Privacy Policy

1. Introduction

Elevate("we," "us," or "our"), a division of Opengates Link Limited, is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, disclose, and safeguard your information when you visit our website at stay-elevated.com (the "Site") or use any of our services.

This Privacy Policy is issued in compliance with the Kenya Data Protection Act, 2019 (Act No. 24 of 2019), the Data Protection (General) Regulations, 2021, and the constitutional right to privacy as enshrined in Article 31 of the Constitution of Kenya, 2010. Where our services extend to users in other jurisdictions, we also endeavor to comply with applicable international data protection frameworks including the EU General Data Protection Regulation (GDPR) and other relevant laws.

By using our Site or services, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your personal data as described herein. If you do not agree, please discontinue use of the Site immediately.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings assigned below, consistent with the Kenya Data Protection Act, 2019:

• "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, identification number, location data, email address, online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
• "Data Subject" means any individual whose personal data is collected, processed, or stored by us — including website visitors, clients, and talent applicants.
• "Data Controller" means Opengates Link Limited, which determines the purposes and means of processing personal data.
• "Data Processor" means any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.
• "Processing" means any operation performed on personal data, whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.
• "Sensitive Personal Data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation, as defined under Section 2 of the Kenya Data Protection Act, 2019.
• "Consent" means any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which they, through a statement or a clear affirmative action, signify agreement to the processing of their personal data.

3. Data Controller Information

The Data Controller responsible for your personal data is:

As the Data Controller, we are responsible for deciding how your personal data is collected, used, and stored, in accordance with Section 25 of the Kenya Data Protection Act, 2019. We are registered with the Office of the Data Protection Commissioner (ODPC) as required by Section 18 of the Act.

4. Legal Basis for Processing

Under Section 30 of the Kenya Data Protection Act, 2019, we process your personal data only when we have a lawful basis to do so. The legal bases on which we rely include:

• Consent: You have given clear, informed consent for us to process your personal data for one or more specific purposes (e.g., submitting a contact form or talent application). You may withdraw your consent at any time by contacting us, without affecting the lawfulness of processing based on consent before its withdrawal.
• Performance of a Contract: Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract (e.g., responding to a service inquiry).
• Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject under Kenyan law, including tax obligations under the Kenya Revenue Authority Act and anti-money laundering requirements under the Proceeds of Crime and Anti-Money Laundering Act, 2009.
• Legitimate Interest: Processing is necessary for the legitimate interests pursued by us or a third party, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include improving our services, website security, fraud prevention, and internal administration.

5. Information We Collect

We collect the following categories of personal data:

5.1 Information You Provide Directly

• Contact Form Data: Full name, email address, phone number, company name, service of interest, and message content submitted through our inquiry form.
• Talent Waitlist Data: Full name, email address, Opengates profile URL, area of expertise, years of experience, and any additional information you include in your application.
• Communication Records: Records of correspondence when you contact us via email or other channels, including the content of those communications.

5.2 Information Collected Automatically

• Device Information: IP address, browser type and version, operating system, device type, screen resolution, and language preferences.
• Usage Data: Pages visited, time and date of visit, time spent on each page, clickstream data, referring website addresses, and navigation paths through the Site.
• Location Data: Approximate geographic location derived from your IP address (city/country level only; we do not collect precise GPS coordinates).

5.3 Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and analyze website traffic. A cookie is a small text file placed on your device by our web server. The types of cookies we may use include:

• Strictly Necessary Cookies: Required for the operation of the Site (e.g., session management). These cannot be disabled.
• Analytical/Performance Cookies: Allow us to recognize and count visitors, and to see how visitors navigate the Site. This helps us improve how the Site works.
• Functionality Cookies: Enable the Site to remember choices you make (e.g., language preferences) and provide enhanced personalization.

You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of the Site.

5.4 Sensitive Personal Data

We do not intentionally collect sensitive personal data as defined under Section 2 of the Kenya Data Protection Act, 2019. If you voluntarily provide such information (e.g., in a free-text message), we will treat it with the highest level of confidentiality and process it only where strictly necessary to respond to your inquiry.

6. How We Use Your Information

We process your personal data for the following purposes, each tied to a specific legal basis as outlined in Section 4 above:

6.1 Service Delivery & Communication

• To respond to inquiries submitted through our contact form and provide information about our services.
• To process talent waitlist applications and match qualified professionals to client engagements.
• To send confirmation emails acknowledging receipt of your inquiry or application.
• To communicate with you about the status of ongoing service engagements or applications.

