This policy explains what personal data NaiForge collects when you use naiforge.com, why we collect it, how we store it, and the rights you have under Kenya's Data Protection Act 2019. We aim for this document to be shorter, clearer, and more honest than the template privacy policies you have already scrolled past this week.
Questions about anything below? Email hello@naiforge.com.
Who we are
NaiForge is a productized web development studio based in Karen, Nairobi, Kenya. We are the data controller for any personal information collected through naiforge.com. Contact: hello@naiforge.com, +254 790 117 953.
What personal data we collect
Three categories, nothing more:
- Inquiry form data. When you fill in the contact form, we receive: your name, email address, optional phone number, project type selection, budget range selection, and your message.
- Technical data. When your browser loads any page, our servers receive: your IP address (stored only as a short hash, not the raw IP), browser user-agent string, referring URL, and basic request metadata. This is standard web-server operation.
- Analytics data. We use Google Analytics 4 to understand aggregate site usage. Google may set cookies to identify returning visitors. See Google's privacy policy for their handling.
We do not collect or store payment card data. We do not ask for, and do not receive, any special-category personal data (health, religion, political opinions, biometrics).
Why we collect it
Three reasons, mapped to specific data:
- To reply to your inquiry. If you fill in the contact form, we need your name and email to get back to you. That is the whole purpose of that data. Lawful basis: your consent (given by submitting the form).
- To operate and secure the website. Technical logs let us keep the site fast, catch errors, and block abusive traffic. Lawful basis: legitimate interest in operating a functioning, secure website.
- To improve the website. Analytics data helps us see which pages are useful and which aren't, so we can make the site better. Lawful basis: legitimate interest; you can opt out via browser-level cookie controls.
Who we share your data with
We share data only with the service providers who help us run the site. Currently:
- Cloudflare — hosts the site infrastructure (Workers, D1 database, R2 storage). Your data may transit through Cloudflare's global edge network.
- Resend — sends the email notifications to our inbox when you submit the contact form. Resend processes your name, email, and message for delivery purposes only.
- Google Analytics — processes aggregate analytics. You can prevent this by using browser privacy settings or a tracking blocker.
We do not sell your personal data. We do not share it with advertisers. We do not share it with third parties outside the list above. We may disclose data when legally compelled (Kenyan court order, regulatory requirement) — we'd push back on any overreach and would notify you where legally permitted.
How long we keep it
- Inquiry form submissions: kept for up to 24 months in our secure database (Cloudflare D1). We may keep summary records longer for business-record purposes. Deletion on request is available immediately, at any time.
- Email records: inquiries arriving in our inbox are kept per normal email retention; we purge anything older than 24 months.
- Technical/analytics data: Cloudflare and Google retain this data for their standard periods (typically 30-90 days raw, 26 months aggregated).
Where we store it
Cloudflare distributes data across a global network with edge presence in Nairobi. Resend and Google are US-based. This means some of your data will be processed outside Kenya. We rely on the providers' standard international transfer protections (standard contractual clauses, provider-level certifications) as permitted under Kenya's Data Protection Act 2019.
Your rights under Kenya's Data Protection Act
As a data subject under the Kenya Data Protection Act 2019, you have the right to:
- Access any personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your personal data ("right to erasure").
- Object to our processing for legitimate-interest purposes.
- Restrict processing in specific circumstances.
- Portability — receive your data in a structured, commonly used format.
- Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) if you believe we've mishandled your data.
To exercise any of these rights, email hello@naiforge.com. We respond within 7 working days and will complete the action within 30 days — almost always much faster.
Cookies
We use minimal cookies. A session cookie may be set when you use any logged-in area (currently none public). Google Analytics may set its own cookies (_ga, _gid, etc.) for analytics purposes. No third-party advertising or tracking pixels are loaded on this site.
Security
All traffic to naiforge.com runs over HTTPS. Data in our Cloudflare D1 database is encrypted at rest. Access to the database is restricted to authorized NaiForge team accounts. We do not store passwords in plain text (none collected on this site, currently). If a breach affecting your personal data occurs, we will notify the ODPC within 72 hours and affected individuals as legally required.
Children's privacy
NaiForge is a B2B / small-business service. We do not knowingly collect data from anyone under 18. If you believe a minor has submitted data, email us and we will delete it.
Changes to this policy
When we update this policy, we change the "Last updated" date at the top. Material changes (new data categories, new third-party processors, new purposes) are announced via a banner on the homepage for at least 30 days and by email to anyone with an open inquiry with us. We never retroactively apply new terms to data collected before you consented to them.
Contacting us about privacy
Email hello@naiforge.com with the subject line "Privacy inquiry." Phone or WhatsApp +254 790 117 953. Physical address available on written request to registered Kenyan businesses for legal notice service.