Privacy Policy

Privacy Policy for Almasi Experience

Effective Date: July 8, 2025

At Almasi Experience ("we," "us," or "our"), a full-service Event Planning and Management Company, we are deeply committed to protecting the privacy and security of your personal data in compliance with the Kenya Data Protection Act (DPA) 2019. This Privacy Policy outlines how we collect, use, store, and protect your personal data, whether confidential or non-confidential, when you engage with our event planning and management services, visit our website (www.almasiexperience.com), receive our proposals, or interact with us. We aim to be transparent about our data practices and ensure you understand your rights as a data subject.

1. Scope of This Policy This Privacy Policy applies to all personal data collected by Almasi Experience in the course of our business activities, including:

• Data provided by clients, prospective clients, employees, contractors, and partners.

• Data collected through our website, email communications, event proposals, surveys, or during event planning and execution.

• Both confidential data (e.g., event budgets, guest lists, specific preferences) and non-confidential data (e.g., contact information, event type preferences).

2. Data Controller Almasi Experience, registered in Kenya, is the data controller responsible for your personal data. For inquiries, contact our Data Protection Officer (DPO) at:

Email: info@almasiexperience.com Phone: +254 755160169 Address: Nandi Flame Road, Nairobi/Kenya.

3. Principles of Data Processing In accordance with the DPA 2019, we process personal data based on the following principles:

• Lawfulness, Fairness, and Transparency: We process data legally, fairly, and with clear communication to data subjects.

• Purpose Limitation: We collect data for specific, explicit, and legitimate purposes related to event planning and management.

• Data Minimization: We collect only the data necessary for the intended purpose.

• Accuracy: We ensure data is accurate and updated where necessary.

• Storage Limitation: We retain data only for as long as required for the purpose or as mandated by law.

• Integrity and Confidentiality: We protect data with appropriate security measures.

• Accountability: We take responsibility for complying with the DPA 2019.

4. Types of Data We Collect We collect and process the following categories of personal data:

• Contact Information: Name, email address, phone number, postal address.

• Event-Specific Data: Event type, date, location, guest lists, dietary requirements, budget details, special requests, vendor preferences, and feedback on services.

• Identification Data: National ID number or passport details (only when necessary for specific event requirements like venue bookings, travel arrangements, or compliance with regulatory bodies).

• Financial Data: Payment information, billing address, or other financial details necessary for processing payments or refunds related to our services.

• Employee/Contractor Data: Job role, department, performance data, or training records for internal processes related to event staffing and coordination.

• Website Usage Data: IP address, browser type, pages visited, and cookies (if applicable).

• Survey/Feedback Data: Responses to surveys or feedback forms used for improving our event services.

• Other Data: Any additional data you voluntarily provide, such as preferences or comments in proposals or communications related to your event.

5. How We Collect Your Data We collect personal data through:

• Direct Interactions: When you provide data via inquiry forms, emails, service contracts, event proposals, consultations, or during the event planning process.

• Website: Through contact forms, service inquiry forms, or analytics tools (e.g., cookies, with your consent).

• Surveys and Feedback: Through tools like online forms or direct communication for post-event feedback or service improvement.

• Third Parties: From partners, venues, or service providers (e.g., caterers, entertainment providers, travel agencies) involved in your event, with your consent or where legally permitted.

• Public Sources: Social media profiles, business listings, or public records, where relevant to understanding your event needs or business profile.

6. Purposes and Legal Basis for Processing We process personal data for the following purposes, with the corresponding legal basis under the DPA 2019:

• To Provide Event Planning and Management Services: Processing client data, guest lists, and event specifications to deliver our services. Legal Basis: Contractual necessity (to fulfill our contract with you).

• To Communicate: Sending proposals, event updates, reminders, or responses to inquiries. Legal Basis: Legitimate interest (to manage client relationships) or consent (for marketing communications).

• To Improve Services: Analyzing feedback or event data to enhance our offerings and service quality. Legal Basis: Legitimate interest or consent.

• To Comply with Legal Obligations: Meeting regulatory requirements (e.g., tax laws, health and safety regulations for events). Legal Basis: Legal obligation.

• To Ensure Security: Protecting our systems, data, and event operations from unauthorized access or incidents. Legal Basis: Legitimate interest.

• To Conduct Marketing and Promotions: Sending information about our services, promotions, or events (with your consent where required). Legal Basis: Consent or legitimate interest.

7. Consent Where consent is the legal basis for processing, we will:

• Obtain explicit consent before collecting or processing sensitive personal data (e.g., specific health-related dietary requirements or identification numbers for travel).

• Provide clear information about the purpose of data collection.

• Allow you to withdraw consent at any time by contacting our DPO at info@almasiexperience.com. Withdrawal of consent will not affect the lawfulness of prior processing.

