ACAIGO PRIVACY NOTICE

WHO WE ARE

The African Centre for AI Governance and Oversight (ACAIGO) is a company incorporated in Kenya pursuant to the provisions of the Companies Act, 2015.

WHAT WE DO

The African Centre for AI Governance and Oversight is a pan-African organization committed to supporting organizations across Africa in the responsible, secure, and effective adoption of AI systems in line with existing policy frameworks and international best practices, including helping businesses and institutions navigate the complex and evolving data protection landscape to meet their compliance obligations across multiple jurisdictions. The Centre also works directly with governments and regulatory bodies, providing evidence-based research and expert guidance to inform the design and implementation of effective AI policies and legal frameworks. Throughout this Privacy Notice, we will refer to the organization as “The Centre”, “ACAIGO”, “We”, “Our” or “Us”.

WHAT DOES THIS NOTICE COVER?

This Privacy Notice describes how the Centre collects, uses, shares or otherwise manages your personal data in your interaction with us.

We will hold and manage your information differently, depending on your relationship with Us. ACAIGO could be in possession of your information when you

Visit our website www.acaigo.africa and any other sites or applications containing a link to this Privacy Notice or
Interact with us offline (for example when you attend any of our events or physical training sessions).
When we provide services to you

In certain circumstances, where we collect personal information for new or additional purposes, we will provide you with specific privacy information at the time your information is collected. Where separate privacy notices have been provided and are applicable, those notices will govern our interactions with you instead of this Privacy Notice.

If you are visiting our website, please read this Privacy Notice alongside our Cookie Privacy Notice, which is available on our website.

If you share personal information about someone other than yourself (for example, a friend or family member), you are responsible for ensuring that you comply with all relevant privacy and data protection laws beforehand, including obtaining their consent where this is required.

Our website is intended for a general audience and is not directed at children. We do not knowingly collect, use, or retain personal data relating to individuals under the age of 18. If you have reason to believe that we may hold personal data about a child, please contact us promptly at "info@acaigo.africa" and we will take appropriate steps to investigate and where confirmed we will address the matter appropriately.

If there is any inconsistency between this Privacy Notice and applicable local laws, the requirements of the local laws will take precedence.

DEFINITIONS

Personal information: any information that can be used to identify you or can be linked directly to you.

Processing: means any operation or sets of operations which we perform on your personal data whether or not by automated means, such as (a) collection, recording, organization, structuring; (b) storage, adaptation or alteration; (c) retrieval, consultation or use; (d) disclosure by transmission, dissemination, or otherwise making available; or (e) alignment or combination, restriction, erasure or destruction.

Data Controller: means a person who makes decisions about how and why your information is used and have a responsibility to make sure that your rights are protected. For the purposes of the Kenyan Data Protection Act, 2019 ACAIGO is a “controller” of your personal data as it is described in this Privacy Notice.

Data Processors: A person or entity that processes personal data on behalf of a Data Controller.

Data Protection Legislation: The Kenyan Data Protection Act, 2019 and its attendant regulations and any legislation implemented in connection with data protection in your jurisdiction.

HOW CAN YOU CONTACT ACAIGO?

If you would like to exercise one of your rights as set out in this Privacy Notice, or you have a question, query, or complaint about this Privacy Notice or the way we are managing your personal data please contact Our Data Protection Officer via email: info@acaigo.africa

HOW DO WE COLLECT YOUR PERSONAL INFORMATION?

We may collect and process your personal information directly from you when you

Visit our website
Contact us by phone
Complete a contact form
Meet with or engage with us at events or conferences
Interact with us on social media platforms
When you respond to our surveys

In some cases, we may collect your information indirectly such as

1. From publicly available sources including social media sites (e.g., LinkedIn) or news articles.

2. Referrals from our current employees or clients

3. Third parties including other organizations and industry experts: We collaborate with a network of organizations and industry experts to identify talented individuals and connect them with relevant opportunities in the AI and data governance space. Such opportunities may include employment positions, fellowships, volunteer roles, professional training programmes, and conferences. As part of this process, our partner organizations and industry experts may share personal data with us relating to individuals they work with including job applicants, employees, and volunteers. We use this data for the following purposes:

To assess individuals as potential recipients of our programmes or services
To deliver services to them directly
To consider them for specific roles or opportunities within our network

4. Referees: As part of our recruitment process, you may be asked to provide the contact details of individuals who can speak to your professional background or suitability for a role. Where you provide such details, we will contact those referees and may collect personal data about you from them in the course of assessing your application. Please ensure that any referee you nominate is aware that you have provided their details and that we may contact them for this purpose.

WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?

Identity and Contact Data such as your name, profession, date of birth, mailing address, email address, and phone number. We may request additional information to verify your identity in exceptional situations.
Demographic Information such as country of residence, gender, and age
Service Engagement with US such as your attendance at relevant virtual or in-person events, or activities on the Websites.
Any other personal data that you choose to share with Us, which given the nature of Our services, is not likely to be sensitive personal data
We may collect certain personal data directly from the devices you use to access our website or services. For full details of what is collected, how it is used, and how you can manage your preferences, please refer to our www.acaigo.africa/cookiepolicy Unless we specifically request it, we ask that you not provide us with any sensitive personal information (e.g. information relating to your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of your children, parents, spouse or spouses, sex or your sexual orientation)

WHAT LAWFUL BASIS DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATIONS?

