Privacy Policy

Enterprise-grade data governance for global clients. Compliant with Kenya DPA 2019, GDPR, and SOC 2 frameworks.

1. Introduction & Scope

Macra Systems ("we," "us," "our") operates as both a Data Controller (for website inquiries, business operations, and direct client communications) and a Data Processor (when processing personal data on behalf of Clients through our SaaS products, dedicated teams, or project-based delivery engagements).

This Privacy Policy outlines how we collect, use, disclose, retain, and safeguard personal data in compliance with the Data Protection Act, 2019 (Kenya), the General Data Protection Regulation (GDPR) where applicable, and industry standards including SOC 2 Type II and ISO 27001. By engaging our Services or providing personal data, you consent to these practices.

2. Data Controller & Processor Roles

Our role depends on the nature of our engagement:

  • As Data Controller: We determine purposes and means of processing for website analytics, contact form submissions, employee records, and marketing communications.
  • As Data Processor: We process personal data solely per Client instructions under a signed Data Processing Agreement (DPA). The Client remains the Data Controller and bears primary responsibility for lawful basis, consent, and data accuracy.
Key Distinction: For SaaS platforms (Bulk SMS, CRM, Payroll) and custom software projects, you (the Client) are the Data Controller. We act strictly as your Processor. A DPA is executed before any data processing begins.

3. Types of Personal Data Processed

3.1 As Data Controller (Direct Collection)

  • Identity & Contact Data: Name, job title, company, email, phone, physical address.
  • Inquiry & Project Data: Requirements, budget range, tech stack preferences, compliance needs submitted via forms.
  • Technical & Usage Data: IP address, browser/device info, cookies, session duration, referral sources (collected automatically).
  • Employee Data: Staff records for HR, payroll, and access management (processed internally).

3.2 As Data Processor (On Behalf of Clients)

Data types vary by engagement but may include:

  • SACCO/Financial Systems: Member IDs, loan applications, transaction histories, credit scores, bank details.
  • Education Platforms: Student records, parent contacts, fee payments, academic performance (FERPA/GDPR-aligned).
  • Payroll & HRIS: Employee names, national IDs, salaries, tax filings, NHIF/NSSF/SHIF contributions.
  • Bulk SMS: Recipient phone numbers, message content, delivery logs, opt-in/opt-out status.

4. Legal Basis for Processing

We process personal data only under valid legal bases:

  • Consent: Explicit opt-in for inquiries, newsletters, or demo requests (withdrawable anytime).
  • Contractual Necessity: To fulfill MSAs, SOWs, DPAs, deliver Services, process payments, and provide support.
  • Legal Obligation: Compliance with Kenyan tax/labor laws, ODPC regulations, court orders, and international sanctions.
  • Legitimate Interests: Website security, fraud prevention, service improvement, and B2B marketing to existing clients (with opt-out rights).
  • Vital Interests / Public Task: Rare cases involving safety or statutory reporting obligations.

5. Purposes of Processing

Personal data is used exclusively for:

  • Responding to inquiries and delivering requested assessments or proposals.
  • Executing contracted Services (development, hosting, support, maintenance).
  • Processing invoices, payments, and financial reconciliations.
  • Providing technical support, incident response, and SLA monitoring.
  • Sending service notifications (maintenance windows, security patches, feature updates).
  • Fulfilling legal, regulatory, and contractual obligations.
  • Preventing fraud, abuse, unauthorized access, and intellectual property theft.
  • Analyzing aggregated/anonymized usage data to improve platform performance and UX.

We do NOT sell, rent, license, or trade personal data to third parties for advertising or marketing purposes.

6. Data Sharing & Third Parties

Personal data is shared only when necessary and under strict safeguards:

  • Sub-processors: Cloud providers (AWS/Azure), email/SMS gateways, payment processors, and analytics tools bound by DPAs and confidentiality agreements. Current sub-processor list available upon request.
  • Clients: When acting as Processor, data is returned/transferred per Client instructions and DPA terms.
  • Legal Authorities: When compelled by law, court order, or government mandate, or to protect our legal rights/safety.
  • Business Transfers: In mergers, acquisitions, or asset sales (with prior notice and data subject rights preserved).

All third parties undergo due diligence and sign binding data protection agreements mirroring this Policy's standards.

