Quick summary

A non-binding plain-language overview. Sections 1–20 below are the notice that governs.

  • What we collect: your name, phone, email, the invitations and visits you create, security and access events, and the records we keep to operate the gate.
  • Why we collect it: to let your estate manage who comes through the gate, to send you the notifications you ask for, and to keep an audit trail.
  • Who else sees it: the property manager and guards at your estate, and a small list of vendors that help us operate (SMS, email, push, hosting, storage, mapping, password-breach checks, in-app support chat, and product monitoring). We do not sell your data and we do not share it with advertisers.
  • How long we keep it: 90 days for visit data (configurable down to 30 by your estate), 1–5 years for security and audit logs depending on the law that requires them, and until you ask us to delete it for the rest.
  • What you can do: see, correct, download, restrict or delete your data — start at Account → Privacy & Data. We respond within 30 days as required by Kenyan law and usually much sooner.
  • Who to contact: our Data Protection Officer George Macharia at [email protected] or +254 745 424 949.

1. Definitions

Key terms used in this notice.

  • Platform — the Secure Labs Systems visitor and access management platform, operated by Secure Labs Limited.
  • We, us, our — Secure Labs Limited.
  • You — a data subject: typically a resident, employee, visitor, guard, property manager, security supervisor, organisation administrator, enterprise tenant administrator, or platform super administrator whose data is processed on the Platform.
  • Estate Operator — the residential estate, commercial property, or master-planned development that has subscribed to the Platform and uses it to manage access at its premises.
  • Enterprise Tenant — a company or organisation that occupies part of an Estate Operator's property and whose administrator manages employee access through the Platform under the Estate Operator's subscription.
  • Sub-processor — a third-party service we engage to process personal data on our behalf, under a written agreement.
  • KDPA — the Kenya Data Protection Act 2019 (Act No. 24 of 2019).
  • ODPC — the Office of the Data Protection Commissioner of Kenya.
2. Who we are

The data controller and processor.

The Platform is operated by Secure Labs Limited, a company incorporated in Kenya, with registered office at P.O. Box 8456-00100, Tom Mboya Street, Nairobi, Kenya. Secure Labs Limited holds an Office of the Data Protection Commissioner (ODPC) Data Controller registration in respect of its own user accounts. Our registration as a Data Processor (covering personal data we process on behalf of an Estate Operator) is being filed as a separate ODPC submission; we will update this notice and bump its version when that registration completes.

For most of the Platform's features, an Estate Operator is the data controller and Secure Labs Limited is its data processor. The relationship is governed by a Data Processing Agreement between us and the Estate Operator. The Estate Operator's own privacy notice may apply alongside this one.

For some activities we act as an independent data controller, including: operating and securing our own infrastructure, monitoring for abuse and fraud, maintaining audit logs, managing our own user accounts and business relationships, and complying with legal obligations that apply directly to us (such as tax, accounting, and regulatory requirements).

Our Data Protection Officer is George Macharia, reachable at [email protected] or by telephone on +254 745 424 949.

3. Scope

Who this notice covers.

This notice describes how we collect, use, share, retain, and protect personal data when you interact with the Platform in any of the following capacities:

  • You hold an account with us (resident, employee, guard, property manager, security supervisor, organisation administrator, enterprise tenant administrator, or platform super administrator).
  • You are a visitor who has been invited to or arrived at an Estate Operator's premises and your details have been processed through the Platform.
  • You are a domestic worker, courier, ride-hail driver, or contractor whose access pass is held on the Platform.
  • You contact us directly with a question, complaint, or data-subject request.

Where the Platform is used by an Estate Operator or an enterprise tenant, that organisation is an independent data controller for its own employment, tenancy, and visitor-management purposes. It is responsible for having a lawful basis to process personal data through the Platform, providing its own privacy notice, and obtaining any consents required. This notice does not cover processing carried out by Estate Operators or enterprise tenants in their capacity as independent data controllers.

This notice also covers personal data submitted through this website (securelabsystems.com) — including contact enquiries, prospectus requests, and journal subscription sign-ups. That data is described in §4 and §6 below.

