Privacy Policy

Kendaall Tracking Limited is the data controller for all personal information collected through our website, platform, and IoT device network. We are registered under the laws of Kenya and operate under the regulatory oversight of the Office of the Data Protection Commissioner (ODPC) established by the Kenya Data Protection Act 2019 (DPA 2019).

Our primary place of business is located at 35644 Kasarani Mwiki Road, Nairobi, Kenya 00100. Our company specialises in next-generation asset management for logistics and heavy industry — specifically the real-time monitoring of locomotives, freight wagons, mining equipment, port machinery, and industrial assets in operational service. The platform we operate collects telemetry data from physical IoT devices installed on these assets. While the primary subject of that telemetry is the asset itself, some telemetry — such as operator identification, access event records, and driver behaviour scoring — may constitute personal data where it is linked to an identifiable natural person.

Our registered Data Protection Officer (DPO) is Amara Osei, reachable at privacy@kendaalltracking.co.ke. For enterprise clients who have signed a Data Processing Agreement (DPA) with Kendaall Tracking, the DPA takes precedence over this general Privacy Policy where the two documents address the same subject matter.

This Privacy Policy applies to all personal data processing activities conducted by Kendaall Tracking in connection with the following interactions and relationships. Understanding the scope of this policy is the first step in understanding what data rights apply to you as an individual in your specific relationship with our organisation.

This policy does not apply to personal data processed by our clients in their own systems, even where that data may have originated from Kendaall telemetry feeds. Clients are responsible for their own compliance with applicable data protection legislation in respect of data held within their own operational systems.

Kendaall Tracking collects personal data through three primary mechanisms: data you provide directly when registering for and using the platform, data generated automatically through your use of our technology, and data received from our enterprise clients in connection with deploying the platform in their operational environment. The following categories describe each type of personal data we hold.

The vast majority of data processed by our platform — vibration signatures, temperature readings, pressure measurements, GPS coordinates, fuel consumption metrics, and mechanical cycle counts — relates to physical assets, not to individuals, and does not constitute personal data under the DPA 2019 unless it is linked to a named or identifiable person. Where such linkage exists or could reasonably be made, we treat the data as personal data and apply the full protections of this policy.

Every processing activity conducted by Kendaall Tracking must rest on a valid legal basis under Section 30 of the Kenya Data Protection Act 2019 and, for clients operating in the European Economic Area, under Article 6 of the General Data Protection Regulation (GDPR). The following sets out the legal bases we rely upon for our primary processing activities. We do not use a single legal basis as a catch-all; we assess the appropriate basis for each specific processing purpose separately.

Where Kendaall Tracking acts as a data processor for enterprise clients — for example, processing telemetry data that includes operator identification records on behalf of a logistics operator — the client as data controller determines and is responsible for the legal basis for that processing. Kendaall acts only on the documented instructions of the controller and does not make independent decisions about the purpose or means of such processing.

Personal data collected by Kendaall Tracking is used exclusively for purposes that are directly connected to delivering, maintaining, improving, and protecting our asset intelligence platform and the services built upon it. We do not use personal data for profiling, automated decision-making with legal effects on individuals, advertising targeting, or any purpose that an individual would reasonably find incompatible with the purpose for which the data was originally provided.

Kendaall Tracking shares personal data with third parties only where it is strictly necessary to deliver our platform services, required by law, or expressly authorised by the data subject. We categorise third-party relationships by function and apply appropriate contractual and technical safeguards to each category.

Sub-Processors are companies we engage to process personal data on our behalf under our instruction. Our current sub-processor categories include: cloud infrastructure and hosting providers (processing platform data in ISO 27001-certified data centres); email service providers (processing account notification and alert email delivery); customer support platform providers (processing support ticket content and communication records); payment processing providers (processing billing contact and transaction confirmation data, not full card data which is managed entirely by the payment gateway); and security monitoring and intrusion detection service providers (processing access log data for platform security purposes).

All sub-processors are bound by Data Processing Agreements that require them to: process personal data only on Kendaall’s documented instructions; implement technical and organisational security measures equivalent to those described in Section 9 of this policy; promptly notify Kendaall of any personal data breach affecting data we have shared with them; and return or securely delete all personal data upon termination of the sub-processing relationship. A current list of our approved sub-processors is available on request from our DPO.

Disclosure Required by Law: Where Kendaall Tracking receives a valid court order, regulatory demand, or other legally enforceable requirement to disclose personal data, we will comply with our legal obligations. We will, where legally permitted to do so, notify the affected data subject before disclosure. We will disclose only the minimum data responsive to the specific legal demand and will challenge overreaching demands through appropriate legal channels.

Kendaall Tracking’s primary data infrastructure is located within the African region. However, the nature of our sub-processor relationships, the global reach of satellite communication providers, and the multinational operations of some of our enterprise clients means that personal data may, in certain circumstances, be transferred to or accessed from countries outside Kenya.

Where personal data is transferred to a country that has not been designated as providing an adequate level of data protection under the Kenya Data Protection Act or applicable EU adequacy decisions, Kendaall Tracking implements appropriate safeguards before the transfer takes place. These safeguards include Standard Contractual Clauses (SCCs) as approved by the relevant regulatory authority, Binding Corporate Rules where applicable, and case-by-case Transfer Impact Assessments (TIAs) to evaluate the legal environment in the recipient country.

