Privacy Policy

1Introduction

McDorcis Solutions Ltd ("McDorcis," "we," "us," or "our") is committed to protecting the privacy and personal information of our clients, website visitors, job applicants, and other individuals who interact with our services. We are a Kenya-based company providing Business Process Outsourcing (BPO), IT Solutions, and AI-driven automation services to businesses worldwide.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our website at www.mcdorcis.com, use our services, communicate with us, or otherwise interact with our business. It applies to all personal information processed by McDorcis Solutions, whether collected online or offline.

We process personal information in accordance with applicable data protection legislation, including the Kenya Data Protection Act, 2019 (DPA) and, where applicable, the European Union General Data Protection Regulation (GDPR). By using our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy.

2Information We Collect

We may collect and process the following categories of personal information, depending on how you interact with us:

Identity & Contact Information

• Full name, job title, and company name
• Email address, telephone number, and physical address
• Professional profile information (e.g., LinkedIn profile)

Business & Engagement Information

• Information provided in service enquiries, proposals, and Statements of Work
• Billing and payment details (bank account information, invoicing details)
• Communication records (emails, meeting notes, support tickets)
• Feedback, survey responses, and testimonials

Technical & Usage Information

• IP address, browser type and version, operating system, and device information
• Pages visited, time spent on pages, click patterns, and referral URLs
• Cookies and similar tracking identifiers (see Section 11)

Job Applicant Information

• Curriculum vitae (CV) or resume, cover letter, and work history
• Educational qualifications and professional certifications
• References and background check information (where applicable and with consent)

Client Service Data

• Data provided by clients in the course of receiving our BPO, IT, or AI services, which may include personal information of the client's own customers or employees. In such cases, McDorcis Solutions acts as a data processor on behalf of the client (the data controller).

3How We Collect Information

We collect personal information through the following means:

• Directly from you: When you fill out a contact form on our website, send us an email, call us, attend a meeting, submit a job application through our careers portal, or otherwise provide information to us voluntarily.
• Through our services: When you engage us for BPO, IT outsourcing, or AI-driven solutions, we collect information necessary to deliver those services as defined in the applicable Statement of Work or service agreement.
• Automatically: When you visit our website, we automatically collect certain technical and usage information through cookies, web beacons, analytics tools (such as Google Analytics), and server logs.
• From third parties: We may receive information about you from business partners, recruitment agencies, publicly available sources (such as company websites and professional networking platforms), or from our clients when they engage us to process data on their behalf.

4How We Use Your Information

We use the personal information we collect for the following purposes:

• Service Delivery: To provide, manage, and improve our BPO, IT outsourcing, AI-driven automation, application development, infrastructure management, and technical support services.
• Communication: To respond to your enquiries, provide customer support, send service-related notifications, and communicate about projects and engagements.
• Business Operations: To process invoices and payments, manage contracts and Statements of Work, maintain client records, and administer our business relationships.
• Recruitment: To evaluate job applications, conduct interviews, perform background checks (with consent), and manage our talent pipeline.
• Marketing: To send you information about our services, industry insights, and company updates where you have opted in to receive such communications. You may unsubscribe at any time.
• Website Improvement: To analyse website usage patterns, improve user experience, optimise content, and ensure the security and proper functioning of our website.
• Legal & Compliance: To comply with applicable laws and regulations, respond to legal processes, enforce our terms and conditions, and protect our rights, property, and safety.
• Security: To detect, prevent, and address fraud, security threats, and technical issues affecting our systems and services.

5Legal Basis for Processing

We process your personal information on one or more of the following legal bases, as required by the Kenya Data Protection Act (DPA) and, where applicable, the GDPR:

• Consent: Where you have given clear, voluntary consent for us to process your personal information for a specific purpose (e.g., subscribing to our newsletter or submitting a contact form). You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Contractual Necessity: Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract (e.g., delivering services under a Statement of Work).
• Legal Obligation: Where processing is necessary to comply with a legal obligation to which McDorcis Solutions is subject (e.g., tax reporting, employment law compliance, or responding to lawful requests from regulatory authorities).
• Legitimate Interest: Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include improving our services, maintaining security, marketing to existing clients, and managing our business operations.
• Protection of Vital Interests: In rare circumstances, where processing is necessary to protect the vital interests of a natural person.

6Data Sharing & Third Parties

We do not sell your personal information. We may share your personal information with the following categories of recipients, only to the extent necessary and in accordance with applicable law:

• Service Providers: Trusted third-party vendors who assist us in operating our business, including cloud hosting providers, payment processors, email service providers, analytics providers, and CRM platforms. These providers are contractually obligated to protect your data and may only process it on our instructions.
• Professional Advisors: Legal counsel, auditors, and accountants who require access to personal information in connection with the professional services they provide to us.
• Business Partners: Where we collaborate with technology partners or subcontractors to deliver services to you, we may share relevant information to the extent necessary for service delivery.
• Regulatory & Legal Authorities: Where required by law, regulation, or legal process, or where necessary to protect our rights, property, safety, or the rights of others. This includes responding to lawful requests from government authorities.
• Corporate Transactions: In connection with a merger, acquisition, reorganisation, or sale of assets, your personal information may be transferred to the acquiring entity, subject to applicable data protection obligations.

We require all third parties to whom we disclose personal information to implement appropriate security measures and to process data only in accordance with our instructions and applicable law.

7International Data Transfers

As a company that provides services to clients worldwide, your personal information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from the laws of your jurisdiction.

