Jabali Labs is a trade transaction verification service based in Nairobi, Kenya. When you contact us through our website, we collect your name, email address, organisation, and message so we can respond to you.
We do not sell your data. We do not share it with third parties except the services we use to operate (Formspree for form processing, Google Workspace for email). We retain contact data for 24 months.
You have the right to access, correct, or request deletion of your personal data at any time by contacting [email protected].
Jabali Labs ("Jabali Labs", "we", "us", "our") is a trade transaction verification company providing infrastructure for East African corridor finance. We operate the website jabalilabs.com.
Jabali Labs is the data controller in respect of personal data collected through jabalilabs.com. For the purposes of the Kenya Data Protection Act 2019 (DPA 2019), the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Uganda Data Protection and Privacy Act 2019, Jabali Labs is the controller of the personal data described in this policy.
Jabali Labs operates across East African trade corridors and may interact with individuals in multiple jurisdictions. This policy is designed to comply with the following laws:
Where the requirements of different jurisdictions conflict, we apply the standard that is most protective of data subjects.
When you submit the contact form on jabalilabs.com, we collect:
| Data category | Specific data | Required | Source |
|---|---|---|---|
| Identity data | Full name | Yes | You provide directly |
| Contact data | Email address | Yes | You provide directly |
| Professional data | Organisation name, job title or role | No | You provide directly |
| Communication data | Message content, sample report request preference | No | You provide directly |
| Technical data | IP address, browser type, operating system, referral URL, timestamp | Automatic | Collected automatically via Formspree |
We use Google Analytics (GA4) to understand how visitors use jabalilabs.com. Google Analytics collects anonymised data including pages visited, time on page, geographic region (country/city level), device type, and referral source. Google Analytics does not collect your name or email address. IP addresses are anonymised before storage.
Where Jabali Labs provides trade transaction verification services to lenders and exporters, we process additional categories of data including business registration documents, export and import declarations, phytosanitary certificates, commercial invoices, and related trade documentation. This data is processed solely for the purpose of producing a verification report. It is not retained beyond the verification window and is not used for any other purpose. Specific data handling terms for the verification service are set out in separate service agreements.
We do not collect special categories of personal data (sensitive data) such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, or biometric data through jabalilabs.com.
We process personal data only where we have a lawful basis to do so. The following table sets out our purposes and the corresponding legal basis under each applicable jurisdiction:
| Purpose | Legal basis (Kenya DPA 2019) | Legal basis (UK/EU GDPR) |
|---|---|---|
| Responding to your enquiry or sample report request | Performance of a contract / steps prior to entering a contract (s.30(1)(b)); Legitimate interests (s.30(1)(f)) | Legitimate interests (Art.6(1)(f)); Pre-contractual steps (Art.6(1)(b)) |
| Sending you the requested sample lender verification report | Performance of a contract; Consent (s.30(1)(a)) | Consent (Art.6(1)(a)); Legitimate interests |
| Maintaining records of business communications | Legitimate interests (s.30(1)(f)) | Legitimate interests (Art.6(1)(f)) |
| Improving the website and understanding visitor behaviour | Legitimate interests (s.30(1)(f)) | Legitimate interests (Art.6(1)(f)) |
| Complying with legal obligations | Legal obligation (s.30(1)(c)) | Legal obligation (Art.6(1)(c)) |
We do not sell your personal data. We do not share it with third parties for their own marketing purposes. We share data only with the following data processors who act on our instructions:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Formspree Inc. | Contact form processing — receives form submissions and forwards to our email | United States | Formspree Privacy Policy; Standard Contractual Clauses for EU/UK transfers |
| Google LLC (Google Workspace) | Email hosting and communication — [email protected] | United States / Global | Google Workspace Data Processing Amendment; SCCs; Google Cloud adequacy measures |
| Google LLC (Google Analytics) | Website analytics — anonymised usage data | United States / Global | Google Analytics Data Processing Terms; IP anonymisation enabled; SCCs |
| Cloudflare Inc. | Website hosting, CDN, and security — jabalilabs.com infrastructure | United States / Global edge | Cloudflare Data Processing Addendum; SCCs; adequacy measures |
We may also disclose personal data where required to do so by law, by court order, or by a regulatory authority with jurisdiction over Jabali Labs, including the Office of the Data Protection Commissioner (Kenya) and equivalent authorities in other applicable jurisdictions.
Some of our data processors (Formspree, Google, Cloudflare) are based in the United States. When we transfer your personal data outside your country of residence, we ensure appropriate safeguards are in place:
Transfers outside Kenya are made in compliance with Part V of the Kenya Data Protection Act 2019. We transfer data to third countries only where the recipient country provides an adequate level of protection, or where appropriate contractual safeguards (including standard data protection clauses) are in place.
