Credwave Limited is committed to protecting and respecting your privacy. This Data Privacy Policy outlines how we collect, use, disclose, store, and safeguard your personal data in accordance with the Kenya Data Protection Act, 2019, the Data Protection (General) Regulations, 2021, and the European Union General Data Protection Regulation (GDPR).

This Policy applies to all individuals who interact with Credwave, including users of our communication platform, website visitors, employees, contractors, business partners, and other stakeholders whose personal data we process.

  1. Definitions

For the purposes of this Policy, the term

  •  “Personal data” refers to any information relating to an identified or identifiable natural person.
  •  “Processing,” means any operation or set of operations performed on personal data, whether automated or not, such as collection, recording, storage, alteration, retrieval, use, disclosure, or deletion.
  • “Data subject” refers to any individual whose personal data is being processed.
  •  “Data controller” refers to the entity that determines the purpose and means of processing personal data.
  •  “Data processor” is any person or organization that processes personal data on behalf of a controller.
  1. Scope

This Privacy Policy governs all data processing activities undertaken by Credwave Limited. It applies to users of our communication suite, clients, partners, employees, contractors, and visitors who access or interact with our website, applications, and digital services.

  1. Data Collection

Credwave collects personal data directly from you, automatically through your interaction with our systems, and indirectly from authorized third parties. The information we collect may include your name, contact details, account credentials, communication records, payment information, and any content you share while using our services. We also collect certain technical data such as IP addresses, browser type, operating system, device identifiers, and usage logs.

We may receive additional information from publicly available sources or from partners and service providers who have obtained your consent to share such information with us.

  1. Lawful Basis for Processing

We process personal data only where a lawful basis exists. This may include processing necessary for the performance of a contract to which you are a party, compliance with a legal or regulatory obligation, the pursuit of our legitimate business interests such as service improvement and fraud prevention, or where you have provided explicit consent. Where consent is the basis for processing, we ensure that such consent is informed, freely given, and verifiable. You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

  1. Purpose of Processing

Credwave processes personal data to facilitate communication, provide and maintain our services, administer accounts, process payments, and deliver customer support. We also use personal data to enhance our products, conduct audits and analytics, detect and prevent security threats, comply with legal obligations, and communicate with you regarding updates or changes to our services. Marketing communications are sent only to individuals who have expressly opted in, and every message includes a mechanism for unsubscribing from future marketing correspondence.

  1. Consent and Opt-In Management

Before collecting or processing your personal data for marketing or optional communications, we will always obtain your explicit consent through a clear opt-in process. This may include ticking a consent box or completing a subscription form. You may withdraw your consent or opt out of marketing communications at any time by following the unsubscribe link provided in our emails or by contacting us directly. Once you withdraw consent, we will cease the associated processing activities while continuing to process data necessary for legal or contractual purposes.

  1. Sharing and Disclosure of Personal Data

Credwave does not sell personal data to third parties. We only share personal data when it is necessary for legitimate business purposes and in compliance with applicable law. This may include disclosures to authorized employees, contractors, or third-party service providers such as hosting companies, analytics providers, payment processors, or communication vendors who process data strictly under our instructions.

Where we engage partners or vendors, we require them to sign legally binding data protection agreements obligating them to comply with this Policy, maintain adequate technical and organizational measures, and uphold standards consistent with the Kenya Data Protection Act and the GDPR. In cases of mergers, acquisitions, or similar transactions, personal data may be transferred subject to strict confidentiality and data protection safeguards.

  1. Partner and Vendor Compliance

All Credwave partners, contractors, and service providers are required to adhere to our Data Protection and Security Standards. They must handle personal data only for authorized purposes and are prohibited from processing it for their own marketing or unrelated business interests. We conduct due diligence and periodic assessments to ensure that our partners’ practices align with our privacy commitments and applicable legal frameworks.

  1. Cross-Border Data Transfers

Where personal data is transferred outside Kenya or the European Economic Area, Credwave ensures that such transfers comply with applicable legal requirements. We use safeguards such as Standard Contractual Clauses (SCCs), data protection agreements, and technical measures to maintain the confidentiality, integrity, and security of personal data. Transfers occur only where the recipient provides an adequate level of data protection consistent with Kenyan and European standards.

  1. Data Security

We have implemented appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include data encryption, access controls, network security protocols, and regular system monitoring. Access to personal data is limited to personnel who require it for legitimate business purposes and who are bound by confidentiality obligations.

Although we take all reasonable precautions, no system can guarantee absolute security. We encourage you to protect your login credentials and notify us immediately of any unauthorized use of your account.

  1. Data Retention

Credwave retains personal data only for as long as it is necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory, and contractual obligations. Generally, account and contact information are retained for the duration of the customer relationship and for up to two years thereafter, while payment and transaction records are kept for seven years to comply with tax and audit requirements. Communication logs may be retained for up to twelve months, and consent records for up to two years following the last contact. Once the retention period expires, personal data is securely deleted or anonymized.

  1. Your Rights

As a data subject, you have the right to access the personal data we hold about you, request correction of inaccurate information, and request deletion where appropriate. You may also restrict or object to specific types of processing, withdraw consent, and request a copy of your data in a portable format.

To exercise these rights, please contact us at privacy@credwave.com

We will acknowledge your request within seven days and provide a complete response within twenty-one days. Where the request is complex, we may extend the response period up to sixty days and will inform you of such an extension. You have a right to lodge complaints pertaining to the processing of your personal data with the relevant data protection supervisory authority.

  1. Cookies and Tracking Technologies

Our website uses cookies and other tracking technologies to enhance usability, analyse traffic patterns, and improve our services. Cookies are small data files stored on your device that help us remember your preferences and improve functionality. You may manage or disable cookies through your browser settings, though this may affect the performance of certain features.

  1. Children’s Data

Our services are not directed to persons under the age of eighteen. We do not knowingly collect personal data from minors. Should we discover that we have inadvertently obtained such data, we will delete it promptly.

  1. Data Subject Request Procedure

All requests to exercise data rights must be submitted in writing to info@credwave.com with the subject line “Data Subject Request.” We may require proof of identity to prevent unauthorized access. Once verified, we will process the request in accordance with applicable law and provide confirmation once it has been completed.

  1. Policy Updates

Credwave may update this Policy from time to time to reflect legal developments or operational changes. Any modifications will be published on our website Significant updates may also be communicated to users via email or through our platform. Continued use of our services after such notice constitutes acceptance of the updated Policy.

  1. Contact Information

For any questions, complaints, or concerns regarding this Policy or our handling of personal data, please contact our Data Protection Officer at info@credwave.com

Compliance Statement

This Policy reflects Credwave Limited’s commitment to the principles of accountability, lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and data subject rights as set out under the Kenya Data Protection Act (2019) and the EU GDPR. All employees, partners, and processors engaged by Credwave are required to comply fully with this Policy and the data protection standards it upholds.