Data Protection Statement
Chuchi Enterprise Limited ("we", "us", "AkiliLex") is committed to protecting the privacy of users of the AkiliLex platform and the personal data of their clients. This Statement explains how we process personal data in compliance with the Data Protection Act 2019 ("DPA 2019") and the Data Protection (General) Regulations 2021.
1. Data Controller / Data Processor
For your firm's clients, your firm is the Data Controller and AkiliLex is the Data Processor acting on your documented instructions. For your firm's own users and billing details, AkiliLex is the Data Controller.
Chuchi Enterprise Limited is registered with the Office of the Data Protection Commissioner (ODPC) Kenya as a Data Processor.
2. What Personal Data We Process
On behalf of your firm we store and process the following categories of personal data relating to your clients:
- Identification: name, ID/passport number, KRA PIN, residential address, date of birth;
- Contact details: phone numbers, email addresses, postal addresses;
- Matter information: case details, court records, correspondence, documents;
- Financial: invoice amounts, payment records, trust account ledgers;
- Communications: emails, SMS, WhatsApp messages exchanged through the platform.
For your firm's users we additionally process: login credentials (passwords hashed using industry standards), audit log entries, time entries, and email signature content.
3. Legal Basis for Processing (DPA 2019 Section 30)
We process personal data on the following legal bases:
- Contract performance: to deliver the AkiliLex service to your firm;
- Legitimate interests: to operate, secure, and improve the platform;
- Legal obligation: to comply with Kenyan tax, anti-money-laundering, and other statutory obligations;
- Consent: for marketing communications and any optional features clearly marked as consent-based. Your firm collects and records its own clients' consent through the platform's opt-in mechanism.
4. Per-Channel Consent Tracking
The platform includes a built-in opt-in tracking system that records, for each of your firm's clients, granular consent status (granted / revoked / pending) for each communication channel (Email, SMS, WhatsApp, Marketing, Notifications). This is to ensure your firm's outbound communications comply with DPA 2019 Section 30 consent requirements. Your firm is responsible for obtaining genuine, informed consent before recording it as granted.
5. Data Subject Rights
Under the DPA 2019, data subjects (the natural persons whose data we process) have the following rights:
- Right to be informed about how their data is processed;
- Right of access — to obtain a copy of their data;
- Right to rectification — to correct inaccurate data;
- Right to erasure — subject to legal retention obligations;
- Right to restriction of processing;
- Right to data portability — to receive their data in a structured, machine-readable format;
- Right to object to processing for direct marketing;
- Right to lodge a complaint with the Office of the Data Protection Commissioner.
Where a data subject contacts AkiliLex directly with a request, we will forward it to the relevant Data Controller (your firm) for action. Where a data subject contacts AkiliLex about our own processing (e.g. our users), we will respond within 30 days.
6. Data Retention
We retain personal data for as long as the customer firm maintains an active subscription. On cancellation, customer data is retained for 90 days (allowing the firm to re-subscribe or export) and then permanently deleted, save where retention is required by law (e.g. financial records under the Tax Procedures Act).
7. Data Security
- Encryption in transit: TLS 1.3 for all browser and API traffic;
- Encryption at rest: AES-256 for database storage;
- Access control: role-based, principle of least privilege, all administrative access logged;
- Localisation: data hosted in Kenya in accordance with DPA 2019 localisation principles;
- Backups: encrypted daily backups retained for 30 days;
- Audit logging: all data access and modification events recorded with timestamp and user attribution.
8. Data Breach Notification
In the event of a personal data breach, we will notify the Office of the Data Protection Commissioner within 72 hours, and the affected Data Controllers (your firm) without undue delay, as required by DPA 2019 Section 43.
9. International Transfers
We do not transfer personal data outside Kenya in the ordinary course of operations. Where third-party processors (e.g. SMS gateways, WhatsApp Business API) require cross-border transfer for transmission, we ensure adequate safeguards are in place per DPA 2019 Section 49.
10. Sub-Processors
We use the following sub-processors:
- Hosting infrastructure provider (Kenya-based);
- Africa's Talking (SMS gateway, for SMS sent through the platform);
- Meta Platforms Inc. (WhatsApp Business API, for WhatsApp sent through the platform).
11. Contact
For data protection enquiries, contact our Data Protection Officer:
Data Protection Officer
Chuchi Enterprise Limited
Email: dpo@akililex.com
Postal: P.O. Box 25 - 80119, Vipingo, Kilifi County, Kenya