Privacy policy

Fehu Crest Consulting Group Ltd.(“FCCG”, “we”, “us”) respects your privacy. This Privacy Policy describes how we collect, use, store, and share personal data when you interact with our website (fehucrestconsult.com), subscribe to updates where offered, or otherwise contact us electronically, and how you can exercise your rights.

This policy is designed to align with the EU/UK General Data Protection Regulation (“GDPR”) where it applies to our processing, and with the principles of the Kenya Data Protection Act, 2019 (“KDPA”) and related regulations where applicable. If you are located outside those frameworks, local laws may also give you rights—we will respect those requirements where they apply to us.

1. Data controller

The data controller responsible for personal data described in this policy is Fehu Crest Consulting Group Ltd., with address KMA Centre, Block A, 5th floor, Suite 2, Mara Rd, Upperhill, Nairobi, P.O. Box 14677-00100, Nairobi. You can contact us at info@fehucrestconsult.com.

We do not require you to appoint a statutory Data Protection Officer for all processing described here; however, privacy questions and requests under Section 8 below should be directed to the contact details above. We will respond within timelines required by applicable law (including, where GDPR applies, within one month in most cases, subject to extension for complex requests).

2. Scope

This policy applies to information we process through:

• Our public website and web pages operated by FCCG;
• Contact or inquiry forms, e-mail, telephone, or messaging channels used to reach our team;
• Newsletter or similar marketing sign-ups where we offer them on the Site;
• Recruitment or speculative applications sent via published channels.

If you become a client under a separate engagement letter or statement of work, additional terms and privacy notices may apply to personal data processed for that engagement (for example firm-wide conflict checks or project records). This page does not replace those contractual or engagement-specific documents.

3. Information we collect

We may process the following categories of personal data:

• Identity and contact data — name, job title, employer, country, phone number, e-mail address, and similar details you provide voluntarily.
• Communication content — messages you send via forms or e-mail, call notes where retained internally, meeting scheduling information, and attachments you choose to share.
• Marketing preferences — subscription status, opt-in records, and unsubscribe requests where marketing is used.
• Technical and usage data — IP address, browser type, device identifiers, approximate location derived from IP, pages viewed, referring URL, and timestamps. Some of this may be collected through cookies or similar technologies as described in our Cookie Policy.

We do not intentionally collect special category (sensitive) data via the Site. Please do not submit health data or other sensitive categories unless we explicitly request them through a secure channel for a defined purpose (for example, where law requires or you have consented in writing).

4. How we use personal data and legal bases

Depending on context, we rely on one or more of the following legal bases (GDPR Art. 6):

• Contract / pre-contractual steps — responding to commercial enquiries, preparing proposals, and onboarding clients where you initiate a relationship with us.
• Legitimate interests — operating and securing the Site, analyzing aggregated usage, maintaining IT and security logs (balanced against your rights), and limited business development, where not overridden by your interests.
• Consent — where we place non-essential cookies or similar technologies, send certain marketing messages, or process data where consent is the appropriate lawful basis. You may withdraw consent at any time without affecting lawfulness of prior processing.
• Legal obligation — where we must retain or disclose information to comply with law, court orders, or regulatory requests.

Under the KDPA, we commit to processing personal data lawfully, fairly, transparently, and for specified purposes; collecting the minimum data necessary; ensuring accuracy and security; and retaining data only as long as necessary for the purposes described (see Section 6).

5. Sharing, processors, and international transfers

We do not sell your personal data. We may share it with:

• Service providers — hosting, e-mail delivery, analytics (where consented), customer relationship tools, or IT support, bound by contract to protect information and process it only on our instructions.
• Professional advisers — lawyers, auditors, or insurers where required for legitimate business purposes.
• Authorities — regulators, courts, or law enforcement where mandatory law requires disclosure.
• Corporate transactions — a prospective purchaser or investor in connection with a merger, acquisition, or asset sale, subject to confidentiality safeguards.

Your data may be processed in Kenya and, where our service providers are located elsewhere (including the European Economic Area, United Kingdom, or United States), transferred subject to appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other mechanisms recognised under GDPR / UK GDPR, and compatible measures under the KDPA where applicable.

6. Retention

We retain personal data only as long as necessary for the purposes described, including satisfying legal, accounting, or reporting requirements. Indicative periods: enquiry data—for the duration of the dialogue plus a limited follow-up period (typically up to 24–36 months unless a longer period is justified by a live opportunity or legal hold); client-related records—as required by professional engagement terms and law; technical logs—in line with security policy (often shorter rotating retention); marketing consents—until withdrawn or three years of inactivity, unless a different period is required.

7. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, accidental loss, or unlawful processing. No method of transmission over the Internet is completely secure; we encourage you to use secure channels for highly confidential matters after we have agreed appropriate protections.

8. Your rights

Depending on your location, you may have the right to: request access to your personal data; request correction of inaccuracies; request deletion where applicable; restrict or object to certain processing; request portability of data you provided in structured form where technically feasible; withdraw consent where processing was consent-based; and lodge a complaint with a supervisory authority.

In Kenya, you may contact the Office of the Data Protection Commissioner (ODPC) regarding concerns. In the EU/UK, you may contact your local supervisory authority. To exercise rights with FCCG, e-mail info@fehucrestconsult.com with sufficient detail for us to verify and fulfil your request.

9. Children

The Site is not directed at children under 16 (or the age required locally). We do not knowingly collect personal data from children. If you believe we have received a child's data in error, please contact us and we will delete it where required by law.

10. Automated decisions

We do not use personal data collected through the Site to make solely automated decisions that produce legal or similarly significant effects on individuals.

11. Changes to this policy

We may update this Privacy Policy to reflect legal, technical, or business changes. Material updates will be posted on this page with a revised “Last updated” date. Where required by law or where changes affect consent-based processing, we will provide an additional notice or collect fresh consent as appropriate.

12. Contact

Privacy questions or requests: info@fehucrestconsult.com.