Privacy Policy

PRIVACY POLICY

Last updated: February 2026

This Privacy Policy explains how Xcobean Systems Limited ("Xcobean", "we", "us" or "our") collects, uses, stores, shares and protects your personal data when you use our websites and services.

This policy applies to all services offered through our websites, including:

www.xcobean.com, www.xcobean.org, www.xcobean.uk, www.xcobean.tech, www.xs.ke, www.xcobean.co.za and www.xcobean.africa (collectively, the "Websites").

By using our Websites or Services, you consent to the collection and use of your personal data as described in this policy. If you do not agree, please do not use our services.

1. DATA CONTROLLER

Xcobean Systems Limited is the data controller responsible for your personal data.

Registered Address: 11th Floor, Britam Towers, Nairobi, Kenya

Email: privacy@xcobean.com

This policy is governed by the Data Protection Act, 2019 of the Republic of Kenya and applicable data protection regulations.

2. INFORMATION WE COLLECT

We collect the following categories of personal data:

2.1 Information You Provide

  • Full name, email address, phone number and postal address
  • Company name and registration details (where applicable)
  • Billing and payment information (credit/debit card details, M-Pesa details)
  • Domain registration data (registrant name, address, email, phone as required by ICANN)
  • Support tickets, correspondence and communications with us
  • Account credentials (username and password)

2.2 Information Collected Automatically

  • IP address, browser type, operating system and device information
  • Pages visited, time spent, referral URLs and clickstream data
  • Cookies and similar tracking technologies (see Section 8)
  • Server logs and usage analytics

2.3 Information from Third Parties

  • Payment processors (transaction confirmations and fraud screening)
  • Domain registries and ICANN (WHOIS verification)
  • Identity verification services (where required)

3. HOW WE USE YOUR DATA

We process your personal data for the following purposes:

  • Service delivery: to provision, manage, maintain and support the services you have ordered
  • Account management: to create and manage your customer account
  • Billing and payments: to process invoices, payments, refunds and collections
  • Communication: to send transactional notifications including service alerts, billing reminders, maintenance notices and account updates
  • Domain registration: to submit and maintain domain registration data with registries and ICANN as required
  • Security: to detect, prevent and respond to fraud, abuse, security incidents and technical issues
  • Legal compliance: to comply with applicable laws, regulations, court orders and governmental requests
  • Service improvement: to analyse usage patterns and improve our Websites and Services
  • Support: to respond to your enquiries, support tickets and requests

We do not use your personal data for marketing purposes without your explicit consent.

4. LEGAL BASIS FOR PROCESSING

Under the Data Protection Act, 2019 (Kenya), we process your data on the following legal bases:

  • Performance of a contract: processing necessary to deliver the services you have ordered
  • Legitimate interests: processing necessary for our legitimate business interests, including fraud prevention, security and service improvement
  • Legal obligation: processing required by law, including tax, regulatory and ICANN requirements
  • Consent: where you have given explicit consent, for example for marketing communications

5. DATA SHARING AND DISCLOSURE

We may share your personal data with the following categories of recipients:

  • Domain registries and ICANN: as required for domain name registration and management
  • Payment processors: to process your payments securely (e.g. PayPal, Stripe, M-Pesa, card processors)
  • Infrastructure providers: data centre operators and hosting partners who help us deliver services
  • SSL/TLS certificate authorities: to issue and manage certificates you have ordered
  • Professional advisors: lawyers, auditors and accountants where necessary
  • Law enforcement and regulators: where required by law, court order or regulatory obligation
  • Business transfers: in the event of a merger, acquisition or sale of assets

We do not sell your personal data to third parties.

6. INTERNATIONAL DATA TRANSFERS

Some of our service providers and infrastructure partners are located outside Kenya. Where personal data is transferred internationally, we ensure that appropriate safeguards are in place in accordance with the Data Protection Act, 2019, including:

  • Contractual clauses requiring the recipient to protect personal data
  • Transfers to countries with adequate data protection laws
  • Compliance with applicable cross-border transfer requirements

7. DATA RETENTION

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including:

  • Active accounts: for the duration of your account and service subscription
  • After account closure: for up to 7 years to comply with tax, legal and regulatory obligations
  • Billing records: as required by the Kenya Revenue Authority and applicable tax law
  • Domain data: as required by ICANN and registry policies
  • Support tickets: for up to 3 years after resolution
  • Server logs: for up to 12 months

When personal data is no longer required, it will be securely deleted or anonymised.

8. COOKIES AND TRACKING

Our Websites use cookies and similar technologies to:

  • Keep you signed in to your account
  • Remember your preferences and settings
  • Analyse website traffic and usage patterns
  • Improve website performance and user experience

You can manage cookie preferences through your browser settings. Disabling cookies may affect the functionality of our Websites.

9. DATA SECURITY

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption of data in transit using TLS/SSL
  • Encryption of sensitive data at rest
  • Access controls and role-based permissions
  • Regular security assessments and monitoring
  • Secure data centre facilities with physical access controls
  • Staff training on data protection and security

While we take all reasonable steps to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

10. YOUR RIGHTS

Under the Data Protection Act, 2019, you have the following rights:

  • Right of access: to request a copy of the personal data we hold about you
  • Right to rectification: to request correction of inaccurate or incomplete data
  • Right to erasure: to request deletion of your personal data, subject to legal obligations
  • Right to restrict processing: to request that we limit how we use your data
  • Right to data portability: to receive your data in a structured, machine-readable format
  • Right to object: to object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at privacy@xcobean.com. We will respond within 30 days.

11. CHILDREN'S PRIVACY

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

12. THIRD-PARTY LINKS

Our Websites may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We encourage you to review the privacy policies of any third-party sites you visit.

13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated by:

  • Posting the updated policy on our Websites
  • Updating the "Last updated" date at the top of this page
  • Sending a notification to your registered email address (for significant changes)

Your continued use of our services after any changes constitutes acceptance of the updated policy.

14. COMPLAINTS

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

Office of the Data Protection Commissioner
Republic of Kenya
Website: www.odpc.go.ke

We encourage you to contact us first at privacy@xcobean.com so that we can address your concerns directly.

15. CONTACT US

For any questions, requests or concerns about this Privacy Policy or our data practices, please contact:

Xcobean Systems Limited
11th Floor, Britam Towers
Nairobi, Kenya
Email: privacy@xcobean.com