Privacy Policy

Last updated: May 2026

This Privacy Policy describes how Stawitech (“Stawitech”, “we”, “us”, or “our”) handles personal data in connection with the StawiHR Human Resource Management System and related services (collectively, the “Service”). By signing up for or using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. Applicable Law

All processing of personal data through the Service is governed by the laws of the Republic of Kenya, including but not limited to:

  • The Constitution of Kenya, 2010 (Article 31 — Right to Privacy);
  • The Data Protection Act, 2019 and its subsidiary regulations;
  • Guidance and directives issued by the Office of the Data Protection Commissioner (ODPC); and
  • Any other applicable Kenyan statutes, regulations, and lawful orders.

Where a client organisation has established internal data protection policies, employee privacy notices, or contractual obligations that apply to HR-related data, those internal rules also apply to the extent they are consistent with Kenyan law and have been communicated to Stawitech as part of the service relationship.

2. Roles and Responsibilities

2.1 Client as Data Controller

Organisations that sign up for and use the Service (“Clients”) act as the data controller for all HR-related personal data entered into, generated by, or stored within their instance of the system. This includes, without limitation:

  • Employee and contractor personal details;
  • Payroll, compensation, and benefits information;
  • Attendance, leave, and performance records;
  • Recruitment and onboarding data;
  • Any other workforce or human-resources information uploaded or managed by the Client.

The data within the HR system remains the sole responsibility of the Client who signs up for the Service. Clients are responsible for:

  • Determining the lawful basis for processing personal data;
  • Ensuring data collected is accurate, relevant, and not excessive;
  • Providing appropriate privacy notices to employees and other data subjects;
  • Responding to data subject access requests and other rights exercised under Kenyan law;
  • Complying with their own internal policies and applicable sector-specific regulations; and
  • Ensuring that only authorised personnel access HR data within their organisation.

2.2 Stawitech as Data Processor

Stawitech acts solely as a data processor with respect to HR-related personal data that Clients store and process through the Service. We process such data only on documented instructions from the Client, as set out in our service agreement, this Privacy Policy, and applicable law.

Stawitech does not own, control, or determine the purposes for which Client HR data is processed. We do not sell Client HR data to third parties.

3. Information We Process

3.1 Client Account Data

When a Client registers for the Service, we collect business contact information such as company name, administrator name, email address, telephone number, and billing details. This information is used to administer the account, provide support, and fulfil our contractual obligations.

3.2 HR Data Processed on Behalf of Clients

Clients may upload or enter HR-related personal data into the Service. Stawitech processes this data strictly to provide, maintain, secure, and improve the Service on the Client’s behalf. The categories of data processed depend on the features the Client uses and the information the Client chooses to store.

3.3 Technical and Usage Data

We may collect limited technical information such as IP addresses, browser type, device identifiers, log files, and usage metrics. This data helps us maintain system security, diagnose issues, and improve performance. Where this data relates to identifiable individuals, it is handled in accordance with this Policy and Kenyan law.

4. How We Use Personal Data

Stawitech uses personal data only for the following purposes:

  • Providing, operating, and maintaining the Service;
  • Processing subscriptions, invoices, and payments;
  • Delivering customer support and responding to enquiries;
  • Monitoring system performance and detecting security incidents;
  • Complying with legal obligations under Kenyan law; and
  • Any other purpose explicitly instructed by the Client in their capacity as data controller.

5. Data Security

Stawitech takes all necessary and appropriate technical and organisational measures to protect the personal data accessible to it, including data stored on or transmitted through our infrastructure. These measures include, where applicable:

  • Encryption of data in transit using industry-standard protocols (such as TLS/SSL);
  • Access controls and role-based permissions limiting data access to authorised personnel;
  • Regular security monitoring, logging, and incident response procedures;
  • Secure hosting environments with physical and network safeguards;
  • Regular backups and disaster recovery planning;
  • Staff training on data protection and confidentiality obligations; and
  • Periodic review and improvement of security practices.

While we implement robust safeguards, no method of electronic storage or transmission is completely secure. Clients are encouraged to use strong passwords, enable available security features, and promptly report any suspected unauthorised access.

6. Data Sharing and Sub-Processors

Stawitech does not disclose Client HR data to third parties except:

  • Where necessary to provide the Service (for example, hosting or infrastructure providers acting as sub-processors under contract);
  • Where required by Kenyan law, court order, or a lawful request from a competent authority; or
  • With the Client’s explicit written instruction or consent.

Any sub-processors engaged by Stawitech are bound by written agreements requiring them to implement appropriate data protection and security measures consistent with Kenyan law.

7. Data Retention

Client HR data is retained for as long as the Client maintains an active account and as otherwise instructed by the Client. Upon termination of the service relationship, Stawitech will delete or return Client HR data in accordance with the service agreement and applicable law, unless retention is required for legal, regulatory, or legitimate business purposes.

Account and billing records may be retained for the period required by Kenyan tax, accounting, and commercial law.

8. Data Subject Rights

Under the Data Protection Act, 2019, data subjects have rights including access, correction, deletion, objection, and restriction of processing. Because Clients are the data controllers for HR data, employees and other data subjects should direct requests relating to their HR records to their employer (the Client). Stawitech will assist Clients in fulfilling such requests to the extent required by law and our service agreement.

Individuals may contact Stawitech directly regarding personal data for which Stawitech acts as a data controller (such as Client account contact information).

9. Cross-Border Data Transfers

Where personal data is transferred outside Kenya, Stawitech ensures that appropriate safeguards are in place as required by the Data Protection Act, 2019 and ODPC guidance, including adequate data protection standards in the receiving jurisdiction or binding contractual protections.

10. Data Breach Notification

In the event of a personal data breach affecting data within our control, Stawitech will notify affected Clients without undue delay and in accordance with the Data Protection Act, 2019. Clients are responsible for assessing whether notification to the ODPC or affected data subjects is required and for making such notifications where they act as the data controller.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify Clients through the Service or by email. Continued use of the Service after changes take effect constitutes acceptance of the revised Policy.

12. Contact Us

If you have questions about this Privacy Policy or Stawitech’s data processing practices, please contact us:

  • Stawitech
  • B32, 2nd Avenue Garden, Nairobi, Kenya
  • Email: [email protected]
  • Telephone: +254 704 602 809

For complaints relating to data protection, you also have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya.