Data Privacy and Protection Policy

Your privacy is our priority. Learn how we handle your data.

Last Updated: 12/11/2025

1. Introduction

Welcome to steepconnect.org ("we," "us," or "our"). We are committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use our website and services (steepconnect.org).

This policy is prepared in strict compliance with the Kenya Data Protection Act, 2019 (DPA), and its associated regulations. By using our services, you acknowledge that you have read and understood this policy.

For the purpose of the DPA, steepconnect.org is the Data Controller of the personal data you provide.

2. What Data We Collect

We collect different types of data to provide and improve our services to you.

A. For Job Seekers (Data Subjects)

  • Personal Identification Data: Your full name, email address, phone number, physical address, and (where required for verification) a copy of your National ID or Passport.
  • Professional & Employment Data: Your Curriculum Vitae (CV) or resume, cover letter, employment history, educational background, professional qualifications, skills, and references.
  • Account Data: Your username, password, and profile picture.
  • Sensitive Personal Data: We may collect data on gender, disability, or ethnicity only for diversity monitoring or if required by an employer, and only with your explicit consent.

B. For Employers (Data Controllers/Processors)

  • Contact Person Data: Full name, business email address, and phone number of the company representative.
  • Company Data: Company name, KRA PIN, physical address, and billing information.

C. Technical & Usage Data

  • Log Data: Your IP address, browser type, operating system, and the pages you visit on our site.
  • Cookie Data: We use cookies to manage sessions, remember your preferences, and analyze site traffic. (Please see our separate Cookie Policy.)

3. How We Use Your Personal Data

We process your data for the following specific, legitimate, and lawful purposes:

  • To Provide Services: To create and manage your account, allow you to search for jobs, and submit applications.
  • To Facilitate Recruitment: To share your Job Seeker profile and application (including your CV) with Employers you choose to apply to.
  • For Communication: To send you service notifications, job alerts, newsletters (with your consent), and responses to your inquiries.
  • For Analytics & Improvement: To understand how our services are used, to improve our website's functionality, and to enhance user experience.
  • For Legal Compliance: To comply with our legal obligations, court orders, or requests from government authorities like the Office of the Data Protection Commissioner (ODPC).

4. Our Legal Basis for Processing

We only process your personal data when we have a valid legal basis under the DPA, 2019:

  • Consent: We rely on your explicit consent when you create an account, upload your CV, and actively apply for a job. You may withdraw your consent at any time.
  • Contract: We process your data to fulfill our contractual obligations to you (i.e., to provide the job board services you registered for).
  • Legitimate Interest: We may process data for our legitimate interests, such as improving our service or preventing fraud, provided your rights and freedoms do not override these interests.

5. Data Sharing and Disclosure

We do not sell your personal data. We only share it in the following limited circumstances:

  • With Employers: When you, as a Job Seeker, apply for a job, your application data (CV, cover letter, profile) is shared with that specific Employer.
  • With Third-Party Service Providers: We use vendors for services like cloud hosting (e.g., AWS, Azure), email delivery, and payment processing. These vendors act as Data Processors and are contractually bound to protect your data and only use it for the purpose we instruct.
  • For Legal Reasons: We may disclose your data if required by Kenyan law, a search warrant, a court order, or to the ODPC.

6. Data Security and Storage

We take the security of your data seriously. We have implemented appropriate technical and organizational measures to prevent unauthorized access, use, alteration, or disclosure of your data. These include:

  • Encryption: Using SSL/TLS to encrypt data in transit.
  • Access Controls: Restricting access to personal data to only those employees and contractors who need it to perform their jobs.
  • Regular Audits: Conducting regular security assessments and vulnerability scans.
  • Data Breach Protocol: We have a procedure in place to notify you and the ODPC in the event of a data breach, as required by the DPA.

7. Data Retention

We will only retain your personal data for as long as is necessary to fulfill the purposes for which it was collected.

  • Active Accounts: We retain your profile data as long as your account is active.
  • Inactive Accounts: If your account is inactive for a specified period (e.g., 36 months), we will contact you before permanently deleting your personal data.
  • Legal Holds: We may retain data for longer if required to comply with legal, tax, or regulatory obligations.

8. Your Rights as a Data Subject

Under the Kenya Data Protection Act, 2019, you have the following rights over your personal data:

  1. Right to be Informed: To know how and why we are processing your data (as set out in this policy).
  2. Right of Access: To request a copy of the personal data we hold about you.
  3. Right to Rectification: To correct any inaccurate or incomplete data we hold about you.
  4. Right to Erasure: To request the deletion of your personal data (the "right to be forgotten") where there is no compelling reason for us to keep it.
  5. Right to Restrict Processing: To block or suppress the processing of your data in certain circumstances.
  6. Right to Data Portability: To request your data in a machine-readable format to transfer it to another service.
  7. Right to Object: To object to the processing of your data, particularly for direct marketing.

To exercise any of these rights, please contact our Data Protection Officer at the email address below.

9. International Data Transfers

Our services may be hosted on servers located outside of Kenya. If we transfer your personal data out of Kenya, we will ensure that the transfer complies with the DPA, 2019, by ensuring the destination country has adequate data protection laws or by implementing appropriate safeguards (such as standard contractual clauses).

10. Changes to This Privacy Policy

We may update this policy from time to time to reflect changes in our practices or for legal reasons. We will notify you of any significant changes by posting the new policy on our website and/or sending an email to your registered address.

11. How to Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your data, please contact our Data Protection Officer (DPO):

Email: privacy@steepconnect.org

You also have the right to lodge a complaint with the supervisory authority:

The Office of the Data Protection Commissioner (ODPC)
Britam Tower, 12th & 13th Floor
Hospital Road, Upper Hill – Nairobi
Email: info@odpc.go.ke