SandRose Website Data Privacy Policy

31 March 2021

1. Introduction

Welcome to the SandRose Website Privacy Policy (the “Privacy Policy”). We appreciate you taking the time to read all Our notices carefully. SandRose Consulting Limited (“SandRose”, “We”, “Us”, “Our”) is committed to protecting your privacy by ensuring that any personal data is collected and used lawfully and transparently. We process your personal information under the Kenya Data Protection Act 2019.

This Privacy Policy aims to give you information on how We collect and process your personal data through your use of this website, and through Our interactions with clients, suppliers, and other third parties.

2. Who is SandRose?

SandRose is a project management and consulting firm specializing in supporting infrastructure projects across Africa with a specific focus on energy transition, infrastructure projects, industrial parks and sustainable cities. Our offices are situated off Timau Plaza, Off Timau Road, PO Box 25177 00100 Nairobi, Kenya.

3. What is the Purpose of this Policy?

This Privacy Policy outlines how SandRose collects, uses and stores personal data in the course of its business from clients, suppliers and other individuals (referred to as “you” or “your” in this Privacy Policy).

4. Data Controller

SandRose is the data controller of the personal information which you provide or which We gather from you.

5. What is Personal Data?

For purposes of this Privacy Policy, Personal Data includes any information about an identifiable individual.

6. What Personal data do We Collect and How Do We Use It?

We collect personal data about:

  • Visitors to Our website
  • People who email Us
  • People who telephone Us
  • People who contact Us about Our services or products
  • People who use Our services or products
  • Project stakeholders
  • Job applicants
  • Suppliers

6.1. Visitors to Our Website

When you visit, We use third party services such as Google Analytics to collect details of visitor behaviour patterns and standard internet log information such as IP (internet) address and browser type or version. The information is processed in such a way that it does not identify any specific individual. You can read Google’s overview of privacy and safeguarding data here:

If We want to collect information which identifies an individual, We will tell you. For instance, you will be given the opportunity to fill in your contact details and to “opt-in” if you want to receive more information about Us or about Our services or Our products.

6.2. Cookies and other Technologies

Our website may use “cookies” and other technologies such as pixel tags and web beacons. These technologies help Us better understand user behaviour, tell Us which parts of Our website people have visited and facilitate and measure the effectiveness of advertisements and web searches. We will ask for your consent before We use Cookies to collect your information.

Find out more about cookies, including how to disable/enable and delete them, at the following website

You can block most cookies (except for Flash cookies) by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you block all cookies (including essential cookies) you may not be able to access all or parts of Our services or you may experience reduced functionality when accessing certain services. Unless you have adjusted your browser setting so that it will refuse cookies, Our system will issue cookies as soon as you visit Our website.

6.3. People Who Email Us

If you give Us your contact details by email, We will use those to contact you in connection with your email. Depending on the purpose of your email to Us, We may use your personal information in other ways as listed in this Privacy Policy.

We use the Transport Layer Security (“TLS”) cryptographic protocol to encrypt and protect email traffic. If your email service does not support the TLS cryptographic protocol, you should be aware that any emails you send or receive may not be protected in transit. We monitor emails sent to Us, including attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send to Us is within the bounds of the law.

6.4. People who Telephone Us

If you give Us your contact details over the phone, We will use those to contact you in connection with your call. Depending on the purpose of your call to Us, We may use your personal information in other ways listed in this Privacy Policy.

6.5. People Who Contact Us About Our Services or Products

Most of Our services and products are provided ‘business to business’. But if you are an individual (for example an employee in a business, a sole trader, or a consumer of Our services in your own right) We will treat your personal data in accordance with data privacy principles. If you ask Us about Our services or products We will use your personal data to send you that information.

We will use the personal data to help Us understand your initial query and instructions and to determine what services or products are required from Us. If your enquiry becomes an order, instruction or contract, We will retain your information in accordance with Our internal archiving procedures.

If you decide not to instruct Us, We may retain your information in Our system. We maintain email archives for a period of 15 years.

6.6. People Who Use Our Services or Products (Our Clients)

Most of Our services and products are provided ‘business to business’. But if you are an individual (for example an employee in a client business which buys Our services or products, a sole trader client who buys Our services or products, or a consumer of Our services in your own right) We will treat your personal data in accordance with data privacy principles.

We will use your personal data to provide the services or products including training, as per the contract between SandRose and you, the client (or where you are an employee of the client, to your employer, Our client).

We retain your information in line with Our internal archiving policies and procedures. Due to the nature of Our work, Our retention periods may be up to 30 years.

If you have opted to receive marketing communications, We will retain and use your personal details to send those. We will usually send this information by email to the email address you have given Us. You will be given the opportunity to opt out of further marketing emails each time We send you such an email.

Even if you have not opted in to receive marketing, We may still use your personal information to send you marketing emails relating to services or products which are similar to those which We have already supplied to you (or, where you are an employee of a client, to your employer, Our client). You will be given the opportunity to opt out of such material each time We send you such an email.

