Privacy Policy

1. Introduction

Novacom Systems Limited (“Novacom”, “we”, “us”, or “our”) is a hospitality technology solutions provider offering services including Property Management Systems, Point of Sale, Loyalty programmes, and related solutions to the hospitality industry across Kenya and other African countries.

We are committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains who we are, what personal data we collect, why we collect it, how we use and protect it, and what rights you have.

This Policy applies to:

  • All visitors to our website at www.novacom.co.ke
  • Prospective and existing clients who enquire about or purchase our services
  • Users of the Novacom client portal and support systems
  • End-customers of restaurants and hospitality businesses using the Novacom Loyalty platform
  • Any individual whose personal data is processed by Novacom

This Policy is governed by the Kenya Data Protection Act, 2019 (DPA) and its subsidiary regulations, and is also informed by international best practice including the EU General Data Protection Regulation (GDPR). Where we operate in other African countries, we additionally comply with applicable local data protection laws.

2. Who We Are — Data Controller and Data Processor

Novacom operates in two legal capacities depending on the context:

2.1 As a Data Controller

When we collect and use personal data about our own website visitors, newsletter subscribers, sales enquiries, and client contacts, we are the Data Controller and are responsible for how that data is used.

2.2 As a Data Processor

When we collect and use personal data about our own website visitors, newsletter subscribers, sales enquiries, and client contacts, we are the Data Controller and are responsible for how that data is used.

3. Personal Data We Collect

3.1 Data You Provide to Us Directly

  • Identity data: Name, job title, company name
  • Contact data: Email address, telephone number, physical address
  • Communication data: Enquiries, support requests, messages sent to us
  • Marketing preferences: Opt-in/opt-out choices for updates, newsletters and communications

3.2 Data Collected Automatically

  • Technical data: IP address, browser type, device identifiers, operating system
  • Usage data: Pages visited, time spent, links clicked, referral source
  • Cookie data: Session and preference cookies (see Section 9)

3.3 Loyalty Platform — End-Customer Data (Processor Role)

When operating the Loyalty platform for hospitality clients, we may process on their behalf:

  • Name, phone number, and email address of loyalty programme members
  • Transaction history, points balance, and redemption records
  • Visit frequency and spend patterns
  • Marketing consent preferences recorded by the client

We do not collect sensitive personal data (such as biometric data, health data, or financial account details) unless specifically required for a contracted service, in which case separate notice and consent will be obtained.

4. How We Use Your Personal Data

| Purpose | Data Used | Lawful Basis (DPA 2019) |
|---|---|---|
| Respond to enquiries and provide support | Identity, Contact, Communication | Performance of contract / Legitimate interest |
| Provide and manage our products and services | Identity, Contact, Technical | Performance of contract |
| Send service updates and operational notices | Contact data | Performance of contract |
| Send marketing newsletters (opted-in) | Contact, Marketing preferences | Consent |
| Analyse website usage and improve our platform | Technical, Usage, Cookie data | Legitimate interest |
| Comply with legal obligations | Any relevant data | Legal obligation |
| Fraud prevention and security | Technical, Usage | Legitimate interest / Legal obligation |

5. Your Consent

Where we rely on consent as the lawful basis for processing your personal data (for example, for marketing emails and newsletters), we will:

  • Ask for your explicit, informed consent before sending marketing communications
  • Record the date, time, and method of consent
  • Provide a clear and easy way for you to withdraw consent at any time
  • Never make our services conditional on consent to marketing

You may withdraw consent at any time by:

  • Clicking the “Unsubscribe” link in any marketing email
  • Emailing us at privacy@novacom.co.ke
  • Calling us on +254 20 273 1000

Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Certain processing activities are based on contractual necessity or legitimate interest and are not affected by withdrawal of marketing consent.

By submitting an enquiry form, signing up for a newsletter, or entering into a contract with Novacom, you acknowledge that you have read and understood this Privacy Policy.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties. We may share your data only in the following circumstances:

6.1 Service Providers and Sub-Processors

We engage trusted third-party service providers to help us operate our business and deliver services. These include cloud hosting providers, email delivery platforms, CRM systems, and IT support services. All sub-processors are bound by confidentiality obligations and data processing agreements that require them to protect your data to the same standard we do.

6.2 Legal and Regulatory Requirements

We may disclose personal data where required to do so by law, court order, or regulatory authority, including the ODPC, or to protect the rights, property, or safety of Novacom, our clients, or others.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred as part of that transaction. We will notify affected individuals prior to such a transfer.