6.2 Website Improvement & Analytics

• To analyze website traffic patterns, user behavior, and engagement to improve the Site's design, content, and functionality.
• To monitor and prevent technical issues, errors, and security threats.
• To generate aggregated, anonymized statistical reports that do not identify individual users.

6.3 Legal Compliance & Protection

• To comply with applicable Kenyan laws and regulations, including the Kenya Data Protection Act, 2019, the Companies Act, 2015, and any orders issued by the Office of the Data Protection Commissioner (ODPC).
• To establish, exercise, or defend legal claims before any court or tribunal in Kenya.
• To enforce our Terms of Service and protect the rights, property, and safety of our organization, our users, and the public.

7. Information Sharing & Disclosure

We do not sell, rent, or trade your personal data to third parties. We may share your information only in the following limited circumstances:

• Parent Company & Affiliates: With Opengates Link Limited and its affiliated entities for internal business operations, service coordination, and corporate administration. All affiliates are bound by the same data protection obligations.
• Service Providers: With trusted third-party vendors who assist us in operating the Site and delivering our services, including but not limited to Microsoft Azure (email delivery and cloud hosting), Vercel (website hosting), and Sanity (content management). All service providers are contractually obligated to process your data only on our instructions and in accordance with applicable data protection laws, pursuant to Section 31 of the Kenya Data Protection Act, 2019.
• Legal & Regulatory Requirements: When required by law, regulation, subpoena, court order, or governmental request issued by a competent Kenyan authority, including the Office of the Data Protection Commissioner (ODPC), the Kenya Revenue Authority (KRA), or any court or tribunal with jurisdiction.
• Protection of Rights: When we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others; investigate fraud; or respond to a government request.
• Business Transfers: In the event of a merger, acquisition, reorganization, dissolution, or sale of all or a portion of the assets of Opengates Link Limited, your personal data may be transferred as part of the transaction. We will notify you of any such change in ownership or control and any choices you may have regarding your data.

8. Cross-Border Data Transfers

As we use cloud-based service providers, your personal data may be transferred to and processed in countries outside the Republic of Kenya. In accordance with Section 48 of the Kenya Data Protection Act, 2019, we will only transfer your personal data to a country or territory outside Kenya if:

• The recipient country has adequate data protection safeguards as determined by the Data Protection Commissioner.
• Appropriate safeguards are in place, such as standard contractual clauses, binding corporate rules, or other legally recognized mechanisms.
• The transfer is necessary for the performance of a contract between you and us, or the implementation of pre-contractual measures taken at your request.
• You have provided explicit consent to the transfer after being informed of the possible risks.

Our primary service providers (Microsoft Azure, Vercel) maintain data processing facilities in regions that comply with internationally recognized data protection standards. We have entered into appropriate data processing agreements with each provider to ensure your data is handled with equivalent protections.

9. Data Security

In accordance with Section 41 of the Kenya Data Protection Act, 2019, we implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security) protocols.
• Encryption at Rest: Stored data is encrypted using industry-standard encryption algorithms on our cloud infrastructure.
• Access Controls: Access to personal data is restricted to authorized personnel who require it for legitimate business purposes, with role-based access controls enforced.
• Secure Infrastructure: Our hosting providers (Microsoft Azure, Vercel) maintain ISO 27001, SOC 2, and other internationally recognized security certifications.
• Regular Security Reviews: We conduct periodic security assessments and update our security practices in response to evolving threats.
• Environment Variable Protection: All sensitive credentials (API keys, connection strings) are stored as server-side environment variables and are never exposed to the client-side browser.

Despite our efforts, no method of transmission over the internet or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security. In the event of a data breach, we will comply with the notification requirements set out in Section 43 of the Kenya Data Protection Act, 2019, and notify the ODPC and affected Data Subjects within 72 hours of becoming aware of the breach.

