Your Privacy Matters to Us At Oracom Group, we believe your personal information belongs to you. This Privacy Policy explains exactly what data we collect, why we collect it, how we protect it, and the rights you hold over it — all in plain language. We are fully committed to compliance with the Kenya Data Protection Act, 2019.
Oracom Group Limited is a Kenyan-registered digital holding company and the Data Controller responsible for all personal data collected across our group platforms. This policy applies to all websites, portals, and services operated under the Oracom Group umbrella, including:
- oracomgroup.com and all associated subdomains
- OraWebHost hosting and billing portals (orawebhost.com)
- OraMEDIA photography and video booking platforms
- Oracom.co.ke web design portal
- KEOnline, DFT News, and other group-operated platforms
- Any mobile applications, booking forms, or digital tools run by the group
For all data protection matters, our designated point of contact is reachable at info@oracomgroup.com.
We only collect data that is necessary and proportionate to the service being provided. Depending on how you engage with us, this may include:
| Category |
What This Includes |
| Identity Data |
Full name, username, job title, company name |
| Contact Data |
Email address, phone number, physical or postal address |
| Financial Data |
M-Pesa transaction references, payment confirmation numbers (we do not store full card numbers) |
| Technical Data |
IP address, browser type, device type, operating system, pages visited, session duration |
| Usage Data |
Which services you view, clicks, search queries on our platforms |
| Communications Data |
Emails, WhatsApp messages, or form submissions sent to us |
| Marketing Preferences |
Your opt-in status for newsletters, SMS alerts, and promotional content |
| Project Data |
Briefs, files, images, and documents you share with us for project delivery |
We do not collect sensitive personal data — such as health information, biometric data, racial or ethnic origin, or political opinions — unless a specific service requires it and you have given clear, informed consent.
Your data reaches us through a number of channels:
- Directly from you — when you fill in a contact or quote form, register an account, send us an email or WhatsApp message, make a payment, or subscribe to our communications.
- Automatically via your device — as you navigate our websites, our servers and analytics tools (such as Google Analytics) passively collect technical and behavioural data through cookies and server logs.
- From social media platforms — if you interact with our pages on Facebook, Instagram, LinkedIn, or X (Twitter), those platforms may share engagement data with us under their own privacy terms.
- Through referrals — if an existing client or affiliate refers you to us, we may receive basic contact details to follow up. We will always seek your consent before adding you to any mailing list.
- From publicly available sources — such as business directories or professional profiles, used only for legitimate B2B outreach.
Every piece of data we process has a specific, documented purpose and a lawful basis under the Kenya Data Protection Act, 2019. We do not process data beyond what is necessary for those stated purposes.
| Purpose |
Lawful Basis |
| Delivering and managing requested services |
Performance of a contract |
| Processing payments and issuing invoices |
Performance of a contract |
| Responding to enquiries and providing customer support |
Legitimate interest / Contract |
| Sending service updates, renewal reminders, and account alerts |
Legitimate interest / Contract |
| Sending promotional emails, SMS, or WhatsApp campaigns |
Consent (opt-out available at any time) |
| Analysing website usage to improve our services |
Legitimate interest |
| Detecting and preventing fraud or security threats |
Legitimate interest / Legal obligation |
| Complying with Kenyan legal and regulatory obligations |
Legal obligation |
Oracom Group does not sell, rent, or trade your personal data to any third party for marketing or commercial purposes. Data is only shared in the following strictly controlled circumstances:
- Trusted Service Providers: We work with vetted third parties such as M-Pesa / Safaricom (payments), cloud hosting providers, email delivery services, and SMS gateway operators. Each is bound by a data processing agreement and may only use your data for the specific task we have engaged them to perform.
- Within the Oracom Group: Where a service spans multiple subsidiaries — for example, a web project that also requires hosting — relevant data is shared internally on a need-to-know basis.
- Legal and Regulatory Authorities: Where required by Kenyan law, a court order, or a formal regulatory request, we may be obligated to disclose certain data to law enforcement or government bodies.
- In a Business Transfer: Should Oracom Group undergo a merger, acquisition, or partial sale of assets, your data may form part of the transferred assets. We will provide advance notice and, where required, obtain your consent before any such transfer.
