Comprehensive Privacy Policy
Last updated: 7/6/2026
1. Introduction & Privacy Commitment
Crown Engine Oils Distributors ("Company," "We," "Our," or "Us") is committed to protecting your privacy and ensuring transparency regarding how we collect, process, use, store, and protect personal information. This Privacy Policy ("Policy") sets forth our comprehensive practices and procedures for handling personal data of all individuals who interact with our company, including customers, suppliers, website visitors, and business contacts ("Data Subject" or "You").
We recognize that privacy is a fundamental right, and we have implemented robust data protection measures to ensure that your personal information is treated with the utmost care, confidentiality, and security. This Policy complies with applicable privacy and data protection laws, including the Data Protection Act of Kenya and international best practices for data protection and privacy.
By accessing our website, submitting information through contact forms, placing orders, requesting quotations, or engaging in any business transaction with Crown Engine Oils Distributors, you acknowledge that you have read and understood this Privacy Policy and consent to our collection, processing, and use of your personal data as described herein.
2. Definitions & Terminology
For purposes of this Privacy Policy, the following terms shall have the meanings ascribed to them:
- "Personal Data" means any information relating to an identified or identifiable individual, including name, email address, phone number, physical address, company affiliation, position, payment information, and transaction history.
- "Processing" means any operation performed on personal data, including collection, recording, organization, storage, use, transmission, or deletion.
- "Data Subject" means any individual to whom personal data relates.
- "Data Controller" means Crown Engine Oils Distributors, which determines the purposes and means of processing personal data.
- "Data Processor" means any entity that processes personal data on behalf of Crown Engine Oils Distributors, such as hosting providers or email service providers.
- "Consent" means any freely given, specific, informed, and unambiguous affirmation of willingness expressed by the Data Subject to allow processing of their personal data.
- "Special Categories of Data" means personal data revealing race, ethnicity, political opinions, religious beliefs, trade union membership, genetic or health data, and biometric or sex life data.
- "Data Breach" means a security incident resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data.
3. Information Collection & Data Categories
3.1 Categories of Personal Data Collected: Crown Engine Oils Distributors collects various categories of personal data depending on the nature of your interaction with our company. These categories include:
- Contact Information: Full name, job title, position, company/business name, phone number (mobile and/or office), email address, and physical business address.
- Delivery Information: Delivery addresses, recipient names, delivery instructions, special handling requirements, and geographic coordinates for delivery routing.
- Business Information: Company registration details, tax identification numbers (PIN), business license information, company size, industry classification, and business sector.
- Payment Information: Banking details for RTGS/EFT transfers, M-Pesa account numbers (transaction IDs only, not account holder details), cheque details, and payment history. Note: We do not collect or store credit card numbers, PINs, or other sensitive payment card data.
- Transaction History: Order details, quotations requested, products purchased, quantities, pricing, delivery dates, returns, and communication records related to transactions.
- Communication Records: Correspondence via email, phone calls, chat messages, contact form submissions, and support tickets.
- Technical Information: IP addresses, browser type, device identifiers, operating system, pages visited, time spent on website, links clicked, and general browsing behavior through cookies and analytics tools.
- Marketing Preferences: Email preferences, communication frequency preferences, product categories of interest, and consent status for marketing communications.
3.2 Methods of Collection: We collect personal data through the following channels:
- Direct submission through contact forms on our website
- Email communications and business correspondence
- Telephone conversations and inquiries
- Purchase orders and quotation requests
- Invoice and payment processing
- Website cookies and tracking technologies
- Third-party sources, including business directories and LinkedIn profiles (for business contact information verification)
- Customer service interactions and support tickets
3.3 Non-Solicitation of Children's Data: Our website and services are directed exclusively to business entities and individuals aged 18 and above. We do not knowingly collect personal data from children under 18 years of age. If we become aware that personal data of a child has been collected, we shall immediately delete such data and cease further collection from that individual.
3.4 Voluntary vs. Mandatory Information: Some information is mandatory for transaction processing (name, contact details, delivery address), while other information is voluntary (company background, marketing preferences). If mandatory information is not provided, we may be unable to process your order or respond to your inquiry.