7. How Long We Keep Your Data

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. Our general retention guidelines are:

| Data Category | Retention Period |
|---|---|
| Website enquiry and contact data | 2 years from last contact, or as required to resolve the matter |
| Client contract and billing records | 7 years from end of contract (Kenya tax and commercial law requirements) |
| Marketing consent records | Duration of relationship + 3 years |
| Support and helpdesk records | 3 years from resolution of the support request |
| Security and audit logs | 12 months rolling |
| Website cookie data | As per cookie consent settings (session or up to 12 months) |

When data is no longer required it is securely deleted or anonymised in accordance with our data retention and deletion procedures.

8. Cookies

Our website uses cookies — small text files placed on your device — to improve your browsing experience. We use:

  • Strictly necessary cookies: Required for the website to function (e.g. login sessions, form submissions). These cannot be disabled.
  • Analytics cookies: Help us understand how visitors interact with our website (e.g. Google Analytics). These are only set with your consent.
  • Preference cookies: Remember your settings and preferences for future visits. Set with your consent.

On your first visit to our website you will be shown a cookie consent banner. You may accept all cookies, customise your preferences, or decline non-essential cookies. You can change your cookie settings at any time via the “Cookie Settings” link in the website footer.

Your browser settings can also be used to block or delete cookies, although this may affect your ability to use certain features of our website.

9. Your Rights as a Data Subject

Under the Kenya Data Protection Act, 2019 and applicable international privacy law, you have the following rights:

| Your Right | What It Means |
|---|---|
| Right of Access | You may request a copy of all personal data we hold about you. |
| Right to Rectification | You may ask us to correct inaccurate or incomplete personal data. |
| Right to Erasure | You may ask us to delete your personal data where it is no longer necessary or where you withdraw consent. |
| Right to Restriction | You may ask us to pause processing of your data while a query or objection is being resolved. |
| Right to Data Portability | You may request your data in a structured, commonly used, machine-readable format. |
| Right to Object | You may object to processing based on legitimate interest, including direct marketing. |
| Right to Withdraw Consent | Where processing is based on consent, you may withdraw it at any time without penalty. |
| Right to Lodge a Complaint | You have the right to lodge a complaint with the ODPC at www.odpc.go.ke if you believe your rights have been violated. |

To exercise any of these rights, please contact us at privacy@novacom.co.ke. We will respond within 60 days of receiving your request. The ODPC requires us to resolve complaints within 90 days. We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive.

10. How We Protect Your Data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration. These measures include:

  • Encryption of data in transit using TLS/SSL and encryption of data at rest
  • Role-based access controls ensuring staff access only the data necessary for their role
  • Multi-factor authentication for access to systems holding personal data
  • Regular security assessments and penetration testing
  • Audit logs of access to and modifications of personal data
  • Secure data deletion procedures when retention periods expire
  • Staff training on data protection and information security

While we take every reasonable precaution, no method of transmission over the internet is completely secure. If you have reason to believe your interaction with us is no longer secure, please contact us immediately.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will:

  • Notify the ODPC within 72 hours of becoming aware of the breach, via the ODPC breach notification portal
  • Notify affected data subjects without undue delay where the breach is likely to result in high risk
  • Provide clear information about the nature of the breach, the data involved, likely consequences, and steps taken to address it

We maintain a breach response plan and incident register and conduct annual breach response drills to ensure preparedness.

12. Children’s Privacy

Our services are directed at businesses and adult consumers. We do not knowingly collect personal data from children under the age of 18 without verifiable parental or guardian consent. If you become aware that a child has provided us with personal data without appropriate consent, please contact us at privacy@novacom.co.ke and we will take steps to delete such data.

13. Third-Party Websites and Links

Our website may contain links to third-party websites. This Privacy Policy applies only to Novacom’s own website and services. We are not responsible for the privacy practices of third-party websites and encourage you to review their privacy policies before providing any personal data.

14. Changes to This Privacy Policy

We review and update this Privacy Policy periodically to reflect changes in our business, technology, or legal requirements. When we make material changes, we will:

  • Update the “Effective Date” and version number at the top of this Policy
  • Post a notice on our website homepage for at least 30 days
  • Where the change materially affects how we use your data, notify existing clients and subscribers directly by email

Your continued use of our website or services after changes to this Policy constitutes acceptance of the updated terms. We recommend reviewing this Policy whenever you interact with us.

15. Contact Us and Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact:

| Contact Method | Details |
|---|---|
| Data Protection Contact | privacy@novacom.co.ke |
| Phone | +254 20 273 1000 |
| Postal Address | Novacom Systems Limited, 200 MEBank Towers, Milimani Road, Nairobi 00100, Kenya |
| Website | www.novacom.co.ke |