Privacy Notice
Last updated: 15 July 2026.
Who we are
Nova Insight Ltd is a company incorporated in Kenya on 24 April 2026 (company no. PVT-BB1OD8Z2), with its registered office at Kifaru House, Rottcher Vet Surgery Compound, Miotoni Road, Karen, Nairobi. We are the data controller for the personal data described in this notice.
Nova Insight Ltd has applied for registration with the Office of the Data Protection Commissioner (ODPC) as a data controller and data processor.
Our designated data-protection contact is Barny Trevelyan-Johnson, Director — barny@novainsight.ke, +254 701 397 911.
What we collect and why
We process personal data in four categories, in line with the Data Protection Act, 2019 (ss.25–35):
| Who | Data | Purpose | Lawful basis | Retention |
|---|---|---|---|---|
| Website visitors & online enquirers | Online identifiers (IP address, cookie/analytics IDs, device and browser information); names and contact details if you submit an enquiry | Operating, securing and improving the website; measuring performance; responding to enquiries | Legitimate interests; consent for non-essential analytics cookies | Analytics data up to 14 months; enquiry records up to 24 months |
| Clients (contact persons of client organisations) | Names, job titles, business email/phone, correspondence | Contract administration, service delivery, invoicing, communication | Contract performance; legal obligation | Duration of the relationship + 7 years (statutory records) |
| Prospective clients | Names, job titles, business contact details, correspondence | Initial business-to-business contact; responding to enquiries; electronic direct marketing only with express consent or an existing business relationship, with opt-out honoured promptly (s.37 DPA 2019; Reg 14) | Legitimate interests (initial contact); express consent (marketing) | 24 months from last meaningful contact |
| Suppliers & service providers | Names, contact details, bank/mobile-money payment details, invoices | Procurement, payment, account administration | Contract performance; legal obligation | Duration of the relationship + 7 years |
We practise data minimisation: we collect what these purposes need and nothing more.
When you run a website audit
Our audit service analyses websites you ask us to look at. When you submit a site, we record the URL, your email address, a salted hash of your IP address (never the plain IP), your browser's user-agent string, and the audit results (pillar scores, homepage screenshots, structured findings). Our crawler identifies itself as NovaInsightAudit/2.0 and waits politely between requests.
- PII redaction: every screenshot passes through an automated redaction step before storage — email addresses, phone numbers, national IDs, card numbers and authentication-looking strings are blacked out. Cookies, authorisation headers and query-string tokens are stripped from network traces before anything is persisted.
- What we won't crawl: admin and account areas, pages served as private, checkout/payment pages, and third-party payment iframes.
- Automated analysis: parts of the audit use AI-assisted analysis on reputable cloud services in the United States and Ireland. Prompts never include your name, email address or other intake details; screenshots are redacted first; network traces are reduced to counts.
- Audit retention: free-scan audits are deleted after 90 days (screenshots after 30 days). Paid audit records are kept up to 24 months; active monitoring or build engagements, for the duration of the contract plus 24 months. You can ask for earlier deletion at any time via the data-subject-rights form.
Recipients
We share personal data only with:
- Google Analytics — website analytics only, and only if you consent to analytics cookies (see Cookies below).
- Cloud email and document storage providers — hosting our business correspondence and documents.
- Our bank — processing supplier payments.
- Kenya Revenue Authority — where required by law.
We do not sell personal data, and we do not share it with third parties for their own purposes.
International transfers
Some data is stored or processed on reputable cloud services in the United States, Ireland and India (India is where the cloud email provider hosting our business correspondence operates), with appropriate safeguards in place as required by ss.48–49 of the Data Protection Act, 2019. Website analytics data specifically is processed on Google infrastructure in the United States and Ireland.
Cookies
This site uses two kinds of cookies:
- Strictly necessary: a single first-party cookie that remembers your cookie choice, and session cookies for signed-in areas such as the customer portal. These don't need consent.
- Analytics (optional): Google Analytics, which stays off unless you accept it in the cookie banner. Analytics data is retained for up to 14 months.
You can change your choice at any time — “Cookie settings” in the footer reopens the banner, and declining there withdraws consent immediately. Declining never limits your use of the site.
Your rights
Under the Data Protection Act, 2019 (ss.26, 34–40) you have the right to access your personal data, to have it corrected or deleted, to object to or restrict its processing, and to data portability. Where the GDPR or UK GDPR applies to you, you have equivalent rights.
To exercise any of them, email barny@novainsight.ke or use the data-subject-rights form. We respond within the statutory timelines. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner: complaints@odpc.go.ke / www.odpc.go.ke.
Security
Personal data is encrypted in transit and at rest. Access to our systems requires multi-factor authentication and follows least-privilege principles. We never collect or store card details — payments are handled by our payment provider. We maintain a breach-response procedure and will notify the ODPC and affected people as required by s.43 of the Act.
Changes to this notice
The “Last updated” date at the top reflects the current version. If we make material changes, we'll announce them on this site.
Records of data-subject-rights requests are retained as required by statutory record-keeping obligations.