4. Purposes of Data Processing & Legal Basis
4.1 Primary Processing Purposes: Crown Engine Oils Distributors processes your personal data for the following legitimate business purposes:
- Order Processing & Fulfillment: To process quotations, purchase orders, invoices, payment collections, order confirmations, and delivery arrangements.
- Delivery & Logistics: To arrange product delivery, coordinate with logistics partners, track shipments, and manage delivery logistics to your specified address.
- Customer Service & Support: To respond to inquiries, address complaints, provide technical assistance, resolve disputes, and maintain customer communication records.
- Payment Processing & Financial Management: To process payments, manage accounts receivable, issue invoices, track payment status, and manage credit facilities for approved accounts.
- Legal Compliance: To comply with applicable laws, regulations, tax requirements, accounting standards, and regulatory obligations in Kenya and East Africa.
- Risk Management & Fraud Prevention: To assess creditworthiness, prevent fraudulent transactions, verify identity, and manage business risks associated with transactions.
- Marketing & Business Development: To send product updates, promotional offers, new product announcements, and industry news to customers who have provided consent or with whom we have existing business relationships.
- Website Optimization: To analyze website usage patterns, improve user experience, optimize website performance, and conduct statistical analysis.
- Record Keeping & Documentation: To maintain accurate business records, transaction histories, correspondence, and documentation required for business operations.
- Quality Assurance: To conduct quality assurance reviews, gather customer feedback, and improve service delivery.
4.2 Legal Basis for Processing: We process your personal data on one or more of the following legal bases:
- Contractual Necessity: Processing is necessary to perform our obligations under purchase agreements, delivery contracts, or service terms.
- Legal Obligation: Processing is required to comply with laws, regulations, court orders, or government directives in Kenya and East Africa.
- Legitimate Business Interest: Processing is necessary for our legitimate business interests in managing operations, preventing fraud, and ensuring business continuity.
- Explicit Consent: You have provided clear, voluntary, and informed consent to processing for specific purposes (particularly for marketing communications).
- Vital Interests: Processing is necessary to protect vital interests of individuals or the public.
4.3 Processing Limitations: We shall not process personal data for purposes incompatible with those disclosed in this Policy without obtaining your prior written consent. Any secondary processing for a new purpose shall require separate legal basis and notification to the Data Subject.
5. Data Sharing, Disclosure & Recipients
5.1 Non-Sale Commitment: Crown Engine Oils Distributors categorically commits that personal data shall NEVER be sold, rented, leased, traded, or licensed to third parties for commercial purposes. Your personal data is not a commodity and shall not be monetized in any manner. This commitment applies without exception and irrespective of any business circumstance.
5.2 Authorized Data Recipients: We may disclose personal data to the following categories of recipients only when necessary and on a need-to-know basis:
- Logistics Partners & Courier Services: Delivery address, contact name, phone number, and delivery instructions are shared exclusively with courier companies and logistics providers contracted to deliver your orders. These partners are bound by confidentiality agreements and may only use your data for delivery purposes.
- Payment Processors & Banks: Bank account information and payment details (for RTGS/EFT transactions) are transmitted securely to financial institutions to process payments. We do not share full banking details with any third party.
- Email Service Providers: Email addresses are provided to our email service provider to send order confirmations, invoices, and communications. These providers maintain strict confidentiality.
- Accounting & Tax Advisors: Limited business information may be shared with our accountants and tax consultants for regulatory compliance and financial management, under strict confidentiality obligations.
- Legal Advisors & Attorneys: Relevant information may be disclosed to legal counsel for dispute resolution, contract enforcement, or legal compliance matters.
- Government & Regulatory Authorities: Personal data may be disclosed to government agencies, tax authorities, or regulators when required by law, court order, or government directive.
- Business Acquirers: In the event of merger, acquisition, bankruptcy, or similar business transaction, personal data may be transferred as part of the transaction. You will be notified of any such transfer.