- With Your Explicit Consent: In any other scenario, we will only share your data after obtaining your clear, informed agreement.
Our websites use cookies — small text files stored on your device — and similar tracking technologies to make our sites function properly and to improve your experience. We use four types of cookies:
- Essential Cookies: Required for basic site functionality such as maintaining your login session, remembering your cart, and enabling security features. These are always active and cannot be turned off.
- Analytics Cookies: Collected via Google Analytics and similar tools to understand how users navigate our site — page views, time on page, bounce rates, and traffic sources. All data is aggregated and anonymised; no individual is identified.
- Preference Cookies: Store your settings such as language, currency, or region to personalise your experience across visits.
- Marketing & Retargeting Cookies: Used to display relevant advertisements on platforms such as Google and Facebook based on your browsing behaviour. These are only activated after you provide consent via our cookie banner.
Managing CookiesYou can accept, reject, or customise non-essential cookies at any time via our cookie consent banner or through your browser settings (under Privacy or History). Disabling certain cookies may limit some website features. For full details on the cookies we use, please see our Cookie Policy.
We do not keep personal data longer than necessary. Retention periods are based on the nature of the data, our contractual obligations, and applicable legal requirements:
| Data Type |
Retention Period |
| Active client account records |
Duration of relationship + 3 years after last activity |
| Financial and billing records |
7 years (Kenya Revenue Authority compliance) |
| Project files and deliverables |
2 years after project completion (unless otherwise agreed) |
| Marketing consent records |
Until you withdraw consent |
| Website analytics data |
26 months (Google Analytics default) |
| Customer support communications |
2 years from last contact |
When data reaches the end of its retention period, it is securely and permanently deleted or irreversibly anonymised so it can no longer be traced back to you.
The Kenya Data Protection Act, 2019 gives you clear, enforceable rights over your personal data. Oracom Group is committed to honouring every one of them:
👁️
Right of Access
Request a copy of all personal data we hold about you, free of charge.
✏️
Right to Rectification
Ask us to correct inaccurate or outdated personal data without delay.
🗑️
Right to Erasure
Request deletion of your data when there is no longer a valid reason for us to hold it.
🚫
Right to Object
Object to us processing your data for direct marketing or based on our legitimate interests.
⏸️
Right to Restriction
Ask us to pause processing of your data — for example, while a dispute is being resolved.
📦
Right to Portability
Receive your data in a structured, machine-readable format to transfer to another provider.
↩️
Withdraw Consent
Withdraw consent for marketing or non-essential processing at any time, with no penalty.
⚖️
Right to Complain
Lodge a complaint with Kenya's Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.
To exercise any of these rights, email info@oracomgroup.com with your request. We will respond within 21 days as required under Kenyan law, at no cost to you.
We take a layered approach to data security, combining technical controls, operational procedures, and staff accountability to keep your information safe:
- Encryption in transit: All data transmitted between your browser and our servers is protected by SSL/TLS encryption (HTTPS).
- Access controls: Internal systems are role-based — staff can only access data that is necessary for their specific job function.
- Two-factor authentication (2FA): Mandatory on all critical administrative and hosting platforms.
- Regular security audits: We conduct periodic vulnerability assessments and penetration testing on our hosting infrastructure.
- Encrypted backups: Data backups are encrypted and stored securely with restricted access and tested restoration procedures.
- Staff training: All Oracom Group employees and contractors are required to sign confidentiality agreements and complete data protection awareness training.
In the Event of a Data BreachShould a personal data breach occur that poses a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware, and will inform all affected individuals promptly and transparently.
As our services evolve and data protection regulations are updated, this Privacy Policy may be revised from time to time. When material changes are made, we will:
- Update the "Last Updated" date shown at the top of this page
- Display a prominent notice on our website for a minimum of 30 days
- Notify registered users by email or SMS where the changes materially affect their rights
We encourage you to revisit this page periodically. Continuing to use our services after a policy update has been communicated constitutes your acceptance of the revised terms. If you disagree with any update, you are entitled to contact us to request deletion of your personal data before the changes take effect.
For any questions about this Privacy Policy, requests to exercise your data rights, or concerns about how your information is handled, please get in touch with us directly:
