BOLD INSIGHT TECH SOLUTIONS LIMITED DATA PRIVACY POLICY

1.0 INTRODUCTION

1.1 Commitment to Privacy

Bold Insight Tech Solutions Limited ("BITs", "we", "our", "us") is committed to protecting your personal data and privacy rights. We operate in a data-intensive environment processing personal information to fulfill our core mandate of managing procurement processes for our clients. This Privacy Policy demonstrates our commitment to the highest standards of data protection as required under the Data Protection Act 2019 and international best practices.

1.2 Scope of Application

This Privacy Policy applies to all personal data processing activities when you:

Visit our premises or use our online portal
Use any of our products and services including SRM eProcurement, TenderAlert, DiversityLink, and www.srmhub.com
Interact with us as visitors, users, suppliers, agents, customers, or stakeholders

1.3 Legal Basis for Processing

We process personal data under the following lawful bases:

Consent: For marketing communications and optional services
Contract Performance: For service delivery and client obligations
Legal Obligation: For compliance with legal and regulatory requirements
Legitimate Interests: For business operations, security, and service improvement

2.0 DEFINITIONS

BITs/We/Our/Us: Bold Insight Tech Solutions Limited, including successors, affiliates, and subsidiaries
Our Products: SRM eProcurement, TenderAlert, DiversityLink, www.srmhub.com, and related services
Processing: All operations performed on personal data including collection, use, storage, disclosure, and deletion
Data Subject: Any individual whose personal data we process
Personal Data: Any information relating to an identified or identifiable individual

3.0 DATA COLLECTION

3.1 Collection Principles

We collect personal data for specified, explicit, and legitimate purposes. Data will not be processed incompatibly with these purposes.

3.2 Types of Data Collected

We collect the following categories of personal data:

Identity Information:

Full names, age, date of birth
National identification numbers
Professional titles and designations

Contact Information:

Physical addresses (business and residential)
Telephone numbers (mobile and landline)
Email addresses
Emergency contact details

Business Information:

Company registration details
PIN numbers and tax information
Business licenses and permits
Financial statements and references

Technical Information:

IP addresses and device identifiers
Browser type and version
Operating system information
Website usage patterns and preferences

3.3 Methods of Collection

We collect personal data when you:

Register for our products or services
Subscribe to notifications, SMS, email, or social media updates
Participate in surveys, competitions, or promotional activities
Visit or access our websites and online platforms
Contact us with queries or complaints
Interact with us as suppliers, buyers, or staff members
Visit our premises (including CCTV surveillance)
Make payments for our products or services
Attend events organized by BITs

3.4 Consent and Notice

By interacting with us through the above methods, you consent to our collection and processing of your personal data as described in this policy and in accordance with the Data Protection Act 2019.

4.0 USE OF PERSONAL DATA

We use your personal data for the following purposes:

4.1 Service Delivery

Processing products and services subscriptions
Managing user accounts and access rights
Facilitating procurement processes and transactions
Providing customer support and technical assistance

4.2 Communication

Responding to queries, concerns, and complaints
Sending service-related notifications and updates
Providing information about new or existing products

4.3 Legal Compliance

Meeting Know Your Customer (KYC) requirements
Complying with anti-money laundering obligations
Fulfilling tax and regulatory reporting duties
Responding to legal requests and court orders

4.4 Business Operations

Conducting research and market analysis
Improving products and services
Managing business relationships
Ensuring platform security and fraud prevention

4.5 Marketing (with consent)

Sending promotional materials and offers
Personalizing marketing communications
Analyzing marketing campaign effectiveness

5.0 DATA RETENTION

5.1 Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to meet legal obligations.

5.2 Specific Retention Periods

Client and Business Data: 7 years after contract termination
Marketing Data: 2 years from last interaction or consent withdrawal
CCTV Footage: 90 days unless incident recorded (then 2 years)
Financial Records: 7 years as required by tax legislation
Employee Data: 7 years after employment termination
Website Analytics: 26 months from collection
Support Communications: 3 years from last interaction

5.3 Data Anonymization

At the end of retention periods, we may anonymize personal data so it can no longer identify you, allowing continued use for research and statistical purposes.

6.0 DATA BREACH RESPONSE

6.1 Incident Response

We maintain comprehensive data breach response procedures including:

Immediate containment and assessment
Risk evaluation and impact analysis
Notification to affected individuals and authorities
Remedial action and prevention measures

6.2 Notification Timeframes

Data Protection Commissioner: Within 72 hours of breach discovery
Affected Individuals: Without undue delay where high risk exists
Internal Reporting: Immediate notification to management

7.0 DISCLOSURE OF PERSONAL DATA

7.1 General Principle

We assess each data disclosure request and may decline requests that don't meet legal or legitimate business requirements.