5.3 Data Processing Agreements: All Data Processors and third-party recipients are contractually bound by Data Processing Agreements requiring them to: (i) process data only as instructed; (ii) maintain confidentiality; (iii) implement adequate security measures; (iv) comply with applicable data protection laws; and (v) not disclose data to unauthorized parties.
5.4 Restrictions on Disclosure: We prohibit third-party recipients from using personal data for purposes other than those explicitly authorized. Third parties are required to delete personal data once the authorized purpose is completed or when data is no longer needed, whichever occurs first.
5.5 International Data Transfers: If personal data is transferred outside Kenya or East Africa (which is not anticipated for routine transactions), such transfer shall be made only to jurisdictions with adequate data protection laws or to recipients subject to binding corporate rules and contractual safeguards ensuring equivalent protection.
6. Data Security & Protection Measures
6.1 Security Infrastructure: Crown Engine Oils Distributors implements comprehensive technical, organizational, and administrative safeguards to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: All personal data transmitted to and from our website is encrypted using SSL/TLS encryption protocols. Sensitive data is encrypted both in transit and at rest.
- Access Controls: Access to personal data is restricted to authorized employees who require access to perform their job functions. Access is controlled through unique user credentials and role-based permissions.
- Firewalls & Network Security: Our servers are protected by firewalls and intrusion detection systems to prevent unauthorized network access.
- Data Backups: Personal data is regularly backed up to prevent loss due to system failure, corruption, or disaster. Backups are stored securely and separately from primary servers.
- Employee Training: All employees handling personal data receive regular data protection and security training to ensure proper handling practices.
- Audit & Monitoring: We conduct regular security audits, penetration testing, and log monitoring to identify and address vulnerabilities.
- Physical Security: Physical access to servers and facilities containing personal data is restricted and monitored.
6.2 Payment Card Data Security: Crown Engine Oils Distributors explicitly states that we do not collect, store, or process credit card numbers, debit card data, or other payment card sensitive information. Payment card transactions are handled exclusively by PCI-DSS compliant payment processors. We receive only non-sensitive transaction confirmation information.
6.3 Limitations of Security: While we employ industry-standard security measures, no security system is absolutely impenetrable. We cannot guarantee absolute security against determined attacks or internal breaches. Data transmission over the internet is inherently subject to risks. Users assume responsibility for maintaining the confidentiality of their account credentials.
6.4 Third-Party Security Audits: We engage independent security professionals to conduct periodic security assessments and vulnerability testing. We maintain records of security compliance and remediation activities.
7. Data Retention & Deletion Policies
7.1 Retention Principles: We adhere to the principle of "data minimization," which means we retain personal data only for so long as necessary to serve the purposes for which it was collected. However, we may retain data longer when required by applicable laws or for legitimate business purposes.
7.2 Retention Periods by Data Category: We maintain the following retention timelines:
- Transaction Data (orders, invoices, payments): Retained for seven (7) years from transaction date for tax compliance and legal purposes.
- Contact Information for Active Customers: Retained during the business relationship and for two (2) years after last transaction.
- Customer Communications & Support Records: Retained for three (3) years from last communication.
- Website Analytics & Technical Data: Retained for twelve (12) months from collection date.
- Marketing & Consent Records: Retained for the duration of the marketing relationship and two (2) years after opt-out.
- Payment Records: Retained for seven (7) years for accounting and audit purposes.
- Dispute & Complaint Records: Retained for seven (7) years from resolution date or as required by applicable laws.
- Account Inactive for Two Years: Account data may be archived or anonymized.
7.3 Secure Deletion Procedures: Upon expiration of retention periods, personal data is securely deleted or anonymized using methods that render data unrecoverable and irretrievable. Deletion methods may include:
- Secure file deletion with cryptographic erasure
- Physical destruction of storage media
- Anonymization of data to remove identifying characteristics
- Destruction of backup copies
7.4 Legal Hold & Extended Retention: Notwithstanding standard retention periods, personal data may be retained indefinitely if: (i) legally required by statute or court order; (ii) subject to litigation or disputes; (iii) necessary for fraud prevention or law enforcement; or (iv) required for tax or accounting purposes.
7.5 Right to Erasure Exception: If you request deletion of personal data, we shall comply unless data retention is required by law, necessary for transaction completion, or required for fraud prevention or legal compliance.
