Last Updated: June 2025
At Busara.ai, we are committed to protecting your personal data. This Privacy Notice explains how Busara.ai Ltd and its future affiliates (see Group Entities below) (Busara.ai, we, us, or our) process, hold, use, manage, and secure personal data that we collect about you and/or your organisation. It also outlines the rights and choices you have regarding your personal data.
All references to data, personal data, and personal information in this Privacy Notice refer to any information (held in any form) that can be used to identify an individual person.
We aim to align our privacy compliance principles with global standards such as the EU General Data Protection Regulation (GDPR), while ensuring full adherence to applicable local privacy laws, including Kenya’s Data Protection Act, 2019 (collectively, “Data Protection Laws”). We only use and process your personal data in a manner that is consistent with this Privacy Notice.
This Privacy Notice applies to anyone who interacts with us in any way or form (email, phone, website, etc.). We collect your personal data to maintain and operate our business and to communicate with you.
We may handle and manage your personal data differently depending on our relationship with you, as one or more of the following:
- A business, organisation, or professional (Client or Customer) using, or interested in using, our AI-enabled software and products (Products) and/or referring personal data to us, including end-user information.
- An individual whose data is processed by our Products under the instruction of a Client (End-User) (please see the End-User Data section).
- A visitor to our website accessible at the domain ‘busara.ai’ (Website) and/or a subscriber to our newsletter and other marketing materials (Visitor).
- A contracted service provider providing goods or services to us, or a business partner (Supplier).
If you are applying for a job at Busara.ai, please see our Employee Privacy Notice for more information on how we handle your personal data.
WHAT TYPES OF DATA DO WE COLLECT?
We collect different types of personal data from you depending on our relationship with you and your interactions with us and our Website.
If you choose not to provide personal data to us, or do not provide us with accurate personal data, you may not be able to use a product or feature, or we may not be able to undertake certain activities for you.
The types of personal data we collect may include, but are not limited to, the following:
- Contact details (name, address, mobile number, email, etc.)
- Work contact details / business contact information (work address, company name, work email, work phone number, and job title)
- Your customer account login information (e.g., login credentials)
- Analytics data
- Free text feedback
- Customer payment information (e.g., credit card, bank account, or other details to facilitate payments)
- Supplier payment information (e.g., company bank account details or other details to facilitate payments)
- Information collected using cookies and other technologies on our Website (you can find further information in our Cookie Notice).
HOW DO WE COLLECT PERSONAL DATA?
We collect your personal data through various means, including but not limited to, the following:
- Directly from you.
- Directly from your organisation when you supply goods and services to us.
- Via other third parties (e.g., our suppliers and merchants).
- Through direct mailing or online marketing.
- At exhibitions and trade events.
- Directly from you or your organisation, if you or your organisation:
- Buys or registers for products or services from us.
- Requests information about us or our products or services.
- Provides feedback.
- Responds to a survey.
- Fills in a form or a request for services.
- Fills in a form on our Website.
- Otherwise provides it to us via the Website, over the phone, via email, or in-person.
- If you are a Client or other person interested in our Products, from another individual who registers you with us on your behalf.
- If you are an End-User, we only collect your personal data from our Client.
HOW WE USE YOUR PERSONAL DATA?
We may use the personal data that we collect about you for the following purposes:
- To ensure that content from our Website is presented in the most effective manner for you and your device(s).
- To understand how you use our website, apps, or other technology, including IP address or other device information.
- If you subscribe to our mailing list, to provide you with news and updates about our company and our activities. You may opt out at any time by contacting us or by clicking ‘unsubscribe’ in any of our emails.
- To reply to your queries or provide information you have requested.
- To enter into, perform, manage, and administer your (or your organisation’s) contractual relationship with us, including any trial of the Products, pilot testing, integration testing, after-sales support, technical support, managing your account, billing, and providing other services you may have requested.
- To analyse and improve the Products and other services we provide.
- To provide you with direct marketing materials. You may opt out of receiving direct marketing material by contacting us or by clicking ‘unsubscribe’ in any of our messages.
- To conduct business and service dealings with you.
