Last updated: July 1, 2026
Privacy Policy
This Privacy Policy describes how HRGenie (“we”, “us”, or “our”) collects, uses, stores, and discloses personal data when you use our websites, cloud software, and related services (collectively, the “Services”). It is intended to align with the Data Protection Act, 2019 of Kenya and related regulations issued by the Office of the Data Protection Commissioner (ODPC).
Important: This document is provided for general information and operational transparency. It does not constitute legal advice. You should obtain independent legal counsel to confirm that your use of the Services meets your compliance obligations.
1. Data controller
The data controller responsible for personal data processed in connection with the Services is the entity operating HRGenie as identified in your order form, agreement, or account registration (including SkillMind Software / HR Genie affiliates where applicable). For privacy enquiries, use the contact details in Section 12 below.
2. Scope
This policy applies to visitors, account administrators, and end users (such as employees or contractors) whose personal data is submitted to the Services by a customer organisation. Where your employer or another organisation provisions your account, that organisation is typically an independent controller for HR and workforce data; we act as a processor on their instructions, except where we determine purposes and means as a controller (for example, account, billing, security, and product analytics as described below).
3. Personal data we collect
Depending on how you use the Services, we may process:
- Account and contact data: name, email address, telephone number, job title, company name, authentication credentials, and preferences.
- HR and workforce data (on behalf of customers): identifiers, employment details, payroll-related information, attendance, performance, recruitment, and other categories configured by the customer.
- Technical and usage data: IP address, device and browser type, log files, cookies and similar technologies, diagnostics, and security telemetry.
- Billing data: payment-related references and transaction metadata (payment processing may be performed by regulated third-party providers).
- Support and communications: messages you send us, call recordings if expressly captured with notice, and feedback.
4. Sources of personal data
We collect personal data directly from you, from the organisation that invites you to the Services, from integrated systems you or your organisation connect, and automatically through your use of the Services.
5. Legal bases (Kenya)
We rely on appropriate bases under the Data Protection Act, 2019, which may include:
- Performance of a contract — to provide, secure, and improve the Services you or your organisation requested.
- Consent — where we expressly ask for it (for example, certain marketing cookies or optional communications), which you may withdraw without affecting processing that does not depend on consent.
- Legal obligation — to comply with applicable law, court orders, or regulatory directions.
- Legitimate interests — for fraud prevention, network and information security, product development, and business analytics, balanced against your rights.
- Vital interests — rarely, where necessary to protect life.
6. How we use personal data
We use personal data to:
- Provide, operate, maintain, and support the Services;
- Authenticate users, enforce access controls, and protect against abuse;
- Process subscriptions, invoices, and payments;
- Communicate about service updates, security notices, and administrative matters;
- Comply with law and respond to lawful requests;
- Improve features, reliability, and user experience, including through aggregated or de-identified analytics where permitted.
7. Cookies and similar technologies
We use cookies and similar technologies for essential operation, security, preferences, and (where allowed) analytics or marketing. You can control non-essential cookies through your browser settings and any cookie banner we provide. Essential cookies may be required for login and session integrity.
8. Disclosures and processors
We may share personal data with subprocessors that assist us (for example, hosting, email delivery, payment gateways, customer support tools, and security vendors). They are bound by written agreements requiring appropriate safeguards and processing only on our instructions where we act as a processor. We may disclose personal data if required by law, to protect rights and safety, or in connection with a merger, acquisition, or asset transfer subject to confidentiality obligations.
9. Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit where applicable, access controls, logging, and staff training. No method of transmission or storage is completely secure; we encourage strong passwords, multi-factor authentication where offered, and prompt reporting of suspected incidents.
10. International transfers
Personal data may be processed in Kenya and in other countries where we or our subprocessors operate. Where personal data originating in Kenya is transferred outside Kenya, we will take steps required under the Data Protection Act, 2019 (such as adequacy assessments, appropriate safeguards, or your explicit consent where applicable).
11. Retention
We retain personal data for as long as necessary to fulfil the purposes described in this policy, meet legal, tax, and accounting requirements, resolve disputes, and enforce agreements. Retention periods may differ by data category and customer configuration. Customer administrators may be able to delete or export certain data subject to subscription features and organisational policy.
12. Your rights
Subject to applicable law, you may have the right to:
- Be informed of the processing of your personal data;
- Access your personal data and obtain certain information about processing;
- Request rectification of inaccurate or incomplete data;
- Request erasure where applicable;
- Object to or restrict certain processing;
- Withdraw consent where processing is based on consent;
- Lodge a complaint with the Office of the Data Protection Commissioner (Kenya).
Where your organisation controls workforce data in the Services, we may need to direct certain requests to that organisation’s administrator. To exercise rights directly with us, contact us using the details below.
13. Children
The Services are not directed to children in a way that requires collection of their personal data without appropriate authority. If you believe we have collected personal data from a child without proper basis, please contact us and we will take appropriate steps.
14. Automated decision-making
Unless we expressly notify you otherwise, we do not make solely automated decisions that produce legal or similarly significant effects concerning you within the meaning commonly used under data protection law. Features that involve scoring or recommendations remain subject to customer configuration and human oversight.
15. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version and update the “Last updated” date. Where changes are material, we will provide additional notice as appropriate (for example, by email or in-product notification).
16. Contact
For privacy questions, data subject requests, or to contact our data protection lead, please use the support channels published in the Services (for example, the in-app support or help centre) or contact HR Genie / SkillMind Software at the addresses shown on hrgenie.ai or your order documentation.
To request deletion of your account and associated personal data, you may use our account deletion request form.