We are committed to processing your personal data lawfully, fairly, and transparently. We will only use, store, or transfer your information where we have a legitimate purpose and a recognized legal basis under applicable data protection law. Below, we set out those purposes and the corresponding legal grounds that justify them.

Purpose of processing.	Category of personal data.	Lawful basis for processing.
To communicate with you in response to any enquiry, question, or request you direct to us.	Contact information, name	Legitimate interest
To address any matters you raise with us, including general enquiries, feedback, reported issues, or formal complaints,	Contact information; Complaint information; name	Legitimate interest
To manage your data subject right requests.	Contact information, name other information	Legal Obligation
Fulfilling Our contract to provide you with the agreed service.	Contact information;	Contractual performance
To maintain the integrity, safety, and security of our business operations, including our website, IT systems, and underlying technical infrastructure.	Contact information; Surveys and opinions; Complaint information; Engagement and usage; Cookies; Website security; Browser and user information;	Legitimate interest
To provide you with access to webinars and other complimentary online events for which you have registered.	Contact information	Consent
To evaluate your suitability for programmes, events, collaborations, or other opportunities offered by ACAIGO or by organizations we are supporting, and to recommend you for or reach out to you regarding any such opportunities.	Contact information, Professional background and work experience, Academic qualifications and credentials.	Consent
To plan, coordinate, and facilitate our various programmes and events, which may take the form of conferences, fellowships, courses, reading groups, retreats, or other structured engagements.	Full name, contact information, Organization or institutional affiliation, Job title or professional role, Geographic location or country of residence.	Consent

As our relationship with you develops, we may supplement the personal data we hold about you with additional information arising from your interactions with us. This may include records of services you have accessed, correspondence and agreements between us, and details of any financial transactions you have carried out with us.

We will not use your personal data in a manner that goes beyond the purposes for which it was collected. If we need to process your data for a different purpose, we will carefully assess whether that purpose is genuinely compatible with the original one before proceeding and ensure that any such use remains grounded in an appropriate legal basis.

Should we need to process your personal data for a purpose that is unrelated to the one for which it was originally collected, we will inform you of this and provide a clear explanation of the legal basis upon which such processing is justified.

There may be circumstances in which we are legally required or permitted to process your personal data without your knowledge or prior consent. Where this occurs, it will always be in accordance with applicable data protection law

HOW WE SHARE YOUR PERSONAL INFORMATION?

We may share your personal information with third parties from time to time as follows:
With organizations and individuals who provide financial support to help us sustain and expand our work.
Where necessary in connection with any actual or anticipated legal proceedings, claims, or regulatory investigations involving our organization.
With relevant regulatory and governmental bodies where we are required to do so, including tax and revenue authorities
With third-party service providers who act as Data Processors on our behalf. We engage a few specialist companies and individuals to carry out certain functions in support of our operations, such as data storage and hosting, IT maintenance, and enterprise resource planning (ERP) services. All such providers are bound by Data Processing Agreements with us, which strictly govern how they may handle your personal data. Under these agreements, they are permitted to process your data only on our explicit instructions and for no other purpose. They are prohibited from sharing your personal data with any other organization, except where we have authorized the engagement of sub-processors, who are themselves required to comply with the same contractual obligations.
With professional advisors engaged by us in the course of our operations, which may include legal counsel, accountants, auditors, and financial services providers, where such disclosure is necessary for the provision of their services to us.
With your employer or the organization on whose behalf you are engaging with us, where we have a contractual relationship with that entity, and only to the extent necessary for the delivery of our services under that contract.
With financial institutions and payment service providers involved in processing transactions carried out in connection with our services.

HOW WE SECURE YOUR PERSONAL INFORMATION

We have implemented adequate technical and organizational measures designed to protect your personal data against accidental loss, unauthorized access, misuse, alteration, or disclosure. Access to your personal data is strictly controlled and limited to those members of our staff, contractors, and trusted third parties whose roles require them to handle such data in order to support the delivery of our services. Examples of Our security measures include:

Access controls: we restrict access to our IT systems and infrastructure to authorized personnel only, ensuring that your data is accessible solely to those with a legitimate need to engage with it.
Technical and procedural safeguards: We employ a range of security measures across our systems, website, and premises, including encryption, anonymization, and archiving techniques, to protect your personal data from unauthorized access or misuse.
Third-party due diligence: Before engaging any Data Processor, we conduct thorough due diligence assessments to verify their compliance with applicable data protection legislation. We ensure that appropriate Data Processing Agreements are in place before any personal data is shared with or processed by a third party.
Staff training: All members of our team receive regular training on information security and data protection to ensure awareness of their obligations and best practices in handling personal data.
Internal policies and procedures: We maintain comprehensive internal policies governing data protection matters, including procedures for managing data breaches, security incidents, and requests from individuals exercising their data subject rights.

