Privacy Policy
Last Updated: June 14, 2026
Governed by the Laws of Kenya & the Data Protection Act, 2019
1. Introduction
This Privacy Policy describes how Lenhac Limited ("we", "us", "our", or "the Data Processor") collects, processes, stores, and protects information when you use SISU OPUS version Q::4 ("the Application", "SISU OPUS", "the System"), our enterprise resource planning (ERP) system purpose-built for law firms operating in Kenya.
Lenhac Limited is a technology company registered in Kenya and operates as a Data Processor under the Data Protection Act, 2019 (No. 24 of 2019) of the Republic of Kenya. Your law firm, as the subscriber, acts as the Data Controller for all client data entered into the System.
By using the Application, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.
2. Definitions
- Client Data: Any information relating to your law firm's clients, their matters, cases, communications, and legal affairs entered into the System.
- Firm Data: Information relating to your law firm's internal operations, including employee records, financial records, and administrative data.
- Personal Data: Any information relating to an identified or identifiable natural person, as defined by the Data Protection Act, 2019.
- Sensitive Personal Data: Data revealing race, health, ethnic origin, political opinion, religious belief, genetic data, biometric data, sex life, or sexual orientation.
- Data Controller: Your law firm, which determines the purposes and means of processing Client Data.
- Data Processor: Lenhac Limited, which processes data on behalf of the Data Controller.
3. Lawful Basis for Processing
We process personal data under the following lawful bases as provided by the Data Protection Act, 2019:
- Performance of Contract: Processing necessary to provide the SISU OPUS service under your subscription agreement.
- Legitimate Interest: Processing necessary for system security, fraud prevention, service improvement, and the proper functioning of the Application.
- Legal Obligation: Processing required to comply with applicable Kenyan law, including tax reporting obligations to the Kenya Revenue Authority.
- Consent: Where you have given explicit consent for specific processing activities, such as connecting third-party integrations.
4. Information We Collect
4.1 Account and Firm Information
- Firm name, registration details, and branch locations
- User names, email addresses, phone numbers, and roles within the firm
- Login credentials (passwords are salted and hashed; we never store plaintext passwords)
- User profile information and preferences
4.2 Client and Matter Data
- Client names, contact details, identification documents, and KYC information
- Case and matter details, court references, filing numbers, and case status
- Legal documents, correspondence, notes, and file attachments
- Instruction records, milestones, and task assignments
- Court calendar entries, cause list data, and hearing schedules
4.3 Financial and Accounting Data
- Invoice records, billing details, and payment histories
- Trust account transactions, deposits, and withdrawals
- General ledger entries, journal entries, and chart of accounts
- Payroll data, employee compensation, and statutory deductions (PAYE, NSSF, SHIF, Housing Levy)
- KRA tax compliance data and returns
- Collections and escrow records, tranche schedules, and disbursements
4.4 Human Resource Data
- Employee personal details, employment contracts, and job history
- Leave records, performance reviews, and disciplinary records
- Bank account details for payroll processing
- National identification numbers, KRA PINs, and NSSF/SHIF numbers
4.5 System Usage Data
- Login timestamps, IP addresses, and session data
- Audit trail logs (who accessed, modified, or deleted records)
- Feature usage analytics (anonymised and aggregated)
- Error logs and system performance data
4.6 Information from Google Services
When you connect your Google account to SISU OPUS, we access the following data based on the permissions you grant:
Google Calendar Access
Scopes: auth/calendar, auth/calendar.events
What we access:
- Your calendar list to identify which calendars to sync with
- Calendar events to display your schedule within SISU OPUS
- Ability to create, modify, and delete events for court dates, client meetings, and deadlines
What we DO NOT do:
- We do not read personal events unrelated to your legal practice
- We do not share your calendar data with third parties
- We do not store your calendar data permanently — it is accessed in real time
Gmail Send Access
Scope: auth/gmail.send
What we access:
- Ability to send emails on your behalf to clients and other parties
- This includes case updates, invoice deliveries, meeting confirmations, and document sharing
What we DO NOT do:
- We cannot and do not read your emails
- We cannot access your inbox, sent folder, or any existing emails
- We do not store copies of emails sent through the Application
- We only send emails when you explicitly initiate the action within SISU OPUS
5. Attorney-Client Privilege and Confidentiality
We recognise that law firms handle information protected by attorney-client privilege and professional confidentiality obligations under the Advocates Act (Cap. 16) and the Law Society of Kenya rules of professional conduct.
- No Waiver of Privilege: Storing data in SISU OPUS does not constitute a waiver of attorney-client privilege. Lenhac Limited is not a party to the attorney-client relationship.
- Confidentiality Obligation: All Lenhac Limited personnel with access to system infrastructure are bound by strict confidentiality agreements that extend to all Client Data.
- No Content Inspection: We do not access, review, or inspect the content of your legal documents, case notes, or client communications unless explicitly requested by you for technical support purposes, and only with your written authorisation.
- Court Orders and Subpoenas: In the event we receive a court order or subpoena requesting access to your firm's data, we will promptly notify you before any disclosure (unless prohibited by law from doing so), to allow you to assert privilege or seek protective orders.
6. How We Use Your Information
We use the information we collect to:
- Provide the Service: Operate and maintain SISU OPUS, including case management, financial accounting, HR, and document management features.
- Calendar Synchronisation: Sync court dates, deadlines, and appointments between SISU OPUS and your Google Calendar.
- Email Communications: Send emails to your clients on your behalf when you initiate such actions within the Application.
- Notifications and Alerts: Send you reminders about deadlines, court dates, statutory filing dates, and important case milestones.
- Tax Compliance: Generate statutory returns and compliance reports for KRA obligations including PAYE, NSSF, SHIF, Housing Levy, VAT, and Withholding Tax.
- Audit Trails: Maintain comprehensive logs of all data access and modifications for accountability and regulatory compliance.
- Service Improvement: Analyse anonymised and aggregated usage patterns to improve functionality and user experience.
- Customer Support: Respond to your inquiries and provide technical assistance.
7. Data Storage, Location, and Security
7.1 Storage and Location
Your data is hosted on secure cloud infrastructure. Our primary data centres are located in regions that ensure low latency for East African users. We may use cloud service providers whose infrastructure spans multiple geographies for redundancy and disaster recovery purposes.
7.2 Security Measures
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All stored data is encrypted using AES-256 encryption.
- Access Controls: Role-based access control (RBAC) ensures users only access data appropriate to their role within the firm.
- Data Isolation: Each law firm's data is logically isolated from other subscribers. No firm can access another firm's data.
- Authentication Security: Passwords are salted and hashed. Google OAuth tokens are stored securely and are only used to access the specific Google services you have authorised. We never store your Google password.
- Infrastructure Security: Regular security assessments, vulnerability scanning, and penetration testing of our infrastructure.
- Employee Access: Strict access controls ensure only authorised Lenhac personnel can access system infrastructure, and all access is logged.
7.3 Backup and Disaster Recovery
- Automated Backups: Your data is backed up daily with encrypted backups stored in geographically separate locations.
- Recovery Objectives: We maintain a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 24 hours.
- Business Continuity: Our disaster recovery plan is tested periodically to ensure service restoration within stated objectives.
8. Third-Party Integrations and Sub-Processors
SISU OPUS offers optional integrations with third-party services. These integrations are only activated at your request and with your explicit consent. Each integration involves sharing specific data with the third-party provider as described below:
WhatsApp Business Integration
When enabled, client phone numbers and message content are transmitted via the WhatsApp Business API. Messages are end-to-end encrypted by WhatsApp. We store a log of messages sent for your firm's records.
SMS Integration
When enabled, client phone numbers and message content are transmitted to our SMS gateway provider for delivery. Message logs are retained within SISU OPUS for your firm's records.
M-Pesa Integration
When enabled, payment transaction data (amounts, phone numbers, transaction references) is exchanged with Safaricom's M-Pesa API for payment processing and reconciliation. No card or bank account details are stored by SISU OPUS for M-Pesa transactions.
KRA Integration
When generating statutory returns, relevant tax data (employee earnings, deductions, firm tax obligations) is formatted for submission to the Kenya Revenue Authority. SISU OPUS generates the required file formats; actual submission to KRA portals is performed by your authorised firm personnel.
All third-party service providers are bound by data processing agreements that require them to protect your data to standards no less protective than those described in this Privacy Policy.
9. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information or Client Data to third parties. We may share data only in the following circumstances:
- With Your Consent: When you explicitly authorise us to share information, including activating third-party integrations.
- Service Providers: With trusted infrastructure providers (cloud hosting, email delivery) who are bound by confidentiality and data processing agreements.
- Legal Requirements: When required by law, court order, or governmental authority — subject to the attorney-client privilege protections described in Section 5.
- Protection of Rights: To protect the rights, privacy, safety, or property of Lenhac Limited, our users, or the public, where permitted by law.
- Business Transfer: In the event of a merger, acquisition, or sale of assets, your data would be transferred subject to the same privacy protections. You will be notified in advance of any such transfer.
10. User Roles and Access Control
SISU OPUS implements role-based access control. Your firm's administrator is responsible for assigning appropriate roles and permissions to each user. Available roles include (but are not limited to) Managing Partner, Partner, Associate, Accounts, HR, and Support Staff — each with different levels of data access.
- Firm Responsibility: Your firm is responsible for ensuring that user accounts are assigned appropriate permissions and that credentials are not shared between individuals.
- Audit Trails: All actions within the system (creation, modification, deletion, and access to records) are logged with the identity of the user, timestamp, and IP address.
- Account Termination: When a user leaves your firm, your administrator should promptly deactivate their account. We can assist with this upon request.
11. Data Retention
We retain your data for as long as your subscription is active or as needed to provide you services.
- Active Subscription: All data is retained and accessible throughout your subscription period.
- Account Closure: Upon termination of your subscription, we will retain your data for a grace period of 90 days during which you may request a full data export. After 90 days, data will be permanently deleted from our active systems.
- Backup Retention: Data may persist in encrypted backups for up to 180 days after deletion from active systems, after which backups containing your data will be purged.
- Legal Holds: Where we are required by law or regulation to retain specific data beyond these periods, we will do so and inform you of the requirement.
- Google OAuth Tokens: Tokens are retained only while your Google account is connected. When you disconnect your Google account or revoke access, tokens are immediately deleted from our systems.
12. Data Portability and Export
You have the right to receive your data in a portable format:
- You may request a full export of your firm's data at any time during your active subscription.
- Data exports are provided in standard, machine-readable formats (CSV, PDF, or JSON as appropriate).
- Export requests will be fulfilled within 14 business days.
- Upon subscription termination, you have 90 days to request and retrieve your data before permanent deletion.
13. Cross-Border Data Transfers
Our cloud infrastructure may involve data being processed or stored in jurisdictions outside Kenya for purposes of redundancy, disaster recovery, or service delivery. In such cases:
- We ensure that any cross-border transfer complies with Section 48 of the Data Protection Act, 2019.
- We only transfer data to jurisdictions that provide adequate data protection safeguards, or where appropriate contractual protections (such as standard contractual clauses) are in place.
- We will inform you upon request of the jurisdictions in which your data may be processed.
14. Data Breach Notification
In the event of a personal data breach as defined by the Data Protection Act, 2019:
- Assessment: We will promptly assess the nature, scope, and potential impact of any breach.
- Notification to You: We will notify affected law firms within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of data subjects.
- Regulatory Notification: We will notify the Office of the Data Protection Commissioner (ODPC) within the timeframes required by law.
- Breach Report: Our notification will include the nature of the breach, the categories and approximate number of records affected, likely consequences, and the measures taken or proposed to address the breach.
- Cooperation: We will cooperate fully with your firm in assessing the impact on your clients and in meeting your own notification obligations as Data Controller.
- Remediation: We will take immediate steps to contain the breach, mitigate its effects, and prevent recurrence.
15. Your Rights Under the Data Protection Act, 2019
As a data subject, you have the following rights under Kenyan law:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data, subject to legal retention requirements and contractual obligations.
- Right to Data Portability: Request an export of your data in a structured, commonly used, and machine-readable format.
- Right to Object: Object to processing of your personal data where we rely on legitimate interest as our lawful basis.
- Right to Restrict Processing: Request that we restrict the processing of your data in certain circumstances.
- Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Revoke Google Access: Disconnect your Google account at any time through your SISU OPUS account settings or through your Google Account permissions.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) if you believe your data protection rights have been violated.
To exercise any of these rights, contact us at privacy@lenhac.com. We will respond within 30 days.
16. Professional and Regulatory Compliance
We are mindful that law firms using SISU OPUS are subject to professional conduct rules under the Law Society of Kenya and the Advocates Act (Cap. 16). Accordingly:
- SISU OPUS is designed to support — not replace — your firm's professional obligations regarding client confidentiality, conflicts of interest, and record-keeping.
- The System provides tools for document retention in compliance with applicable legal and regulatory requirements, but your firm remains responsible for determining appropriate retention periods for legal files.
- Audit trail functionality supports your firm's obligations for accountability and transparency to clients and regulatory bodies.
- Financial modules are designed to comply with the Advocates Remuneration Order and trust account requirements under the Advocates Act.
17. Google API Services User Data Policy
SISU OPUS's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We only request access to the Google services necessary to provide the features described in this policy.
- We do not use Google user data for advertising purposes.
- We do not sell Google user data to third parties.
- We do not use Google user data for purposes unrelated to the core functionality of SISU OPUS.
18. Children's Privacy
SISU OPUS is designed for use by legal professionals and law firms. The Application is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.
19. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to your firm's registered administrator and by posting the updated Privacy Policy on this page with a revised "Last Updated" date. Material changes will be communicated at least 30 days before they take effect. Continued use of the Application after changes take effect constitutes acceptance of the revised policy.
20. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about our data practices, please contact us:
Lenhac Limited — Data Protection
Email: privacy@lenhac.com
Website: https://lenhac.com
Address: Nairobi, Kenya
You may also contact the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke if you wish to lodge a complaint.