Legal

Privacy Policy

Effective 20 May 2026 · Compliant with Kenya DPA 2019, EU/UK GDPR, CCPA

We collect the minimum personal data necessary to respond to your enquiries and operate this website. We do not sell or rent your data. We respect your rights under applicable data protection laws.

Contents

  1. 01Who we are
  2. 02What data we collect
  3. 03Why we collect it (legal bases)
  4. 04Who we share data with
  5. 05How long we keep it
  6. 06Your rights
  7. 07How we protect your data
  8. 08International transfers
  9. 09Children's data
  10. 10Cookies
  11. 11Changes to this policy
  12. 12Questions or complaints

01 — Section

Who we are

Spidey Labs Limited ("Spidey Labs", "we", "our", or "us") is a private limited company registered in Kenya. We operate the website spideylabs.tech and provide custom software engineering services to clients in Kenya, the European Union, the United Kingdom, and the United States.

This Privacy Policy describes how we collect, use, store, and share information about you when you visit our website, contact us, or engage our services. We act as a data controller for the personal data described below.

Registered office
Spidey Labs Limited
Nairobi, Kenya
Email: peter@spideylabs.tech

02 — Section

What data we collect

We collect only what we need to respond to you and to operate the site:

  • Information you give us when you fill out the contact form: name, email address, company name (optional), phone or WhatsApp number (optional), project category, budget range, and your message.
  • Information collected automatically by our hosting and analytics providers: IP address, browser type, device type, operating system, the pages you visit, the order you visit them in, referrer URL, and approximate location (country and city level only).
  • Information from cookies and similar technologies — we use a minimal set of strictly-necessary cookies (session handling, theme preference) and privacy-respecting analytics cookies (Vercel Analytics, Vercel Speed Insights). We do not use advertising cookies, cross-site trackers, or behavioural retargeting.

We do not collect special categories of personal data (health, race, political opinions, biometric or genetic data, etc.) through the website.

03 — Section

Why we collect it (legal bases)

Under EU/UK GDPR and the Kenya Data Protection Act 2019, we rely on the following legal bases:

  • Legitimate interests — responding to your enquiry, providing information about our services, operating the website, and protecting it from abuse or fraud.
  • Performance of a contract — when you engage us for paid work, processing personal data necessary to deliver the agreed services.
  • Consent — for any optional uses (for example, if you ever opt-in to a newsletter). You can withdraw consent at any time.
  • Legal obligation — keeping records for tax, accounting, and statutory compliance.

04 — Section

Who we share data with

We do not sell, rent, or trade your personal data. We share it only with the following categories of processors, each bound by data processing agreements:

  • Vercel Inc. — hosting, deployment, analytics, and speed insights for the website. Vercel processes data in the United States and other regions; it is certified under the EU–US Data Privacy Framework.
  • Resend Inc. — delivery of contact-form submissions to our inbox and (when applicable) transactional emails. Processed in the United States.
  • Anthropic PBC — where you knowingly use AI-assisted features in any product we provide, prompts and responses may be processed via Anthropic's Claude API. Anthropic operates a zero-data-retention policy for commercial API traffic.
  • Professional advisors and authorities — accountants, lawyers, or regulators where required by Kenyan or applicable foreign law.

We do not allow our processors to use your data for their own purposes.

05 — Section

How long we keep it

  • Contact-form enquiries: up to 24 months from your last interaction, after which we delete or anonymise the record.
  • Engagement records (clients): for the duration of the engagement plus 7 years to meet Kenyan tax and statutory record-keeping obligations.
  • Analytics data: anonymised aggregates retained per Vercel's standard retention (typically 30–90 days for raw, longer for aggregate).

You can request earlier deletion at any time, subject to our legal retention obligations.

06 — Section

Your rights

Under the Kenya Data Protection Act 2019, EU/UK GDPR, and the California Consumer Privacy Act (CCPA), you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your personal data ("right to be forgotten").
  • Restriction — ask us to stop processing your data in certain circumstances.
  • Portability — receive your data in a structured, commonly-used format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent.
  • Non-discrimination (CCPA) — we will not deny services or charge you differently for exercising your rights.
  • Lodge a complaint — with the Office of the Data Protection Commissioner of Kenya, your local EU data protection authority, the UK Information Commissioner's Office, or the California Attorney General.

To exercise any of these rights, email peter@spideylabs.tech with the subject “Data subject request.” We respond within 30 days.

07 — Section

How we protect your data

We apply industry-standard organisational and technical safeguards, including: TLS 1.3 encryption in transit, encryption at rest with our providers, role-based access controls, least-privilege credentials, two-factor authentication on operational accounts, and regular security reviews of dependencies.

No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you and the relevant supervisory authorities within 72 hours of becoming aware, where required by law.

08 — Section

International transfers

We are based in Kenya. Some of our processors (Vercel, Resend, Anthropic) are based in the United States. When personal data is transferred outside Kenya or the European Economic Area, we rely on appropriate safeguards including Standard Contractual Clauses, the EU–US Data Privacy Framework, and processor certifications.

09 — Section

Children's data

Our services are directed at businesses and adults. We do not knowingly collect personal data from children under 16 years of age. If you believe a child has provided us with personal data, please contact us and we will delete it.

10 — Section

Cookies

We use the minimum set of cookies needed to operate the site:

  • Strictly necessary — session handling, security tokens. Cannot be disabled.
  • Analytics — Vercel Analytics and Speed Insights, which do not use cross-site tracking and respect "Do Not Track" headers.

We do not use advertising, marketing, or third-party retargeting cookies. You can control cookies through your browser settings.

11 — Section

Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version with an updated effective date at this URL. If we make a material change, we will give reasonable notice (typically by email to active clients and prominent notice on the site).

12 — Section

Questions or complaints

For any privacy question, complaint, or data subject request, contact: peter@spideylabs.tech. You also have the right to complain to the Office of the Data Protection Commissioner of Kenya (odpc.go.ke) or your local data protection authority.

Last updated: 20 May 2026

Terms of Service →Contact us