The short version
- We collect only what we need to run our programmes and services — nothing more.
- We never sell, rent, or trade your personal data. Ever.
- We use Gmail SMTP for emails only — no third-party ad trackers or analytics platforms.
- Your password is stored as a one-way bcrypt hash. We can never see it.
- We notify the ODPC within 72 hours of a data breach. You are notified without undue delay.
- You have 7 enforceable rights under the Kenya Data Protection Act, 2019.
- You can request access, correction, portability, or deletion of your data at any time.
- We are governed by the Kenya Data Protection Act, 2019 (Act No. 24 of 2019).
1. Overview
TechOps Hub ("we", "us", "our", or "the Company") is committed to protecting the privacy, dignity, and personal data of every individual who visits our website, enrols in our programmes, uses our platform, or engages with our services.
This Privacy Policy explains what personal information we collect, the lawful basis on which we process it, how we use and protect it, with whom we share it, and the rights you hold over your data under Kenyan law. It applies to all services offered through techopsshub.com and associated sub-domains.
By accessing techopsshub.com, registering an account, submitting a form, or otherwise using our services, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please discontinue use of our services immediately.
This policy is governed by the laws of the Republic of Kenya, including the Kenya Data Protection Act, 2019 (Act No. 24 of 2019) ("DPA 2019"), the Kenya Information and Communications Act, Cap 411A, and any subsidiary legislation issued thereunder. Where we engage with data subjects in the European Union, we align with the EU General Data Protection Regulation (GDPR) where applicable.
2. Data Controller & Contact Details
For the purposes of the Kenya Data Protection Act, 2019, TechOps Hub is the Data Controller responsible for personal data collected through this platform. A Data Controller is the person or entity that determines the purposes and means of processing personal data (DPA 2019, s.2).
TechOps Hub is an AI product school, technology company, and start-up incubator headquartered in Nairobi, Kenya. We operate training programmes, research labs, incubation services, an online community, and a commercial merchandise store ("Swag Shop").
For all data protection, privacy, or legal enquiries, contact us at:
Nairobi, Kenya
Privacy enquiries: privacy@techopsshub.com
Legal matters: legal@techopsshub.com
General support: support@techopsshub.com
We are committed to registering with the Office of the Data Protection Commissioner of Kenya (ODPC) in accordance with DPA 2019 s.15, which requires data controllers to register where required by regulations. We will publish our registration number on this page upon confirmation.
3. Data Protection Officer (DPO)
The Kenya Data Protection Act, 2019 (s.24) requires certain data controllers to designate a Data Protection Officer where processing is carried out on a large scale or involves sensitive personal data. As TechOps Hub scales its operations and membership base, we are in the process of formally designating a DPO.
In the interim, all data protection matters, rights requests, and complaints are handled directly by the founding team. You may reach the person responsible for data protection at:
Upon formal DPO designation, the officer's name and contact details will be published on this page and notified to the ODPC as required.
4. Lawful Basis for Processing
Under DPA 2019 s.30, we may only process personal data where we have a lawful basis to do so. The lawful bases we rely upon are:
| Lawful Basis | When We Use It |
|---|---|
| Consent (DPA 2019 s.30(a)) | Newsletter subscriptions, marketing emails, optional analytics, and any processing of sensitive personal data. You may withdraw consent at any time. |
| Performance of a Contract (DPA 2019 s.30(b)) | Creating and managing your membership account, processing swag orders, delivering programme materials, and sending OTP codes for authentication. |
| Legal Obligation (DPA 2019 s.30(c)) | Retaining financial and commercial records under Kenyan law (e.g., the Value Added Tax Act, the Tax Procedures Act), responding to court orders, and cooperating with lawful authority requests. |
| Vital Interests (DPA 2019 s.30(d)) | In exceptional circumstances where processing is necessary to protect life or safety. |
| Public Interest (DPA 2019 s.30(e)) | Where required for tasks in the public interest or in the exercise of official authority, such as reporting to regulatory bodies. |
| Legitimate Interests (DPA 2019 s.30(f)) | Improving platform performance through aggregated analytics, fraud prevention, responding to contact form enquiries, platform security, and operational communications to members. We conduct a balancing test to ensure our interests do not override your fundamental rights. |
Where we rely on consent as our lawful basis, you have the right to withdraw that consent at any time without affecting the lawfulness of processing conducted prior to withdrawal. To withdraw consent, email privacy@techopsshub.com or use the unsubscribe link in any marketing email.
