1. Data Controller
- Company
- SBCGrow SARL
- RCCM
- SN.DKR.2024.B.1836
- NINEA
- 010940676 2V2
- Registered address
- Lot No. 130 Liberty 6 extension, Dakar, Senegal
- Legal representative
- Mame Michele Laye Diop — Manager
- Data protection contact
- admin@sbcgrow.com
- Phone
- +221 33 843 78 49
- Website
- www.sbcgrow.com
2. Purpose and Scope
This policy informs clients of SBCGrow SARL (current and prospective) about the conditions under which their personal data is collected, processed, and protected.
It applies to all interactions between the client and SBCGrow: initial contact, contracting, service delivery, commercial prospecting, and communication.
In accordance with Senegalese law (Law No. 2008-12 of January 25, 2008 on the protection of personal data) and international standards (GDPR as a best-practice reference, ISO 27701), SBCGrow is committed to processing its clients' personal data with the highest diligence.
This policy forms part of SBCGrow's General Data Protection Policy (SBCGrow/POL/PDP/2026/v1.0).
3. Data Collected and Purposes
| Data | Purpose | Nature |
|---|---|---|
| Last name, first name | Identification of the contracting party | Mandatory |
| Email address | Communication, document delivery | Mandatory |
| Phone number | Operational contact | Mandatory |
| Company name, business address | B2B client relationship management | Mandatory (B2B) |
| Industry sector | Service personalization | Optional |
| Exchange history | Contractual relationship tracking | Automatic |
| Billing data | Accounting and tax obligations | Mandatory |
| Browsing data (cookies) | Website improvement | Consent |
No sensitive data (health, political opinions, religion, biometrics, criminal records) is collected. Any accidental receipt of sensitive data is immediately deleted with notification to the sender.
4. Legal Basis
| Processing | Legal basis |
|---|---|
| Service delivery | Contract execution |
| Invoicing and accounting | Legal obligation (tax law) |
| Commercial prospecting (B2B) | Legitimate interest |
| Newsletter | Consent (opt-in) |
| Cookies (analytics/marketing) | Consent (opt-in) |
| Response to legal requests | Legal obligation |
5. Data Retention
| Data type | Retention period |
|---|---|
| Contractual data (contracts, deliverables) | Duration of contract + 5 years |
| Accounting data (invoices, payments) | 10 years (tax obligations) |
| Prospecting data (non-clients) | 2 years after last contact |
| Cookies and browsing data | 13 months |
Data is permanently deleted within 30 days after the retention period expires.
6. Data Recipients
Personal data is accessible only to:
- Authorized SBCGrow personnel — on a strict need-to-know basis (principle of least privilege)
- Microsoft Ireland Operations Limited — data processor (cloud hosting), bound by a Data Processing Agreement (DPA)
- Competent authorities — in case of legal obligation (CDP, judicial authority, tax administration)
SBCGrow never sells, rents, or transfers client data to third parties for commercial purposes.
7. International Transfers
Client data is hosted on Microsoft Cloud (data centers in Ireland and/or the Netherlands, European Union). This transfer is governed by:
- A Data Processing Agreement (DPA) with Microsoft Ireland Operations Limited
- Standard Contractual Clauses (SCCs) in accordance with European Commission decisions
- An Authorization Request filed with the CDP (Articles 49–51, Law 2008-12)
- Microsoft certifications: ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3
- Data encryption at rest (AES-256) and in transit (TLS 1.2+)
- Data residency in Europe (EMEA region) — no transfer outside the EU
8. Security Measures
SBCGrow implements the following measures to protect client data:
| Measure | Description |
|---|---|
| Encryption | AES-256 at rest, TLS 1.2+ in transit |
| Authentication | Access by unique identifier and password (12 characters min., renewal every 90 days) |
| Logging | Access traceability via Microsoft 365 Audit Log |
| Access control | Principle of least privilege — access limited to authorized personnel |
| Backup | Continuous automatic backup on Microsoft Cloud |
| Physical security | Secured premises; Microsoft data centers certified ISO 27001 |
9. Your Rights
In accordance with Articles 58 to 68 of Law No. 2008-12 and GDPR principles, every client has the following rights:
| Right | Description | Response time |
|---|---|---|
| Information | Know what data is collected and why | Immediate (at collection) |
| Access | Obtain a copy of your data in a readable format | 15 business days |
| Rectification | Correct inaccurate or incomplete data | 15 business days |
| Opposition | Object to processing on legitimate grounds | 15 business days |
| Deletion | Request erasure of your data | 30 business days |
| Portability | Receive your data in a structured, reusable format | 30 business days |
| Restriction | Freeze processing pending verification | 15 business days |
How to exercise your rights: send an email to admin@sbcgrow.com with a copy of your ID document. In case of a reasoned refusal, you may file a complaint with the Commission des Données Personnelles (CDP): www.cdp.sn — contact.cdp@cdp.sn.
10. Cookies
The website www.sbcgrow.com may use the following cookies:
| Type | Purpose | Consent |
|---|---|---|
| Essential cookies | Website functionality | Not required (strictly necessary) |
| Analytics cookies | Audience measurement, improvement | Consent required (opt-in) |
| Marketing cookies | Targeted advertising | Consent required (opt-in) |
You can manage your cookie preferences via the consent banner or your browser settings. Consent is valid for 13 months.
11. Policy Changes
SBCGrow reserves the right to modify this policy to maintain compliance with legislative changes or operational needs. Any substantive change will be communicated to clients by email and/or publication on the website, with 30 days' prior notice before taking effect.
12. Contact and Complaints
- Data protection contact
- admin@sbcgrow.com
- Postal address
- SBCGrow SARL — Lot No. 130 Liberty 6 extension, Dakar, Senegal
- Phone
- +221 33 843 78 49
- Supervisory authority
- Commission des Données Personnelles (CDP) — 76, Mermoz Pyrotechnie, VDN-Dakar — www.cdp.sn — contact.cdp@cdp.sn
Applicable law: Law No. 2008-12 of January 25, 2008 on the protection of personal data and its implementing Decree No. 2008-721 of June 30, 2008.