If you do not wish to receive marketing material from Us, please let Us know. You can contact Us by email on

6.7. Project Stakeholders

In the course of carrying out Our duties, We hold various engagements with various individuals or groups of people living within communities where proposed projects are set to be implemented. Such engagements are conducted through face-to-face, audio or video recorded interviews, meetings or by administration of face-to-face or online questionnaires.

In some instances, We may collect the following data:

  • Identification Information: your name, address, telephone number, email address, physical address, country of residence, age, ID numbers.
  • Sensitive Personal Data: information about your ethnic social origin, conscience, belief, property details, marital status, family details including the names of your children, parents, spouse or spouses, gender or your sexual orientation. We do not typically request such information through Our website. Where We collect such data, We will obtain your explicit consent before We collect, use or otherwise process this sensitive personal data.

6.8. Job Applicants

Personal data relating to Job Applicants is collected in accordance with Our Job Applicant Privacy Policy.

6.9. Suppliers

We use your personal data as part of Our selection process for Our approved suppliers. We will retain your personal data as stated in the data retention clause of your contract.

7. Purposes, Legal Basis and Use

We may use, process, store or disclose the personal data We collect only where one or more of the below outlined principal legal grounds and specific business justifications exist:

Activity: New Client / Supplier

Our Purpose for Processing:

  • To facilitate communication with you
  • To enter into a contract with you

Our Legal Basis:

  • To fulfil Our legal obligations
  • For Our legitimate business interests e.g. conducting Our consulting services and preparing the requisite reports
  • To enter into a contract with you
  • For historical, statistical and scientific research purposes subject to appropriate data protection safeguards

Activity: Administration of surveys, questionnaire or focus-based groups

Our Purpose for Processing:

  • To conduct Environmental and Social Impact Assessments and associated studies

Our Legal Basis:

  • Consent
  • To fulfil Our legal obligations e.g. make reports to the relevant National Environment Management Authority or similar authorities
  • For Our legitimate business interests where those interests do not override your rights
  • To fulfil Our contractual obligations

Activity: Job Application processing

Our Purpose for Processing:

  • To review your application and where applicable enter into a contract with you

Our Legal Basis:

  • As stated in the Job Applicant Policy

Activity: Online Identifiers, Cookies and Geo-location data

Our Purpose for Processing:

  • To administer and protect Our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

Our Legal Basis:

  • Necessary for Our legitimate interests (to study how customers use Our products/services, to develop them, to grow Our business and to inform Our marketing strategy)

8. Data Retention

Due to the nature of Our business, We find it useful to retain project files and contact details for an indefinite period in case We need to refer back to the project.

For any other information such as supplier information, We will retain the data in accordance with your contract and Our data retention policies.

9. How We May Share the Information

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for Us. For example, Our email service is provided by Microsoft; We use Google Analytics to collect details of website visitor behaviour patterns and standard internet log information (see Visitors to Our website, above).

We may also need to share some personal information with other parties, such as external contractors and Our professional advisers, and with potential purchasers of some or all of Our business. The recipient of the information will be bound by confidentiality obligations.

We may also be required to share some personal information (for example with government departments, border security or law enforcement) to comply with the law.

10. Your Rights

You have the following rights in relation to your Personal Data. Please note that these rights are available subject to certain criteria and exceptions in accordance with the Kenya Data Protection Act, 2019.

10.1. Right to Transparency of Information

You are entitled to clear and transparent information about how We process your personal data.

10.2. Right of Access

You have the right to request a copy of the personal data We are processing about you and to exercise that right easily and at reasonable intervals.

10.3. Right to Withdraw Consent

You have the right to withdraw consent where that is the legal basis of Our processing.

10.4. Right to Rectification

You have the right to have inaccuracies in personal data We hold about you rectified.

10.5. Right to Erasure

You have the right to have your personal data deleted where We no longer have any justification for retaining it, subject to certain exemptions, such as if the data is required for purposes of evidence.

10.6. Right to Object

We process your data pursuant to the reasons set out in this Policy. However, you can object to this processing, in which case We will make a new determination of whether your data should no longer be used for this purpose. We will stop the processing if your interest outweighs Our interest.

10.7. Right to Portability

You have the right to receive personal data concerning you in a structured, commonly used and machine-readable format.

10.8. Procedure

  • If you wish to exercise any of the rights outlined above, please write an email to the Data Protection Officer (DPO) on
  • We will endeavour to answer all questions via email within one month after receipt.
  • That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In that event, We will keep you informed of the progress on your request.
  • If the provision of the data involves the data of third parties, these third parties can be asked in advance whether they have objections to the provision.
  • We may ask for identification, because We need to know for certain whether We are issuing the data to the right person.
  • In some cases, We will not be able to comply with your request. We may, for example, not be required to delete the data SandRose is legally obliged to retain.

10.9. To Whom Shall I Direct a Question or Complaint?

If you have any questions or complaints about the processing of personal data, you can contact SandRose on

11. Changes to this Privacy Policy

This Privacy Policy will be reviewed from time to time to consider any changes in the law and the data protection practices of SandRose. We will update the date at the top of this Privacy Policy accordingly. You are required to regularly review this Privacy Policy for changes and to make yourself aware of the same.