5. Information We Collect
We apply the principle of data minimisation (DPA 2019 s.25(d)): we collect only the personal data that is adequate, relevant, and limited to what is necessary for the specific purpose for which it is processed. We do not collect personal data speculatively or "just in case".
5.1 Information You Provide Directly
- Registration data: full name, email address, phone number, location (city/county), sector or industry, and programme of interest when you apply for membership.
- Account credentials: email address and password. Passwords are stored exclusively as a salted bcrypt hash — we never store, transmit, or have access to your plain-text password.
- Contact form submissions: your name, email address, subject, and message when you write to us via the Contact page.
- Swag orders: name, email address, phone number, shipping address, and selected product options (size, colour, quantity) when you place an order through our merchandise store.
- Event registrations: name, email address, phone number, and any optional message when you register for a TechOps Hub event or workshop.
- Newsletter subscriptions: email address and, optionally, your first name when you subscribe to our mailing list.
- Incubation applications: business description, team composition, stage of development, financial projections, and any documents you voluntarily provide during the incubation application process.
5.2 Information Collected Automatically
- Page analytics: we record page paths visited and anonymous session identifiers (a client-generated UUID stored in your browser's sessionStorage) to understand how our platform is used. We do not store raw IP addresses — only a truncated SHA-256 hash of your IP (first 16 hex characters) for fraud and abuse detection.
- User-agent string: we record your browser's user-agent string (up to 300 characters) for analytics. Bot traffic (identified by known crawler signatures) is automatically discarded and never stored.
- Server log data: our hosting infrastructure may automatically record IP addresses, timestamps, HTTP status codes, and referring URLs as part of standard server operation. This data is used solely for security, uptime monitoring, and incident investigation.
5.3 Sensitive Personal Data
The DPA 2019 (s.2) defines certain categories of data as sensitive personal data, including racial or ethnic origin, political opinions, religious beliefs, health data, and biometric data. We do not collect sensitive personal data as part of our standard registration or programme enrolment. If any sensitive data is requested for a specific purpose (e.g., accessibility accommodations for an event), we will seek your explicit prior consent in writing.
5.4 Information We Do Not Collect
- We do not collect or store payment card numbers, bank account numbers, or M-Pesa PINs. Payment instructions and confirmations are communicated separately through secure channels.
- We do not use third-party advertising trackers, Facebook Pixel, TikTok Pixel, or Google Analytics on our platform.
- We do not collect government-issued ID numbers, KRA PINs, or National ID numbers unless expressly required for a legally mandated purpose and with your prior written consent.
- We do not conduct audio or video surveillance of our members.
6. How We Use Your Information
We use the personal information we collect for the following specific, explicit, and legitimate purposes (DPA 2019 s.25(b)):
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Processing your membership application and managing your account | Name, email, phone, location, sector | Performance of contract |
| Authenticating your identity via one-time passwords (OTP) | Email address | Performance of contract / Security |
| Delivering programme content, schedules, and learning materials | Email address, name | Performance of contract |
| Processing merchandise orders and coordinating fulfilment | Name, email, phone, shipping address | Performance of contract |
| Responding to contact form enquiries | Name, email, message | Legitimate interest |
| Sending newsletter content (subscribers only) | Email address, first name | Consent |
| Confirming event registrations and sending reminders | Name, email, phone | Performance of contract / Consent |
| Evaluating incubation applications | Business data, team composition, projections | Performance of contract / Legitimate interest |
| Improving our website through aggregated, anonymised analytics | Page paths, session IDs, user-agent (aggregated) | Legitimate interest |
| Detecting and preventing fraud, abuse, or unauthorised access | IP hash, user-agent, session data | Legal obligation / Legitimate interest |
| Complying with tax and financial record-keeping obligations | Order records, payment confirmations | Legal obligation (Tax Procedures Act, VAT Act) |
| Administering the incubation equity programme | Contact details, company registration data | Performance of contract (Definitive Agreement) |
We will never use your personal data for purposes incompatible with those listed above without providing prior notice and, where required, obtaining your consent. We do not use personal data for profiling or automated decision-making that produces legal or similarly significant effects — see Section 14 for more detail.
