or proposed to address the breach and to mitigate its possible adverse effects.
Notification to affected individuals: Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, for example, where it could lead to financial loss, identity theft, discrimination, or significant distress, we will notify those individuals without undue delay. Our notification will be clear and plain, and will explain:
what happened;
what data was involved;
what we are doing about it; and
what you can do to protect yourself.
If you suspect that your personal data held by Kratos Systems has been compromised, or if you wish to report a potential security incident, please contact us immediately at info@kratosystems.africa.
Cookies
Our website uses cookies and similar tracking technologies. Cookies help us to make our website function properly, understand how visitors use it, and (where you have consented) to improve your experience.
For full details of the specific cookies we use, their purposes, how long they last, and how you can manage your cookie preferences, please read our Cookie Policy, available at www.kratosystems.africa/cookies.
Non-essential cookies (such as analytics or marketing cookies) will only be placed on your device with your prior consent. You can withdraw your cookie consent at any time by visiting the cookie preferences panel on our website.
Third-Party Links
Our website may contain links to third-party websites, tools, or services that are not operated by Kratos Systems.
We have no control over the content or privacy practices of third-party websites. When you click on a link to a third-party site, we encourage you to read that site's privacy policy before providing any personal data.
The inclusion of a link to a third-party website does not constitute an endorsement by Kratos Systems of that site or its privacy practices. Kratos Systems is not responsible for the data practices of third-party sites.
Children's Data
Our services and website are directed at businesses and professionals, and are not intended for use by persons under the age of 18.
We do not knowingly collect or process personal data from children under 18. If you are under 18, please do not submit any personal data to us through our website or any of our services.
If we become aware that we have inadvertently collected personal data from a person under 18 without appropriate parental or guardian consent, we will take immediate steps to delete that data from our records and notify the relevant parent or guardian where possible.
If you believe we may have collected data from a child, please contact us at info@kratosystems.africa immediately.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, our data processing activities, or applicable law.
When we make significant changes to this policy, we will notify you by:
posting a notice on our website at www.kratosystems.africa; and/or
sending an email notification to the email address you have provided to us, where we hold it.
The updated policy will take effect 30 days after we post the notice or send the notification, giving you time to review the changes. Your continued use of our website or services after that date will constitute your acceptance of the updated policy.
The Effective Date at the top of this policy always shows when the current version came into force. We maintain an archive of previous versions, which is available on request.
How to Complain
We take your privacy rights seriously and are committed to resolving any concerns you have about how we handle your personal data. If you have a complaint, please follow the steps below:
Step 1. Contact Kratos Systems first:
Email us at info@kratosystems.africa with a description of your concern.
We will acknowledge your complaint within 5 working days and aim to provide a full response within 30 days.
If your complaint is complex, we will let you know within 30 days and give you a revised timeline.
Step 2. Escalate to the ODPC:
If you are not satisfied with our response, or if we fail to respond within the timeframe above, you have the right to lodge a complaint directly with the Office of the Data Protection Commissioner (ODPC).
The ODPC is Kenya's independent data protection supervisory authority. Their contact details are:
Website: odpc.go.ke
Email: info@odpc.go.ke
Physical Address: Office of the Data Protection Commissioner, Nairobi, Kenya
Kratos Systems will cooperate fully with any investigation or inquiry conducted by the ODPC.
Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or want to speak to someone about how we handle your personal data, please get in touch:
This policy is governed by and construed in accordance with the Kenya Data Protection Act, 2019, the Computer Misuse and Cybercrimes Act, 2018, the Kenya Information and Communications Act (Cap 411A), and all applicable subsidiary regulations and ODPC guidance in force from time to time.