Privacy Policy

Home / Privacy Policy

Last updated: June 16, 2026

1. Introduction

CREST LAW ("we", "our", or "the Firm") is a law firm registered and operating in Kigali, Rwanda, with offices at KG 264 St House No 19, Kimihurura, Kigali. We are committed to protecting your personal information in accordance with Rwanda's Law No. 058/2021 of 13/10/2021 on the Protection of Personal Data and Privacy (the "Data Protection Law") and applicable professional conduct rules governing attorney-client confidentiality.

This Privacy Policy explains how we collect, use, store, and protect personal information when you visit our website, contact us, or engage our legal services.

2. Information We Collect

We may collect the following categories of personal information:

2.1 Information You Provide Directly

  • Contact details: name, email address, phone number, physical address
  • Matter information: details about your legal situation that you share when contacting us or completing our intake form
  • Identity documents: where required for client verification under applicable professional rules
  • Correspondence: emails, letters, and messages you send to us

2.2 Information Collected Automatically

  • Technical data: IP address, browser type, device type, and operating system
  • Usage data: pages visited, time spent on pages, referring URLs
  • Cookies: session and preference cookies (see Section 7 below)

3. How We Use Your Information

We use your personal information for the following purposes:

  • To respond to your enquiries and provide the legal services you have requested
  • To conduct client due diligence and comply with Know Your Client (KYC) requirements
  • To manage our client relationship, including billing and file management
  • To send you legal updates, newsletters, and event invitations, where you have consented
  • To improve our website and services based on usage data
  • To comply with our legal and professional obligations

We process your personal data on the following legal bases: performance of a contract (provision of legal services), compliance with legal obligations, our legitimate interests (improving our services, preventing fraud), and, where required, your explicit consent.

4. Attorney-Client Privilege & Confidentiality

All information you share with us in the context of seeking or receiving legal advice is protected by attorney-client privilege and our professional duty of confidentiality. This protection is separate from and in addition to our obligations under this Privacy Policy.

We will not disclose confidential client information to any third party except: (a) with your express consent; (b) where required by law or court order; (c) to the extent necessary to provide the legal services you have engaged us for (e.g., sharing information with opposing counsel or the court with your authorisation).

5. Sharing Your Information

We do not sell, rent, or trade your personal information. We may share your information with:

  • Service providers: trusted third parties who assist us in operating our website or business (e.g., email service providers, cloud storage providers), bound by confidentiality obligations
  • Regulatory authorities: where required by law, court order, or applicable professional regulations
  • Legal counterparties: courts, opposing counsel, regulatory bodies — only to the extent necessary and authorised to deliver your legal services

All third parties with whom we share data are required to maintain the security and confidentiality of that data and to process it only for the specified purpose.

6. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including satisfying legal, accounting, and professional obligations. For client matter files, we typically retain records for a minimum of seven (7) years after the conclusion of a matter, in accordance with professional practice standards.

Website usage data is retained for no longer than two (2) years. Marketing contact preferences are retained until you withdraw consent.

7. Cookies

Our website uses cookies — small text files stored on your device — to enhance your browsing experience. We use:

  • Essential cookies: required for the website to function. These cannot be disabled.
  • Analytics cookies: help us understand how visitors interact with the site (e.g., pages visited, time spent). We use anonymised analytics only.
  • Preference cookies: remember choices you make (e.g., language preferences).

You can control and delete cookies through your browser settings. Note that disabling certain cookies may affect website functionality.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, disclosure, alteration, or destruction. These include:

  • SSL/TLS encryption for all data transmitted to and from our website
  • Access controls limiting data access to authorised personnel on a need-to-know basis
  • Regular security assessments and staff training on data protection
  • Secure physical storage of paper-based client files

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately.

9. Your Rights

Under Rwanda's Data Protection Law, you have the following rights regarding your personal data:

  • Right to access: request a copy of the personal data we hold about you
  • Right to rectification: request correction of inaccurate or incomplete data
  • Right to erasure: request deletion of your data, subject to our legal and professional retention obligations
  • Right to restriction: request that we limit how we use your data in certain circumstances
  • Right to data portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interests or for direct marketing purposes
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us using the details in Section 11. We will respond within 30 days.

10. Links to Third-Party Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any third-party sites you visit.

11. Contact & Complaints

For any questions about this Privacy Policy, to exercise your data rights, or to raise a complaint about how we handle your personal data, please contact:

Data Protection Officer — Crest Law
KG 264 St House No 19, Kimihurura-Kigali, Rwanda
privacy@crestlaw.rw
+(250) 788 302 432

If you are not satisfied with our response, you have the right to lodge a complaint with Rwanda's National Cyber Security Authority (NCSA), which is responsible for data protection oversight.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this Policy periodically.

Continued use of our website or services after any changes constitutes acceptance of the updated policy.