7. Data Security Measures

We implement enterprise-grade technical and organizational controls:

  • Encryption: AES-256 at rest; TLS 1.3+ in transit. Keys managed via AWS KMS/Azure Key Vault.
  • Access Control: Role-based permissions (RBAC), MFA enforcement, least-privilege principles, and quarterly access reviews.
  • Infrastructure: SOC 2 Type II-certified cloud environments; isolated VPCs; WAF and DDoS protection.
  • Testing: Annual third-party penetration tests; continuous vulnerability scanning; SAST/DAST in CI/CD pipelines.
  • Personnel: Mandatory security training; background checks; signed NDAs; termination access revocation within 1 hour.
  • Incident Response: Documented IR plan; 72-hour breach notification to ODPC and affected individuals; post-incident root cause analysis.
Transparency Note: No system is impervious. While we employ defense-in-depth architecture aligned with NIST CSF and ISO 27001, absolute security cannot be guaranteed. We commit to prompt, transparent communication in the event of any incident.

8. Data Retention Periods

Data is retained only as long as necessary for stated purposes or legal requirements:

  • Website Inquiries: 24 months after last interaction, then secure deletion.
  • Active Client Engagements: Duration of contract + 7 years (tax/legal compliance).
  • SaaS Platform Data: Per Client subscription term; purged within 30 days of termination unless extended by written agreement or legal hold.
  • Analytics & Logs: Aggregated/anonymized data retained indefinitely; PII-linked data deleted after 12 months.
  • Employee Records: Per Kenyan Employment Act and tax regulations (minimum 7 years post-termination).

9. Your Data Subject Rights

Under DPA 2019, GDPR, and applicable laws, you have the right to:

  • Access: Obtain confirmation of processing and a copy of your personal data.
  • Rectification: Correct inaccurate or incomplete data without undue delay.
  • Erasure: Request deletion where no overriding legal basis exists ("Right to be Forgotten").
  • Restriction: Limit processing pending verification of accuracy or legality.
  • Portability: Receive data in structured, commonly used, machine-readable format.
  • Objection: Object to processing based on legitimate interests or direct marketing.
  • Withdraw Consent: Revoke consent at any time (does not affect prior lawful processing).
  • Lodge Complaint: Escalate unresolved concerns to the Office of the Data Protection Commissioner (ODPC).

To exercise rights, email info@macrasystems.com with subject line "Data Subject Request." We verify identity and respond within 14 calendar days. Requests may be denied if manifestly unfounded, excessive, or exempted by law.

10. International Data Transfers

Cross-border transfers occur only with adequate safeguards:

  • Adequacy Decisions: Transfers to jurisdictions recognized by ODPC or EU Commission as providing equivalent protection.
  • Standard Contractual Clauses (SCCs): ODPC-approved modules executed with all non-adequate country recipients.
  • Binding Corporate Rules (BCRs): For intra-group transfers (if applicable).
  • Supplementary Measures: Encryption, pseudonymization, and contractual warranties layered atop transfer mechanisms.

All transfers comply with Part VIII of Kenya’s DPA 2019 and Chapter V of GDPR where applicable. Transfer Impact Assessments (TIAs) are conducted prior to new data flows.

11. Cookies & Tracking Technologies

Our website uses:

  • Essential Cookies: Required for site functionality (session management, security). Cannot be disabled.
  • Analytics Cookies: Anonymized usage metrics to improve performance. Opt-out available via browser settings or cookie banner.
  • No Advertising/Tracking Pixels: We do not deploy third-party ad trackers, retargeting pixels, or social media widgets that harvest user data.

12. Children's Data

Our Services are not directed to individuals under 18. We do not knowingly collect children’s data. If inadvertent collection occurs, we will delete it promptly upon discovery. Parents/guardians may request verification and deletion by contacting us.

13. Policy Updates

We may revise this Policy to reflect legal, technological, or operational changes. Material modifications will be communicated via email or prominent website notice at least 14 days before effectiveness. Continued use constitutes acceptance. Previous versions archived upon request.

14. Regulatory Oversight & Complaints

If dissatisfied with our response to a privacy concern, you may escalate to:

Office of the Data Protection Commissioner (ODPC) – Kenya
Email: complaints@odpc.go.ke
Phone: +254 20 780 1800
Website: www.odpc.go.ke
Physical Address: Anniversary Towers, University Way, Nairobi

We cooperate fully with regulatory investigations and welcome constructive feedback to strengthen our data governance.

Last Updated: June 18, 2026 | Effective Date: June 18, 2026 | Version: 3.0 (Global Enterprise Alignment)