Privacy Policy

LY Third Party Privacy Policy

New Version (Effective as of 25 May 2018)

1. Introduction


This privacy notice is provided in accordance with the GDPR, including any Common Law, national laws implementing or supplementing the same, and any other applicable data protection laws (the “Data Privacy Laws”).

LY Detectives Agency PI Service firm is a privately owned firm with operations in over 15 countries. LY Detectives (and all affiliates and subsidiaries, collectively “LY”), is committed to complying with the applicable data privacy and security requirements in the jurisdictions in which it operates. LY complies with internationally recognized standards of privacy protection, and with various privacy laws globally including, but not limited to, the Data Protection Act 2019.

LY provides private forensic investigations, due diligence, fraud examination (compliance), Forensic Document Examinations, cyber security, investigative research and other risk consultancy services to clients (collectively, “services”).

In this respect, the relevant LY affiliate providing these services may act as data processor or as a separate data controller depending on the service being provided and the amount of control LY has over the purpose(s) and means of the data processing.

To the extent that LY is deemed to be a data controller under Data Privacy Laws, this notice fulfils our obligation to provide certain information to third parties whose personal data we process in this capacity as required by Data Protection act 2019 and the notice requirements set out in any other Data Privacy Laws for processing personal data which has been obtained indirectly.

If you are a Kenyan resident, please see our Ke Privacy Policy to learn about your rights under the Kenya Privacy Act.

2. Who is Collecting Data?

Limited data will be collected by LY.

3. Data We Collect

LY collects the following categories of personal data:

Contact data: We may collect information about data subjects such as name and contact details (email, phone number, etc.) in order to communicate and facilitate the provision of our services with our clients or potential clients. For example, contact details of individuals who work for or on behalf of the clients, in order to carry out the client’s engagement with LY.

Services data: Personal data may be provided to us by clients to the extent required to perform the services. LY may also acquire personal data from a third party as required to perform services requested by our client(s).

Marketing information: We may collect information to respond to inquiries regarding our products and services or to provide you with information, reports, or updates.

Website visitor information: when you visit our website, we may collect information about your visit such as your IP address and the pages you visited and when you use our services we may collect information on how you use those services. Please see our Website Privacy Policy, Website Terms of Use and Cookies Policy for additional information.

Clients and other third parties who provide personal information to LY must do so in compliance with applicable data privacy regulations.

4. Processing of Personal Data

We collect personal data to offer and administer our services.

The data you provide to us will be processed in accordance with the purposes specified in this notice, namely:

a. To provide the products or perform the services requested by clients and individuals pursuant to a letter of engagement, statement of work, or similar (where the processing is necessary for our legitimate business interests in conducting and managing our business).

b. To provide the products or perform the services requested by clients and individuals using our website or web applications (where the processing is necessary for our legitimate business interests in conducting and managing our business).

c. For complying with obligations provided by laws, current regulations and Kenyan Legislation (e.g. tax regulations) (where processing is based on a legal obligation) or legislation in other jurisdictions that may be applicable.

d. For legitimate business purposes to advise you through e-mail, phone call, or post, in the framework of our ordinary commercial relationship, about other products or services similar to the products or services we have provided to you and that we think will be of interest to you (where the processing is necessary for our legitimate business interests).

e. For marketing purposes. For example, we may use your information to further discuss your interest in the services and to send you information regarding LY and its group companies such as information about promotions, events, products or services. You can withdraw your consent or opt out of receiving our marketing communications at any time.

f. For improving LY’s communications with you. Emails sent to you by LY may include standard tracking, including open and click activities. LY may collect information about your activity as you interact with our email messages and related content.

g. For operating and improving LY’s website and your customer experience. For example, we may collect and analyse data on your use of our website and process it for the purpose of improving our online experience. Please see our Website Privacy Policy, Website Terms of Use and Cookies Policy for additional information.

h. For security purposes. e.g, we may use your data to protect LY and its third parties against security breaches and to prevent fraud and violation of LY’s applicable agreements (where the processing is necessary for our legitimate business interests).

Whenever we process your personal data for our legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You have the right to object to this processing if you wish.

5. Personal data and the performance of client services

Our clients engage us on a wide range of matters to help them analyse situations, for example to conduct due diligence on a potential partner, supplier or acquisition target. In many cases, the client’s engagement of LY is to fulfil a requirement of EU or member state law or regulation, e.g. the EU Anti-Money Laundering Regulations and the UK Bribery Act 2010. We believe that LY has a legitimate interest in processing data to support its clients in these objectives provided that the privacy rights of any affected individuals are not unduly affected.

The personal data we process in the performance of services for and on behalf of our clients includes but is not limited to any information relating to a living individual in which the individual is identified or identifiable, for example, the individual’s name, contact information, education information, work history, directorships, financial information, as well as, where necessary, data concerning criminal convictions and offences and some special categories of information as defined by Data Protection Act 2019 or sensitive personal data, as defined by laws of other jurisdictions.