- To maintain and protect the security of our premises, IT systems, databases, and websites, including identifying, preventing, and detecting security incidents and fraudulent or illegal activity.
- To prevent misuse of our products or services.
- To comply with our legal or regulatory obligations, such as record-keeping and disclosures to tax or other regulatory authorities.
- To establish, exercise, and defend legal claims and to investigate and resolve disputes.
LEGAL BASIS FOR PROCESSING PERSONAL DATA
We process your personal data for the purposes set out above and, where applicable, on the legal bases set out in the following table:
| PURPOSE | LEGAL BASIS |
| Clients / Customers | |
| Perform our contract with you or your organisation | Perform our contract with you<br>Legitimate interest: to perform our contract with your organisation |
| Analytics, Product and service improvement | Your consent (where required)<br>Legitimate interest: to improve our Products |
| Direct marketing | Your consent (where required)<br>Legitimate interest: to promote our Products and services |
| Contact regarding requested products/services | Perform our contract with you<br>Legitimate interest: to provide services under our contract |
| End-Users | |
| Analysis | Legitimate interest: to perform our contract with our Client to provide our Products |
| Visitors | |
| Website presentation | Legitimate interest: to ensure Website content is effectively presented |
| Mailing list subscription | Your consent (with the choice to opt-out at any time) |
| Respond to questions and enquiries | Legitimate interest: to respond to queries and provide requested information |
| Suppliers | |
| Contact regarding ordered products/services | Perform our contract with you<br>Legitimate interest: to receive products/services under our contract |
| Everyone | |
| Identifying and preventing security threats | Legitimate interest: to maintain office, facilities, and IT system security |
| Incident or accident notification | Legitimate interest: for legal and regulatory purposes |
| Compliance activities & defending legal claims | Legitimate interest: to comply with legal obligations and protect our legal rights |
HOW WE DISCLOSE PERSONAL DATA?
We may share your personal data with the parties set out below for the purposes described above.
- Our contracted service providers, domestic or abroad (e.g., legal, financial, and other professional advisers, auditors, website hosts), who will process personal data on our behalf and in accordance with our instructions only.
- Future members of the Busara.ai Group Entities.
- Third parties, where required and permitted by law.
- Any prospective purchaser if we sell or transfer any part of our business or assets.
- Public authorities or governmental bodies where we are required to do so by applicable law or regulation.
Other than as listed above, we will only disclose your personal data when you direct or give us permission, when we are required by applicable law to do so, or when we suspect fraudulent or criminal activities.
We do not sell your personal data to third parties for marketing purposes.
END-USER DATA
If you are an End-User, we encourage you to refer to the privacy notice of the Client (e.g., your employer or service provider) for information about how your personal data is handled by them or authorised for us to process under their instructions.
We may collect some of your personal data from our Client for analysis, including:
- Data sets, which may include text, images, or other formats.
- User profiles or records.
- Associated metadata (e.g., name, age, date of birth, and an identification number unique to you as an end-user), (collectively, Information Package).
Where agreed with our Client, we may de-identify or anonymise the Information Package. This process involves permanently removing any data that could be used to identify you.
Only as instructed by our Client, we may share your personal data with the Client and any other party the Client has asked us to. We may use the Information Package to perform AI-driven analysis to produce findings, predictions, or insights and return those results to our Client.
We support ethical research and development. We may de-identify (or anonymise as required) your personal data to use it for research, statistical analysis, and our product development purposes, including to improve our AI models. The de-identification/anonymisation process involves permanently deleting any information that could be used to identify you.
INTERNATIONAL TRANSFERS
As a company with global aspirations, we may transfer your personal data to countries outside of Kenya or your country of residence to fulfil our business obligations or contracted services. We may disclose personal data to our future Group Entities, as well as certain third-party service providers (including cloud infrastructure providers like Amazon Web Services), which may be located in other parts of Africa, Europe, North America, the United Kingdom, and Asia.
When we transfer personal data outside of Kenya or other jurisdictions with specific cross-border transfer regulations, we will ensure that appropriate safeguards are in place as required by applicable Data Protection Laws, such as the use of standard contractual clauses or ensuring the recipient country is deemed to have an adequate level of data protection.
DATA SECURITY AND HOW WE STORE PERSONAL DATA?
Your personal data will generally be stored in secure cloud systems, such as those provided by Amazon Web Services.
We take reasonable steps to protect your personal data from misuse, interference, loss, and from unauthorised access, modification, or disclosure in accordance with Data Protection Laws and our own data security policies. These measures include redundancy protection, strict access controls, in-transit and at-rest encryption, and industry-standard authentication protocols. All our employees are trained in privacy compliance and are required to protect your personal data.
DATA RETENTION
We will retain your personal data for as long as is required for the permitted purposes, or longer if otherwise required by law or regulation. To determine the1 appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use, the purposes for which we process it, and applicable legal requirements.
YOUR DATA PROTECTION RIGHTS
In line with the GDPR and the Kenyan Data Protection Act, 2019, you have the following legal rights regarding your personal data:
- Access – You may request access to the personal data we hold about you.
- Correction / Rectification – You have the right to request that we correct any personal data we hold about you which you believe is inaccurate.
- Erasure (Right to be Forgotten) – You have the right to request that we erase your personal data.
- Restriction of Processing – You have the right to request that we restrict the processing of your personal data.
- Object to Processing – You have the right to object to the processing of your personal data, including for direct marketing purposes.
- Data Portability – You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, in a machine-readable format.
- Withdrawal of Consent – If processing is based on your consent, you may withdraw it at any time.
For any of the above requests, you will be required to verify your identity. Please send a written description of your request to the contact details below.
End-Users and Clients: If we process your data on behalf of a Client (who is the data controller), the Client is the party responsible for managing your rights. Please contact the relevant Client directly with any requests.
MARKETING
Where your consent is required for direct marketing, we will only provide you with such information if you have opted in. You may opt out at any time by clicking the unsubscribe link in our emails or by contacting us directly.
PRIVACY POLICIES OF THIRD PARTIES
Our Website may contain links to other websites. Our Privacy Notice applies only to our Website. If you click on a link to another website, you should read their privacy policy.
HOW TO CONTACT US & GROUP ENTITIES
If you have any questions about this Privacy Notice, the data we hold about you, or you would like to exercise one of your data protection rights, please contact us:
Busara.ai Ltd
[Your Company Registration Number]
Attention: Privacy Officer
[Your Address in Nairobi, Kenya]
Email: privacy@busara.ai
As we grow, this section will be updated to include affiliate entities in other regions.
HOW TO CONTACT THE APPROPRIATE AUTHORITY
If you feel that your privacy has not been respected or that we have acted inconsistently with this Privacy Notice or applicable Data Protection Laws, please contact our Privacy Officer at privacy@busara.ai.
If you are an End-User, we will forward your complaint to the relevant Client who is the responsible controller for your personal data.
You may also submit a complaint to the competent data protection supervisory authority in your country.
Kenya:
Office of the Data Protection Commissioner (ODPC)
Website: https://www.odpc.go.ke/
Email: info@odpc.go.ke
Address: CA Centre, Waiyaki Way, Westlands, Nairobi
European Union:
If you are located in the EU, you may contact the data protection authority in your jurisdiction. A list is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
CONTROLLERS
Certain Data Protection Laws distinguish between a ‘Controller’ (who determines the purposes and means of processing) and a ‘Processor’ (who processes data on behalf of the controller).
- Busara.ai is the Controller when we are in direct business contact with you or identified in our communications with you.
- Our Client is the Controller for the personal data of its End-Users. In this case, Busara.ai acts as a Processor on the Client’s behalf.
CHANGES TO THIS PRIVACY NOTICE
We may make changes to this policy from time to time. Please visit www.busara.ai/privacy to obtain the latest version of this Privacy Notice.
COUNTRY ADDENDUMS
CALIFORNIA – ADDITIONAL RIGHTS FOR CALIFORNIA RESIDENTS
If the California Consumer Privacy Act of 2018 (CCPA) applies to our operations and you are a California resident, you may have additional rights. We do not sell personal data as defined by the CCPA. If these rights apply to you, you may submit a verifiable Consumer Request to privacy@busara.ai. If you are an End-User, you must contact the relevant Client.
