PRIVACY POLICY

Effective Date: 1 July 2026

Version 1.0

Document Title

Privacy Policy

Issued By

Strath Africa Ltd

Jurisdiction

Republic of Rwanda (primary); Republic of Kenya

Governing Law

Rwanda Data Protection Law (Law No. 058/2021) & related regulations

Contact

info@strathafrica.com  |  +250 781 455 033

Address

1KN Nyarugenge, Kigali, Rwanda

Last Updated

June 2026

1.  Introduction

Strath Africa (hereinafter “we”, “us”, “our”, or “the Firm”) is a dynamic legal and financial advisory firm incorporated and operating in Rwanda with liaison offices in Kenya. We are committed to protecting the privacy and confidentiality of all personal data we collect in the course of providing our services and operating our website at www.strathafrica.com  (the “Website”).

This Privacy Policy describes how we collect, use, share, retain, and protect your personal data. It also explains your rights under applicable data protection laws, in particular Rwanda’s Law No. 058/2021 of 13/10/2021 Relating to the Protection of Personal Data and Privacy (“RPDP Law”) and, where applicable, the Kenya Data Protection Act, 2019.

By accessing our Website, submitting an enquiry, engaging our services, or communicating with us in any manner, you acknowledge that you have read and understood this Privacy Policy.

2.  Identity of the Data Controller

For the purposes of applicable data protection legislation, the Data Controller responsible for your personal data is:

 

Firm Name

Strath Africa (trading as Strath Africa Chambers)

Address

1KN Nyarugenge, Kigali, Rwanda

Email

info@strathafrica.com

Telephone

+250 781 455 033

Website

www.strathafrica.com

3.  Personal Data We Collect

We collect personal data only to the extent necessary to fulfil legitimate purposes. The categories of personal data we may collect include:

3.1  Data You Provide to Us

  • Identity data: full name, national identification number, passport details, nationality, date of birth.
  • Contact data: email address, telephone number, postal address.
  • Professional data: employer, job title, company registration details, professional licences, and business relationships.
  • Financial data: bank account details, transaction records, ownership structures, and financial statements — collected solely where required to deliver financial advisory services.
  • Matter-specific data: information provided in the context of a legal or financial engagement, including correspondence, contracts, corporate documents, and supporting evidence.
  • Marketing preferences: your preferences regarding receiving communications from us.

3.2  Data We Collect Automatically

  • Technical data: IP address, browser type and version, operating system, device identifiers, and time-zone settings.
  • Usage data: pages visited, links clicked, referral URLs, session duration, and clickstream data.
  • Cookie data: information collected via cookies and similar tracking technologies (see Section 9).

3.3  Data Received from Third Parties

  • Publicly available registers: Rwanda Development Board (RDB) company registry, Rwanda Revenue Authority records, court registers.
  • Referral partners: law firms, banks, or professional advisors who refer clients to us.
  • Due diligence providers: where required by law (e.g., AML/KYC obligations), we may obtain data from accredited third-party verification services.

4.  Legal Bases for Processing

We process your personal data only where a lawful basis exists under the RPDP Law and applicable regulations. The legal bases we rely on are:

 

Legal Basis

When We Rely on It

Contractual Necessity

Processing required to provide legal or financial advisory services you have engaged us for, or to take steps prior to entering into a contract at your request.

Legal Obligation

Processing necessary to comply with our obligations under Rwanda law, including anti-money laundering (AML), know-your-customer (KYC), tax, and court-ordered disclosure requirements.

Legitimate Interests

Operating and improving our Website, preventing fraud, securing our systems, and direct marketing to existing clients, where those interests are not overridden by your rights.

Consent

For non-essential cookies, newsletter subscriptions, and any secondary use of data not covered by the above. You may withdraw consent at any time.

Vital Interests

In rare circumstances where processing is necessary to protect someone’s life.

 

5.  How We Use Your Personal Data

We use your personal data for the following purposes:

5.1  Provision of Legal & Financial Advisory Services

  • To advise on corporate structuring, mergers and acquisitions, banking and finance, energy and infrastructure transactions, and cross-border investment.
  • To provide regulatory and ESG compliance advice, intellectual property counsel, and dispute resolution representation.
  • To conduct due diligence, draft and review legal documents, and maintain matter files.

5.2  Client Relationship Management

  • To respond to enquiries and communicate regarding ongoing or prospective engagements.
  • To send engagement letters, invoices, and other contractual communications.
  • To maintain records of our professional relationship as required by law and professional standards.

5.3  Legal & Regulatory Compliance

  • To fulfil AML/CFT obligations including client identification and verification (KYC).
  • To respond to lawful requests from regulators, courts, and law enforcement authorities.
  • To comply with applicable tax, accounting, and professional regulatory requirements.

5.4  Business Operations

  • To improve and secure our Website and digital services.
  • To conduct internal research, analytics, and quality assurance.
  • To manage our business relationships and operational processes.

5.5  Marketing & Communications (with your consent or legitimate interest)

  • To send newsletters, thought leadership content, event invitations, and updates relevant to your sector.
  • You may opt out of marketing communications at any time by contacting info@strathafrica.com or clicking “unsubscribe” in any marketing email.

6.  Sharing of Personal Data

We do not sell, rent, or trade your personal data. We may share it only in the following circumstances:

6.1  Within Our Firm

Data is shared among authorised personnel (lawyers, financial advisors, and administrative staff) of Strath Africa on a strict need-to-know basis, subject to professional confidentiality obligations.

6.2  Service Providers

We may engage trusted third-party service providers (“processors”) including:

  • IT infrastructure and cloud service providers (data hosting, cybersecurity).
  • Accounting, audit, and tax advisors.
  • Court process servers, notaries, and public registries.
  • Translation and transcription services.