The Kenya Data Protection Act 2019 is our primary governing law because Secure Labs Limited is incorporated in Kenya and processes personal data in Kenya and the SADC region. If you access the Platform from outside Kenya, your data will be protected to at least the standard set by the KDPA, and we will comply with any additional mandatory local requirements that apply.

4. Personal data we process

What is collected and held.

We process the following categories of personal data:

  • Account identity data: full name, email address, mobile phone number, residential unit identifier (where applicable), and a confirmation that you are at least eighteen (18) years old.
  • Visitor identity data: visitor full name, mobile phone number, optional email address, optional national identification number, and vehicle registration plate (where applicable). Visitor data is provided by the inviting resident, employee, or property manager — see §5.
  • Pass holder data (recurring and worker passes): name, phone number, pass type, access zone or zones, valid-from and valid-until dates, and revocation status of recurring passes issued to domestic workers, delivery personnel, couriers, and contractors.
  • Visit and access data: invitation records, access events (timestamps, gates used, entry and exit), pass type, valid-from and valid-until windows, accompanying-visitor details, and guard notes on access decisions.
  • Authentication data: password hashes (we never store plain-text passwords), multi-factor authentication seeds, session metadata, authentication-event logs.
  • Communication data: notifications dispatched to you (SMS, email, push notification) and their delivery status.
  • Device and usage data: IP address, user-agent string, request identifiers used for diagnostic, security, and audit purposes.
  • Consent records: the version of this notice and the Terms of Service that you accepted, the date of acceptance, your IP address at the time, and your browser type and version — retained for five (5) years per KDPA §32(4).
  • Incident documentation: guard-uploaded photographs and notes attached to incident reports (e.g. a damaged barrier, a security event). These are documentary photographs of incidents, not biometric data.
  • Saved contacts and preferences: your saved visitor shortlist (names and access-scheduling preferences), and your notification settings per estate.
  • Website enquiry data: name, email address, company, and message submitted via the contact form or prospectus request form on this website; email address submitted via the journal subscription form.

The Platform supports an optional photo-capture module (PHOTO ID) that, when enabled by an Estate Operator, would allow a visitor selfie to be taken at the gate. This module is not enabled at launch. If an Estate Operator enables it in future, we will update this notice and re-prompt affected users for explicit consent before any photo capture begins, treat those photos as sensitive personal data within the meaning of the KDPA, apply stricter access controls and shorter retention, and carry out a Data Protection Impact Assessment (DPIA) where required.

5. Sources

Where the data comes from.

  • From you directly. When you register, activate your account, update your profile, or contact us, you provide your name, phone number, email address, and other information required to operate the Platform.
  • From the inviting resident or employee. When a resident or employee invites you to visit a property, they enter your name, phone number, and (optionally) other details on your behalf. The inviting resident or employee is responsible for having a lawful basis to share your details with us.
  • From the Estate Operator. When an estate onboards a new resident, employee, or guard, the Estate Operator may provide your name, email, phone, and unit assignment to the Platform. The Estate Operator is responsible for having a lawful basis to share your data with us for access-management purposes.
  • From an SMS reply. When a visitor pre-registers by replying to an SMS with their invitation code, we process the reply against the phone number already associated with the invitation. See §15.
  • From your device. When you use the Platform, your device sends us its IP address, user-agent string, and (where permitted) the device token used to deliver push notifications.

6. Lawful basis

Why we are permitted to process it.

We rely on the following lawful bases under KDPA §30:

  • Consent — for optional marketing communications (where we choose to send them in future), age-of-majority confirmation at sign-up, and any optional features added in future that materially expand the data we process. Service and security communications are sent as part of the service and do not require separate consent. For this website's contact and prospectus forms, and journal subscriptions, the lawful basis is consent collected at the point of submission.
  • Performance of a contract — for account provisioning, authentication, visitor invitation processing, pass management, and other operational features you actively use.
  • Legal obligation — for tax records, audit-log retention, breach notification to the ODPC, and responses to lawful requests by Kenyan authorities.
  • Legitimate interest (balanced against your rights) — for security incident detection, retention of access events for a defined window after a visit, anti-fraud, and product reliability monitoring.

