Who we are
Clay & Associates Advocates (“the Firm”, “we”, “us”, or “our”) is committed to protecting and respecting your privacy. This privacy policy explains how we collect, use, store, and protect your personal data when you visit our website (clay-law.com), contact us, or instruct us to act on your behalf.
This policy is published in compliance with the Data Protection Act No. 24 of 2019 (the “DPA 2019”) and the regulations made thereunder. We are not registered with the Office of the Data Protection Commissioner as a data controller as we do not currently meet the threshold for registration but this status may change over time and this policy will be updated.
1. Data Controller
1. The data controller responsible for your personal data is Clay & Associates Advocates, a law firm registered and practising in Kenya, with offices at Nextgen Mall, Mombasa Road, 5th Floor, Suite 6, P.O. Box 38811-00100, Nairobi, Kenya.
2. For any questions about this policy or your personal data, contact us at: solutions@clay-law.com or +254 20 2100 999.
2. Personal Data We Collect
We collect personal data in the following circumstances and categories:
2.1 When you visit our website
3. We collect technical data including your IP address, browser type and version, operating system, referring URL, pages visited, time and date of visit, and time spent on pages. This data is collected automatically through cookies and similar technologies.
2.2 When you contact us
4. When you submit an enquiry through our website contact form, email us, call us, or contact us via WhatsApp, we collect the personal data you provide, which may include your name, email address, telephone number, company or organisation name, and the details of your legal enquiry.
2.3 When you instruct us
5. When you engage us to provide legal services, we collect personal data necessary for the provision of those services, which may include your full name and contact details, national identification number or passport number (for KYC/AML compliance), KRA PIN, corporate registration documents (CR12, beneficial ownership register), financial information relevant to your matter, court documents and correspondence, and any other personal data that is relevant to the legal services we provide.
2.4 Sensitive personal data
6. In the course of providing legal services, we may process sensitive personal data as defined by the DPA 2019, including data relating to criminal proceedings, health information (where relevant to a matter), and biometric data. We process such data only where it is necessary for the provision of legal services or where we have your explicit consent.
3. How We Use Your Personal Data
7. We use your personal data for the following purposes: (a) to respond to your enquiries and communicate with you; (b) to provide legal services, including the management of your matter, preparation of legal documents, court filings, and correspondence; (c) to comply with our legal and regulatory obligations, including anti-money laundering and know-your-client requirements under the Proceeds of Crime and Anti-Money Laundering Act; (d) to comply with our professional obligations under the Advocates Act (Cap 16) and the rules of the Law Society of Kenya; (e) to administer our website and improve its functionality; (f) to send you legal updates and information about our services, where you have consented to receive such communications; and (g) to establish, exercise, or defend legal claims.
4. Legal Basis for Processing
8. Under the DPA 2019, we process your personal data on the following legal bases: (a) Consent: where you have given us clear consent to process your personal data for a specific purpose, such as receiving our newsletter or legal updates; (b) Contract: where processing is necessary for the performance of a contract with you, including the provision of legal services under an engagement letter; (c) Legal obligation: where processing is necessary for compliance with a legal obligation to which we are subject, including AML/KYC requirements, tax reporting obligations, and court orders; (d) Legitimate interests: where processing is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include the administration of our practice, the improvement of our services, and the protection of our legal rights.
5. Data Sharing
9. We do not sell your personal data to third parties. We may share your personal data with the following categories of recipients where necessary: (a) courts, tribunals, and regulatory bodies, where required for the conduct of your matter or by law; (b) the Kenya Revenue Authority, as required by tax legislation; (c) the Financial Reporting Centre, as required by POCAMLA; (d) opposing parties and their legal representatives, where necessary in the conduct of litigation or negotiations on your behalf; (e) our technology service providers who process data on our behalf, including Zoho Corporation (practice management and email), Microsoft (cloud services), and Namecheap (website hosting). These processors are contractually required to protect your data and process it only on our instructions; (f) other law firms, where we refer a matter or part of a matter with your consent; and (g) our outsourced accountant, for payroll and tax compliance purposes (where relevant to employment matters).
6. International Data Transfers
10. Some of our technology service providers process data outside Kenya. Where your personal data is transferred outside Kenya, we ensure that appropriate safeguards are in place in accordance with Section 48 of the DPA 2019. These safeguards may include contractual clauses, the recipient country’s adequacy determination by the Data Protection Commissioner, or your explicit consent.
7. Data Security
11. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted communications (SSL/TLS), password-protected access to our practice management systems with two-factor authentication, restricted access to client files on a need-to-know basis, physical security of our office premises, and regular backup of electronic data.
8. Data Retention
12. We retain your personal data only for as long as necessary for the purposes for which it was collected. Our standard retention periods are: (a) client matter files: seven years after the closure of the matter, in accordance with the Law Society of Kenya’s guidance on file retention and the Limitation of Actions Act (Cap 22); (b) enquiry data (where no engagement follows): twelve months from the date of the last communication; (c) website analytics data: twenty-four months; (d) marketing consent records: retained for the duration of your consent plus twelve months after withdrawal.
13. At the end of the applicable retention period, personal data is securely deleted or anonymised. Physical files are disposed of by confidential shredding.
9. Your Rights
Under the DPA 2019, you have the following rights in relation to your personal data:
14. Right of access: You have the right to request confirmation of whether we process your personal data and, if so, to request a copy of that data.
15. Right to rectification: You have the right to request that we correct any inaccurate personal data we hold about you.
16. Right to erasure: You have the right to request that we delete your personal data, subject to any legal or regulatory obligation that requires us to retain it.
17. Right to restrict processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
18. Right to data portability: You have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format.
19. Right to object: You have the right to object to the processing of your personal data on grounds relating to your particular situation.
20. Right to withdraw consent: Where we process your personal data based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
21. To exercise any of these rights, contact us at solutions@clay-law.com. We will respond to your request within thirty days.
10. Cookies
22. Our website uses cookies and similar technologies. Cookies are small text files placed on your device when you visit our website. We use the following types of cookies: (a) Strictly necessary cookies: required for the website to function and cannot be switched off. They include session cookies that maintain your browsing session. (b) Analytics cookies: help us understand how visitors use our website by collecting information about pages visited, time spent, and navigation patterns. We use Google Analytics for this purpose. (c) Functional cookies: enable enhanced functionality and personalisation.
23. You can manage your cookie preferences through the cookie consent banner that appears when you first visit our website. You can also control cookies through your browser settings. Disabling cookies may affect the functionality of the website.
11. Changes to This Policy
24. We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. The date of the most recent revision is shown at the top of this page. We encourage you to review this policy periodically.
12. Complaints
25. If you have a complaint about how we handle your personal data, please contact us first at solutions@clay-law.com. We will investigate your complaint and respond within thirty days.
26. If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner at complaints@odpc.go.ke or by writing to the Office of the Data Protection Commissioner, P.O. Box 76aborez, Nairobi, Kenya.