LINKS TO OTHER SITES

Our website may include links to external websites that are independently owned and operated by third parties. ACAIGO has no control over, and accepts no responsibility for, the privacy practices or content of any such third-party sites.

HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected. Once your personal data is no longer required for the purposes for which it was collected, we will securely delete it.

The length of time for which we retain your personal data will vary depending on the nature of the data, the purpose for which it was collected, and any applicable legal or regulatory retention requirements. There is therefore no single retention period that applies uniformly across all the personal data we hold. However, unless a longer retention period is required by law or necessary for a legitimate business purpose, we will generally not retain personal data for longer than two (2) years from the date of collection or the end of our engagement with you.

Where personal data needs to be retained beyond its standard retention period for example, in connection with anticipated or ongoing legal proceedings we will retain it for as long as is reasonably necessary for that purpose. Upon conclusion of such matters, or where retention is no longer justified, we will delete it in line with the applicable data protection legislation.

WHAT RIGHTS DO YOU HAVE?

We are committed to ensuring that the personal data we hold about you remains accurate and up to date. Should any of your personal details change at any point during your engagement with us, we would be grateful if you could notify us promptly so that we can update our records accordingly. Where we act as a Data Controller in respect of your personal data, you have the following rights under applicable data protection law

Right of Access — You are entitled to request a copy of the personal data we hold about you, along with information about how and why we are processing it
Right to Rectification — If any personal data we hold about you is inaccurate, outdated, or incomplete, you have the right to request that we correct or update it accordingly.
Right to Erasure — You may request that we delete or remove your personal data where there is no longer a justified basis for us to continue processing it. This right also applies where you have successfully exercised your right to object to processing, as set out below.
Right to Object — Where we are processing your personal data on the basis of our legitimate interests, or those of a third party, you have the right to object to that processing where you have grounds for doing so relating to your individual circumstances. You also have an unconditional right to object where your personal data is being processed for direct marketing purposes.
Right to Restriction of Processing — You may request that we temporarily suspend the processing of your personal data in certain circumstances, such as where you contest its accuracy or have objected to its processing pending our consideration of that objection
Right to Data Portability — You have the right to request that your personal data be transferred to you or to a third party of your choosing, in a structured, commonly used, and machine-readable format.
Right to Withdraw Consent — Where we are processing your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of any processing carried out prior to its withdrawal. Where we have no other legal justification or obligation exists for the processing, we will cease processing your data upon receipt of your withdrawal.

In order to safeguard your personal data and protect the privacy of others, we may be required to verify your identity before we are able to action any request you submit to us.

If you would like to exercise any of these rights, please contact info@acaigo.africa

Where we establish that the personal data to which your request relates is held by us in our capacity as a Data Processor rather than as a Data Controller, we will refer your request to the relevant Data Controller on whose behalf we are acting and will handle the matter in accordance with their instructions.

AUTOMATED DECISION MAKING AND PROFILING

We do not make decisions that would have a significant impact on you based solely on automated processing of your personal data, without human involvement.

Profile Creation

When you complete a registration or sign-up form whether through our website or at one of our events we may create a basic profile in our systems using the information you provide. This profile may include:

Your industry or sector
Your country of residence or operation
Your professional role or job title This information is used solely to ensure that any communications we send you are relevant, meaningful, and appropriately tailored to your professional background and interests.

WILL YOUR DATA BE PROCESSED OUTSIDE THE COUNTRY?

Where it is necessary to transfer your personal data to our partners, third-party service providers, or other recipients located outside Kenya, we will ensure that any such transfer is carried out in full compliance with the Data Protection Act, 2019 and that appropriate safeguards are in place to protect your personal data throughout.

Such safeguards may include entering legally recognized transfer mechanisms, such as Data Transfer Agreements as well as any other contractual or technical measures required to ensure an adequate level of protection for your personal data in the recipient country.

We will not transfer your personal data internationally unless we are satisfied that the recipient is able to provide a level of protection that is materially equivalent to that which applies within Kenya. If you would like more information about how your personal data may be transferred, please do not hesitate to contact us at "info@acaigo.africa".

HOW YOU CAN MAKE A COMPLAINT

If you are dissatisfied with the way in which we have handled your personal data, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC).

However, we would welcome the opportunity to address your concerns directly before you escalate the matter to the ODPC. If you have a complaint, we encourage you to contact us in the first instance at info@acaigo.africa. We take all complaints seriously and will make every effort to resolve your concerns promptly and to your satisfaction.

If, having contacted us, you remain dissatisfied with our response or the manner in which your complaint has been handled, you are entitled to refer the matter to the ODPC. You can submit a complaint to the ODPC through the following link: cie.odpc.go.ke/

UPDATES AND CHANGES TO THIS PRIVACY NOTICE

We reserve the right to change this Privacy Notice from time to time. We will alert you when changes have been made by indicating the date this Privacy Notice was last updated or as otherwise may be required by law. It is recommended that you periodically revisit this Privacy Notice to learn of any changes.

DOCUMENT CONTROL

Version	Updates/ Changes	Review Data
1.	First version of the Privacy Data Notice	June 2026