Skip to main content

Privacy Notice

Last updated: 15 July 2026.

Who we are

Nova Insight Ltd is a company incorporated in Kenya on 24 April 2026 (company no. PVT-BB1OD8Z2), with its registered office at Kifaru House, Rottcher Vet Surgery Compound, Miotoni Road, Karen, Nairobi. We are the data controller for the personal data described in this notice.

Nova Insight Ltd has applied for registration with the Office of the Data Protection Commissioner (ODPC) as a data controller and data processor.

Our designated data-protection contact is Barny Trevelyan-Johnson, Director — barny@novainsight.ke, +254 701 397 911.

What we collect and why

We process personal data in four categories, in line with the Data Protection Act, 2019 (ss.25–35):

WhoDataPurposeLawful basisRetention
Website visitors & online enquirersOnline identifiers (IP address, cookie/analytics IDs, device and browser information); names and contact details if you submit an enquiryOperating, securing and improving the website; measuring performance; responding to enquiriesLegitimate interests; consent for non-essential analytics cookiesAnalytics data up to 14 months; enquiry records up to 24 months
Clients (contact persons of client organisations)Names, job titles, business email/phone, correspondenceContract administration, service delivery, invoicing, communicationContract performance; legal obligationDuration of the relationship + 7 years (statutory records)
Prospective clientsNames, job titles, business contact details, correspondenceInitial business-to-business contact; responding to enquiries; electronic direct marketing only with express consent or an existing business relationship, with opt-out honoured promptly (s.37 DPA 2019; Reg 14)Legitimate interests (initial contact); express consent (marketing)24 months from last meaningful contact
Suppliers & service providersNames, contact details, bank/mobile-money payment details, invoicesProcurement, payment, account administrationContract performance; legal obligationDuration of the relationship + 7 years

We practise data minimisation: we collect what these purposes need and nothing more.

When you run a website audit

Our audit service analyses websites you ask us to look at. When you submit a site, we record the URL, your email address, a salted hash of your IP address (never the plain IP), your browser's user-agent string, and the audit results (pillar scores, homepage screenshots, structured findings). Our crawler identifies itself as NovaInsightAudit/2.0 and waits politely between requests.

Recipients

We share personal data only with:

We do not sell personal data, and we do not share it with third parties for their own purposes.

International transfers

Some data is stored or processed on reputable cloud services in the United States, Ireland and India (India is where the cloud email provider hosting our business correspondence operates), with appropriate safeguards in place as required by ss.48–49 of the Data Protection Act, 2019. Website analytics data specifically is processed on Google infrastructure in the United States and Ireland.

Cookies

This site uses two kinds of cookies:

You can change your choice at any time — “Cookie settings” in the footer reopens the banner, and declining there withdraws consent immediately. Declining never limits your use of the site.

Your rights

Under the Data Protection Act, 2019 (ss.26, 34–40) you have the right to access your personal data, to have it corrected or deleted, to object to or restrict its processing, and to data portability. Where the GDPR or UK GDPR applies to you, you have equivalent rights.

To exercise any of them, email barny@novainsight.ke or use the data-subject-rights form. We respond within the statutory timelines. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner: complaints@odpc.go.ke / www.odpc.go.ke.

Security

Personal data is encrypted in transit and at rest. Access to our systems requires multi-factor authentication and follows least-privilege principles. We never collect or store card details — payments are handled by our payment provider. We maintain a breach-response procedure and will notify the ODPC and affected people as required by s.43 of the Act.

Changes to this notice

The “Last updated” date at the top reflects the current version. If we make material changes, we'll announce them on this site.

Records of data-subject-rights requests are retained as required by statutory record-keeping obligations.