8. How We Share Your Information
We do not sell, rent, trade, or license your personal information to any third party. Your data is shared only in the following strictly limited circumstances:
8.1 Service Providers (Data Processors)
We engage limited third-party service providers who process personal data on our behalf and under our documented instructions only:
- Email delivery (Google SMTP / Gmail): we use Google's SMTP infrastructure to deliver transactional emails — OTP codes, registration confirmations, order updates, and contact replies. Google processes email content solely to deliver the message and does not use it for advertising or profiling. We do not use Google Analytics, Google Ads, or other Google tracking products.
- Cloud hosting (DigitalOcean): our backend infrastructure and database are hosted on DigitalOcean servers, which store and process your data in accordance with DigitalOcean's security and compliance standards. DigitalOcean is SOC 2 Type II certified.
- Frontend hosting: our frontend application may be served via a global CDN for performance. Static assets and server-side rendering do not expose personal data to CDN infrastructure beyond what is transmitted in standard HTTP request headers.
All service providers are contractually bound via Data Processing Agreements (DPAs) to handle your data securely, process it only for the purpose specified, and delete it upon termination of the relationship.
8.2 Legal and Regulatory Disclosures
We may disclose personal data to competent governmental or regulatory authorities where required by Kenyan law, including but not limited to:
- In response to a valid court order, warrant, or legal process.
- To comply with obligations under the Kenya Information and Communications Act (Cap 411A), the Computer Misuse and Cybercrimes Act, 2018, or any other applicable legislation.
- To report to the ODPC as required under DPA 2019.
- To protect the rights, property, or safety of TechOps Hub, our members, or the public where we have a reasonable and good-faith belief that disclosure is necessary.
We will, to the extent permitted by law, notify affected individuals before disclosing their data to authorities.
8.3 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or substantially all of the assets of TechOps Hub, personal data held by us may be transferred to the successor entity as part of that transaction. We will notify affected users by email at least 30 days before any such transfer occurs, and the successor entity will be bound by this Privacy Policy or a substantially equivalent policy.
8.4 Aggregated & Anonymised Data
We may share aggregated, anonymised statistical data (e.g., total page views, programme enrolment numbers) publicly or with partners. Such data cannot reasonably be used to identify you and is not personal data within the meaning of DPA 2019.
9. International Data Transfers
Your personal data is primarily stored and processed in Kenya. Where data is transferred to or processed in countries outside Kenya — for example, through our cloud hosting provider or email delivery service — we take the following safeguards (DPA 2019 s.48):
- Adequacy: we transfer data only to countries or organisations that the ODPC has determined provide an adequate level of data protection, or where an equivalent adequacy determination exists.
- Standard Contractual Clauses (SCCs): where no adequacy determination exists, we rely on contractual clauses approved by the ODPC or equivalent competent authority to ensure your data receives the same level of protection as it would in Kenya.
- Binding Corporate Rules: where applicable, we rely on the binding corporate rules of our service providers.
- Your explicit consent: for transfers not covered by the above, we will seek your prior explicit consent and inform you of any risks.
You may request details of the specific safeguards in place for any cross-border transfer by contacting us at privacy@techopsshub.com.
10. Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by Kenyan law (DPA 2019 s.25(e)). The following retention periods apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Member account data (profile, credentials) | Duration of membership + 3 years after deactivation | Contractual / Legitimate interest (dispute resolution) |
| Contact form messages | 2 years from submission | Legitimate interest |
| Swag order records | 7 years from order date | Legal obligation (Tax Procedures Act, 2015 — s.23 requires 5-year minimum; we retain for 7 years for prudence) |
| Event registration data | 1 year after the event date | Legitimate interest |
| Newsletter subscription data | Until you unsubscribe or withdraw consent | Consent |
| OTP records | 15 minutes (auto-expire and purge) | Security / Performance of contract |
| Analytics data (IP hash, session ID, page path) | 24 months, then anonymised or deleted | Legitimate interest |
| Incubation application data | Duration of engagement + 5 years | Performance of contract / Legal obligation |
| Security log data (server logs) | 90 days | Legitimate interest (security) |
Upon expiry of the applicable retention period, data is permanently and irreversibly deleted or anonymised in a manner that prevents re-identification. You may request early deletion subject to the exercise of your right to erasure as described in Section 12.