8. Your Privacy Rights & Data Subject Rights
8.1 Right of Access: You have the right to request access to personal data we hold about you. Upon receipt of a written access request, we shall provide you with a copy of your personal data in a commonly used format within thirty (30) days. The information shall include: (i) categories of data processed; (ii) purposes of processing; (iii) recipients of data; (iv) retention period; and (v) your rights regarding the data.
8.2 Right of Correction/Rectification: If you believe personal data we hold is inaccurate, incomplete, or outdated, you may request correction or completion. We shall make corrections and notify third parties who received the incorrect data, unless impracticable. Corrections shall be made within twenty (20) business days of request.
8.3 Right to Erasure ("Right to Be Forgotten"): You may request deletion of personal data we hold, provided that: (i) the data is no longer necessary for the purposes collected; (ii) you withdraw consent on which processing is based; (iii) you object to processing and there is no legitimate ground for continued processing; or (iv) processing is unlawful. We shall delete data within thirty (30) days unless data retention is legally required.
8.4 Right to Restrict Processing: You may request that we restrict processing of personal data in certain circumstances, including: (i) you dispute accuracy of data pending verification; (ii) processing is unlawful but you oppose erasure; (iii) we no longer need the data but you require it for legal claims; or (iv) you object to processing pending review. When processing is restricted, we shall store data but not actively use it for processing.
8.5 Right to Data Portability: You have the right to receive personal data you provided to us in a structured, commonly-used, machine-readable format and to transmit this data to another organization without hindrance from us. We shall provide data in a suitable format (CSV, JSON, or XML) within thirty (30) days of request.
8.6 Right to Object to Processing: You may object to processing of personal data for direct marketing purposes, profiling, or other non-essential purposes. Upon receipt of an objection, we shall cease processing for the objected purposes within twenty (20) business days. You may object to marketing communications by clicking "unsubscribe" links in emails or requesting removal from our mailing list.
8.7 Right to Withdraw Consent: If processing is based on your consent, you may withdraw consent at any time. Withdrawal shall not affect the lawfulness of processing prior to withdrawal. Withdrawal may be done via email or by following opt-out instructions in communications.
8.8 Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. We shall not make purely automated decisions affecting your rights without human review and your opportunity to express your perspective.
8.9 Exercising Your Rights: To exercise any of the above rights, submit a written request to info@crownoils.com including: (i) your full name; (ii) contact information; (iii) specific right being exercised; (iv) detailed explanation of the request; and (v) any supporting documentation. We shall respond to all requests within the statutory timeframes. You may also contact us by phone at 0712 012 113 or mail at Nairobi, Kenya.
8.10 Right to Lodge Complaints: If you believe we have violated your privacy rights or applicable data protection laws, you have the right to lodge a formal complaint with the Office of the Data Protection Commissioner in Kenya or the relevant data protection authority in your jurisdiction.
9. Cookies, Tracking Technologies & Website Analytics
9.1 Cookie Usage: Our website uses cookies, which are small data files stored on your device that help us remember your preferences and improve your browsing experience. We use the following types of cookies:
- Essential Cookies: Required for basic website functionality, login, security, and order processing. These cookies cannot be disabled without impairing website functionality.
- Performance Cookies: Collect information about how you use our website, including pages visited, time spent, and features used. This helps us optimize website performance and user experience.
- Preference Cookies: Remember your preferences, such as language settings, currency selection, and display preferences.
- Marketing Cookies: Track your interaction with our content to deliver targeted marketing messages and advertisements. These cookies require your explicit consent.
9.2 Cookie Consent & Management: Upon your first visit to our website, you are presented with a cookie consent banner explaining cookie usage. You may accept all cookies, refuse non-essential cookies, or customize your preferences. Your choices are recorded and respected for future visits. You may modify cookie preferences at any time through your browser settings or our privacy preferences page.
9.3 Third-Party Cookies: We use analytics services (such as Google Analytics) that may set their own tracking cookies. These third parties maintain their own privacy policies governing their cookie usage. You can disable third-party cookies through your browser settings.