In more detail: access control and audit trails rely on performance of contract and legitimate interests; security monitoring, anti-fraud, and incident documentation rely on legitimate interests balanced against your rights; device and usage data is processed on the basis of legitimate interests for Platform reliability and security. National identification numbers, where provided, are processed only where necessary for identity verification or security purposes, on the basis of legitimate interests and (where applicable) legal obligation, and are stored with the same technical protections as other identity documents.

We have assessed that our legitimate interests in Platform security, fraud prevention, and service reliability are not overridden by your interests or fundamental rights, given the limited scope of data used for these purposes and the access controls and retention limits applied to it.

7. Use of data

How your data is used.

We process personal data to (i) provide and maintain the Platform, (ii) operate access control at participating Estate Operators, (iii) issue and validate visitor QR passes, (iv) dispatch notifications to you and to your invited visitors, (v) investigate and respond to security incidents, (vi) comply with our regulatory and contractual obligations, and (vii) improve the safety and reliability of the Platform.

QR validation at the gate is an automated process — when a guard scans a visitor's QR code, the Platform decides automatically whether to display a green "valid" or red "invalid" result. This decision does not produce legal effects within the meaning of KDPA §35 and the final decision to admit a visitor remains with the guard. We do not engage in any other solely automated decision-making and we do not profile you.

Service and security communications — including visit confirmations, access alerts, account notifications, and security advisories — are sent as part of the service and do not require separate consent; you can only stop receiving them by closing your account. Optional marketing communications, if we introduce them, will require your prior consent and will carry a clear opt-out in every message.

Data relating to one Estate Operator or enterprise tenant is not accessible to another, except where required by law or at your explicit instruction.

8. Sub-processors

Sharing with third parties.

We share personal data only with sub-processors that act on our written instructions under a Data Processing Agreement, or where we are legally compelled to disclose. We do not sell personal data, and we do not share it with advertising networks or data brokers. We require each sub-processor to: (i) not engage additional sub-processors without our prior written approval and equivalent contractual protections; and (ii) implement appropriate technical and organisational security measures.

Currently active sub-processors

  • Africa's Talking (Kenya) — primary SMS dispatch and two-way (inbound) SMS handling (recipient phone number and message body).
  • Vonage (United States, with international SMS routing) — fallback SMS dispatch and inbound-SMS handling, used when the primary provider is unavailable (recipient phone number and message body).
  • Resend (United States) — transactional email dispatch (recipient email address and message body).
  • Firebase Cloud Messaging (Google LLC) (United States) — delivery of push notifications to your device (device token only).
  • Microsoft Azure (South Africa North, Johannesburg) — managed application hosting, the relational database, the message broker, and related compute/networking infrastructure.
  • Cloudflare, Inc. (United States, global edge network) — DNS, web application firewall, content delivery, and the R2 object store we use for visitor pass attachments, DSAR export packages, and incident photographs.
  • Google Maps (Google LLC) (United States) — embedded map and directions on the visitor invitation page so the visitor can navigate to the gate. Your IP address and the gate co-ordinates are visible to Google when the embed loads.
  • Have I Been Pwned (HIBP) (United Kingdom) — at password set or reset, we check the first five characters of the SHA-1 hash of your password against the HIBP service to detect known-breached passwords. We never send your password or its full hash; HIBP cannot identify you from the partial hash.
  • Intercom, Inc. (United States) — in-app support chat and AI-assisted help (Fin AI agent). When you open the support chat, we share your name and email address with Intercom so that our support team and Fin can identify you and access your conversation history. We do not share your phone number, national ID, unit details, or visitor data with Intercom. Conversation content you submit is stored on Intercom's servers under its standard Data Processing Agreement.
  • Datadog (European Union — datadoghq.eu) — application performance monitoring, error tracking, and web session (RUM) telemetry used to keep the Platform reliable and secure. Datadog processes device and usage data (IP address, browser type, page-performance and interaction events) and diagnostic logs. We do not intentionally send your name, phone number, email, national ID, or visitor data to Datadog.

Planned sub-processors (not yet active)

  • Sentry — additional error monitoring (we will configure server-side PII filtering before any production traffic reaches it).

We will update this notice and bump its version before any planned sub-processor begins processing your data.

9. International transfers

Where data is processed and stored.