11. How We Protect Your Data
We implement privacy by design and by default (DPA 2019 s.41), integrating data protection safeguards into our systems and processes from inception rather than as an afterthought. Our technical and organisational security measures include:
11.1 Technical Measures
- Password hashing: all passwords are hashed using bcrypt with a per-user salt. We never store, log, or transmit plain-text passwords.
- Transport encryption: all data in transit between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). Plain HTTP is redirected to HTTPS automatically.
- Token security: authentication JWTs are signed with strong secret keys, carry expiry claims, and are invalidated server-side on sign-out. Refresh tokens are rotated on every use.
- OTP security: one-time passwords are single-use, expire within 15 minutes, and are immediately invalidated upon use or expiry.
- IP anonymisation: raw IP addresses are never stored. Analytics records only a truncated SHA-256 hash of the IP address, which cannot be reversed to recover the original address.
- Bot filtering: known bot and crawler user-agents are identified and their requests discarded before any data is written to our analytics database.
- Infrastructure security: backend systems are hosted in hardened cloud environments with network firewalls, intrusion detection, automated security patching, and regular vulnerability assessments.
11.2 Organisational Measures
- Access control: access to personal data is restricted on a need-to-know basis, enforced through role-based access controls (RBAC). Administrative access requires multi-factor authentication.
- Staff awareness: all team members with access to personal data are briefed on their obligations under the DPA 2019 and our internal data protection policies.
- Vendor due diligence: third-party service providers are evaluated for security and compliance before engagement and are bound by Data Processing Agreements.
- Incident response: we maintain a documented data breach response procedure, including defined escalation paths and regulatory notification timelines.
While we take all reasonable and proportionate precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and encourage you to use strong, unique passwords and to sign out of your account on shared devices.
12. Data Breach Notification
The Kenya Data Protection Act, 2019 (s.43) imposes obligations on data controllers to notify the ODPC and affected data subjects in the event of a personal data breach. We are committed to the following:
- ODPC notification: in the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach, in accordance with DPA 2019 s.43. Where notification is not possible within 72 hours, we will provide the notification with reasons for the delay.
- Data subject notification: where a breach is likely to result in a high risk to your rights and freedoms (e.g., exposure of credentials, financial data, or sensitive personal data), we will notify you directly — by email to the address associated with your account — without undue delay, and in any event within 72 hours of becoming aware, or as soon as reasonably practicable.
- Breach notification content: our notification will include the nature of the breach, categories and approximate number of data subjects affected, categories and approximate volume of records affected, likely consequences of the breach, and measures taken or proposed to address it and mitigate its effects.
- Breach register: we maintain an internal record of all data breaches — regardless of their severity — as required by DPA 2019 s.43(4).
If you believe your personal data held by us has been compromised, please contact us immediately at privacy@techopsshub.com with the subject line "Data Breach Report".
13. Your Data Subject Rights
Under the Kenya Data Protection Act, 2019 (ss.26–35), you hold the following rights in respect of your personal data. We are committed to honouring all requests within 30 days of receipt. Where a request is complex or numerous, we may extend this period by a further 30 days — we will inform you of any extension within the initial 30-day period.
13.1 Right of Access (DPA 2019 s.26)
You have the right to obtain confirmation of whether we hold personal data about you, and to receive a copy of that data along with supplementary information about how it is processed. The first copy is provided free of charge; we may charge a reasonable fee for subsequent requests.
13.2 Right to Rectification (DPA 2019 s.27)
You have the right to have inaccurate or incomplete personal data corrected or completed without undue delay. You may also update your profile information directly through your account settings.
13.3 Right to Erasure / "Right to be Forgotten" (DPA 2019 s.28)
You have the right to request the deletion of your personal data where:
- the data is no longer necessary for the purpose for which it was collected;
- you withdraw consent (where consent was the lawful basis) and no other lawful basis applies;
- you object to processing and there are no overriding legitimate grounds;
- the data has been unlawfully processed; or
- deletion is required to comply with a legal obligation.
Erasure requests may be declined where retention is required by law (e.g., tax records) or to defend or establish a legal claim.
13.4 Right to Restrict Processing (DPA 2019 s.29)
You have the right to request that we restrict processing of your data — meaning we may store it but not actively process it — in the following circumstances: you contest accuracy pending verification; processing is unlawful and you prefer restriction to deletion; we no longer need the data but you require it for a legal claim; or you have objected and we are verifying whether our legitimate grounds override yours.
