NgenoTech Global

Data Retention Policy

How long we keep your data and why

Last updated: June 2026

1. Purpose

NgenoTech Global is committed to responsible data management in compliance with the Kenya Data Protection Act, 2019. This policy explains what data we collect, how long we retain it, and how it is disposed of securely.


2. Scope

This policy applies to all personal data processed by NgenoTech Global, including data collected through:

  • Our website (ngenotechglobal.co.ke)
  • User account registration
  • Software purchases and downloads
  • Customer support communications
  • Marketing and newsletter subscriptions


3. Data Retention Schedule

Account information (name, email, password hash): 12 months after deletion

Purchase and payment records: 7 years

Download access logs: 3 years

Customer support emails: 3 years

Marketing consent records: until consent withdrawn + year

Website analytics data (anonymised): 26 months

Security and access logs: 12 months

User action logs (admin audit trail): 2 years


4. Data Deletion

When the retention period expires or when a valid deletion request is received (and no legal retention requirement overrides it), data is deleted or anonymised using secure methods:

  • Database records are permanently deleted (not just soft-deleted)
  • Backup copies containing the data are overwritten within 30 days of scheduled deletion
  • Anonymised analytics data may be retained indefinitely as it cannot be linked to an individual

5. Data Subject Rights

Under the Kenya Data Protection Act, 2019, you have the right to:

  • Access: Request a copy of your personal data we hold
  • Correction: Request correction of inaccurate data
  • Deletion: Request erasure of your data (where no legal retention requirement applies)
  • Portability: Receive your data in a machine-readable format
  • Object: Object to processing based on legitimate interest

Requests are processed within 30 days. To make a request, contact us at info@ngenotechglobal.co.ke.


6. Security of Retained Data

All retained data is protected with appropriate technical and organisational measures:

  • Database encryption at rest
  • HTTPS for data in transit
  • Hashed and salted passwords (bcrypt)
  • Role-based access controls: only authorised staff can access personal data
  • Regular security audits


7. Third-Party Processors

Where data is processed by third parties on our behalf (e.g. payment gateways, email providers), we ensure those parties maintain equivalent or higher data protection standards and do not retain data beyond what is necessary.


8. Policy Review

This Data Retention Policy is reviewed annually or when there are significant changes to applicable laws or our data processing activities. The current version supersedes all previous versions.