Data Protection Policy
Introduction & Scope
Abi Computers ("we", "us", "our") respects your privacy and is committed to protecting your personal data. We act as a Data Controller for the information you provide when you use our website, online shop, hosting, software, learning platform, and support services.
This Data Protection Policy explains, in plain language, what personal data we collect, why we collect it, how we use and protect it, who we share it with, and the rights you have over your information. It applies to all customers, website visitors, and partners, wherever you are in the world.
Laws We Comply With
We process personal data in accordance with applicable data protection laws, including:
- The Data Protection Act, 2019 (Kenya) — the primary law governing how personal data is handled in Kenya, enforced by the Office of the Data Protection Commissioner (ODPC)
- The Data Protection (General) Regulations, 2021 and related ODPC guidance
- The Constitution of Kenya, 2010 — Article 31, which guarantees the right to privacy
- The EU General Data Protection Regulation (GDPR) and UK GDPR — where we serve customers in the EU/UK
- Other global privacy standards as best practice, regardless of where you are based
Key Definitions
- Personal data — any information that can identify you, directly or indirectly (e.g. name, phone, email, ID, location, online identifiers)
- Sensitive personal data — special-category data such as health, religion, ethnicity, financial details, or biometric data, which receives extra protection
- Data subject — you, the individual the personal data is about
- Data controller — the party that decides why and how personal data is processed (that is us)
- Data processor — a third party that processes data on our behalf (e.g. our hosting or email provider)
- Processing — any action performed on data: collecting, storing, using, sharing, or deleting it
Our Data Protection Principles
As required by the Data Protection Act, 2019 and the GDPR, we handle your data according to these principles:
- Lawfulness, fairness & transparency — we process data lawfully and tell you how
- Purpose limitation — we collect data for specified, legitimate purposes only
- Data minimisation — we collect only what we actually need
- Accuracy — we keep data correct and up to date
- Storage limitation — we keep data only as long as necessary
- Integrity & confidentiality — we keep data secure
- Accountability — we take responsibility for, and can demonstrate, our compliance
Personal Data We Collect
- Identity & contact data — name, email, phone number, company, physical/delivery address
- Account data — username, password (stored only as a hash, never in plain text), preferences and verification status
- Transaction & payment data — orders, invoices, and M-Pesa phone number and transaction references (we do not store your M-Pesa PIN or full card numbers)
- Technical data — IP address, browser type, device and operating system
- Usage data — pages visited, features used, and learning progress on our platform
- Communications — messages you send us via forms, email, or WhatsApp
Sensitive Personal Data
We generally do not collect sensitive personal data (such as health, religion, ethnicity or biometric data). Where a specific service requires it, we will:
- Ask for your explicit consent first, and explain why it is needed
- Apply stronger security and stricter access controls
- Process it only for the stated purpose and delete it when no longer required
Lawful Basis for Processing
We only process your data when we have a valid legal basis to do so:
- Consent — you have clearly agreed (e.g. subscribing to updates)
- Contract — processing is needed to deliver a service you ordered (e.g. shipping an order, hosting a website)
- Legal obligation — we must comply with the law (e.g. tax and accounting records)
- Legitimate interests — to run, secure and improve our business, balanced against your rights
- Vital interests — to protect someone's life or safety, in rare cases
How We Use Your Data
- To create and manage your account and verify your identity
- To process orders, payments (via M-Pesa), invoices, and deliveries
- To provide hosting, software, learning, and support services
- To respond to your enquiries and send service-related notifications
- To send marketing or updates only where you have consented (you can opt out anytime)
- To detect and prevent fraud, abuse, and security threats
- To comply with legal and regulatory obligations
- To analyse and improve our website and services
Your Rights as a Data Subject
Under the Data Protection Act, 2019 and the GDPR, you have the following rights over your personal data:
- Right to be informed — to know how your data is collected and used (this policy)
- Right of access — to request a copy of the personal data we hold about you
- Right to rectification — to have inaccurate or incomplete data corrected
- Right to erasure — to ask us to delete your data ("right to be forgotten"), where there is no legal reason to keep it
- Right to restrict processing — to limit how we use your data in certain situations
- Right to data portability — to receive your data in a structured, machine-readable format and reuse it
- Right to object — to object to processing based on legitimate interests or for direct marketing
- Rights around automated decisions — not to be subject to a solely automated decision that significantly affects you
- Right to withdraw consent — at any time, without affecting prior lawful processing
- Right to complain — to lodge a complaint with the ODPC or your local regulator
Consent & Your Choices
Where we rely on consent, it is always freely given, specific, informed, and unambiguous. You are never required to consent to marketing in order to buy from us.
- You can withdraw consent at any time via your account settings, the unsubscribe link in our emails, or by contacting us
- You can choose which communications you receive
- Withdrawing consent does not make earlier, lawful processing unlawful
International Data Transfers
Some of our providers (for example, cloud or email services) may store or process data outside Kenya. When personal data is transferred across borders, we ensure — as required by the Data Protection Act, 2019 and the GDPR — that it is protected by appropriate safeguards, such as:
- Transferring only to countries or providers with adequate data protection
- Using standard contractual clauses or equivalent legal safeguards
- Obtaining your consent where required for the transfer
How We Protect Your Data
We use appropriate technical and organisational measures to keep your data safe, including:
- Encryption in transit (HTTPS/TLS) and hashing of passwords, so that we never store or can read your password in plain text
- Access controls — staff access data on a need-to-know basis only
- Secure infrastructure, firewalls, and regular backups
- Two-factor authentication available on accounts
- Ongoing monitoring, updates, and security reviews
While we work hard to protect your data, no system is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication.
Data Retention
We keep personal data only for as long as necessary for the purposes set out in this policy, or as required by law:
- Account data — for as long as your account is active, then deleted after a reasonable inactivity period
- Transaction & tax records — retained as required by Kenyan law (typically several years)
- Marketing data — until you withdraw consent or object
- Support messages — retained for a limited period to assist you
When data is no longer needed, we securely delete or anonymise it.
Data Breach Notification
We have procedures to detect, report, and investigate personal data breaches. In line with the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021:
- We will notify the Office of the Data Protection Commissioner (ODPC) of a notifiable breach within 72 hours of becoming aware of it
- Where a breach is likely to result in a high risk to you, we will inform you without undue delay
- We keep a record of all breaches and the steps taken to address them
Children's Data
Our services are intended for users aged 18 and over. We do not knowingly collect personal data from children without verifiable parental or guardian consent, as required by the Data Protection Act, 2019.
If you believe a child has provided us data without consent, please contact us and we will delete it promptly.
Complaints & The Regulator
If you have a concern about how we handle your data, please contact us first at dpo@abicomputers.co.ke — we will do our best to resolve it.
You also have the right to lodge a complaint with the supervisory authority:
- Kenya — Office of the Data Protection Commissioner (ODPC), www.odpc.go.ke
- EU/UK — your local Data Protection Authority (e.g. the ICO in the UK)
Contact & Data Protection Officer
For any data protection question or to exercise your rights, contact our Data Protection Officer at dpo@abicomputers.co.ke. We aim to respond to rights requests within the time limits set by the applicable law.
Changes to This Policy
We may update this policy from time to time. Material changes will be posted here and, where appropriate, notified to you. Please review it periodically.