Privacy Policy
Wazi Community Based Organization (“Wazi”, “we”, “us”, “our”) is a youth-led, registered Community-Based Organization (Registration No. HUD.GPO/KAS/CBO/08/2023/015) founded in 2018 and based in Ruaraka, Nairobi, Kenya. We champion the domestication of the United Nations Sustainable Development Goals across four pillars: Health, Education, Advocacy, and Environment.
We respect your privacy and are committed to protecting the personal data of everyone who visits our website at wazikenya.org, contacts us, applies to volunteer, partners with us, donates, or otherwise engages with our work. This Privacy Policy is written to meet and exceed the requirements of the Kenya Data Protection Act, 2019 and its accompanying Regulations (the law that governs us as a Kenyan organization), and the European Union General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR, so that our supporters, partners, and funders in Kenya, the European Union, the United Kingdom, Australia, and elsewhere can engage with us in full confidence.
Please read this policy carefully. By using our website or sharing your personal data with us, you acknowledge that you have read and understood this policy. If you do not agree with it, please do not use the website or submit personal data to us.
Effective date: 3 June 2026. Version: 2.0.
1. Definitions
To make this policy easier to follow, the key terms used carry the following meaning:
- Personal data means any information relating to an identified or identifiable natural person (a “data subject”), such as a name, email address, phone number, or identification number.
- Processing means any operation performed on personal data, including collecting, recording, storing, using, sharing, and deleting it.
- Data controller means the person or organization that determines the purposes and means of processing personal data. For the data described here, Wazi is the data controller.
- Data processor means a third party that processes personal data on behalf of the controller, under contract (for example, our website host).
- Special category (sensitive) data means data revealing health, sex life or sexual orientation, race or ethnicity, religious or philosophical beliefs, political opinions, trade-union membership, genetic or biometric data.
- Data subject means the living individual to whom the personal data relates, which is you.
- Consent means a freely given, specific, informed, and unambiguous indication of your agreement to the processing of your personal data.
2. The data controller and how to contact us
Wazi Community Based Organization is the data controller responsible for your personal data. Because of our size we are not legally required to appoint a Data Protection Officer, but we have designated a privacy contact who is responsible for overseeing this policy and answering your questions:
- Privacy contact: The Operations Lead, Wazi Community Based Organization
- Email: dataprotection@wazikenya.org
- Postal address: Wazi Community Based Organization, Ruaraka, Nairobi, Kenya
- Telephone: +254 755 819 889
If you have any question, concern, or request about this policy or your personal data, please contact us using the details above. We aim to acknowledge every enquiry promptly.
3. The scope of this policy
This policy applies to personal data we collect:
- through this website, including its contact form, volunteer and partnership enquiry forms, and donation prompts;
- when you email, call, or message us on social media;
- when you donate to us through M-Pesa or another channel;
- when you attend our events, workshops, or programs and choose to share contact details with us.
It does not cover the privacy practices of third-party websites we link to (such as M-Changa, partner organizations, or social media platforms), which have their own policies. It also does not cover offline program data governed by separate program consent and safeguarding agreements.
4. The personal data we collect
4.1 Data you provide to us directly
- Contact and enquiry data: your name, email address, telephone number (where you provide it), and the content and subject of any message you send through the contact form or by email.
- Volunteer application data: your name, contact details, age range, area of study or profession, availability, skills, interests, your reasons for wanting to volunteer, and any other details you choose to include in your application.
- Partnership and funder data: your name, organization, job title, contact details, and the content of your partnership or funding proposal.
- Donation data: where you donate via M-Pesa or another channel, we receive the transaction amount, date, reference, and the name or phone number associated with the payment. We do not collect, see, or store your full M-Pesa PIN, card number, or banking login credentials.
- Correspondence: records of your communications with us, so we can keep track of your enquiry and respond properly.
4.2 Data we collect automatically when you use the website
- Technical and device data: your IP address (typically truncated or anonymised by our analytics), browser type and version, device type, operating system, and screen settings.
- Usage data: the pages you visit, the order in which you visit them, the links you click, the date and time of your visit, and the website or source you arrived from.
- Approximate location: derived at country or city level from your IP address, never precise GPS location.
