Privacy Policy
Last updated: 12 May 2026
This Privacy Policy explains how SkillSiteAI (“we”, “us”, or “our”) collects, uses, stores, discloses, and protects personal data when you use our web application and related services (the “Services”). We are committed to complying with the Data Protection Act, 2019 of Kenya and applicable regulations issued by the Office of the Data Protection Commissioner (ODPC).
Important notice
This document is prepared for operational transparency and good governance. It is not legal advice. Depending on your processing activities, sector, and scale, you may have additional registration, contractual, or sector-specific obligations. We recommend that you obtain independent legal advice from a qualified advocate in Kenya to confirm that this Policy meets your circumstances.
1. Who we are (data controller)
The data controller responsible for personal data processed through the Services is:
- Legal name: SkillSiteAI
- Website: https://skillsiteai.com
If and when we are required to register with the ODPC, we will update this Policy with the relevant registration particulars.
2. Scope of this Policy
This Policy applies to personal data processed when you visit our website, register for an account, sign in, configure routing (including incoming mailbox addresses, custom routing “classes”, default fallback destinations, and chat recipient lists), contact support, or otherwise interact with the Services. It does not govern third-party websites, email providers, or AI or automation tools that you may connect outside our application, except where we process personal data on their behalf strictly as instructed by you and subject to a written agreement where required by law.
3. Categories of personal data we may process
Depending on how you use the Services, we may process the following categories of personal data:
- Identity and account data: name, email address, password (stored using appropriate cryptographic hashing), and similar authentication identifiers.
- Configuration and operational data: incoming mailbox email addresses you designate, user-defined routing class names and slugs, destination email addresses (including default fallback and chat recipients), timestamps of updates, and related technical metadata necessary to operate routing.
- Technical and security data: IP address, device and browser type, approximate location derived from IP (if processed), logs of security-relevant events, and diagnostic information reasonably required to secure the Services and investigate misuse, consistent with the Computer Misuse and Cybercrimes Act and good security practice.
- Communications: messages you send to us (for example support requests) and our responses.
- Billing data (if applicable): billing contact details and transaction references. We do not store full payment card numbers on our servers where payments are handled by a regulated payment service provider.
The Services are designed to help you configure email routing. Unless we expressly offer and you expressly use inbound message storage or content processing within our application, we do not intend to process the body content of third-party emails as part of the core product described in this deployment. If that changes, we will update this Policy and, where required, obtain appropriate consent or establish another lawful basis.
4. Purposes and lawful bases (Data Protection Act, 2019)
We process personal data only for specified, explicit, and legitimate purposes. Typical purposes and lawful bases include:
- Performance of a contract (Section 30(b) DPA): to register your account, authenticate you, and provide the routing configuration features you request.
- Legal obligation (Section 30(c) DPA): to comply with court orders, lawful regulatory directions, tax and company law record-keeping (where applicable), and lawful requests from competent authorities.
- Legitimate interests (Section 30(f) DPA), balanced against your rights: to secure the Services, prevent fraud and abuse, improve reliability and performance, and analyse aggregated usage statistics that do not identify you.
- Consent (Section 30(a) DPA): where we rely on consent (for example optional marketing communications or non-essential cookies), we will obtain it separately and you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
5. How we share personal data
We may share personal data with:
- Service providers (processors) who host infrastructure, provide email delivery or logging, analytics, customer support tooling, or security services, strictly under written terms that require confidentiality and appropriate technical and organisational measures.
- Professional advisers (lawyers, auditors, insurers) where necessary and subject to professional duties of confidentiality.
- Authorities when required by applicable law or to protect vital interests.
- Corporate transactions such as a merger or acquisition, subject to appropriate confidentiality and continuity safeguards.
We do not sell your personal data.
6. International transfers
Your personal data is primarily processed in Kenya, where our systems and primary processors are located. If we transfer personal data outside Kenya, we will do so in accordance with Chapter 8 of the Data Protection Act, 2019 and applicable ODPC guidance, including, where appropriate, adequacy decisions, appropriate safeguards such as standard contractual clauses, or your explicit consent after clear information has been provided.
7. Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, including statutory limitation periods, dispute resolution, and legitimate business needs. Account and configuration data are generally retained for the life of your account and a reasonable period thereafter for backups and legal compliance, after which we delete or irreversibly anonymise the data unless a longer period is required by law.
8. Security
We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are reviewed periodically. No method of transmission over the Internet is completely secure; you should use a strong password, enable any available multi-factor authentication, and protect your credentials.
9. Your rights
Subject to the Data Protection Act, 2019 and any applicable exemptions, you may have the right to:
- be informed of the processing (this Policy and supplementary notices);
- access your personal data and certain information about processing;
- request rectification of inaccurate data or completion of incomplete data;
- request erasure where applicable;
- request restriction of processing where applicable;
- object to processing based on legitimate interests or direct marketing;
- withdraw consent where processing is based on consent;
- lodge a complaint with the ODPC.
To exercise rights, contact us using the details in Section 1. We may need to verify your identity before responding. We will respond within the timelines required by law, typically as soon as practicable and in any event within thirty (30) days unless an extension is permitted and explained to you.
10. Cookies and similar technologies
We may use cookies and similar technologies that are strictly necessary for authentication, security, and session management. Where we use optional analytics or marketing cookies, we will present appropriate choices and, where required, obtain consent before non-essential cookies are set.
11. Children
The Services are not directed to children under eighteen (18) years without parental or guardian consent. If you believe we have collected personal data from a child without appropriate authority, please contact us and we will take steps to delete such information promptly where required by law.
12. Automated decision-making
Unless we expressly notify you otherwise, we do not make decisions based solely on automated processing that produce legal or similarly significant effects concerning you within the meaning of the Data Protection Act, 2019. Routing “classes” and fallback rules are configuration choices that you control.
13. Changes to this Policy
We may update this Policy from time to time. We will post the revised version on this page and update the “Last updated” date. Where changes are material, we will provide additional notice as required by law (which may include email notice or a prominent banner within the Services).
14. Complaints to the ODPC
If you consider that our processing infringes the Data Protection Act, 2019, you have the right to lodge a complaint with the Office of the Data Protection Commissioner. Contact and procedural details are published on the ODPC’s official website. We encourage you to contact us first so that we can seek to resolve your concern promptly.