In connection with our services we collect various types of personal data from a variety of different sources, including from:

  • our clients
  • public sources such as public records and registers, social media sites and the internet
  • other third party sources such as industry or country experts

6. How data is processed

Personal data is processed both manually and electronically in accordance with the above-mentioned purposes and in compliance with current regulations. We permit only authorized LY employees and third-party providers to have access to your information. Such employees and third-party providers are appropriately designated and trained to process data only according to the instructions we provide them.

7. Storage of Personal Data

We will retain personal data for a reasonable period, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period necessary to comply with  local,East African Community regulations, federal regulations, or country specific regulations and requirements, and in accordance with LY’s Records Retention Policy.

8. Disclosure/Sharing of Personal Data

We only share your personal data with your consent or in accordance with this notice. We will not otherwise share, sell or distribute any of the information you provide to us except as described in this notice.

We share personal data among LY-controlled affiliates and subsidiaries who act for LY for the purposes set out in this notice.

LY may share your information with external third parties, such as vendors, consultants, legal advisors, auditors and other service providers who are performing, advising or assisting with certain services on behalf of LY. Such third parties have access to personal data solely for the purposes of performing the services specified in the applicable contract, and not for any other purpose. LY requires these third parties to undertake security measures consistent with the protections specified in this notice.

LY may be required to disclose personal data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

If LY’s business enters into a joint venture with or is merged with another business entity, your information may be disclosed to our new business partners.

9. Cross – Border Transfers of Personal Data

Personal information may be transferred, accessed and stored globally as necessary for the uses stated above in accordance with this notice, and in compliance with local law and regulations.

Data concerning EU or Swiss data subjects may be transferred to or processed in locations outside of the EU or Switzerland only where one of the following safeguards is in effect:

  • Transfers to the US, pursuant to LY’s participation in the EU-U.S. and Swiss-U.S. Privacy Shield
  • Transfers to certain countries which the EU Commission has determined ensures an adequate level of protection
  • Transfers pursuant to standard contractual clauses or contract terms ensuring adequate data protection
  • Where required, LY entities have entered into European Union Model Clause Agreements which allows for the processing of your personal information and for transfers of your personal information.

10. Your Rights

You have the following rights concerning your data processed by LY:

Access: You have limited right to access personal information that LY holds about you.

Rectification: You have the right to ask us to rectify information LY holds about you if it is inaccurate or not complete.

Erasure: You can request that LY erase your personal data. We will keep basic data to identify you and retain it solely for preventing further unwanted processing.

Restrict Processing: You have the right to ask LY to restrict how we process your data. This means we are permitted to store the data but not further process it. We keep just enough data to make sure we respect your request in the future.

Object to processing: Where processing is based on legitimate interests, you have the right to object to LY processing your data. LY will discontinue processing your data, unless we can demonstrate compelling legitimate grounds for the processing. We will keep basic data to identify you and retain it solely for preventing further unwanted processing.

Portability: Where processing is based on consent or performance of a contract, you have the right to data portability. LY must allow you to obtain and reuse your personal data for your own purposes in a safe and secure way without this effecting the usability of your data. This right only applies to personal data that you have provided to LY as the Data Controller.

Please contact to request access, rectification, or erasure, or to restrict processing, to object to processing, to request data portability.

Requests received via post may be delayed due to limited office access during the Covid-19 pandemic.  Please contact us by email to ensure your request is received in a timely manner.

11. Automated Decision Making

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.

LY does not make automated decisions using personal data. If automated decisions are to be made, affected persons will be given an opportunity to express their views on the automated decision in question and object to it.

12. Providing Information to LY

If you choose not to provide certain personal information, it may be an impediment to the exchange of information necessary for the execution of the contract or provision of services, and we may not be able to provide you with some services and you may not be able to participate in some of the activities on our website(s).

13. Third Party Websites or Other Services

We are not responsible for the privacy practices of any non-LY operated websites, mobile apps or other digital services, including those that may be linked through LY websites or services, and we encourage you to review the privacy policies or notices published thereon.

14. Contact Us

Requests received via post may be delayed due to limited office access during the Covid-19 pandemic.  Please contact us by whatsapp or email to ensure your request is received in a timely manner.

Please contact us at LY Detectives PI Services with questions, concerns, or complaints:

LY Corporate Headquarters

Covid-19 Guidelines Observed
Ambank House. Nairobi, Utalii Lane.

For data subjects located in the EU: if we are not able to satisfactorily resolve your questions, concerns, or complaints, or if you believe that the processing of your personal data infringes on your rights under applicable data protection laws, you have the right, without prejudice to any other administrative or judicial remedies, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. Contact information for the supervisory authorities may be found here:

Ke Data Protection Authorities:

Data Protection Act 2019