8. Data Sharing We may share your personal data with:

• Service Providers: Third-party vendors (e.g., venues, caterers, florists, entertainment, photographers, travel agencies) who process data on our behalf to facilitate your event, under DPA-compliant contracts.

• Partners: Other businesses involved in specific event collaborations, with your consent or where legally required.

• Regulatory Authorities: To comply with legal obligations (e.g., tax authorities, local government bodies for event permits).

• Internal Teams: Employees or contractors who need access to perform their duties related to your event, with strict access controls.

We do not sell or share your personal data for marketing purposes without your explicit consent.

9. Data Security We implement appropriate technical and organizational measures to protect your data, including:

• Encryption: Using SSL/TLS encryption for data transmission on our website and secure storage for sensitive data like payment details.

• Access Controls: Restricting data access to authorized personnel only on a need-to-know basis.

• Anonymization: Anonymizing data where possible for analysis or internal reporting.

• Secure Vendors: Ensuring third-party providers involved in your event comply with DPA 2019 standards regarding data security.

• Regular Audits: Conducting data protection reviews to identify and mitigate risks.

In the event of a data breach, we will notify the Office of the Data Protection Commissioner and affected data subjects within 72 hours, as required by the DPA 2019.

10. Data Retention We retain personal data only for as long as necessary to fulfill the purpose for which it was collected or to comply with legal requirements:

• Client Event Data: Retained for the duration of the event planning and execution and up to 7 years thereafter, as required by Kenyan tax and business laws for record-keeping.

• Prospective Client Data: Retained for up to 2 years from last contact unless they become a client or withdraw consent.

• Employee/Contractor Data: Retained for the duration of employment/contract and up to 7 years post-termination, per legal requirements.

• Website Data: Cookies and analytics data retained for up to 12 months, with your consent.

After the retention period, data is securely deleted or anonymized.

11. Your Rights as a Data Subject Under the DPA 2019, you have the following rights:

• Right to be Informed: To know how your data is collected and used (as outlined in this policy).

• Right to Access: To request a copy of your personal data held by us.

• Right to Rectification: To correct inaccurate or incomplete data.

• Right to Erasure: To request deletion of your data, where no legal basis for retention exists.

• Right to Restrict Processing: To limit how we process your data in certain circumstances.

• Right to Data Portability: To receive your data in a structured, machine-readable format.

• Right to Object: To object to processing based on legitimate interests or direct marketing.

• Right to Withdraw Consent: To withdraw consent at any time, without affecting prior processing.

To exercise these rights, contact our DPO at info@almasiexperience.com. We will respond within 30 days, as required by the DPA 2019.

12. International Data Transfers If personal data is transferred outside Kenya (e.g., to cloud servers used by third-party providers for project management tools or specific event platforms), we ensure:

• The recipient country has adequate data protection laws, as determined by the Office of the Data Protection Commissioner.

• Appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules.

• Your consent is obtained for such transfers, where required for your specific event.

13. Cookies and Website Tracking Our website may use cookies to enhance user experience and analyze site usage. Cookies are small text files stored on your device. We use:

• Essential Cookies: For website functionality (e.g., navigation, keeping you logged in if applicable).

• Analytics Cookies: To track site performance (e.g., Google Analytics, anonymized data to understand website traffic).

• Marketing Cookies: For personalized content or advertising (only with your explicit consent).

You can manage cookie preferences via your browser settings. For more details, please refer to our separate Cookie Policy [if you create one, otherwise remove this sentence and expand on cookie details here].

14. Data Protection Impact Assessments (DPIAs) For high-risk processing activities (e.g., large-scale collection of guest data for major events), we conduct DPIAs to identify and mitigate risks, as required by the DPA 2019. Our DPO oversees these assessments to ensure compliance.

15. Complaints If you have concerns about how we handle your data, please contact our DPO at info@almasiexperience.com. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner:

Email: complaints@odpc.go.ke Address: Office of the Data Protection Commissioner, CA Centre, Waiyaki Way, Nairobi, Kenya

16. Changes to This Privacy Policy We may update this Privacy Policy to reflect changes in our practices or legal requirements. Updates will be posted on our website (https://www.almasiexperience.com/privacy-policy) and, where required, communicated to you via email or other means. The effective date at the top of this policy will be updated accordingly.

17. Contact Us For questions, concerns, or to exercise your data subject rights, contact our Data Protection Officer:

Email: info@almasiexperience.com Phone: +254 755160169 Address: Nandi Flame Road, Nairobi/Kenya.

Thank you for trusting Almasi Experience with your personal data. We are committed to safeguarding your privacy and ensuring compliance with the Kenya Data Protection Act 2019.