13.5 Right to Data Portability (DPA 2019 s.30(g))
Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit it to another controller without hindrance.
13.6 Right to Object (DPA 2019 s.32)
You have the right to object at any time to processing of your personal data where we rely on legitimate interests as the lawful basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of a legal claim. You may object to direct marketing processing at any time without providing any justification, and we will stop immediately.
13.7 Right to Withdraw Consent (DPA 2019 s.31)
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. To withdraw consent for newsletters, use the "Unsubscribe" link in any email. For other consent-based processing, contact privacy@techopsshub.com.
13.8 How to Exercise Your Rights
To exercise any of the rights above, please send a written request to:
Subject line: Data Rights Request — [Type of Request]
(e.g., "Data Rights Request — Access" or "Data Rights Request — Erasure")
We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests but reserve the right to charge a reasonable administrative fee for manifestly unfounded or excessive requests, or alternatively to refuse to act on such requests.
14. Automated Decision-Making & Profiling
The Kenya Data Protection Act, 2019 (s.31) provides protections against decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects.
TechOps Hub does not currently make any decisions about individuals — including membership admission, incubation selection, or access to services — based solely on automated processing without human review. All material decisions involving personal data include meaningful human involvement and oversight.
Our analytics system processes aggregated, anonymised data to understand platform usage patterns. This is not used to profile individual users or make individual decisions about them.
If we introduce automated decision-making processes in future that produce legal or similarly significant effects, we will:
- Notify you in advance and update this Privacy Policy.
- Provide you with the right to obtain human review of the decision.
- Provide you with the right to express your point of view and contest the decision.
15. Children's Privacy
Our services are not directed at children under the age of 18 (or the applicable age of majority in Kenya). We do not knowingly collect personal data from minors. The DPA 2019 (s.30) requires explicit consent for processing personal data of children, and where a parent or guardian provides consent on behalf of a minor, additional verification and safeguards apply.
If you are under 18, please do not submit any personal information to us without the express consent and supervision of a parent or legal guardian.
If you believe that a minor has provided us with personal data without appropriate consent, please contact us immediately at privacy@techopsshub.com. We will take prompt steps to verify the matter and, where confirmed, delete the data without delay.
16. Third-Party Links & Integrations
Our website may contain links to external websites, social media platforms, or third-party services. Once you navigate away from techopsshub.com, this Privacy Policy no longer applies to data you share with those third parties. We are not responsible for the privacy practices, content, or security of third-party websites.
We strongly encourage you to review the privacy policy of any third-party site before submitting personal information to it. The inclusion of a link on our platform does not constitute an endorsement of that site's privacy practices.
Where we embed third-party content (such as embedded YouTube videos or social media widgets) on our platform, those third parties may set their own cookies or collect data in accordance with their own privacy policies. We will clearly identify such integrations and, where technically feasible, implement them in a privacy-preserving manner.
17. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, operational needs, or new features. When we make material changes, we will:
- Update the "Effective Date" at the top of this page.
- Notify all registered members via the email address associated with their account at least 14 days before the new policy takes effect.
- Display a prominent notice on the platform for at least 14 days following the update.
For non-material changes (such as minor formatting corrections or clarifications that do not affect your rights), we may update this policy without prior notice but will always update the Effective Date.
Your continued use of TechOps Hub after the effective date of an updated policy constitutes your acceptance of the revised terms. If you do not accept a material change, you may close your account and request deletion of your data before the new policy takes effect.
Prior versions of this Privacy Policy are available on request by emailing privacy@techopsshub.com.
18. Contact, Complaints & Regulatory Authority
For any questions, concerns, access requests, or complaints regarding this Privacy Policy or our data protection practices, contact us:
We will acknowledge your request within 5 business days and respond substantively within 30 days. Where a longer period is needed for complex requests, we will inform you within the initial 30-day window.
If you are dissatisfied with our response, or believe that your data protection rights under the Kenya Data Protection Act, 2019 have been violated, you have the right to lodge a complaint with the:
Website: www.odpc.go.ke
The ODPC is the independent supervisory authority established under DPA 2019 s.5 to oversee compliance with data protection laws in Kenya.
Filing a complaint with the ODPC does not affect your right to seek judicial remedy in a court of competent jurisdiction in Kenya.