Legal centre

Privacy Policy

: 3 May 2026 · Operated by Netiva Studio Ltd. (Kampala — UG)

This policy explains how we handle personal information when you use our public-facing properties, including the host serving netiva.tech (collectively, the “Site”), correspond with our team, or enter a commercial engagement. We process data fairly, proportionally, and with choices where the law requires them.

Notice: These documents are drafted for transparency and clarity. They are not legal advice. Engage counsel for regulations specific to your organization, jurisdictions, or industries.

1. Controller & representative

The controller responsible for personal data processed in connection with our marketing website and pre-contract enquiries is Netiva Studio Ltd. (Kampala — UG).

For privacy requests, contact hello@netiva.tech with subject line “Privacy request”.

2. Scope & applicability

This policy applies to:

  • Visitors to publicly available areas of our Site;
  • Contacts who email us, submit forms, booking requests, quotations, questionnaires, calendars, file uploads, invoices, NDAs or similar artefacts;
  • Authorized users of workspaces we administer for engagements (such as Slack, Linear, GitHub invitations, CMS access) when those tools process personal identifiers on our behalf; and
  • Candidates evaluated for subcontractor or collaborator roles communicated through approved channels.

Dedicated terms for contracted services—including client obligations, confidentiality, subprocessors authorised at contract tier, and DPIA artefacts where applicable—are described in Statements of Work, Master Terms, or DPAs, whichever governs your order. Consult our Terms of Service for contract formation rules.

3. Categories of personal data

Depending on interactions, we may process:

  • Identity & credentials: first and last names, avatar images, bios, timezone, professional affiliation, VAT / tax identifiers for billing.
  • Contact: work email addresses, postal addresses when supplied, messenger handles, phonetic names for scheduling.
  • Commercial artefacts: engagement briefs, budgets, timelines, stakeholder lists, approvals, invoicing payloads, receipts, procurement references.
  • Automatically collected telemetry: IP address, approximation of geolocation inferred from CDN routing, timestamps, referrer URLs, interaction heatmaps aggregated from analytics tooling, hashed device identifiers, coarse screen metrics, diagnostics from edge networks.
  • Collaboration artefacts: comments, uploads, previews, versioning metadata, SSO attributes when your organization connects an IdP into our workspaces.

We do not target children; we delete accounts if we inadvertently collect data demonstrating an age under sixteen.

4. Purposes & lawful bases

Lawful bases for processing

| Purpose | Typical lawful basis |
| --- | --- |
| Respond to demos, quotations, questionnaires, onboarding checklists. | Necessary steps prior to entering a contract (GDPR Article 6(1)(b)). |
| Operate, secure, and scale the Site; detect abuse. | Legitimate interests balanced against your fundamental rights. |
| Analytics for product roadmap & marketing optimisation. | Consent (where required); otherwise aggregated legitimate-interest analytics. |
| Comply with tax, AML, subpoena-equivalent statutes. | Legal obligations (GDPR Article 6(1)(c)). |

5. Marketing & communications preference center

Insight pieces, changelog mail, nurturing sequences, webinar invites, seasonal reports, surveys, sponsorship offers, curated partner introductions, podcasts, transcripts, transcripts of calls you approved for distribution, roadmap teasers—all require either explicit opt-ins or transactional necessity rooted in negotiations you authorised.

You may revoke marketing consent anytime using Unsubscribe links appearing in outbound mail or via a written directive to hello@netiva.tech. Transactional confirmations, security advisories where your account risks breach, invoicing artefacts, SLA escalations triggered by outages, lawful regulatory notices—even after marketing opt-out—persist because overriding laws or ongoing contracts require retention.

6. Cookies, pixels, fingerprint resistance & storage durations

We deploy strictly necessary authentication cookies controlling secured staging demos, ephemeral admin tokens, load-balancing affinity cookies terminating when browsers close unless longer persistence is unavoidable for SPA auth refresh flows you explicitly authorised.

Optional analytics/marketing identifiers—when invoked—observe modern guidance: granular consent banners where jurisdictions dictate, minimized persistent IDs, hashed IP truncation, refusal logging. You may purge stored signals through browser tooling; certain Site features degrade predictably thereafter.

7. Disclosure & onward transfers

We disclose personal data exclusively when:

  • Processors contracted under Article 28–style SCCs or materially equivalent safeguards support delivery;
  • You direct disclosure (client references approved in writing);
  • Competent authorities lawfully mandate cooperation (with proportionality objections where permitted).

Cross-border replication may occur inside EU-US Data Privacy Framework–certified providers, UK IDTA overlays, Standard Contractual Clauses, supplemented measures from transfer impact assessments documenting residual risk.

8. Retention

  • CRM & pipeline artefacts: ordinarily ≤ 36 months from last substantive touch unless statutes extend.
  • Contractual deliverables mirrored for governance: durations align with Statements of Work or DPAs.
  • Security/access logs rotated ≤ 365 days absent investigation holds.
  • Tax & accounting records obey Ugandan/Revenue-prescriptive windows (often ≥ seven years).

9. Security measures

We institute administrative, organisational, pseudonymisation, cryptographic, logging, alerting, patching and least-privilege measures, together with vendor due diligence reviews and tabletop exercises, referencing an ISO 27001–aligned posture. No safeguards guarantee absolute immunity; breaches are triaged under regulatory clocks with transparent updates.

10. Data subject requests & timelines

Pursuant to EEA/UK/Swiss parallels (where applicable): access, correction, deletion, portability, objection to processing rooted in legitimate interest, withdrawal of consent, restriction while disputes resolve, escalating to supervisory authorities. The principles of Uganda's Data Protection and Privacy Act, 2019 echo many of these requirements; escalate unresolved complaints domestically alongside cross-border escalation rights.

We acknowledge requests promptly (≤ 72 office hours acknowledging receipt); substantive outcomes typically ≤ 30 calendar days subject to statutory extensions for complex dossiers paired with explanatory narratives.

11. Automated decision-making

No fully automated adjudications with legal/significant ramifications occur without human escalation.

12. Modifications

Material updates appear at the top banner with revision history excerpts; continued use fourteen days thereafter counts as acknowledgement absent legally mandated affirmative consent regimes.

13. Regulatory authority contacts (non-exclusive)

  • Uganda: Personal Data Protection Office under the Uganda Communications Commission supervisory matrix (consult current guidance bulletins).
  • Ireland: Data Protection Commission (EU lead interactions often coordinated through Irish hub entities).

Primary studio contact stays hello@netiva.tech.

Signal desk

+256 705 013 062

hello@netiva.tech