← Back to Dashboard

Privacy Policy

Last updated: February 2026

1. Introduction

Nguzo Strategy OS ("Nguzo", "we", "us") is committed to protecting your personal data in accordance with the Kenya Data Protection Act, 2019 (DPA) and international best practices. This policy explains how we collect, use, store, and protect your information.

2. Data We Collect

  • Account data: Name, email address, password (hashed), role, profile photo
  • Business data: Business names, strategic pillars, goals, activities, tasks, KPIs
  • Usage data: Login times, actions taken, audit logs
  • Device data: Browser type, IP address (for security purposes)

3. How We Use Your Data

  • Provide and maintain the Nguzo strategy execution platform
  • Authenticate users and enforce access controls
  • Generate reports, dashboards, and analytics for your business
  • Send notifications about task deadlines and status changes
  • Maintain audit trails for compliance and accountability
  • Improve our services based on usage patterns

4. Data Storage & Security

Your data is stored on secure cloud infrastructure (Neon PostgreSQL / Vercel). We employ encryption in transit (TLS/HTTPS), hashed passwords (bcrypt), role-based access control, and comprehensive audit logging. We implement appropriate technical and organisational measures as required by the DPA.

5. Your Rights (Kenya DPA 2019)

Under the Kenya Data Protection Act, you have the right to:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Correct any inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Data portability: Export your data in a machine-readable format (JSON/CSV)
  • Object: Object to processing of your personal data
  • Withdraw consent: Withdraw consent at any time

To exercise these rights, go to Settings → Data & Privacy, or contact us at privacy@nguzo.co.ke.

6. Data Sharing

We do not sell your personal data. Data is shared only within your business organisation as determined by your role and permissions. We may share data with service providers (hosting, email) who are bound by data processing agreements.

7. Data Retention

We retain your data for as long as your account is active. Upon account deletion, personal data is permanently removed within 30 days. Anonymised business data may be retained for aggregate analytics.

8. Contact

Data Protection Officer: privacy@nguzo.co.ke
Office of the Data Protection Commissioner (Kenya): www.odpc.go.ke