We make commercially reasonable efforts to keep all personal data within Kenya or the SADC region (our primary hosting region is in South Africa (Johannesburg), and we use Cloudflare R2 for object storage). Where a sub-processor processes data outside this region, we use appropriate contractual safeguards and technical measures recognised under Kenyan data protection law — including data transfer agreements incorporating standard protective clauses, and pseudonymisation or aggregation where feasible. Where required by the ODPC, we will register such transfers and reflect any changes in this notice.

The specific transfers you should be aware of:

  • Africa's Talking (Kenya, with international SMS routing). Africa's Talking is a Kenyan company, but SMS messages are routed internationally through mobile network operators. The data transferred is the recipient's phone number and message body.
  • Vonage (United States, with international SMS routing). When the primary SMS provider is unavailable, outbound and inbound SMS are handled by Vonage, whose infrastructure and routing are operated from outside Kenya. The data transferred is the recipient's phone number and message body. We rely on Vonage's standard contractual data-protection terms as the safeguard for this transfer.
  • Cloudflare control plane (United States). Cloudflare's edge network and account management are operated from the United States. Account-level metadata (request logs, security events) may be processed in the United States.
  • Resend (United States). Transactional email is dispatched via Resend's infrastructure in the United States. The data transferred is your email address and the body of the email we send you.
  • Google (Maps and Firebase Cloud Messaging). When the visitor invitation page renders the gate map, your browser fetches map tiles directly from Google's servers in the United States. When you receive a push notification, the message is dispatched via Google's servers.
  • Have I Been Pwned (HIBP). The k-anonymity hash check described in §8 is sent to HIBP's servers in the United Kingdom. The partial hash sent does not identify you.
  • Intercom (United States). When you use the in-app support chat, your name and email address are transmitted to Intercom's servers in the United States, where any conversation content you submit is stored. We rely on Intercom's standard contractual data-protection terms as the safeguard for this transfer.
  • Datadog (European Union). Application performance traces, error events, and web session (RUM) telemetry are sent to Datadog's EU region (datadoghq.eu). The data transferred is device and usage data (IP address, browser type, performance and interaction events) and diagnostic logs, processed under Datadog's standard contractual data-protection terms.

10. Retention

How long data is kept.

We retain personal data only for as long as is necessary for the purpose for which it was collected. "Anonymised" means irreversibly de-identified such that we can no longer link the data to any natural person. Where we retain any identifier alongside stripped data, that data is pseudonymised and remains subject to these retention periods and technical protections.

  • Visitor personal data — 90 days from visit completion (configurable per Estate Operator down to a 30-day floor); afterwards anonymised.
  • Access events — 2 years after the visit, retained for security audit. Personal data on the event is anonymised after the visitor-data retention window above.
  • Authentication and security events — 1 year.
  • Notification delivery records — 90 days.
  • Audit logs (administrative) — 3 years.
  • Audit logs (DSAR / consent / data-subject events) — 5 years (KDPA requirement).
  • Consent records — 5 years (KDPA §32(4)).
  • Incident photographs uploaded by a guard — 90 days from upload.
  • DSAR export packages — 30 days from compilation.
  • Invitation lifecycle records (creation through completion) — 2 years.
  • Recurring and worker pass holder data — 90 days after pass expiry or revocation.
  • Website enquiry data (contact forms, prospectus requests) — 2 years from submission or until withdrawal of consent.
  • Journal subscription data — retained until you unsubscribe or request deletion.
  • Cookies — see §14 for per-cookie expiry.

Deleted data may remain in encrypted backups for up to 7 days, after which it is overwritten on the regular backup cycle and is not used for active processing. We may retain certain records for longer than the periods above where required by law or to establish, exercise, or defend legal claims.

11. Your rights

Data-subject rights under the KDPA.

As a data subject in Kenya you have the following rights, exercisable at any time and free of charge:

  • The right to be informed about how your data is processed (this notice).
  • The right of access — for account holders, request a copy of your data via Account Settings → Privacy → Request My Data.
  • The right to rectification — correct inaccurate data via your account profile, or by emailing us at [email protected].
  • The right to erasure — request deletion of your data, subject to limited exemptions where retention is required by law (for example, audit-log obligations).
  • The right to restriction of processing.
  • The right to data portability — receive your data in a structured, machine-readable JSON format.
  • The right to object to processing based on legitimate interest.
  • The right to withdraw consent at any time, where consent is the lawful basis.
  • The right not to be subject to a decision based solely on automated processing that significantly affects you (KDPA §35) — we carry out no such processing; see §7.
  • The right to lodge a complaint with the ODPC at [email protected].

Self-service rights of access, rectification, and erasure are available in the account dashboard. Restriction requests are also submitted via the dashboard but are fulfilled by our DPO within the statutory 30-day window — they are not automatically applied at the time of submission. The remaining rights (portability, objection, withdrawal of consent for non-essential processing) are exercised by writing to [email protected]. We respond to data-subject requests within thirty (30) days as required by KDPA §26 (a one-time extension of up to a further 30 days may apply to complex requests, with notice to you), and we typically respond materially faster as an internal operational target.

Before fulfilling a request, we may need to verify your identity by asking for information we reasonably require. We may refuse or limit a request where the KDPA permits — for example, where fulfilment would adversely affect the rights of another person, where we are subject to a conflicting legal obligation, or where a request is manifestly unfounded or excessive. Where we refuse, we will give you the reason in writing.

Visitors who do not hold an account can exercise these rights by contacting the Estate Operator they visited or by emailing us directly at [email protected].

11.1 — How to lodge a complaint with the ODPC

If you believe we have processed your personal data in breach of the Kenya Data Protection Act 2019 — and you are not satisfied with our response under §11 above — you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), the independent regulator established under §5 of the Act. The procedure is governed by the Data Protection (Complaints Handling and Enforcement) Regulations 2021.

  • Online complaints portal: complaints.odpc.go.ke — the recommended route; submission generates a tracking reference.
  • Email: [email protected], quoting your name, the subject of the complaint, and any reference number we previously gave you.
  • Post: Office of the Data Protection Commissioner, P.O. Box 5588-00100, Nairobi, Kenya.
  • Telephone: +254 20 222 2331 (general enquiries).

Lodging a complaint with the ODPC is free of charge. The ODPC is required to acknowledge your complaint within seven (7) days, to issue a preliminary determination within ninety (90) days, and to give you a written outcome at the close of its investigation. Sanctions the ODPC can impose under §63 of the Act include compliance orders, monetary penalties up to KES 5,000,000 or 1% of annual turnover (whichever is lower), and orders for compensation payable to you under §65.

12. Security

How your data is protected.

In plain terms: we encrypt your sensitive data, restrict who inside the company can see what, keep an unalterable record of administrative actions, and require strong passwords with optional multi-factor authentication.

In technical terms: personal data fields are encrypted at rest using AES-256-GCM. Data in transit is encrypted using TLS (v1.2 or higher). Tenant isolation is enforced by PostgreSQL row-level security at the database layer and by role-based access controls in the application layer. Authentication uses Argon2id password hashing with HttpOnly, Secure, SameSite=Strict session cookies. We maintain an immutable, append-only audit log for all administrative actions and data-subject events.

For higher-risk processing activities — such as any future biometric or photo-ID module, or any systematic monitoring feature — we will carry out a Data Protection Impact Assessment in line with KDPA requirements and ODPC guidance before enabling that processing.

13. Children

Under-18 users and data.

The Platform is intended for use by adults (eighteen years and older). We do not knowingly collect personal data from children under eighteen. Account registration requires confirmation that you are at least eighteen years of age.

In some cases, information about children may be entered into the Platform by a parent, guardian, employer, or Estate Operator (for example, a minor visitor accompanying an adult, or a child mentioned in an incident report). Where this happens, we process that information only for the limited purpose of managing access at the property and documenting security incidents. We do not use children's data for marketing or profiling. Where information about a child is entered by a parent, guardian, employer, or Estate Operator, that person or organisation is responsible for obtaining any consent required under the KDPA and the Children Act 2022 before entering the child's information.

Rights under the KDPA in respect of a child's personal data may be exercised by the child, their parent, or guardian, in accordance with the Children Act 2022. If you believe we hold personal data of a child in a way that is inconsistent with this section, please contact us at [email protected] and we will investigate and delete or appropriately restrict the data without undue delay.

14. Cookies

What cookies we use.