9.4 Browser Controls: Most web browsers allow you to control cookies through settings. You may delete existing cookies and set preferences to accept or reject future cookies. Instructions for managing cookies in popular browsers are available on browser manufacturers' websites. Disabling cookies may impact website functionality.
9.5 Do-Not-Track Signals: Some browsers include a "Do Not Track" (DNT) feature. While we respect DNT signals, we do not alter our data collection practices in response to DNT signals due to lack of industry standardization.
9.6 Local Storage & Web Beacons: Beyond cookies, we may use local storage and similar technologies to store information on your device. We use web beacons (invisible tracking pixels) in emails and on web pages to track email opens and page visits. These technologies are used to measure engagement and improve our services.
10. Marketing Communications & Email Preferences
10.1 Marketing Consent: We send marketing communications (product updates, promotional offers, newsletters, industry news) only to individuals who: (i) have explicitly opted in and provided consent; (ii) have an existing business relationship with us and have not objected; or (iii) have requested product information. All marketing communications include clear identification of the sender and subject matter.
10.2 Email Marketing Compliance: All email marketing complies with the Kenya Information and Communications (Consumer Protection) Regulations and international email marketing best practices. Each marketing email includes: (i) sender identification; (ii) clear subject line; (iii) opt-out/unsubscribe mechanism; (iv) privacy policy link; and (v) physical business address.
10.3 Unsubscribe & Opt-Out: You may unsubscribe from marketing communications at any time by: (i) clicking the "Unsubscribe" link in any marketing email; (ii) updating preferences on your account; or (iii) sending written request to info@crownoils.com. Upon unsubscribe, we shall cease sending marketing communications within five (5) business days. Unsubscribe requests apply to all future communications but do not affect transactional or order-related messages.
10.4 Transactional Communications: Even if you unsubscribe from marketing, we shall continue to send transactional communications necessary for order processing, delivery, payment, and customer service. These communications are not marketing and are essential for business operations.
10.5 Preference Center: We maintain a preference center allowing you to manage email frequency, communication types, and product categories of interest. You may customize your communication preferences without completely opting out.
10.6 Third-Party Marketing: We do not share your email address with third parties for their marketing purposes. If you receive marketing from other organizations claiming to have obtained your email from us, please notify us immediately at info@crownoils.com.
11. Data Breach Notification & Incident Response
11.1 Breach Response Protocol: In the event of a confirmed Data Breach, we shall: (i) immediately investigate the breach and assess its scope; (ii) implement containment measures to prevent further unauthorized access; (iii) notify affected individuals and relevant authorities as required by applicable laws; and (iv) document the breach and remediation actions.
11.2 Notification Timeline: We shall notify affected individuals without undue delay, and in no case later than thirty (30) days following discovery of a confirmed breach. Notification shall be provided via email, phone, or mail to the last known contact information in our records.
11.3 Breach Notification Content: Breach notifications shall include: (i) description of the breach; (ii) likely consequences; (iii) measures taken to address the breach; (iv) your rights and remedies available; (v) contact information for further inquiries; and (vi) recommendations for protective action.
11.4 Authority Notification: We shall notify the Office of the Data Protection Commissioner and other relevant authorities of any confirmed Data Breach affecting personal data of residents of Kenya, as required by applicable data protection laws.
11.5 Documentation & Record-Keeping: We maintain detailed records of all Data Breaches, including date discovered, data affected, individuals impacted, breach cause, remediation actions, notifications made, and costs incurred. These records are retained for at least seven (7) years.
11.6 Breach Prevention & Continuous Improvement: Following any breach, we conduct a thorough post-breach analysis to identify vulnerabilities and implement preventive measures to reduce future breach risk. We may conduct independent security audits and update security protocols based on breach findings.
12. Children's Privacy & Parental Consent
12.1 No Collection from Children: Crown Engine Oils Distributors does not knowingly collect personal data from individuals under 18 years of age. Our website and services are intended exclusively for business entities and adults aged 18 and above. Children should not provide personal information through our website.
