BRIA Risk intelligence

Privacy Policy

Effective date: [To be set before public launch]  ·  Last updated: June 2026  ·  Governed by Kenya's Data Protection Act, 2019
This document is a working draft prepared ahead of ODPC registration. It will be reviewed by a data protection officer and updated before BRIA is made publicly available. Sections marked [Placeholder] are incomplete.

1. Who we are

BRIA Intelligence Ltd ("BRIA", "we", "us") is a Kenya-based business risk intelligence service. We are the data controller for personal data processed in connection with the BRIA API, dashboard, and related services.

Registered address: P.O. Box 12345-00100, Nairobi, Kenya.
Data Protection Officer: [Placeholder — to be appointed and registered with the ODPC before public launch.]

2. What data we collect

We collect two categories of data:

  • Account and contact data — name, work email address, organisation name, phone number (if provided), and inquiry details submitted via our contact form or pilot agreement.
  • API usage data — API key identifier, company names queried, timestamps, response codes, and volume metrics. We do not log the full content of API responses.

We do not collect special categories of personal data (health, political opinions, biometrics, etc.) as defined under Kenya's Data Protection Act, 2019.

3. How we use your data

  • To fulfil your pilot or commercial agreement and provide API access.
  • To respond to contact form submissions and support requests.
  • To monitor service health, usage limits, and detect abuse.
  • To send service-related updates (not marketing without your consent).
  • To comply with legal obligations and regulatory requirements in Kenya.

4. Legal basis for processing

Under Kenya's Data Protection Act, 2019, we process your data on the following bases:

  • Contract — processing necessary to perform your pilot or API agreement.
  • Legitimate interests — service monitoring and fraud prevention, where those interests are not overridden by your rights.
  • Consent — for any optional communications you opt into.
  • Legal obligation — where required by Kenyan law.

5. Public-record data

The BRIA database contains information drawn from Kenyan public records (court judgments, Gazette, PPRA lists, regulatory registers, news). This data is already public and is processed under the legitimate interest of enabling business due-diligence. If you believe a public-record entry about you or your company is inaccurate, contact us and we will investigate.

6. Data sharing

We share personal data only in the following circumstances:

  • Service providers — hosting (Railway), cloud storage (Cloudflare R2), and AI/LLM processing (OpenAI). Each is bound by appropriate data processing terms.
  • Legal requirement — if required by a Kenyan court order or regulatory authority.
  • Business transfer — [Placeholder — in the event of a merger or acquisition, subject to continuity of this policy.]

We do not sell personal data to third parties.

7. Data retention

  • Account and contact data is retained for the duration of your agreement plus [Placeholder — retention period, e.g. 3 years] for legal compliance.
  • API usage logs are retained for [Placeholder — e.g. 12 months] and then deleted or anonymised.

8. Your rights

Under Kenya's Data Protection Act, 2019 you have the following rights regarding your personal data:

Access Request a copy of the personal data we hold about you.
Rectification Ask us to correct inaccurate or incomplete data.
Erasure Request deletion of your data, subject to legal retention requirements.
Restriction Ask us to pause processing while a complaint is resolved.
Objection Object to processing based on legitimate interests.
Portability Receive your data in a structured, machine-readable format.

To exercise any of these rights, contact us. We will respond within the timeframe required by law. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya.

9. Cookies and tracking

The BRIA landing site does not use tracking cookies or third-party analytics. [Placeholder — update if analytics or session cookies are added before launch.]

10. Security

We apply industry-standard technical controls including encrypted transit (TLS), encrypted storage at rest, API key authentication, and access-limited production credentials. No security measure is infallible; we will notify affected users without undue delay in the event of a data breach, as required by the DPA 2019.

11. Changes to this policy

We will update this policy as the service develops. Material changes will be communicated to active users by email at least 14 days before taking effect. The effective date at the top of this page will be updated accordingly.

12. Contact

Privacy questions and data-subject requests: contact us.
Write to: BRIA Intelligence Ltd, P.O. Box 12345-00100, Nairobi, Kenya.
DPO: [Placeholder — name and email once appointed.]