We use only strictly necessary cookies — session and authentication cookies required for the Platform to function. We do not use advertising or analytics cookies that require consent.

| Cookie name | Purpose | Lifetime |
| --- | --- | --- |
| access_token | Short-lived JWT used to authenticate API calls during a session. | 15 minutes |
| refresh_token | Used to mint a new access token without re-entering your password. | 7 days maximum, unless you log out or revoke it sooner |
| mfa_pending | Holds the in-progress multi-factor authentication challenge. | 5 minutes |
| impersonation_token | Set only when a platform super administrator is acting on your behalf for support purposes; every such session is audit-logged and you are notified by email. | Maximum 2 hours; revoked immediately when the support session ends |

All four cookies are set with the HttpOnly, Secure, and SameSite=Strict attributes. They cannot be read by JavaScript and they are not sent on cross-site requests.

Third-party services integrated into the Platform — in particular Cloudflare (CDN / WAF) and Google Maps (map embed) — may set their own cookies or collect device-level information when their content loads. These are governed by their respective privacy notices; we do not use them for advertising or profiling, and they are not under our control.

We do not use browser localStorage or sessionStorage to store personal data. All authentication state is held in the HttpOnly cookies listed above. Any localStorage keys we use hold UI preferences only and contain no personal data.

15. SMS

SMS pre-registration.

Some Estate Operators allow a visitor to pre-register for entry by replying to an SMS with their invitation code. When you do this:

  • Your phone number is already known to us from the invitation your host created.
  • You reply with your six-digit invitation code to the Secure Labs shortcode (keyword: SECURELABS).
  • If the code matches a valid invitation, we activate your visit and send you a PIN for gate entry.

The lawful basis for processing your data through the SMS channel is the contract between Secure Labs Limited and the Estate Operator and your inviting host's assertion of lawful basis to share your details with us (see Terms of Service §6). SMS messages are dispatched and received on our behalf by Africa's Talking and, as a fallback, Vonage (see §8). The SMS record is retained for the same period as the linked visit (see §10). If you would rather not register by SMS, the visitor invitation page (the link in the SMS your host sent you) provides the same flow over a regular web browser.

16. Enterprise tenants

Enterprise tenants and employees.

Where an Estate Operator hosts an enterprise tenant (a company occupying part of the property), the company's designated administrator can:

  • Onboard employees as users of the Platform under the company's account.
  • View visitor invitations and access events scoped to the company's zone of the property.
  • Manage worker passes for the company's domestic and contract staff.

If you are an employee of an enterprise tenant, your employer is the data controller for visitor and access data within the company's zone, and we act as the company's data processor. Your employer's own privacy policy may apply alongside this notice in respect of your employment data. Your employer is responsible for having a lawful basis to onboard you as a Platform user and to share your employment data with us.

17. Breach notification

What happens if there is a breach.

In the event of a personal-data breach that is likely to result in risk to your rights and freedoms, we notify the ODPC within seventy-two (72) hours of becoming aware of the breach (KDPA §43), and we notify affected data subjects without undue delay.

Where we notify you of a breach, we will do so by email to the address on your account or, if that is not possible, by in-app notice. The notification will describe the nature of the breach, the categories of personal data affected, the likely consequences, and the steps we are taking to address it, in line with KDPA §43.

18. Withdrawal

What happens if you do not agree.

If you do not accept this notice, you cannot use the Platform. You may close this page without creating an account. If you have already created an account and you do not wish to accept a new version of this notice when we publish one, you can ask us to delete your account and any partial data we have collected by emailing [email protected]. We will action the request within thirty (30) days of confirming your identity, subject to any data we must retain to comply with legal obligations or to establish, exercise, or defend legal claims (see §10).

19. Contact

How to reach us.

Secure Labs Limited
P.O. Box 8456-00100, Tom Mboya Street, Nairobi, Kenya
Telephone: +254 745 424 949

Data Protection Officer: George Macharia
DPO email: [email protected]
General privacy enquiries: [email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with the ODPC — see §11.1 for full contact details and the complaints procedure.

20. Version history

Changes to this notice.

Material changes to this policy are notified to customer properties via the Platform's announcement module and updated on this page with a new effective date. The current version is always the authoritative one.

| Version | Effective date | Summary of changes |
| --- | --- | --- |
| 1.0 | 5 May 2026 | First public version. |