12.2 Parental Discovery & Remediation: If a parent or guardian discovers that a child has submitted personal data to our website without consent, please immediately contact us at info@crownoils.com or call 0712 012 113. We shall take immediate action to verify the child's age and delete any personal data collected from the child.
12.3 Business Context: Our business operations involve B2B (business-to-business) transactions with commercial entities. We do not market products or services to children or knowingly engage with minors in business transactions.
13. Third-Party Links & External Websites
13.1 Disclaimer of Responsibility: Our website may contain links to external websites, social media platforms, and third-party services. Crown Engine Oils Distributors is not responsible for the privacy practices, security measures, or content of external websites. Each third-party website maintains its own privacy policy, and we encourage you to review their policies before submitting personal information.
13.2 No Endorsement: Inclusion of links to external websites does not constitute endorsement, approval, or affiliation with such websites. We have no control over the content, accuracy, or privacy practices of external websites.
13.3 Social Media: If you interact with our social media profiles (Facebook, LinkedIn, Instagram, Twitter, etc.), personal data you provide on those platforms is governed by the respective platform's privacy policies, not our Privacy Policy. We encourage you to review social media platform privacy settings and policies.
14. International Privacy Standards & Regional Compliance
14.1 Multi-Jurisdictional Compliance: Crown Engine Oils Distributors operates in multiple jurisdictions across East Africa. This Privacy Policy is designed to comply with the Data Protection Act of Kenya, data protection laws of Uganda, Tanzania, Rwanda, Burundi, and international privacy best practices including principles of the European Union's General Data Protection Regulation (GDPR) where applicable.
14.2 Kenya Data Protection Act Compliance: Our practices comply with the Data Protection Act of Kenya (2019), including requirements for lawful processing, data subject rights, accountability, and breach notification.
14.3 Cross-Border Data Flows: Personal data may be processed in different jurisdictions as part of our business operations. We ensure that international data transfers are protected through contractual safeguards, standard contractual clauses, and binding corporate rules where applicable.
14.4 Regional Variations: Some regions may have specific privacy requirements. Where applicable, we comply with regional data protection laws and may maintain separate privacy practices for specific regions. If you are in a specific region with enhanced privacy requirements, please contact us for region-specific information.
15. Policy Updates & Contact Information
15.1 Policy Changes: Crown Engine Oils Distributors may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Any material changes shall be communicated to you via email or prominent notice on our website. Your continued use of our services following posting of revisions constitutes acceptance of the updated Privacy Policy.
15.2 Change Highlights: When significant changes are made, we shall provide a summary of changes and effective date. We shall maintain dated versions of this Policy to allow you to track how our practices have evolved.
15.3 Effective Date: This Privacy Policy is effective from the "Last Updated" date shown at the top of this page and applies to all personal data collected on or after this date. Prior versions may apply to data collected before the effective date.
15.4 Privacy Inquiries & Requests: If you have questions about this Privacy Policy, wish to exercise privacy rights, or have concerns about our privacy practices, please contact us:
- Email: info@crownoils.com
- Phone: 0712 012 113
- Address: Nairobi, Kenya
- Data Protection Officer: Available to discuss all privacy matters and investigate privacy concerns
- Business Hours: Monday - Friday, 9:00 AM - 5:00 PM EAT
We aim to respond to all privacy inquiries within five (5) business days. More complex requests may require up to thirty (30) days for full response.
15.5 Data Protection Authority Contact: If you have unresolved concerns about our privacy practices, you may lodge a complaint with:
- Office of the Data Protection Commissioner (ODPC), Kenya - Website: www.odpc.go.ke
- Local data protection authorities in your jurisdiction for non-Kenya residents
Privacy Acknowledgment
By using Crown Engine Oils Distributors's website, placing orders, submitting information through contact forms, or engaging in any business transaction with us, you acknowledge that you have read and understood this Privacy Policy and consent to our collection, processing, use, and storage of your personal data as described. You confirm that any personal data you provide is accurate and that you have authority to provide such data on behalf of your organization. If you do not consent to our privacy practices, please do not use our website or services.
Last updated: 7/6/2026 | This policy is effective immediately and applies to all data processing activities.