GDPR & Data Protection
Our compliance with the EU General Data Protection Regulation and Kenya’s Data Protection Act 2019. Your data rights, explained clearly.
GDPR & Data Protection Statement
HostGuru is committed to full compliance with the EU General Data Protection Regulation (GDPR) and Kenya’s Data Protection Act 2019 (DPA 2019). This document describes our data protection practices, your rights, and how we implement the principles of both frameworks.
1 Our Role: Controller vs Processor
HostGuru acts as a data controller for personal data we collect about our customers (name, email, billing information) when providing our services. HostGuru acts as a data processor for any personal data you store on our infrastructure as part of your own website or application — in that case, you are the data controller and we process data only on your documented instructions.
2 Data Protection Principles
We adhere to the following principles in all data processing activities:
- Lawfulness, fairness and transparency: we process data on a valid legal basis and are open about how we use it.
- Purpose limitation: data collected for one purpose is not used for unrelated purposes.
- Data minimisation: we collect only what is strictly necessary for the stated purpose.
- Accuracy: we keep personal data up to date and correct inaccuracies promptly.
- Storage limitation: data is deleted or anonymised when no longer needed.
- Integrity and confidentiality: we protect data using appropriate technical and organisational security measures.
3 Your Rights Under GDPR & DPA 2019
You have the following rights, which we will honour within the statutory timeframes:
- Right of access (Article 15 GDPR / S.26 DPA): request a copy of all personal data we hold about you, free of charge, within 30 days.
- Right to rectification (Article 16 / S.27): correct inaccurate data without undue delay.
- Right to erasure (Article 17 / S.28): “right to be forgotten” where no legal basis exists for continued processing.
- Right to restriction (Article 18 / S.29): restrict how we use your data while a dispute is resolved.
- Right to portability (Article 20 / S.30): receive your data in a structured, machine-readable format (JSON or CSV).
- Right to object (Article 21 / S.31): object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making (Article 22 / S.32): not to be subject to solely automated decisions with significant effects.
To exercise any right, email [email protected] with your account email and the specific right you wish to exercise. We will respond within 30 days.
4 Data Protection Officer
HostGuru has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with GDPR and the DPA 2019. The DPO can be contacted at [email protected]. The DPO reports directly to senior management and has no conflict of interest in carrying out their duties.
5 International Data Transfers
Customer data is primarily stored in our data centres located in Nairobi, Kenya. Where we engage third-party processors based outside Kenya (e.g. payment processors, analytics providers), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.
6 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach, as required by the DPA 2019. We will also notify affected individuals without undue delay if the breach is likely to result in a high risk to those individuals.
7 Hosting Customers as Data Controllers
If you use HostGuru hosting to run a website or application that collects personal data from your own users, you are the data controller for that data. You are responsible for ensuring your own compliance with GDPR and the DPA 2019, including having a Privacy Policy on your site, obtaining valid consent where required, and responding to your users’ data rights requests. HostGuru acts solely as your data processor and will process your users’ data only on your instructions.
8 Regulatory Authorities
If you believe your data rights have been violated, you have the right to lodge a complaint with:
- Kenya: Office of the Data Protection Commissioner (ODPC) — odpc.go.ke
- EU residents: the supervisory authority in your EU member state of residence.
We encourage you to contact us first at [email protected] so we can address your concern directly.