Privacy policy

01Scope and who we are

This privacy policy explains how Augusta Software House Limited ("Augusta", "we", "us", or "our") — a company incorporated in Kenya with offices at Harrison House, Third Ngong Avenue, Upper Hill, Nairobi — collects, uses, stores, and protects personal data.

It applies to information we collect through our website (augusta.co.ke), our customer engagements, our recruitment processes, and any other interaction you have with us. Augusta is a registered Data Controller and Data Processor under the Kenya Office of the Data Protection Commissioner.

02Personal data we collect

We only collect personal data that we need to do what you've asked us to do. Specifically:

• Identification & contact data — name, email, phone number, job title, organisation — when you contact us, request a quote, or apply for a role.
• Project data — information you share with us about your business, technology stack, or the work you'd like us to do.
• Recruitment data — CV, references, work history — when you apply for a job at Augusta.
• Website usage data — IP address, browser type, pages visited, referrer — collected via cookies and analytics tools (see our Cookie Policy).
• Customer-system data — when we operate or process data inside a customer's system, we act as a Data Processor under instruction from the customer (the Data Controller).

03How we use your data

We use personal data to:

• Respond to enquiries and deliver the services you've asked us to deliver.
• Manage customer relationships, including invoicing, support, and account management.
• Recruit, evaluate, and onboard people who apply to work with us.
• Operate our website, measure its performance, and improve it.
• Comply with legal, regulatory, and audit obligations.
• Communicate news and updates with consenting recipients (you can unsubscribe at any time).

04Legal basis for processing

We rely on one of the following lawful bases under the Kenya Data Protection Act 2019 for every processing activity:

• Performance of a contract — to deliver services you've engaged us for.
• Consent — for marketing communications and optional cookies.
• Legitimate interests — to operate our business, protect our systems, and improve our services where this doesn't override your rights.
• Legal obligation — to comply with tax, employment, financial, and audit law.

05Sharing data & processors

We share personal data only with:

• Sub-processors we engage to deliver services — for example, cloud infrastructure providers (AWS, Microsoft Azure), email services, payment processors, and HR platforms. All sub-processors are bound by data-processing agreements that mirror our obligations to you.
• Customers — where you are an end-user of a system we operate on a customer's behalf, the customer is the Data Controller and we act under their instruction.
• Authorities — where required by law, court order, or regulatory request.

A current list of sub-processors is available on request.

06How long we keep data

We retain personal data only as long as necessary for the purpose it was collected:

• Enquiry data — 24 months from last contact.
• Customer engagement records — 7 years from end of engagement (for tax and audit compliance).
• Recruitment data — 12 months for unsuccessful applicants; for the duration of employment plus 7 years for hires.
• Website analytics — aggregated, with personally identifying elements removed within 14 months.

07Your rights

Under the Kenya Data Protection Act 2019, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate personal data.
• Erase personal data in specified circumstances ("right to be forgotten").
• Restrict processing of your data while a dispute is being resolved.
• Object to processing based on legitimate interests or for marketing.
• Portability — receive your data in a structured, machine-readable format.
• Withdraw consent at any time where consent was the legal basis.
• Lodge a complaint with the Office of the Data Protection Commissioner.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

08Security

We protect personal data with technical and organisational controls including: encryption of data in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, multi-factor authentication for privileged access, regular vulnerability scanning, annual penetration testing, security training for all staff, and audit logging of access to personal data.

Despite our efforts, no system is perfectly secure. If a data breach occurs that affects your personal data, we will notify you and the Office of the Data Protection Commissioner within 72 hours where required by law.

09International transfers

Some of our sub-processors are located outside Kenya — primarily in the European Union, United States, and South Africa. Where we transfer personal data internationally, we rely on legal mechanisms recognised under the Kenya Data Protection Act 2019, including Standard Contractual Clauses and adequacy decisions where applicable.

10Changes to this policy

We may update this policy to reflect changes to our practices or to law. The "last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to active customers and recipients of our newsletter at least 30 days before they take effect.

11Contact us

For privacy questions, requests, or complaints, please contact our Data Protection Officer.