Privacy notice
Kito Mwangi runs a one-person AI-visibility practice out of Nairobi, working with fintech teams, SaaS founders, coworking operators, NGOs and professional-services firms who want to know how they read to ChatGPT, Gemini and the rest. This notice spells out three things in plain terms: which personal details reach me when you use the contact form on nairobiaiseo.com, the reason each one is kept, and the controls the law gives you over your own information. There is no marketing list quietly gathering addresses, and no funnel running behind the page.
Who controls this data
Kito Mwangi operates nairobiaiseo.com as a sole practitioner based in Nairobi, and under Kenya's Data Protection Act, 2019 that makes me the data controller for everything described on this page. If a privacy question comes up, or you want to act on any of the rights below, email hello@nairobiaiseo.com and I will handle it directly — there is no support desk or ticketing layer in between.
What arrives through the contact form
The contact form only asks for what is needed to have a useful first conversation:
- Name and email address — required, since without them I cannot reply to the right inbox.
- Everything else in the message field — optional detail such as the company name, the AI-visibility issue you've noticed, or links to the pages, listings or profiles worth checking. You decide how much of this to include.
That information is used for one purpose: replying to what you asked. It is never folded into a mailing list, never sold, and never handed to a third party for their own use. I log the timestamp of each submission and a salted SHA-256 hash of the sending IP address — nothing more — purely to spot and block automated spam. The raw IP address is discarded, and I do not collect browser fingerprints or device identifiers of any kind.
What is deliberately left uncollected
- No cookies are used for tracking, and the analytics tool cannot tell a returning visitor from a first-time one.
- No pixels feed ad networks, and no retargeting or marketing-automation script runs on this site.
- No profile is ever built from your behaviour, and no automated system makes a decision that affects you.
- Nothing is sold, and nothing is passed along to a commercial partner — that has never been how this practice operates.
Legal basis for processing
Kenya's Data Protection Act, 2019 recognises several lawful grounds, and I rely on more than one here. The message you send through the form is handled under pre-contractual steps taken at your request — you got in touch first, and I am responding to that. Securing the form against bots, via the IP hash, sits instead on legitimate interest. Where a payment status is recorded, that rests on the underlying contract.
How long things are kept
- Contact-form messages: if they turn into paid work, retained for the life of that engagement plus 24 more months for traceability; if not, deleted after 12 months.
- Payment records: kept exactly as long as Kenyan tax and accounting rules require, then cleared.
- IP hashes: automatically discarded after 90 days.
- Email threads: kept until 24 months after the last reply, or until the engagement ends, whichever is later.
Your rights
Under the Data Protection Act, 2019 you can ask to see what I hold on you, have it corrected or deleted, object to how it is processed, and ask how it is being used. Email hello@nairobiaiseo.com to start any of those — expect a reply within a reasonable window. If you are not satisfied with how a request was handled, the Office of the Data Protection Commissioner is the right place to escalate.
Where the data is hosted
This site runs on servers located in European Union (Germany). If any processor I use (email provider) operates outside Kenya, that transfer is covered by standard contractual clauses and whatever additional safeguards that processor publishes.
Notice updates
When how data is actually handled changes, this page is updated to match — there is no separate changelog. The current version carries the "Updated" date shown near the top. If a change is substantial, I will flag it on the homepage for 30 days so returning visitors do not miss it.