Spread Masters Ltd
Privacy Policy
Version 1.1 | Last updated: December 12 2025
Spreadmasters Limited is committed to protecting your personal data in line with the Kenya Data Protection Act, 2019 (KDPA). This notice explains the personal data we collect, why we collect it, how we use it, who we may share it with, and the rights you have.
1. Personal Data We Collect
We collect and process personal data depending on how you interact with us.
Categories of Data
- Identification & Contact Information: Name, phone number, email, ID/passport number.
- Financial & Transaction Data: Bank details, invoices, KRA PIN, payment records, purchase history.
- Supplier & Vendor Data: Business details, contact details, delivery/contract information.
- Digital & Website Data: IP address, device information, cookies, browsing behaviour.
- Security Data: CCTV recordings, access logs.
- Feedback & Communication: Complaints, surveys, emails, call records.
- Recruitment Data (applicants only): CVs, application letters, qualifications, references.
We only collect data that is necessary for our operations and services.
2. Why We Use Your Data (Purpose)
- To process and deliver orders.
- To provide customer support.
- To manage suppliers and service providers.
- To issue invoices and process payments.
- To manage recruitment.
- For security and access control.
- To improve our website and user experience.
- For marketing (with your consent where required)
3. Why We Use Your Data (Purpose)
| Category of Data | Examples | Purpose | Legal Basis (KDPA) |
|---|---|---|---|
| Customer Identification & Contact Data | Name, phone, email, ID number | Order processing, delivery, customer support | Contract |
| Customer Financial & Transaction Data | Bank details, invoices, KRA PIN, payments | Payment processing, financial reconciliation, accounting | Contract; Legal Obligation |
| Purchase & Interaction Data | Purchase history, preferences, complaints | Service improvement, product development | Legitimate Interest |
| Marketing & Communication Data | Activations and promotions | Sending promotional content | Consent |
| Supplier / Vendor Data | Business contact details, contracts, invoices | Delivering services, contract administration | Contract; Legitimate Interest |
| Website & Digital Data | IP address, cookies, browsing behaviour | Site functionality, analytics, service improvement | Consent (cookies); Legitimate Interest |
| Security Data | CCTV, visitor logs | Safety and security of premises | Legitimate Interest |
| Feedback & Complaints Data | Surveys, emails, call records | Quality assurance, responding to inquiries | Legitimate Interest |
| Recruitment Data (applicants) | CV, certificates, references | Evaluating suitability for employment | Legitimate Interest |
4. Sharing and Protecting Your Data
We may share your personal data with:
- Authorized third-party service providers such as IT support, payment processors, logistics providers.
- Regulators or law enforcement, if required by law
- Other third parties, only with your explicit consent
Security Measures
We apply administrative, technical, and physical safeguards including:
- Secure servers located in Kenya.
- Encryption and access controls.
- Staff training and awareness
- Audit and monitoring controls.
- Role-based access and multifactor authentication
- Biometric access and physical security measures
Cross-Border Transfers
If data must be shared or stored outside Kenya:
- We assess the receiving country’s data protection standards.
- We use legally binding agreements and safeguards.
- We follow KDPA cross-border transfer requirements.
5. Data Retention
We keep personal data only for as long as necessary for the purposes described or as required by law. Typical retention periods range between 7 and 10 years in line with our Data Retention Policy. Data that is no longer needed is securely deleted or anonymized.
6. Your Data Protection Rights
You have the right to:
- Access your data.
- Request correction.
- Request deletion under qualifying conditions.
- Restrict or object to processing.
- Request data portability.
- Withdraw consent at any time.
Response timelines under KDPA are as follows:
| Right | Response Time |
|---|---|
| Access | 7 days |
| Rectification | 14 days |
| Erasure | 14 days |
| Restrict Processing | 14 days |
| Object to Processing | 14 days |
| Data Portability | 30 days |
To exercise any of these rights, contact smastersfinance@gmail.com.
We do not use automated decision-making or profiling.
7. Cookies and Website Use
Our website uses cookies to support functionality and analytics. You can accept or reject non-essential cookies through the cookie banner on our site.
8. How to Contact Us
For queries, complaints, or data rights requests, write to us through smastersfinance@gmail.com. If you are not satisfied with our response, you may contact the Office of the Data Protection Commissioner www.odpc.go.ke
9. Updates to This Notice
We may update this notice from time to time. The latest version will always be available on our website.