Privacy Policy

Last updated:

At Black Knights, your privacy is a first-class concern — not a checkbox. This policy explains exactly what data we collect, why we collect it, how we protect it, and the rights you hold over it.

1. Introduction

Black Knights (“we”, “our”, or “us”) is an AI-focused technology company headquartered in Gigiri, Nairobi, Kenya. We specialize in AI-led software development, marketing automation, intelligent agents, data analytics, and AI-powered content generation.

This Privacy Policy describes how we collect, use, disclose, and safeguard personal information when you visit our website at blackknights.co.ke (the “Site”), or when you interact with us through our services, contact forms, or marketing communications.

By using our Site, you acknowledge that you have read, understood, and agree to the practices described in this policy. If you do not agree with any part of this policy, please discontinue use of our Site.

This policy applies to all personal data processed by Black Knights, whether you are a prospective client, an existing client, a newsletter subscriber, or simply a visitor browsing our content.

2. Information We Collect

We collect only the information necessary to provide our services and improve your experience. The categories of data we may collect include:

2.1 Personal Data You Provide Directly

When you fill out our contact form, request a consultation, or sign up for our newsletter, you may provide:

  • Full name
  • Email address
  • Company or organisation name
  • Phone number (if provided)
  • The nature of your enquiry or project brief
  • Any other information you voluntarily include in a message

2.2 Usage and Technical Data

When you browse our Site, we may automatically collect certain technical information through cookies and analytics tools:

  • IP address (anonymised where possible)
  • Browser type and version
  • Operating system
  • Referring URL and exit pages
  • Pages visited and time spent on each page
  • Device type (desktop, tablet, mobile)
  • Geographic region (country/city level)
  • Timestamps of visits

2.3 Communication Records

If you contact us directly by email or through our contact form, we retain records of those communications, including your message content and any attachments, to assist in responding to your enquiry and maintaining a history of our correspondence.

2.4 Data From Third-Party Sources

In some cases we may receive information about you from third-party sources such as business networking platforms (e.g., LinkedIn) when you interact with our company profile or when a referral partner provides your contact details with your knowledge and consent.

3. How We Use Your Information

We use the personal data we collect for the following purposes, always on a lawful basis as described in Section 4:

  • Responding to your enquiries and contact form submissions
  • Assessing and scoping potential project engagements
  • Delivering contracted services and ongoing client support
  • Sending newsletters, updates, and marketing communications where you have opted in
  • Conducting analytics to understand how visitors use our Site and to improve content and functionality
  • Fulfilling legal and regulatory obligations
  • Protecting against fraud, misuse, or security threats
  • Personalising and improving your experience on our Site
  • Contacting you about changes to our services, pricing, or this Privacy Policy

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

4. GDPR Compliance and Your Rights

Although Black Knights is based in Kenya, we serve clients globally, including individuals in the European Economic Area (EEA) and the United Kingdom. Where the General Data Protection Regulation (GDPR) or the UK GDPR applies to our processing of your data, we fully adhere to its requirements.

4.1 Lawful Basis for Processing

We only process your personal data when we have a lawful basis to do so. Depending on the context, the applicable basis is one of the following:

  • Consent — you have given clear, specific, and informed consent (e.g., newsletter sign-up or non-essential cookies)
  • Contract — processing is necessary to perform a contract you have entered into with us, or to take pre-contractual steps at your request
  • Legal Obligation — processing is necessary to comply with applicable law
  • Legitimate Interests — processing is necessary for our legitimate interests (e.g., improving our services, analytics, fraud prevention), provided those interests are not overridden by your rights and freedoms

Where we rely on consent as our lawful basis, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4.2 Your Data Subject Rights

Under GDPR and equivalent legislation, you have the following rights with respect to your personal data:

Right of Access

You have the right to request a copy of the personal data we hold about you, along with information about how and why we process it.

Right to Rectification

If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it.

Right to Erasure

Also known as the 'right to be forgotten'. You may request that we delete your personal data where there is no compelling reason for its continued processing.

Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format and to have it transmitted to another controller.

Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data under certain circumstances, such as while we investigate a dispute about the accuracy of your data.

Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests or where data is processed for direct marketing purposes. We will cease that processing unless we can demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions made solely by automated processing, including profiling, where those decisions produce legal or similarly significant effects concerning you.

4.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at hello@blackknights.co.ke with the subject line “Data Subject Rights Request”. We will respond within 30 days of receipt. We may need to verify your identity before actioning your request.

If you are dissatisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your country of residence. For EEA residents this is your national Data Protection Authority; for UK residents this is the Information Commissioner's Office (ICO).

4.4 Data Protection Officer

We have designated a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and ensuring compliance with applicable law. You may contact our DPO directly at hello@blackknights.co.ke with the subject line “DPO Enquiry”.

5. Data Security

We take the security of your personal data seriously and implement a range of technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration.

  • All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS/HTTPS)
  • Data stored with our cloud providers is encrypted at rest using industry-standard AES-256 encryption
  • Access to personal data is restricted on a need-to-know basis through role-based access controls
  • We conduct regular internal security audits and vulnerability assessments
  • We maintain an incident response plan; in the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay
  • Our development and operational practices follow security-by-design principles

While we apply rigorous security measures, no method of electronic transmission or storage is 100% secure. We encourage you to use strong, unique passwords and to notify us immediately if you suspect any unauthorised use of information you have shared with us.