Clients operating under the EU General Data Protection Regulation (GDPR) — for example, European logistics operators using Kendaall’s platform for assets operating through European corridors — may request a copy of the Standard Contractual Clauses and associated Transfer Impact Assessments governing any transfer of their employees’ personal data to non-EEA sub-processors. Such requests should be directed to privacy@kendaalltracking.co.ke.

Kendaall Tracking retains personal data for the minimum period necessary to fulfil the purpose for which it was collected, to meet our contractual obligations, and to comply with applicable legal retention requirements. The following table sets out our standard retention periods by data category.

Upon expiry of the applicable retention period, personal data is either securely deleted (for digital records) or physically destroyed (for any paper-based records) using methods compliant with ISO 27001 data disposal procedures. Deletion events are logged with a certificate of deletion available to enterprise clients on request. Backup copies are purged on the same schedule as production data, with backup purge confirmed within 90 days of the scheduled production deletion date.

Data security is not a compliance checkbox at Kendaall Tracking — it is an engineering priority that shapes every layer of our platform architecture. We hold ISO 27001 certification across our information security management system, which means our security controls are independently audited annually and our risk management processes meet internationally recognised standards for asset-class data environments.

The Kenya Data Protection Act 2019 grants specific rights to individuals whose personal data is processed by organisations such as Kendaall Tracking. These rights are not bureaucratic formalities — they are enforceable entitlements that Kendaall Tracking takes seriously and maintains processes to honour. The following describes each right and how to exercise it.

To exercise any of the rights above, contact our Data Protection Officer at privacy@kendaalltracking.co.ke with the subject line identifying the right you wish to exercise. We will verify your identity before processing the request and will confirm receipt within 72 hours. We aim to complete all data subject requests within 30 calendar days. Where complexity or volume requires an extension, we will notify you within the initial 30-day period and provide an updated completion timeline not exceeding 60 days total.

For field personnel employed by Kendaall clients whose personal data is processed by Kendaall as a data processor acting on the client’s instruction, rights requests should be directed first to the employer (the data controller). Kendaall will cooperate fully with any rights exercise process initiated by a controller in respect of data subjects whose data we process on their behalf.

The Kendaall Tracking website uses cookies and similar technologies to enable core site functionality, remember user preferences, and — where consent is given — measure audience behaviour and improve site content. A cookie is a small data file stored in your web browser by our server. The following categories of cookies are used on our website.

You can manage cookie preferences at any time by accessing the Cookie Preference Centre linked in the footer of every page on our website. You can also configure your browser to block or delete cookies — note that blocking strictly necessary cookies will impair or prevent your ability to log in to the Kendaall platform. Most browser providers offer detailed guidance on cookie management in their help documentation.

The Kendaall Tracking platform is a professional industrial operations tool designed exclusively for adults operating in commercial and enterprise contexts. Our platform is not directed at, designed for, or intended to be used by individuals under the age of 18. We do not knowingly collect personal data from children or minors.

If you believe that we have inadvertently collected personal data relating to a person under the age of 18, please contact our Data Protection Officer at privacy@kendaalltracking.co.ke immediately. We will investigate the report and, where confirmed, delete the relevant data within 14 days of confirmation.

Kendaall Tracking reviews this Privacy Policy at minimum annually and additionally whenever a material change occurs to our processing activities, the introduction of a new sub-processor category, a significant change in applicable law, or a material change to our business structure. The version number and last-updated date displayed at the top of this policy and in the page header reflect the most recent substantive revision.

Where a revision is material — meaning it substantively affects what personal data we collect, how we use it, who we share it with, or the rights available to data subjects — we will notify all active platform account holders by email at least 30 days before the revised policy takes effect. The notification will describe the changes clearly and provide a link to both the new and previous versions. Continued use of the platform after the effective date of a material revision constitutes acceptance of the updated policy for processing activities covered by contractual necessity. Where the revision introduces a new processing purpose that previously required consent, we will seek fresh consent separately.

Previous versions of this Privacy Policy are archived and available on request from our DPO. The archive allows data subjects to understand the terms that applied to their data at any point in the history of the policy.

If you have a question about this Privacy Policy, wish to exercise a data subject right, or have a concern about how your personal data has been handled, your first point of contact should always be our Data Protection Officer. We are committed to resolving privacy concerns fairly, promptly, and transparently.

If you are dissatisfied with our response to your privacy concern, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC). The ODPC is the independent supervisory authority established under the Kenya Data Protection Act 2019 with powers to investigate complaints, compel compliance, and impose administrative penalties for violations of the Act.

Contact details for the ODPC: Website — www.odpc.go.ke. Telephone — +254 20 628 4000. Physical Address — Teleposta Towers, Kenyatta Avenue, Nairobi, Kenya.

For data subjects in the European Economic Area who believe their rights under the GDPR have been infringed, the right to lodge a complaint with a supervisory authority in their country of residence remains available regardless of where Kendaall Tracking is established.