Where we transfer personal information outside of Kenya or the European Economic Area (EEA), we ensure that appropriate safeguards are in place to protect your data, including:

• Transferring data to countries that have been recognised as providing an adequate level of data protection by the relevant authority (the Office of the Data Protection Commissioner in Kenya or the European Commission).
• Entering into Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent contractual arrangements recognised under the Kenya Data Protection Act.
• Obtaining your explicit consent to the transfer, where required and where you have been informed of the potential risks.
• Implementing binding corporate rules or other recognised transfer mechanisms approved by the applicable supervisory authority.

You may contact us to obtain more information about the safeguards we have in place for specific international data transfers.

8Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are determined by the following criteria:

• Client & Contract Data: Retained for the duration of the client relationship and for a period of five (5) years after the termination or expiration of the last active contract, to comply with legal, tax, and regulatory obligations.
• Financial & Tax Records: Retained for a minimum of five (5) years from the end of the relevant financial year, in accordance with Kenyan tax legislation and the Companies Act.
• Job Applicant Data: Retained for up to twelve (12) months after the completion of the recruitment process. If your application is unsuccessful, we may retain your information for future opportunities unless you request its deletion.
• Marketing Data: Retained until you withdraw your consent or unsubscribe from our communications. Contact records may be retained for up to two (2) years after the last interaction.
• Website & Analytics Data: Retained for up to twenty-six (26) months, in line with Google Analytics default retention settings.
• Communication Records: Retained for the duration of the relevant engagement and for up to three (3) years thereafter.

When personal information is no longer required, we securely delete or anonymise it in accordance with our data disposal procedures. Anonymised data, which cannot be used to identify you, may be retained indefinitely for analytical and statistical purposes.

9Data Security

McDorcis Solutions implements appropriate technical and organisational measures to protect personal information against unauthorised or unlawful processing, accidental loss, destruction, alteration, or damage. Our security measures include:

• Encryption: Data is encrypted in transit using TLS/SSL protocols and, where appropriate, at rest using industry-standard encryption algorithms.
• Access Controls: Access to personal information is restricted to authorised personnel on a need-to-know basis. We employ role-based access controls, multi-factor authentication, and strong password policies.
• Infrastructure Security: Our systems are hosted on secure, SOC 2-compliant cloud infrastructure with firewalls, intrusion detection systems, and continuous monitoring.
• Employee Training: All employees and contractors undergo regular data protection and security awareness training. Staff with access to personal data are bound by confidentiality obligations.
• Incident Response: We maintain a data breach incident response plan to ensure that any security incidents are detected, reported, and addressed promptly. In the event of a breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and within 72 hours of becoming aware of the breach.
• Vendor Management: Third-party service providers are subject to due diligence assessments and are required to maintain security standards consistent with our own.

While we take all reasonable precautions, no method of data transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining and continuously improving our security posture.

10Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information. Under the Kenya Data Protection Act (DPA) and, where applicable, the GDPR, you have the right to:

• Access: Request confirmation of whether we hold personal information about you and, if so, obtain a copy of that information together with details of how it is processed.
• Rectification: Request correction or updating of inaccurate or incomplete personal information we hold about you.
• Erasure (Right to be Forgotten): Request deletion of your personal information where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where there is no overriding legal basis for continued processing.
• Restriction of Processing: Request that we restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of the data or object to our processing.
• Data Portability: Where applicable under the GDPR, request a copy of your personal information in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller.
• Objection: Object to the processing of your personal information where we rely on legitimate interests as the legal basis, or object to processing for direct marketing purposes at any time.
• Withdrawal of Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
• Automated Decision-Making: The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you, unless such processing is necessary for a contract, authorised by law, or based on your explicit consent.

To exercise any of these rights, please contact our Data Protection Officer using the details provided in Section 14. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may request verification of your identity before processing your request. If your request is manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse the request, in accordance with applicable law.

Right to Lodge a Complaint

If you believe that your privacy rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority. In Kenya, this is the Office of the Data Protection Commissioner (odpc.go.ke). If you are located in the EEA, you may lodge a complaint with the data protection authority in your country of residence.

11Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyse website traffic, and understand how visitors interact with our site.

Types of Cookies We Use

• Essential Cookies: Required for the basic functioning of our website, including navigation, security, and session management. These cookies cannot be disabled.
• Analytics Cookies: We use Google Analytics (GA4) to collect aggregated, anonymised data about how visitors use our website, including pages visited, session duration, and traffic sources. Google Analytics uses cookies to generate statistical reports. For more information, see Google's Privacy Policy.
• Functional Cookies: These cookies enable enhanced functionality and personalisation, such as remembering your preferences and settings.

Managing Cookies

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling certain cookies may affect the functionality of our website. For more information about cookies and how to manage them, visit www.allaboutcookies.org.

Do Not Track

Some browsers offer a "Do Not Track" (DNT) setting. There is currently no industry-wide standard for DNT signals. Our website does not currently respond to DNT signals, but we respect your right to manage tracking through cookie settings and browser preferences.

12Children's Privacy

Our website and services are directed at businesses and professionals and are not intended for use by children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information as soon as reasonably practicable.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately using the details in Section 14, and we will take appropriate action.

13Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. When we make material changes, we will:

• Update the "Effective Date" and version number at the top of this page.
• Post the updated Privacy Policy on our website.
• Where required by law or where changes are significant, notify you by email or through a prominent notice on our website.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information. Your continued use of our website or services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

14Contact & Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, or if you wish to exercise any of your rights described in Section 10, please contact us:

• Email: privacy@mcdorcis.com
• General Enquiries: info@mcdorcis.com
• Phone: +254 704 093 039
• Address: McDorcis Solutions Ltd, Westlands, Nairobi, Kenya

For data protection-related matters, you may also contact our appointed Data Protection Officer directly at dpo@mcdorcis.com. We will endeavour to respond to all enquiries within 30 days.