Privacy Policy
Effective Date: June 12, 2026
Last Updated: June 12, 2026
Company: Aurex Intelligence Ltd
Registered Address: Fairview Building, KK 622 St, Kigali, Rwanda
Contact: dpo@aurex-int.com
1. Introduction
We are committed to protecting the privacy, security, and integrity of the personal and corporate data entrusted to us by our clients, partners, end‑users, and website visitors. This Privacy Policy outlines how we collect, use, process, and safeguard data in strict compliance with the Republic of Rwanda’s Law N° 058/2021 of 13/10/2021 relating to the protection of personal data and privacy, alongside relevant sector‑specific regulations (e.g., National Bank of Rwanda guidelines, healthcare confidentiality laws, and international data protection standards).
2. Scope of Application
- Clients & Partners: Government agencies, parastatals, financial institutions, healthcare providers, agricultural enterprises, and SMEs.
- End‑Users: Individuals interacting with the digital solutions, platforms, or applications developed, managed, or automated by Aurex Intelligence.
- Website Visitors: Users accessing our corporate website, portals, or marketing materials.
- Employees & Contractors: Personnel engaged in the delivery of our services.
3. Types of Data We Collect and Process
- Personal Identification Data: Names, contact details, national IDs, professional titles, and authentication credentials.
- Business & Corporate Data: Company registration details, financial records, organizational charts, and operational data.
- Technical & Usage Data: IP addresses, device information, browser types, system logs, API usage metrics, and telemetry data.
- Sensitive Personal Data: Processed only under a strict legal basis and enhanced security. This includes health/medical data (for Healthcare innovation projects), biometric data, and financial transaction data (for Fintech and banking solutions).
- AI & ML Training Data: Aggregated, anonymized, or pseudonymized datasets used to train, validate, or improve custom machine learning models, strictly governed by client data-sharing agreements.
4. Legal Basis for Processing
- Explicit Consent: Obtained directly from the data subject for specific purposes (especially required for sensitive data).
- Contractual Necessity: Required to fulfill our obligations under a service agreement, Software‑as‑a‑Service (SaaS) contract, or consulting engagement.
- Legal Obligation: To comply with statutory requirements, including tax laws, anti‑money laundering (AML) regulations, or directives from regulatory bodies.
- Legitimate Interest: For network security, fraud prevention, and internal administrative purposes, provided it does not override the fundamental rights and freedoms of the data subject.
5. How We Use Your Data
- Delivering, maintaining, and improving our AI, software engineering, and automation solutions.
- Conducting data analytics and generating insights as contracted by our clients.
- Ensuring system security, preventing unauthorized access, and conducting vulnerability assessments.
- Communicating with clients regarding project updates, support, and billing.
- Complying with audits, regulatory reporting, and legal requests from competent authorities.
Note on AI Development: Aurex Intelligence does not use client‑specific, confidential, or personally identifiable information (PII) to train public, foundational AI models. Custom ML models are developed in isolated, secure environments, and data used for training is strictly anonymized or pseudonymized unless explicit, written consent is provided by the data controller (our client).
6. Data Security and Server Infrastructure Protection
- Encryption: All data stored on our servers and transmitted across our networks is heavily encrypted, utilizing industry‑standard protocols for data in transit (e.g., TLS 1.2/1.3) and data at rest (e.g., AES‑256).
- Server Isolation & Architecture: Client data is strictly segregated. Depending on the sensitivity of the data and client requirements, we utilize logical isolation (dedicated virtual environments) or physical isolation (dedicated bare‑metal servers) to ensure no cross‑contamination of data between different clients or projects.
- Access Control: Strict Role‑Based Access Control (RBAC) and Multi‑Factor Authentication (MFA) are enforced for all personnel accessing our server environments, administrative panels, and client databases.
- Incident Response: A formalized Data Breach Notification Protocol is in place. In strict compliance with Articles 43 and 44 of Rwanda’s Law N° 058/2021, we will notify the relevant regulatory authorities and affected clients within 48 hours of becoming aware of a qualifying data breach or unauthorized server intrusion, alongside immediate steps to mitigate the impact.
7. Data Storage, Server Locations, and Localization
- Data Localization: For clients subject to strict data localization mandates under Rwandan law (such as specific government ministries, parastatals, and financial institutions regulated by the National Bank of Rwanda), personal and sensitive data is hosted exclusively on servers physically located within the Republic of Rwanda.
- International Server Environments: For engagements where local hosting is not legally mandated, data may be hosted on secure, internationally certified server environments. In such cases, the servers are located in jurisdictions that provide adequate data protection, or we implement strict legal and technical safeguards to ensure the data remains protected to the standard required by Rwandan law.
8. Data Sharing and Third‑Party Server Processors
- Authorized Sub‑processors: We may utilize trusted third‑party server hosting and cloud infrastructure providers to assist in processing and storing data. All such third‑party server providers are bound by strict Data Processing Agreements (DPAs) and are contractually obligated to maintain security standards equivalent to or greater than our own, and to comply with all applicable data protection laws.
- Legal Requirements: When compelled by a valid court order, subpoena, or lawful request from competent regulatory or law enforcement bodies.
- Corporate Transactions: In the event of a merger, acquisition, or asset sale, subject to strict confidentiality and data protection undertakings.
9. Cross‑Border Data Transfers
- The destination country provides an adequate level of data protection as recognized by Rwandan authorities, OR
- We implement appropriate safeguards, such as approved Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), and obtain necessary authorizations from the relevant regulatory body prior to the transfer.
10. Data Retention
11. Rights of the Data Subject
- Be Informed: Know how their data is being processed.
- Access: Request a copy of their personal data held by us.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure (“Right to be Forgotten”): Request deletion of their data, subject to legal retention requirements.
- Restriction & Objection: Object to or restrict the processing of their data under certain conditions.
- Data Portability: Receive their data in a structured, commonly used, and machine‑readable format.
To exercise these rights, please contact our Data Protection Officer (DPO). We will respond to verified requests within thirty (30) days, as mandated by law.
12. Cookies and Tracking Technologies
13. Children’s Privacy
14. Updates to This Privacy Policy
15. Contact Information and Regulatory Authority
Aurex Intelligence
Attention: Data Protection Officer
Email: dpo@aurex-int.com
Phone: +250 799 530 503
Physical Address: Fairview Building, KK 622 St, Kigali, Rwanda
In the event of an unresolved complaint, data subjects have the right to lodge a formal complaint with the National Cyber Security Authority (NCSA) / Data Protection Office, the designated regulatory authority for data protection in the Republic of Rwanda.