+254 735 250040
·
info@mlimbiine-mungai.com
·
Mon - Fri 09:00-17:00
Consult
Find us on Social Media

PRIVACY POLICY

M’LIMBIINE & MUNGAI ADVOCATES
Last updated: 09 September 2025

This Privacy Policy explains how M’limbiine & Mungai Advocates (“the Firm”, “we”, “us”, “our”) collects, uses, discloses, retains, secures and protects Personal Data (as defined below) obtained through:
(a) www.mlimbiine-mungai.com and any sub-domains or micro-sites (collectively “the Site”);
(b) online intake forms, client portals, e-mail, WhatsApp Business, social-media direct messages, calendar-booking tools, e-newsletter subscriptions, webinar registrations, blog comment fields, chat-bots and any other digital touch-points we operate;
(c) offline collection (in-person meetings, hard-copy forms, business cards, telephone calls, events); and
(d) data received from third-party sources (government registries, due-diligence providers, referrers, joint-event sponsors, advertising platforms, publicly accessible sources).

The Firm is a data controller for most processing activities described below. Where we act as a data processor (e.g., when hosting a data-room for a transaction) the controller-specific obligations rest with our client; we nevertheless apply the same security standards described herein.

We comply with:
• The Kenya Data Protection Act, 2019 (“KDPA”) and its subsidiary legislation;
• The EU General Data Protection Regulation 2016/679 (“GDPR”) to the extent we target or track data subjects located in the EEA/UK;
• The UK GDPR & Data Protection Act 2018;
• The California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”) where applicable;
• Any other foreign data-protection laws that mandatorily apply to our global engagements.

If any term in this Policy conflicts with a mandatory provision of such laws, the statutory provision prevails.


1. DEFINITIONS

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It includes Special Categories of Personal Data (sensitive data) and Criminal Offences Data where we are required to process such data for the provision of legal services.

“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data Subject” means the individual to whom the Personal Data relates.

“EEA” means the European Economic Area.


2. SCOPE & CHILDREN

This Policy applies to all visitors, clients, potential clients, recruits, suppliers, webinar attendees, newsletter subscribers, opposing parties, witnesses, experts and any other natural persons whose Personal Data we Process. The Site and services are not directed to children under 16. We do not knowingly collect data from minors unless provided by a parent/guardian in the context of guardianship or family-law matters with verifiable consent.

3. WHAT PERSONAL DATA DO WE COLLECT?

3.1 Direct interactions
• Identity: full name, national ID/passport number, date of birth, gender, marital status, photographs, CCTV images at our offices.
• Contact: postal address, billing address, e-mail, telephone, social-media handles, emergency contact.
• Professional: job title, employer, practising certificate number, curriculum vitae, references.
• Financial: bank account, M-Pesa details, credit-reference checks, VAT number, invoicing records.
• Engagement details: matter description, instructions, advice given, pleadings, contracts, IP addresses, login audit trails, voice recordings of calls.
• Marketing preferences: opt-in/opt-out status, event dietary requirements.
• Special-category data: racial/ethnic origin, political opinions, religious/philosophical beliefs, trade-union membership, genetic/biometric data, health data (e.g., medical reports in personal-injury files), sexual orientation (e.g., in family-law matters) – processed strictly under Art. 9 GDPR & KDPA sec. 30.
• Criminal-offence data: police-clearance certificates, prosecution records – processed under Art. 10 GDPR & KDPA sec. 31.

3.2 Automated technologies
• Server logs: IP, browser type, OS, referral URLs, pages visited, date/time stamps, clickstream.
• Cookies & similar: see dedicated Cookie Policy (Annex A).
• Pixel tags, embedded scripts, social-media plug-ins, LinkedIn Insight, Google Analytics 4 (IP anonymisation enabled), Meta Custom Audiences.
• Chat-bot transcripts with time stamps.

3.3 Third-party sources
• Anti-money-laundering databases (World-Check, Refinitiv).
• Land registries, company registries, litigation e-filing portals.
• Opposing counsel, courts/tribunals, expert witnesses.
• Recruitment agencies, LinkedIn, event organisers.
• Publicly accessible sanctions lists, gazette notices, press.