Transfers are made in compliance with Part VII of the Uganda Data Protection and Privacy Act 2019, with appropriate contractual safeguards in place with all data processors.
Transfers outside the UK are made in compliance with UK GDPR Chapter V. We use UK International Data Transfer Agreements (IDTAs) or UK Addenda to EU Standard Contractual Clauses where required.
Transfers outside the EU/EEA are made in compliance with EU GDPR Chapter V. We rely on Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) EU GDPR where no adequacy decision covers the destination country.
You may request a copy of the transfer safeguards we have in place by contacting [email protected].
| Data category | Retention period | Reason |
|---|---|---|
| Contact form submissions (name, email, organisation, message) | 24 months from the date of submission | To maintain records of business enquiries and follow up as appropriate |
| Email correspondence | 36 months from the date of last communication | Business records and potential dispute resolution |
| Google Analytics data | 14 months (as configured in GA4) | Website improvement; standard GA4 retention period |
| Verification service documents | Duration of verification process plus 30 days | Audit trail and report validity window; not retained beyond this period |
| Legal obligation records | As required by applicable law (typically 7 years for financial records) | Regulatory compliance |
At the end of the applicable retention period, personal data is securely deleted or anonymised. You may request earlier deletion — see Section 8.4.
Depending on your jurisdiction, you have the following rights regarding your personal data. We will respond to all verifiable requests within 30 days (or within the statutory period required by your jurisdiction's law):
| Right | Kenya DPA 2019 | Uganda DPA 2019 | UK GDPR | EU GDPR |
|---|---|---|---|---|
| Right of access — obtain a copy of your data | ✓ s.26 | ✓ | ✓ Art.15 | ✓ Art.15 |
| Right to rectification — correct inaccurate data | ✓ s.27 | ✓ | ✓ Art.16 | ✓ Art.16 |
| Right to erasure ("right to be forgotten") | ✓ s.28 | ✓ | ✓ Art.17 | ✓ Art.17 |
| Right to restriction of processing | ✓ s.29 | ✓ | ✓ Art.18 | ✓ Art.18 |
| Right to data portability | ✓ s.34 | ✓ | ✓ Art.20 | ✓ Art.20 |
| Right to object to processing | ✓ s.32 | ✓ | ✓ Art.21 | ✓ Art.21 |
| Rights related to automated decision-making | ✓ s.33 | ✓ | ✓ Art.22 | ✓ Art.22 |
| Right to withdraw consent | ✓ s.30 | ✓ | ✓ Art.7(3) | ✓ Art.7(3) |
To exercise any of the above rights, contact us at [email protected] with the subject line "Data Subject Request". Please include sufficient information for us to verify your identity and locate your data. We do not charge a fee for reasonable requests.
Where we process your data on the basis of legitimate interests, you have the right to object at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or processing is necessary for legal claims.
Where we process your data based on consent, you may withdraw that consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing that occurred prior to withdrawal.
Jabali Labs does not make automated decisions that produce legal or similarly significant effects about individuals based solely on automated processing. The Transaction Truth Score and GridScore produced through the verification service are provided to lenders as one input into their own human-led credit assessment process.
jabalilabs.com uses the following cookies and tracking technologies:
| Cookie / technology | Provider | Purpose | Duration |
|---|---|---|---|
| _ga, _ga_[ID] | Google Analytics | Distinguishes users for analytics purposes. IP address anonymised. | 2 years / session |
| Cloudflare security cookies | Cloudflare | Security, DDoS protection, load balancing | Session |
We do not use advertising cookies, remarketing cookies, or cookies that track you across other websites. We do not use cookies for profiling or targeted advertising.
You can disable cookies in your browser settings. Disabling analytics cookies will not affect the functionality of jabalilabs.com.
Jabali Labs implements appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
No method of transmission over the internet or electronic storage is completely secure. While we take all reasonable steps to protect your personal data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay in accordance with applicable law.
jabalilabs.com is directed at business professionals and institutional users. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly.
jabalilabs.com may contain links to external websites including Google Calendar (for appointment booking). We are not responsible for the privacy practices of those websites and encourage you to read their privacy policies. This policy applies only to data collected through jabalilabs.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of jabalilabs.com after changes are published constitutes acceptance of the updated policy.
If you have concerns about how we handle your personal data, please contact us first at [email protected]. We will aim to resolve your concern within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:
| Jurisdiction | Supervisory authority | Contact |
|---|---|---|
| Kenya | Office of the Data Protection Commissioner (ODPC) | odpc.go.ke · [email protected] |
| Uganda | Personal Data Protection Office (PDPO) | pdpo.go.ug |
| United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk · 0303 123 1113 |
| European Union | Your local EU data protection authority (Lead authority: determined by your member state) | edpb.europa.eu for directory |
For any questions, requests, or concerns about this Privacy Policy or your personal data: