TWK Advocates LLP ("TWK", "the firm", "we", "us") is committed to protecting the privacy and personal data of our clients, website visitors and other individuals we deal with. This notice explains what personal data we collect, why and how we use it, who we share it with, and the rights you have under the Data Protection Act, No. 24 of 2019 (the "DPA") and its Regulations.
1Who we are (the data controller)
TWK Advocates LLP is a law firm based in Mombasa, Kenya. For the purposes of the DPA, we act as the data controller in respect of the personal data described in this notice.
2Personal data we collect
Depending on how you interact with us, we may collect and process:
- Information you give us directly — your name, contact details, and the details of your matter when you instruct us, contact us, or request a consultation.
- Information you enter into the AI assistant ("TWK Legal Intelligence") — the questions and any details you choose to type into the chat on our website.
- Client matter data — information required to act on your instructions, which may include sensitive personal data (for example information relating to family, employment, financial or court matters), processed under our professional engagement with you.
- Technical data — limited information your browser sends automatically (such as IP address and request data) and any strictly necessary information required to operate and secure the website. Our public site does not use advertising or third-party tracking cookies.
3How and why we use your data (and our lawful basis)
We process personal data only where the DPA permits. Our lawful bases (section 30 of the DPA) include:
- Performance of a contract / taking steps at your request — to respond to enquiries, arrange consultations, and provide legal services under our engagement.
- Compliance with a legal obligation — including our obligations as advocates, anti-money-laundering and "know your client" checks, court rules, and record-keeping requirements.
- Your consent — where you voluntarily submit information (for example through the AI assistant). You may withdraw consent at any time.
- Legitimate interests — to operate, secure and improve our website and services, balanced against your rights.
4The "TWK Legal Intelligence" AI assistant
The assistant is an artificial-intelligence tool that provides general information only. It does not give legal advice and does not create an advocate–client relationship. Please do not enter confidential, sensitive, or case-identifying information into the chat. For advice on your matter, contact the firm directly.
So you understand how the assistant works with your data:
- The messages you send are transmitted to a third-party AI provider (Anthropic) which generates the response on our behalf, acting as our data processor. Your messages are used to produce the reply for your session; they are not used by us to build a profile of you.
- Any Kenyan legal authority the assistant cites is checked against the public Kenya Law database before it is shown to you; references it cannot verify are flagged rather than presented as confirmed.
- The assistant does not make any decision about you that produces legal or similarly significant effects. You therefore retain your right under section 35 of the DPA not to be subject to solely automated decision-making of that kind.
5Who we share data with
We do not sell your personal data. We may share it with:
- Service providers / processors who help us operate the firm and the website (for example our hosting provider, email provider, and the AI provider referred to above), under contractual confidentiality and data-protection terms.
- Courts, tribunals, regulators and counsel where necessary to act on your matter or comply with the law.
- Authorities where we are required to disclose information by law or court order.
6International transfers
Some of our service providers (including the AI provider that powers the assistant, and certain hosting/email infrastructure) process data on servers located outside Kenya. Where personal data is transferred outside Kenya, we take steps to ensure it is protected in accordance with sections 48 and 49 of the DPA — including relying on appropriate safeguards and/or your consent, and ensuring the recipient is bound by suitable data-protection obligations.
7How long we keep data
We keep personal data only for as long as necessary for the purposes set out above, including to meet our professional, legal, accounting and regulatory obligations, after which it is securely deleted or anonymised. Client matter files are retained for the periods required by law and professional practice. AI-assistant chats are retained only as needed to provide and secure the service.
8Your rights under the Data Protection Act
Subject to the conditions in the DPA, you have the right to:
- be informed of the use of your personal data;
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request deletion of data we no longer have a lawful basis to keep;
- object to, or request restriction of, certain processing;
- withdraw consent where processing is based on consent;
- not be subject to a decision based solely on automated processing that has legal or similarly significant effects (section 35).
To exercise any of these rights, contact us using the details in section 1. We will respond within the timelines set by the DPA. There is normally no charge, though we may decline or charge for manifestly unfounded or excessive requests as permitted by law.
9Security and data breaches
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse. Access to the firm's systems is restricted and authenticated. Where a personal-data breach occurs that meets the threshold under the DPA, we will notify the Office of the Data Protection Commissioner, and affected individuals where required, within the periods prescribed by law.
10Complaints
If you have a concern about how we handle your personal data, please contact us first so we can address it. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya — the supervisory authority under the DPA (odpc.go.ke).
11Artificial-intelligence regulation
We monitor developments in AI law and governance in Kenya. As at the date of this notice, Kenya's Artificial Intelligence Bill, 2026 has been published and is before Parliament but has not yet been enacted into law. Our use of AI tools is currently governed by the Data Protection Act, 2019 and our professional obligations as advocates. We will review and update our practices to comply with the AI Bill once it is enacted and in force.
12Changes to this notice
We may update this notice from time to time to reflect changes in our practices or the law. The "last updated" date above shows when it was last revised. Material changes will be brought to your attention where appropriate.