10. Data Retention

In accordance with the data minimization and storage limitation principles under Section 25 of the Kenya Data Protection Act, 2019, we retain your personal data only for as long as necessary to fulfill the purposes for which it was collected. Our specific retention periods are:

• Contact Form Submissions: Retained for up to 24 months from the date of submission, or until the inquiry is resolved and any resulting engagement concludes, whichever is later.
• Talent Waitlist Applications: Retained for up to 36 months from the date of submission to facilitate ongoing matching with client engagements, unless you request earlier deletion.
• Website Usage & Analytics Data: Retained in anonymized and aggregated form for up to 12 months.
• Contractual & Financial Records: Retained for a minimum of 7 years in compliance with the Kenya Tax Procedures Act, 2015 and the Companies Act, 2015.
• Communication Records: Retained for up to 24 months, or longer if required for ongoing business relationships or legal disputes.

Upon expiration of the applicable retention period, your personal data will be securely deleted or irreversibly anonymized. If deletion is not immediately possible due to technical constraints (e.g., data stored in backup archives), we will isolate the data and protect it from further processing until deletion is feasible.

11. Your Rights as a Data Subject

Under Part IV of the Kenya Data Protection Act, 2019, you have the following rights in relation to your personal data:

• Right of Access (Section 26(a)): You have the right to request confirmation as to whether we process your personal data, and if so, to access that data and receive a copy. We will respond to access requests within 30 days.
• Right to Rectification (Section 26(b)): You have the right to request correction of inaccurate or incomplete personal data we hold about you.
• Right to Deletion (Section 26(c)): You have the right to request that we delete your personal data, subject to legal retention requirements. We will comply unless we have a legal obligation or legitimate reason to retain the data.
• Right to Object (Section 26(e)): You have the right to object to the processing of your personal data where processing is based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
• Right to Data Portability (Section 26(d)): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
• Right Not to be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. We do not currently employ fully automated decision-making processes.

To exercise any of these rights, please submit a written request to enterprise@opengates.app. We may require proof of identity before processing your request to prevent unauthorized access to your data. We will respond to all valid requests within 30 days.

If you are unsatisfied with our response or believe that your data protection rights have been violated, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya. The ODPC can be contacted through their official channels as published by the Government of Kenya.

12. Children's Privacy

Our Site and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. In accordance with Section 33 of the Kenya Data Protection Act, 2019, the processing of personal data relating to a child is only permissible where consent is given by the child's parent or guardian.

If we become aware that we have collected personal data from a child without verified parental consent, we will take immediate steps to delete that data. If you believe a child has provided us with personal data, please contact us at enterprise@opengates.app.

13. Third-Party Links & Services

Our Site may contain links to third-party websites, platforms, or services, including but not limited to:

• Opengates (opengates.app) — freelance marketplace
• Opengates Link Limited (https://www.opengates.com) — parent company
• Social media platforms

These third-party services have their own privacy policies, and we are not responsible for their content or privacy practices. We strongly encourage you to review the privacy policy of every third-party site you visit. A link from our Site does not constitute an endorsement of the third party's privacy practices or data handling procedures.

14. Email Communications

When you submit an inquiry through our contact form, we use Microsoft Azure Communication Services to send transactional emails, including:

• A confirmation email to acknowledge receipt of your inquiry.
• An internal notification to our enterprise team with your inquiry details so we can respond promptly.

These are transactional communications directly related to your request and are not marketing emails. We do not send unsolicited marketing communications. We do not subscribe you to any mailing lists as a result of your inquiry.

Email content is transmitted securely via Azure's encrypted infrastructure. We retain email delivery logs for operational and troubleshooting purposes for up to 90 days.

15. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Post the revised Privacy Policy on the Site.
• Where changes are significant, make reasonable efforts to notify affected Data Subjects (e.g., via email or a prominent notice on the Site).

Your continued use of the Site after any changes to this Privacy Policy constitutes your acceptance of the revised terms. We encourage you to review this page periodically.

16. Governing Law & Jurisdiction

This Privacy Policy is governed by and shall be construed in accordance with the laws of the Republic of Kenya, including but not limited to:

• The Constitution of Kenya, 2010 (Article 31 — Right to Privacy)
• The Data Protection Act, 2019 (Act No. 24 of 2019)
• The Data Protection (General) Regulations, 2021
• The Computer Misuse and Cybercrimes Act, 2018
• The Kenya Information and Communications Act, 1998

Any dispute arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Nairobi, Kenya, or at our discretion, referred to mediation or arbitration in accordance with the Arbitration Act, 1995 (Cap. 49, Laws of Kenya).

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us:

For complaints regarding data protection, you may also contact the Office of the Data Protection Commissioner (ODPC) of Kenya.