6. Data Protection Measures

Beyond technical security controls, we have adopted organisational measures to embed data protection into our culture and operations:

  • All staff who handle personal data receive mandatory data protection training upon onboarding and periodically thereafter
  • We apply the principle of data minimisation — collecting only what is strictly necessary for the stated purpose
  • We apply the principle of purpose limitation — data collected for one purpose is not repurposed without a fresh lawful basis or your consent
  • Third-party suppliers and processors who handle personal data on our behalf are vetted for their data protection practices and bound by Data Processing Agreements (DPAs)
  • We maintain a Record of Processing Activities (ROPA) as required by GDPR Article 30
  • Privacy impact assessments are conducted for new projects or systems that involve significant processing of personal data

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our general retention periods are:

  • Contact form enquiries and pre-sales correspondence: up to 2 years from last interaction, or until you request deletion
  • Active client project records: for the duration of the engagement plus 7 years to meet legal and contractual obligations
  • Marketing contact lists (newsletter subscribers): until you unsubscribe or request removal
  • Website analytics data: up to 26 months in aggregated or anonymised form
  • Financial and invoicing records: 7 years as required by Kenyan tax law and international accounting standards

When personal data is no longer required, we securely delete or anonymise it in accordance with our data deletion procedures. Physical records containing personal data are shredded; digital records are permanently purged from our systems and those of our processors.

8. Third-Party Services

We use a small number of carefully selected third-party services to operate our Site and deliver our services. These services may process your personal data on our behalf as data processors.

8.1 Firebase (Google)

Our Site is hosted on Firebase Hosting and we use Firebase Firestore to store contact form submissions. Firebase is a platform provided by Google LLC. Data may be stored on Google's global infrastructure. Google acts as a data processor under our agreement. For more information, see the Firebase Privacy and Security documentation.

8.2 Analytics

We may use web analytics tools to understand how visitors interact with our Site. Analytics data is collected in aggregate and anonymised where possible. We configure our analytics tools to respect user privacy preferences, including IP anonymisation.

8.3 Email and Communication Tools

We use third-party email service providers to send transactional emails (e.g., enquiry confirmations) and marketing emails. These providers process your email address and name on our behalf under Data Processing Agreements.

8.4 Payment Processors

Where applicable, payments for our services are handled by PCI-DSS-compliant third-party payment processors. We do not store, transmit, or process payment card details on our own systems. Payment processors act as independent data controllers for financial data.

We do not allow third-party service providers to use your personal data for their own purposes. They may only process it in accordance with our documented instructions.

9. International Data Transfers

Black Knights is based in Kenya and may store or process your data using cloud infrastructure located in different countries. When personal data is transferred outside your country of residence — including outside the EEA — we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where required for EEA data transfers
  • UK International Data Transfer Agreements (IDTAs) for UK data transfers
  • Transfers only to countries recognised as providing an adequate level of data protection, where applicable
  • Data Processing Agreements with all processors that include data transfer provisions

By submitting your personal data through our Site, you acknowledge that it may be transferred to and processed in countries outside your jurisdiction. We take all reasonable steps to ensure that any such transfers are handled securely and in accordance with this Privacy Policy.

10. Cookies

Our Site uses cookies — small text files placed on your device — to enhance your browsing experience, remember your preferences, and gather analytics data.

10.1 Types of Cookies We Use

Strictly Necessary Cookies

Essential for the Site to function correctly. These cannot be switched off. They include cookies set for security purposes and session management.

Analytics Cookies

Help us understand how visitors interact with our Site by collecting anonymous data about pages visited, time spent, and referral sources. We use this data to improve our content and user experience.

Preference Cookies

Allow the Site to remember choices you have made (such as language or region preferences) to provide a more personalised experience.

Marketing Cookies

Used to track visitors across websites to display relevant advertisements. We only use these where you have given explicit consent.

10.2 Managing Cookies

You can control and manage cookies in several ways:

  • Via our cookie consent banner when you first visit the Site
  • Through your browser settings — most browsers allow you to refuse or delete cookies (note: disabling certain cookies may affect Site functionality)
  • Using browser extensions designed for privacy management
  • By opting out of specific analytics tools via their opt-out mechanisms

Withdrawing consent for non-essential cookies will not affect the lawfulness of any processing that occurred before withdrawal.

11. Children's Privacy

Our Site and services are directed exclusively at businesses and adult professionals. We do not knowingly collect, solicit, or process personal data from individuals under the age of 16.

If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us immediately at hello@blackknights.co.ke. We will promptly investigate and, where confirmed, delete such data from our records.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other legitimate business reasons. The updated version will always be available at this URL, and the “Last updated” date at the top of this page will be revised accordingly.

Where changes are material — meaning they significantly affect how we use your data or your rights — we will notify you by:

  • Sending an email notification to the address on file (where you have provided one and where required by law)
  • Displaying a prominent notice on our Site
  • In some cases, seeking fresh consent where required

We encourage you to review this page periodically to stay informed of any updates. Continued use of our Site after a policy change constitutes acceptance of the revised terms, to the extent permitted by applicable law.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please do not hesitate to reach out:

Black Knights

Address: Gigiri, Nairobi, Kenya

Email: hello@blackknights.co.ke

Subject: Privacy Enquiry / Data Subject Rights Request

We aim to respond to all privacy-related enquiries within 30 calendar days. Complex requests involving data retrieval or deletion may take up to 60 days; we will notify you if this is the case.