All processors are contractually bound to process data only on our instructions and to implement appropriate technical and organisational security measures.

6.3  Professional Co-Counsel and Correspondent Firms

Where a matter requires expertise from co-counsel or correspondent firms in other jurisdictions, we may share relevant matter data under confidentiality obligations equivalent to those governing our own practice.

6.4  Legal and Regulatory Authorities

We may disclose personal data to government bodies, courts, regulators, or law enforcement authorities where required by applicable law, including under AML/CFT legislation, court orders, or subpoenas. We will, where legally permissible, notify you of such disclosure.

6.5  Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of the Firm’s business, personal data may be transferred to the relevant successor entity, subject to equivalent privacy protections.

6.6  Cross-Border Transfers

Where personal data is transferred outside Rwanda or Kenya, we will ensure that appropriate safeguards are in place as required by the RPDP Law and the Kenya Data Protection Act, including the use of standard contractual clauses or transfers to jurisdictions offering adequate protection.

7.  Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this Policy, including compliance with legal, regulatory, and professional obligations. Our default retention periods are:

 

Client matter files

10 years from close of matter 

Financial & AML/KYC records

7 years from the end of the business relationship 

Tax and accounting records

7 years 

Website user data

26 months from collection (or as required by cookie consent)

Marketing contact data

3 years from last meaningful interaction, or until consent is withdrawn

Job applicant data

6 months from the conclusion of the recruitment process, unless extended with consent

 

Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised in accordance with our records management procedures.

8.  Your Data Protection Rights

Under the RPDP Law and applicable regulations, you have the following rights regarding your personal data. To exercise any of these rights, please contact our Data Protection Contact at info@strathafrica.com. We will respond within 30 days of receiving a valid request.

 

Right

Description

Right of Access

To obtain confirmation of whether we hold your data, and to receive a copy of it.

Right to Rectification

To request correction of inaccurate or incomplete personal data.

Right to Erasure

To request deletion of your data where it is no longer necessary, or where consent is withdrawn (subject to legal retention obligations).

Right to Restriction

To request that we restrict processing of your data in certain circumstances.

Right to Data Portability

To receive your data in a structured, commonly used, machine-readable format.

Right to Object

To object to processing based on legitimate interests, including direct marketing.

Right to Withdraw Consent

To withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.

Right to Complain

To lodge a complaint with Rwanda’s National Cyber Security Authority (NCSA) or the relevant supervisory authority in Kenya.

 

Please note that certain rights may be limited where we are required to retain or process data to comply with a legal obligation, or where exercising the right would adversely affect the rights of others.

9.  Cookies & Tracking Technologies

Our Website uses cookies and similar technologies. A cookie is a small text file placed on your device when you visit a website.

9.1  Types of Cookies We Use

 

Strictly Necessary

Essential for the Website to function. Cannot be disabled. No consent required.

Performance / Analytics

Help us understand how visitors interact with our Website (e.g., pages viewed, error messages). Require consent.

Functional

Enable enhanced functionality and personalisation (e.g., remembering your preferences). Require consent.

Marketing

Used to deliver relevant advertisements and track the effectiveness of campaigns. Require consent.

 

You can manage or withdraw your cookie consent at any time through our cookie preference centre on the Website, or by adjusting your browser settings. Note that disabling certain cookies may impair Website functionality.

10.  Security of Personal Data

We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:

  • Encryption of data in transit (TLS/SSL) and, where appropriate, at rest.
  • Access controls: role-based access and the principle of least privilege.
  • Regular security assessments, vulnerability scanning, and penetration testing.
  • Staff training on data protection and information security obligations.
  • Incident response procedures aligned with our notification obligations under the RPDP Law.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals without undue delay, in accordance with applicable law.

11.  Attorney-Client Privilege & Professional Confidentiality

Personal data disclosed to Strath Africa in the context of a legal engagement is also subject to legal professional privilege and the duty of confidentiality owed by legal professionals. This means that, in addition to the protections afforded by this Privacy Policy, data shared in the context of a legal matter is protected from disclosure in legal proceedings, except where disclosure is required by law or authorised by you.

The existence of this Policy does not derogate from, waive, or limit any applicable privilege or confidentiality obligation.

12.  Children’s Privacy

Our Website and services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at info@strathafrica.com and we will take steps to delete it promptly.

13.  Third-Party Links

Our Website may contain links to third-party websites, resources, or services. This Privacy Policy applies solely to Strath Africa’s own Website and services. We have no responsibility for the privacy practices of linked third-party sites and encourage you to review their respective privacy policies before providing personal data.

14.  Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. The most current version will always be available on our Website at www.strathafrica.com/privacy-policy, with the effective date updated accordingly.

Where changes are material, we will provide a prominent notice on our Website or contact you directly. Your continued use of our Website or services after the effective date of a revised Policy constitutes acceptance of the changes.

15.  How to Contact Us

For any queries, concerns, or requests relating to this Privacy Policy or our data protection practices, please contact:

 

Data Protection Contact

Strath Africa – Data Protection Office

Email

info@strathafrica.com

Telephone

+250 781 455 033

Website

www.strathafrica.com

 

If you are not satisfied with our response, you have the right to lodge a complaint with Rwanda’s National Cyber Security Authority (NCSA) at www.ncsa.rw .

Issued by Strath Africa

1KN Nyarugenge, Kigali, Rwanda

www.strathafrica.com  |  info@strathafrica.com  |  +250 781 455 033

© 2026 Strath Africa. All Rights Reserved.