Privacy & Data Protection Policy
TWK Advocates LLP is committed to protecting the privacy and personal data of all individuals who interact with us. This policy explains how we collect, use, store, and protect your information in compliance with the Kenya Data Protection Act, 2019 (DPA 2019) and applicable regulations.
1. Identity of the Data Controller
TWK Advocates LLP (hereinafter "TWK", "we", "us", or "our") is the data controller for personal data collected through this website and our practice management systems.
2. What Personal Data We Collect
| Category | Data collected | Source |
|---|---|---|
| Contact enquiries | Name, phone number, email, legal matter description | AI intake bot, contact form |
| Client matters | Full name, ID number, contact details, financial information, case facts | Retainer agreements, instructions |
| Website visitors | IP address, browser type, pages visited (anonymised) | Server logs (auto-collected) |
| Staff portal users | Username, login times, actions performed | Portal authentication system |
| AI chat sessions | Messages sent to TWK AI assistant or intake bot | User-initiated conversations |
3. How We Use Your Data
3.1 Lawful Bases (Section 30, DPA 2019)
- Contract performance – processing client legal matters under our retainer
- Legitimate interest – responding to enquiries, improving our services, firm security
- Consent – AI chat conversations; you may withdraw consent at any time
- Legal obligation – anti-money laundering (POCAMLA), court filings, regulatory compliance
3.2 Purposes
- Providing legal services and client representation
- Responding to enquiries and booking consultations
- Maintaining matter files and billing records
- Complying with our regulatory obligations as advocates
- Sending case updates to clients (with consent)
- Improving the functionality of our AI-assisted tools
4. AI-Powered Features – Special Disclosure
TWK AI Assistant & Client Intake Bot: Conversations with our AI tools are processed using Anthropic's Claude API. Messages are transmitted to Anthropic's servers to generate responses. Anthropic does not retain conversation data beyond the immediate API session and does not use your data to train their models without consent. See Anthropic's Privacy Policy.
Important: Do not share sensitive personal identifiers (national ID numbers, passport numbers, bank account details, or case-sensitive privileged information) through the AI chat interface. For privileged legal communications, contact us directly by phone or email.
AI conversations are used solely to assist with your initial enquiry. They are not legal advice and do not create an advocate-client relationship until a formal retainer is signed.
5. Data Sharing and Third Parties
We do not sell your personal data. We may share data with:
- Anthropic, Inc. – AI message processing (see Section 4)
- Resend.com – Transactional email delivery (OTP codes, case update notifications)
- Hostinger International Ltd. – Web hosting and server infrastructure
- Courts and regulatory bodies – where required by law (e.g., Judiciary, LSK, KRA)
- Opposing counsel – where disclosure is required in the course of proceedings
- Expert witnesses and consultants – where instructed by you in your matter
All third-party service providers are contractually bound to handle your data in accordance with applicable data protection law.
6. Retention Periods
| Data type | Retention period | Basis |
|---|---|---|
| Client matter files | 7 years post-matter closure | Limitation of Actions Act |
| Financial records | 7 years | Income Tax Act, LSK Regulations |
| Contact enquiries (no retainer) | 12 months | Legitimate interest |
| AI chat sessions | Session only (not stored) | Consent / minimisation |
| Website logs | 90 days (anonymised) | Security / fraud prevention |
| Portal access logs | 24 months | Security obligation |
7. Your Rights Under the DPA 2019
- Right of Access: Request a copy of the personal data we hold about you (Section 26, DPA 2019)
- Right to Rectification: Request correction of inaccurate or incomplete data we hold
- Right to Erasure: Request deletion of your data where there is no lawful reason to retain it
- Right to Portability: Receive your data in a structured, commonly used, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Withdraw Consent: Withdraw consent at any time where processing is consent-based (e.g., AI chat)
To exercise any right, contact us at info@twklaw.co.ke. We will respond within 21 days as required by the DPA 2019. There is no charge for exercising your rights.
8. Security Measures
We implement appropriate technical and organisational measures to protect your data:
- Staff portal protected by password authentication + two-factor verification (email OTP)
- Automatic session lock after 30 minutes of inactivity
- All data transmitted over encrypted HTTPS connections (TLS 1.2+)
- Staff passwords stored using bcrypt hashing (not stored in plaintext)
- Access controls and role-based permissions limiting data access to authorised staff
- Audit logging of all data access and modifications
- Regular review of security practices and third-party service agreements
9. Cookies and Tracking
This website does not use tracking cookies or third-party analytics. The only technical data collected is standard web server access logs (IP address, page requested, timestamp) which are automatically anonymised after 90 days. We do not use Google Analytics, Facebook Pixel, or similar tracking technologies.
10. Cross-Border Data Transfers
Some data is transferred to servers outside Kenya (Anthropic – United States; Resend – United States; Hostinger – Lithuania). These transfers are made on the basis that the recipient countries provide adequate data protection, or are subject to appropriate contractual safeguards consistent with the DPA 2019 and Office of the Data Protection Commissioner guidance.
11. Children's Data
Our services are not directed at children under 18. We do not knowingly collect personal data from minors. Where legal matters concern children (e.g., custody proceedings), such data is processed strictly under legal professional privilege and the Children Act, 2022.
12. Changes to This Policy
We may update this policy periodically. Material changes will be notified by email to active clients. The effective date at the top of this page will always reflect the current version. Previous versions are available on request.
13. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with:
Office of the Data Protection Commissioner (ODPC)
Nairobi, Kenya
Website: www.odpc.go.ke
Email: info@odpc.go.ke
14. Contact the Data Controller
Data Protection Enquiries
For any data protection query, subject access request, or complaint, contact us directly: