Chikengezha Advisory is a specialist data protection and AI governance practice. We advise organisations on how to handle personal data lawfully, ethically, and with operational discipline. It follows that we hold ourselves to the same standards.
This Privacy Policy describes how Chikengezha Advisory ("we", "us", "our") collects, uses, discloses, and protects personal data that you provide to us or that we collect through our website, our communications, and our engagements. It is written to comply with the Cyber and Data Protection Act [Chapter 12:07] of Zimbabwe (the "CDPA") and, where relevant, internationally recognised data protection standards.
We have written this policy in plain language. If anything is unclear, please contact us — we will explain it.
Who We Are
Chikengezha Advisory is the data controller responsible for personal data collected through this website and through our services. Our contact details are set out at the end of this policy.
Our founder, Steve Chikengezha, is a Data Protection Officer trained and registered with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) and serves as the Data Protection Officer for Chikengezha Advisory. Any questions about this policy or our data handling practices may be directed to him at steve@chikengezha.com.
What Personal Data We Collect
We collect personal data in the following circumstances.
| Source | Personal Data Collected |
|---|---|
| Website contact form | Your name, email address, organisation name, the service you are interested in, and the content of your enquiry. |
| Direct correspondence | Email address, telephone number, name, job title, organisation, and any content of your correspondence with us. |
| Client engagements | Information provided for the purposes of delivering our services, including organisational information, data protection records, staff details, and processing activity information. |
| Website analytics | Aggregate, anonymised visitor statistics (pages visited, approximate location by country, device type, referring source). We do not use cookies that identify individual visitors. |
Our hosting and form-handling providers may set essential cookies required for the security and operation of the website (for example, to prevent abuse of our contact form or to manage load balancing). These cookies do not track individuals across websites or build behavioural profiles. We do not use cookies for advertising, remarketing, or behavioural analytics.
We do not collect sensitive personal data (as defined in section 15 of the CDPA) through our website. Where sensitive personal data is provided in the course of a client engagement, we process it in accordance with the additional safeguards set out in the CDPA and our engagement letter.
How We Use Your Personal Data
We use personal data only for the purposes set out below, and only where we have a legal basis to do so under section 14 of the CDPA.
| Purpose | Legal Basis |
|---|---|
| Responding to your enquiry and providing information about our services | Taking steps at your request prior to entering into a contract (section 14(b)). |
| Delivering our advisory services under an engagement letter | Performance of a contract to which you are party (section 14(b)). |
| Maintaining business records and complying with legal obligations | Compliance with a legal obligation (section 14(c)). |
| Improving our website, services, and communications | Our legitimate interests in operating and improving our business (section 14(f)), balanced against your rights and freedoms. |
| Sending updates or insights that you have requested | Your consent (section 14(a)), which you may withdraw at any time. |
Artificial Intelligence and Automated Decisions
As a practice that advises clients on AI governance, we hold ourselves to the same standards we recommend to others. The following statements reflect our current practices.
We do not use personal data provided to us to train external, third-party artificial intelligence models. Personal data entrusted to us by clients or enquirers is not uploaded to public AI tools, shared with AI vendors for training purposes, or otherwise used to improve the capabilities of generative AI systems beyond our control.
We do not make decisions about individuals based solely on automated processing. All substantive decisions affecting clients or enquirers — including decisions about engagement, scope, pricing, and advisory output — are made by human professionals.
Where we use AI-assisted productivity tools internally (for example, for drafting support, research, or document review), we apply appropriate controls: we avoid inputting identifiable client personal data into such tools, we use enterprise configurations that disable model training on submitted content where available, and the final output is always reviewed and authorised by a human advisor before use.
Who We Share Your Data With
We do not sell personal data. We do not share personal data for marketing purposes. We share personal data only in the limited circumstances described below.
| Recipient | Purpose |
|---|---|
| Service providers | Technology providers that host our website, manage our email, and process form submissions. These providers act as processors on our behalf and are bound by contractual obligations to protect your data. |
| Professional advisors | Our legal, accounting, and insurance advisors, where necessary and subject to professional confidentiality obligations. |
| Regulators and authorities | Where we are required to disclose data by law, court order, or the direction of a competent authority (including POTRAZ). |
| Business successors | In the event of a merger, acquisition, or restructuring of Chikengezha Advisory, personal data may be transferred to the successor entity. You will be notified of any such change. |
International Data Transfers
Some of the service providers we use (for example, email hosting and website hosting) are based outside Zimbabwe. Personal data you provide may therefore be transferred to, and processed in, countries other than Zimbabwe.
We transfer personal data internationally only where the destination country has an adequate level of protection, or where we have put in place appropriate safeguards such as contractual clauses. We have notified POTRAZ of our cross-border data transfers as required under section 30 of the CDPA.
How Long We Keep Personal Data
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law.
| Category | Retention Period |
|---|---|
| Enquiries that do not become engagements | 12 months from the date of last contact, unless you ask us to delete them sooner. |
| Client files and engagement records | Seven years from the end of the engagement, in line with professional and legal requirements. |
| Financial records | Six years from the end of the relevant financial year, in line with tax and corporate requirements. |
| Marketing communications subscribers | Until you unsubscribe. |
| Website analytics | Aggregated and anonymised indefinitely; no individual profiles retained. |
Your Rights
The CDPA gives you specific rights over the personal data we hold about you.
| Right | What It Means |
|---|---|
| Right of access (s.22) | You may request a copy of the personal data we hold about you. |
| Right to rectification (s.23) | You may ask us to correct inaccurate or incomplete personal data. |
| Right to erasure (s.24) | You may ask us to delete your personal data in certain circumstances. |
| Right to restriction (s.25) | You may ask us to stop processing your data while a query is resolved. |
| Right to object (s.26) | You may object to processing we carry out on the basis of our legitimate interests or for direct marketing. |
| Right regarding automated decisions (s.27) | You have the right not to be subject to decisions based solely on automated processing that significantly affect you. As noted above, we do not currently make decisions of this kind. |
| Right to withdraw consent | Where we rely on your consent, you may withdraw it at any time. |
| Right to lodge a complaint | You may complain to POTRAZ about our handling of your personal data. |
To exercise any of these rights, please email us at steve@chikengezha.com. We will respond within 30 days. There is no fee for exercising these rights unless the request is manifestly unfounded or excessive.
How We Protect Personal Data
We implement technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These include encryption in transit, access controls, secure authentication, staff confidentiality obligations, and regular review of our security practices.
No system is perfectly secure. In the unlikely event of a personal data breach that affects you, we will notify POTRAZ within 24 hours and, where the breach poses a high risk to your rights, we will notify you within 72 hours — as required by the CDPA and Statutory Instrument 155 of 2024.
Children's Data
Our website and services are directed at organisations and professionals, not at children. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will delete it.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The effective date at the top of this policy indicates when it was last updated. Material changes will be communicated to active clients by email.
How to Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or wish to lodge a complaint, please contact us.
| Data controller | Chikengezha Advisory |
| Email | steve@chikengezha.com |
| Website | chikengezha.com |
| Location | Harare, Zimbabwe |
| Supervisory authority | Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) — potraz.gov.zw |