4. LAWFUL BASES OF PROCESSING

We only Process Personal Data when at least one lawful basis applies:

a) Contract: to provide legal services you request or to perform our retainer.
b) Legal obligation: e.g., Anti-Money-Laundering Act, Advocates Act, tax legislation, court rules.
c) Legitimate interests: managing our practice, network security, debt-recovery, marketing similar services to existing clients (GDPR recital 47), preventing fraud, recruiting talent – balanced against your rights.
d) Consent: for sending e-newsletters, placing non-essential cookies, publishing your testimonial, processing special-category data for non-mandatory purposes.
e) Vital interests: e.g., safeguarding a life where a client threatens self-harm.
f) Public task: when acting as court-appointed receiver or advocate for the State.

Special-category & criminal-offence data additional conditions:
• Substantial public interest (Administration of justice, GDPR Sch. 9 clause 6; KDPA Second Schedule para. 6).
• Establishment, exercise or defence of legal claims.
• Explicit consent (rare, documented).


5. PURPOSES & RETENTION

Purpose categories (illustrative, non-exhaustive)
1. Client intake, conflict-check, AML/KYC, credit-check.
2. Legal advice, drafting, negotiation, litigation, arbitration, conveyancing, due-diligence, closings.
3. Billing, ledger management, tax invoices, interest calculations.
4. Communication: e-mail, client portal, SMS case updates.
5. Record-keeping & knowledge-management (precedent banks, AI-assisted research).
6. Compliance: statutory filings, regulator audits, professional indemnity.
7. Business development: invitations, webinars, articles, social-media targeting.
8. Recruitment & HR.
9. Security & fraud prevention.
10. Exercise or defence of legal claims.

Retention schedule (data-minimisation principle)
• AML records: 5 years after end of client relationship (Proceeds of Crime regs).
• Client files: minimum 7 years after last billable act (LSK guidance) or longer if litigation horizon/children involved.
• Deeds & title opinions: 12 years (Limitation of Actions).
• Wills & fiduciary records: 30 years or life-plus-7.
• Accounting books: 7 years (Tax Procedures Act).
• CCTV footage: 30 days unless incident flag.
• Marketing consents: until withdrawn or 3 years of inactivity.
• Job applicant CVs: unsuccessful candidates – 1 year unless consent to keep longer.

We periodically review archives; data no longer required is irretrievably shredded (paper) or cryptographically erased (digital).


6. COOKIES & TRACKING TECHNOLOGIES

See Annex A – Cookie Policy (separate, layered notice). In short:
• Strictly necessary cookies (session, load-balancer).
• Functional cookies (language, client-portal login).
• Analytical cookies (Google Analytics 4 – IP masked, no User-ID).
• Marketing cookies (LinkedIn, Meta – only with prior consent).

You can manage preferences via the cookie banner or browser settings. Do-Not-Track signals are honoured.

7. SHARING & INTERNATIONAL TRANSFERS

Categories of recipients
• Barristers, expert witnesses, arbitrators, translators, e-discovery vendors.
• Cloud infrastructure: Microsoft Azure (EU & South-Africa regions), AWS Cape-Town backup, both ISO 27001 certified.
• Fin-tech: M-Pesa API, banks, escrow agents.
• Regulators: LSK, Central Bank, Judiciary e-filing, KRA, DCI, FRC.
• Professional advisers: auditors, insurers, tax consultants.
• Debt-collection agencies (only after default & notice).
• Successor entity in case of merger/acquisition under confidentiality.

International transfers
We use adequacy-decided countries (UK, EU, Canada) or Standard Contractual Clauses (2021 version) plus UK IDTA for US-based processors (e.g., Zoom, Microsoft 365). Encryption in transit (TLS 1.3) and at rest (AES-256) is mandatory. Transfers outside Kenya require your explicit consent unless exempted under KDPA sec. 52 (adequacy or SCC).


8. AUTOMATED DECISION-MAKING & PROFILING

We do NOT make solely automated decisions that produce legal or similarly significant effects. AI tools used for document review or legal research always involve human lawyer validation.

