Privacy Policy
Last updated: 14 March 2026
Introduction
Oriango and Associates ("we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website www.oriangoandassociates.co.ke or engage our professional services.
This Privacy Policy is designed to comply with the Kenya Data Protection Act, 2019 (the "Act") and the Data Protection (General) Regulations, 2021. As a data controller, we are registered with the Office of the Data Protection Commissioner of Kenya and are committed to upholding the principles of data protection as set out in the Act.
By using our website or services, you consent to the collection and use of your information as described in this Privacy Policy.
Personal Data We Collect
In accordance with Section 25 of the Kenya Data Protection Act, 2019, we collect personal data that is adequate, relevant, and limited to what is necessary for our purposes. We may collect:
Information You Provide Directly:
- Name, email address, phone number, and postal address
- Company name and business registration details
- KRA PIN and other tax identification numbers
- Financial information necessary for our accounting and tax services
- Employment and payroll information for payroll services
- Any other information you provide through our contact forms or service engagements
Information Collected Automatically:
- IP address and browser type
- Device information and operating system
- Pages visited and time spent on our website
- Referring website addresses
- Cookies and similar tracking technologies (see our Cookie Policy)
Legal Basis for Processing
Under Section 30 of the Kenya Data Protection Act, 2019, we process your personal data based on the following lawful grounds:
- Consent: Where you have given explicit consent for specific purposes
- Contractual Necessity: Processing necessary for the performance of a contract with you
- Legal Obligation: Processing necessary to comply with legal requirements (e.g., tax laws, anti-money laundering regulations)
- Legitimate Interests: Processing necessary for our legitimate business interests, provided these do not override your rights and freedoms
How We Use Your Personal Data
We use your personal data for the following purposes:
- To provide our professional services including audit, taxation, consultancy, and accounting services
- To communicate with you about our services and respond to inquiries
- To process payments and manage billing
- To comply with legal and regulatory requirements, including KRA filings and statutory reporting
- To improve our website and services
- To send you relevant updates about our services (with your consent)
- To prevent fraud and ensure security
Disclosure of Your Personal Data
In accordance with Section 43 of the Kenya Data Protection Act, 2019, we may share your personal data with:
- Regulatory Authorities: Kenya Revenue Authority (KRA), Registrar of Companies, and other government bodies as required by law
- Professional Bodies: ICPAK and other professional regulatory bodies where required
- Service Providers: Third-party service providers who assist us in delivering our services, subject to appropriate data protection agreements
- Legal Requirements: Courts, law enforcement, or other authorities when required by law or to protect our legal rights
We do not sell, trade, or otherwise transfer your personal data to third parties for marketing purposes without your explicit consent.
Data Retention
In accordance with Section 39 of the Kenya Data Protection Act, 2019, we retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including:
- Client Records: Retained for a minimum of 7 years after the end of our engagement, as required by professional standards and tax laws
- Tax Records: Retained for a minimum of 5 years as required by the Kenya Tax Procedures Act
- Website Data: Analytics data retained for up to 26 months
After the retention period expires, we will securely delete or anonymize your personal data.
Your Rights Under the Kenya Data Protection Act, 2019
Under Part IV of the Kenya Data Protection Act, 2019, you have the following rights:
- Right to be Informed (Section 26): You have the right to know how your personal data is being collected and used
- Right of Access (Section 26(a)): You can request a copy of the personal data we hold about you
- Right to Rectification (Section 26(b)): You can request correction of inaccurate or incomplete personal data
- Right to Erasure (Section 26(c)): You can request deletion of your personal data in certain circumstances
- Right to Object (Section 26(e)): You can object to the processing of your personal data for certain purposes
- Right to Data Portability (Section 26(d)): You can request your personal data in a structured, commonly used format
- Right to Withdraw Consent: Where processing is based on consent, you can withdraw your consent at any time
- Right to Lodge a Complaint: You have the right to lodge a complaint with the Office of the Data Protection Commissioner
To exercise any of these rights, please contact us using the details below. We will respond to your request within 30 days as required by the Act.
Data Security
In accordance with Section 41 of the Kenya Data Protection Act, 2019, we implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit and at rest
- Secure access controls and authentication
- Regular security assessments and updates
- Staff training on data protection
- Physical security measures for our offices
- Confidentiality agreements with employees and contractors
International Data Transfers
In accordance with Section 48 of the Kenya Data Protection Act, 2019, we may transfer your personal data outside Kenya only where:
- The recipient country has adequate data protection laws
- Appropriate safeguards are in place (such as standard contractual clauses)
- You have given explicit consent to the transfer
- The transfer is necessary for our contract with you
Data Breach Notification
In accordance with Section 43 of the Kenya Data Protection Act, 2019, in the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner within 72 hours and will notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
Updates to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated policy on our website with a new "Last updated" date. We encourage you to review this Privacy Policy periodically.
Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:
Data Protection Officer
Oriango and Associates
Agip House, Haile Selassie Avenue
2nd Floor room 240
Nairobi, Kenya
Email: info@oriangoandassociates.co.ke
Phone: +254 117 688 935
Office of the Data Protection Commissioner
You may also lodge a complaint with the Office of the Data Protection Commissioner if you believe your data protection rights have been violated.
Website: www.odpc.go.ke