Legal · Data Protection

Privacy Policy

This policy explains how GradeCrest Insurance Investigators collects, processes and safeguards personal data — in accordance with Kenya's Data Protection Act, 2019 and applicable international standards.

Effective: 1 January 2025 Last updated: April 2026 Version: 2.1
Please note. This policy is provided as a general framework describing our data handling practices. For specific engagements, additional terms may apply under a signed engagement letter or data processing agreement. Clients with questions about data handling in their matter should contact their assigned investigator.

Data Controller

For the purposes of the Data Protection Act, 2019 of the Republic of Kenya, the data controller is:

Data Controller

GradeCrest Insurance Investigators

Epic Ridge Apartments, Block 40 D
Getathuru Road, Kitisuru, Westlands, Nairobi

P.O. Box 153-00232, Ruiru, Kenya

contact@gradecrestinvestigators.com · +254 703 107 934

What We Collect

The categories of personal data we process depend on the nature of our relationship with you:

From website visitors

  • Contact form submissions — name, email, phone, organisation and the details of your enquiry
  • Technical information — IP address, browser type, device type and pages visited (via standard server logs)
  • Cookie data — see Section 09

From clients and engaging parties

  • Identification and contact details of authorised representatives
  • Engagement instructions, case details and supporting documentation
  • Billing and payment information

In the course of investigations

Where we are instructed to investigate a specific matter, we may process personal data relating to data subjects (including claimants, witnesses and third parties) as necessary to fulfil the engagement. This may include names, contact details, identification documents, photographs, vehicle records, property records, employment history, financial records and similar categories — strictly limited to information relevant to the engagement.

How We Use Your Data

We process personal data only for specified, explicit and legitimate purposes:

  • Responding to enquiries submitted through our website or by phone/email
  • Providing the investigation, tracing, due diligence and process service for which we have been engaged
  • Preparing reports, evidence bundles and other deliverables for clients
  • Administering our contractual relationship with clients (including billing)
  • Complying with our legal and regulatory obligations in Kenya
  • Protecting our lawful interests in any legal proceeding
  • Maintaining internal records of engagements for quality assurance and audit

Legal Basis for Processing

Under the Data Protection Act, 2019, our processing of personal data is carried out on one or more of the following bases:

  • Consent — where you have given informed consent (for example, by submitting our contact form)
  • Contract — where processing is necessary to perform a contract with you (for example, carrying out an investigation you have engaged us for)
  • Legal obligation — where we are required to process data to comply with a legal or regulatory requirement
  • Legitimate interests — where processing is necessary for the legitimate interests of our firm, our clients or third parties (including the detection and prevention of insurance fraud), balanced against the rights and freedoms of the data subject
  • Public interest — where processing supports the detection or investigation of an offence, in accordance with Section 51 of the Data Protection Act

Sharing & Disclosure

GradeCrest does not sell personal data. We disclose personal data only in the following limited circumstances:

  • To the instructing client — the party who engaged us, as part of the investigation report and supporting evidence
  • To legal counsel or the courts — where our findings form part of judicial or quasi-judicial proceedings
  • To law enforcement or regulators — where compelled by lawful order or required to report criminal conduct
  • To authorised sub-processors — vetted service providers (e.g. secure cloud storage, communications) who are bound by confidentiality obligations
  • To professional advisers — our own lawyers, accountants and auditors, where necessary

All disclosures are limited to what is strictly necessary and are subject to appropriate safeguards.

Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected and to meet our legal, professional and regulatory obligations. Typical retention periods include:

  • Website enquiries not converted into engagements — up to 12 months
  • Closed case files (insurance claim investigations) — 7 years from closure, consistent with industry and insurance regulatory practice
  • Court-related matters (process service, litigation support) — retained in line with applicable statutes of limitation
  • Financial and billing records — 7 years, as required by Kenyan tax law

At the end of the applicable retention period, personal data is securely destroyed or anonymised.

Information Security

We implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, alteration, disclosure or destruction. These measures include:

  • Access controls and role-based permissions on our case management system
  • Encrypted storage of case files and evidence
  • Encrypted transmission of sensitive communications
  • Confidentiality obligations on all staff, contractors and sub-processors
  • Regular security reviews and staff training
  • Secure disposal of physical and electronic records at end of retention

Your Rights as a Data Subject

Under the Data Protection Act, 2019 you have the following rights in relation to your personal data:

  • Right to be informed of how your data is being used
  • Right of access to the personal data we hold about you
  • Right to rectification of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten"), subject to our legal and professional obligations
  • Right to object to processing in certain circumstances
  • Right to data portability for data you have provided to us
  • Right to restrict processing in certain circumstances

To exercise any of these rights, contact us at contact@gradecrestinvestigators.com. We will respond within seven (7) days and complete action within thirty (30) days, in accordance with the Act.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.

Cookies

Our website uses a minimal set of cookies and similar technologies:

  • Essential cookies — required for basic site functionality
  • Preference cookies — remember your theme setting (light / dark)

We do not use third-party advertising or tracking cookies. You may disable cookies via your browser settings; some site functionality may be affected.

Updates to This Policy

We may update this policy from time to time to reflect changes in law, technology or our practices. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically.

Contact & Data Protection Enquiries

For all privacy and data protection enquiries, including to exercise your rights under the Act:

Data Protection Contact

GradeCrest Insurance Investigators

Attention: Data Protection Enquiries

contact@gradecrestinvestigators.com

+254 703 107 934

P.O. Box 153-00232, Ruiru, Kenya