GDPR Compliance

Effective Date: 1 January 2026 · Supplementary to Kenya Data Protection Act, 2019

QUANTEDGE LIMITED is a Kenyan software company. For clients globally and individuals in the European Economic Area or United Kingdom, this page explains how we apply GDPR standards to protect your rights and data.

Your GDPR Rights

As an EEA or UK resident, you have the following rights under the GDPR.

Right of Access (Art. 15)

You may request a copy of all personal data we hold about you, along with information on how it is processed.

Right to Rectification (Art. 16)

You may request correction of inaccurate or incomplete personal data without undue delay.

Right to Erasure (Art. 17)

You may request deletion of your personal data where it is no longer necessary, or where you withdraw consent and no other legal basis applies.

Right to Restrict Processing (Art. 18)

You may request that we limit how we process your data in certain circumstances, such as while a rectification request is being assessed.

Right to Data Portability (Art. 20)

You may request your personal data in a structured, machine-readable format and have it transferred to another controller where technically feasible.

Right to Object (Art. 21)

You may object at any time to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

Rights re: Automated Decisions (Art. 22)

Where we use automated decision-making with legal or significant effects, you have the right to human review and to contest the decision.

Right to Withdraw Consent (Art. 7)

Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

Lawful Bases for Processing

Lawful Basis	GDPR Article	Processing Activity
Contract Performance	Art. 6(1)(b)	Provisioning and delivering our SaaS platforms to subscribed clients.
Legal Obligation	Art. 6(1)(c)	Compliance with Kenyan tax, anti-money laundering, and data protection laws.
Legitimate Interests	Art. 6(1)(f)	Fraud prevention, platform security, and product improvement analytics.
Consent	Art. 6(1)(a)	Marketing communications, non-essential cookies, and optional analytics.

1. Our Position Under GDPR

QUANTEDGE LIMITED is primarily governed by the Kenya Data Protection Act, 2019. Where our software services are accessed by individuals located in the European Economic Area (EEA) or the United Kingdom, we voluntarily apply the standards of the General Data Protection Regulation (EU) 2016/679 ("GDPR") as a supplementary framework. In such cases, QUANTEDGE LIMITED acts as a Data Controller in respect of data collected directly from EEA/UK data subjects, and as a Data Processor in respect of personal data submitted by our enterprise clients through our platforms.

2. Legal Bases for Processing

We rely on the following lawful bases under Article 6 GDPR when processing personal data of EEA/UK residents. See the table above for specific processing activities mapped to each basis.

3. International Data Transfers

As a Kenya-based company, processing personal data from EEA/UK residents involves international transfers to a third country not yet subject to an EU adequacy decision. We safeguard such transfers through: • Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914/EU). • Binding contractual protections in Data Processing Agreements with all relevant subprocessors. • Transfer Impact Assessments (TIAs) conducted where required. A copy of our Standard Contractual Clauses is available upon written request to [email protected].

4. Data Retention

We retain personal data of EEA/UK residents only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Where our Kenyan legal obligations mandate longer retention periods (e.g., seven years for financial records under the Tax Procedures Act, 2015), we apply appropriate access restrictions to minimise exposure during that retention period.

5. Automated Decision-Making & Profiling

Our AI and analytics modules may perform automated processing of transactional and behavioural data to generate business insights. Where such processing produces legal or similarly significant effects on individuals, we provide human oversight mechanisms and the right to contest outcomes. We do not conduct GDPR-regulated profiling for marketing purposes without explicit consent.

6. Data Breach Notification

In the event of a personal data breach affecting EEA/UK residents, we will notify the relevant lead supervisory authority within seventy-two (72) hours of becoming aware, and affected data subjects without undue delay where there is a high risk to their rights and freedoms consistent with Article 33 and 34 GDPR. Our primary supervisory authority for GDPR purposes is the Office of the Data Protection Commissioner (ODPC) of Kenya.

7. Exercising Your Rights

EEA/UK residents may exercise any of the GDPR rights listed above by submitting a request to: Email: [email protected] Website: quantedgeltd.com We will respond within thirty (30) days. Complex requests may be extended by a further two (2) months with notice. Identity verification may be required before processing your request. Requests are free of charge; we may charge a reasonable fee only for manifestly unfounded or excessive requests. If you are unsatisfied with our response, you have the right to lodge a complaint with your local EU/UK supervisory authority.

8. Contact & DPO

QUANTEDGE LIMITED Data Protection Officer Email: [email protected] Website: quantedgeltd.com For EEA-specific matters, you may also contact your local data protection supervisory authority. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Exercise your GDPR rights: Contact our Data Protection Officer at [email protected]. We respond within 30 days.