9. SECURITY MEASURES

• ISO 27001-aligned Information Security Management System.
• Role-based access control (RBAC), principle of least privilege.
• Multi-factor authentication for all cloud services; biometric access to physical server room.
• End-point detection & response (EDR), 24/7 SOC monitoring.
• Annual penetration testing & vulnerability scanning; bug-bounty programme.
• Encrypted laptops (BitLocker) and mobile-device management (Intune).
• Paper files in locked cabinets behind RFID doors; clean-desk policy.
• Staff undergo annual GDPR/KDPA training and sign confidentiality deeds.
• Incident-response plan with 72-hour regulator notification SLA.

10. YOUR RIGHTS

Kenyan residents (KDPA) & EEA/UK residents (GDPR/UK GDPR) enjoy the following rights, exercisable free of charge unless manifestly unfounded:
1. Access – receive a copy of your Personal Data we hold.
2. Rectification – correct inaccurate or incomplete data.
3. Erasure – “right to be forgotten” where no overriding legal basis exists.
4. Restriction – freeze processing while disputes are investigated.
5. Object – to direct marketing or legitimate-interest processing.
6. Data portability – obtain data in a structured, machine-readable format (where processing is by automated means and based on consent/contract).
7. Withdraw consent – at any time without affecting prior lawfulness.
8. Lodge complaint – with the Office of the Data Protection Commissioner (Kenya) or your local EEA/UK supervisory authority.
9. Opt-out of sale/sharing – for California residents (we do not sell data; “sharing” for cross-context behavioural advertising can be disabled).
10. Appeal – internal escalation to the Data Protection Officer (DPO) within 30 days.

How to exercise rights
Email: privacy@mlimbiine-mungai.com
Post: Data Protection Officer, M’limbiine & Mungai Advocates, P.O. Box 12618-00100, Nairobi, Kenya
Include: full name, contact details, description of request, copy of ID (redacted passport/ID number). We respond within 30 calendar days (GDPR) or 21 days (KDPA) and may extend once by a similar period for complex requests.


11. DIRECT MARKETING & NEWSLETTERS

• Opt-in consent is obtained before sending commercial e-mails to non-clients.
• Clients receive marketing on similar services under legitimate interest but can opt out instantly via the unsubscribe link or by replying STOP.
• SMS, WhatsApp and telephone marketing respect the Kenyan Communications Authority (CA) Do-Not-Disturb register.
• Social-media custom audiences are uploaded using SHA-256 hashed e-mail lists; users can object via platform settings.

12. LINKS TO THIRD-PARTY SITES

The Site may contain links to courts, registries, LinkedIn, YouTube, Zoom. We are not responsible for the privacy practices or content of such sites. We encourage you to read their privacy policies.

13. CHANGES TO THIS POLICY

We will post any material changes on this page with a “Last updated” date and, where appropriate, notify you via e-mail or prominent banner. Continued use of our services after such changes constitutes acceptance.

14. CONTACT

Data Protection Officer (DPO)
M’limbiine & Mungai Advocates
5th Floor, Suite 5-12, 5th Ngong Avenue, Nairobi
E-mail: privacy@mlimbiine-mungai.com | dpo@mlimbiine-mungai.com
Telephone: +254 20 221 1362

ANNEX A – COOKIE POLICY (LAYERED NOTICE)

A separate, readily accessible Cookie Policy is available at www.mlimbiine-mungai.com/cookies. It lists each cookie’s name, provider, purpose, lifespan, category, and instructions for refusal. Cookie consent can be revisited at any time via the “Cookie Settings” floating icon.


ANNEX B – CALIFORNIA CONSUMER NOTICE (CCPA/CPRA)

• Categories of personal information collected: Identifiers, Customer records, Protected classifications, Commercial information, Internet activity, Professional/employment information, Education information, Inferences.
• Purposes: See section 5.
• No sale of personal information (as “sale” is defined under CCPA).
• Sensitive personal information (e.g., government ID, account log-in) processed strictly for service purposes; no inference-based advertising.
• California metrics for 2024: 0 requests to delete, 0 requests to know, 0 requests to correct, 0 opt-outs.
• Non-discrimination right honoured.


ANNEX C – GLOSSARY OF LEGAL BASES (KDPA & GDPR)

Provided on request for lay-person clarity.