7.2 Permitted Disclosures

We may disclose personal data to:

Legal Authorities:

Law enforcement agencies (with legal basis)
Regulatory bodies and government agencies
Courts and tribunals (under legal compulsion)

Business Partners:

Other buyers interested in your services (with consent)
Professional service providers (lawyers, auditors, insurers)
Survey agencies conducting research on our behalf

Service Providers:

IT service providers and cloud hosting companies
Payment processors and financial institutions
Marketing agencies and communication platforms

7.3 Safeguards

All data disclosures include appropriate safeguards such as:

Data processing agreements
Confidentiality undertakings
Purpose and use limitations
Security requirements

8.0 MARKETING COMMUNICATIONS

8.1 Consent Requirements

Marketing communications require explicit opt-in consent. We will not send promotional materials without your permission.

8.2 Opt-Out Rights

You can stop marketing communications by:

Emailing admin@srmhub.com
Following unsubscribe links in messages
Contacting us through provided channels
Managing preferences in your account settings

8.3 Service Communications

Opting out of marketing doesn't affect essential service communications related to your existing products or services.

9.0 COOKIES AND TRACKING TECHNOLOGIES

9.1 Cookie Categories

Essential Cookies (Always Active):

Authentication and security
Shopping cart functionality
User preferences and settings

Functional Cookies (Consent Required):

Enhanced website features
Personalization options
Language and region settings

Analytics Cookies (Consent Required):

Website usage statistics
Performance monitoring
User behavior analysis

Marketing Cookies (Explicit Consent Required):

Personalized advertisements
Cross-site tracking
Campaign effectiveness measurement

9.2 Cookie Management

You can manage cookie preferences through:

Browser settings and controls
Our cookie management dashboard at www.srmhub.com/cookies
Opt-out tools for marketing cookies

9.3 Cookie Data Retention

Session cookies: Deleted when browser closes
Persistent cookies: Maximum 2 years
Marketing cookies: 13 months from last update

10.0 THIRD-PARTY INTEGRATIONS

10.1 Social Media Features

Our websites include social media buttons (Facebook, Twitter, LinkedIn) and sharing widgets. These features may collect your IP address and set cookies. Your interactions are governed by the respective social media platform's privacy policy.

10.2 External Links

We may provide links to external websites. BITs doesn't endorse or control external sites and isn't responsible for their content or privacy practices. We recommend reviewing privacy policies of external sites you visit.

11.0 INTERNATIONAL DATA TRANSFERS

11.1 Transfer Safeguards

When transferring personal data outside Kenya, we ensure adequate protection through:

Adequacy Decisions: Countries approved by Data Protection Commissioner
Standard Contractual Clauses: European Commission or DPC-approved clauses
Binding Corporate Rules: Internal privacy rules for multinational organizations
Certified Transfer Mechanisms: Approved certification schemes
Explicit Consent: For specific, informed consent to transfers

11.2 Transfer Documentation

We maintain records of all international transfers including safeguards applied and legal bases used.

12.0 YOUR PRIVACY RIGHTS

12.1 Right to Information

You have the right to know what personal data we hold and how we use it.

12.2 Right of Access

You can request copies of your personal data we hold.

12.3 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

12.4 Right to Erasure

You can request deletion of your personal data subject to legal retention requirements.

12.5 Right to Restrict Processing

You can request limitation of processing under certain circumstances.

12.6 Right to Data Portability

You can request personal data in structured, machine-readable format for transfer to another controller.

12.7 Right to Object

You can object to processing for direct marketing or legitimate interests.

12.8 Right to Withdraw Consent

You can withdraw consent for processing based on consent at any time.

12.9 Right to Complain

You can lodge complaints with the Office of the Data Protection Commissioner.

12.10 Response Timeframes

We respond to privacy rights requests within 30 days. Complex requests may require additional time with notification.

12.11 Right to Human Review

You have the right to human review of automated decision-making that significantly affects you.

13.0 DATA SECURITY

13.1 Security Measures

We implement comprehensive technical and organizational security measures:

Technical Safeguards:

Data encryption in transit and at rest
Access controls and authentication systems
Regular security monitoring and logging
Firewall and intrusion detection systems
Secure backup and disaster recovery

Organizational Safeguards:

Staff privacy training and awareness
Data handling policies and procedures
Regular security assessments and audits
Vendor security requirements
Incident response procedures

13.2 Access Controls

Personal data access is limited to authorized personnel who need it for their duties and have signed confidentiality agreements.

14.0 CONTACT INFORMATION

14.1 Privacy Inquiries

For privacy-related questions, requests, or complaints:

Email: admin@srmhub.com
Phone: +254 733312000
Mail: Bold Insight Tech Solutions Limited
iHiT Innovation Centre
Dennis Pritt Road
P.O Box 36662-00200
Nairobi, Kenya

14.2 Data Protection Officer

Contact our Data Protection Officer for privacy matters: Email: dpo@srmhub.com

15.0 POLICY UPDATES

15.1 Amendment Rights

BITs reserves the right to amend this Privacy Policy to reflect legal changes, business developments, or improved practices.

15.2 Notification of Changes

Significant changes will be communicated through:

Website notifications at www.srmhub.com
Email alerts to registered users
Posted notices at our premises

15.3 Effective Date

This Privacy Policy is effective from 18th September 2025 and supersedes all previous versions.

Last Updated: 18.09.2025
Version: 2.0