- Cookie data: see section 9 for the specific cookies we use.
- Server logs: standard security logs kept by our hosting provider to detect and prevent abuse, which may include IP addresses and request data.
4.3 Data we do not knowingly collect
We do not ask you to provide special category (sensitive) data through this website, and we ask that you do not include such information in messages to us unless it is genuinely necessary. We do not collect government identification numbers through the website. We do not knowingly collect personal data from children through the website (see section 11).
5. How and why we use your data, and our lawful bases
Under the GDPR and the Kenya Data Protection Act we must have a lawful basis for each processing activity. The table below sets out what we do, the data involved, and the lawful basis we rely on.
| Purpose | Data used | Lawful basis |
|---|---|---|
| Respond to your enquiries and provide requested information | Contact and enquiry data, correspondence | Consent; and our legitimate interest in answering people who contact us |
| Receive, assess, and manage volunteer applications and placements | Volunteer application data | Consent; and steps taken at your request prior to a volunteering arrangement |
| Assess and manage partnerships and funding relationships | Partnership and funder data | Legitimate interests; and steps towards or performance of an agreement |
| Process and acknowledge donations and issue receipts | Donation data | Performance of your donation; legal obligation (financial record-keeping) |
| Send updates, newsletters, and appeals you have asked for | Name and email | Consent (you may withdraw at any time) |
| Operate, maintain, secure, and improve the website | Technical, usage, and cookie data | Legitimate interests in a secure, functioning, useful website; consent for non-essential cookies |
| Keep proper organizational, financial, and regulatory records | As relevant to each record | Legal obligation; legitimate interests |
| Protect our rights, safety, property, and those of our community | As relevant | Legitimate interests; legal obligation |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms and concluded that our processing does not override them. You may ask us for more detail on this balancing assessment at any time.
6. Marketing and your choices
We will only send you newsletters, impact updates, or appeals where you have asked to receive them. Every such message includes a clear way to unsubscribe, and you can also opt out at any time by emailing dataprotection@wazikenya.org. We do not sell or rent your contact details to anyone for their own marketing, and we never will.
7. Who we share your data with
We do not sell your personal data. We share it only in the limited circumstances below, and only with the minimum necessary.
7.1 Service providers (data processors)
We use carefully selected third parties to help us run our website and operations. They act only on our documented instructions and are bound by contract to protect your data. These include:
- Website hosting provider (stores the website and its database, keeps security logs).
- Form and email service (delivers messages submitted through our forms and our correspondence with you).
- Website analytics provider (helps us understand, in aggregate, how the site is used).
- Content delivery and font providers (serve website scripts, styles, and fonts efficiently and securely).
7.2 Payment and mobile-money providers
When you donate, the relevant mobile-money or payment provider (for example, Safaricom M-Pesa) processes the transaction under its own privacy terms. We receive only the confirmation details needed to acknowledge and record your gift.
7.3 Funders, auditors, and regulators
We may share information with funders and auditors where we are required to report on the use of funds, usually in aggregate form that does not identify individual supporters unless the law or your agreement requires otherwise. We may share data with regulators or authorities where we are legally obliged to.
7.4 Legal and safety disclosures
We may disclose personal data where necessary to comply with the law, enforce our agreements, or protect the rights, safety, and property of Wazi, the community we serve, our staff and volunteers, or the public.
8. International transfers of your data
Wazi is based in Kenya, and many of our supporters, partners, and funders are located in the European Economic Area, the United Kingdom, Australia, and other regions. Some of our service providers may store or process data in countries outside your own, including outside the EEA and outside Kenya. Whenever we transfer personal data internationally, we take steps to ensure it continues to receive an adequate level of protection, including relying on contractual safeguards (such as standard contractual clauses) with our providers and choosing providers with strong security and privacy practices, consistent with the GDPR and the Kenya Data Protection Act. You may contact us for more information about the safeguards in place for a specific transfer.
9. Cookies and similar technologies
Cookies are small text files placed on your device when you visit a website. We use a small number of cookies and similar technologies. You can control them through your browser settings and, where shown, through any cookie banner on our site.
| Type | Purpose | Typical duration |
|---|---|---|
| Strictly necessary | Keep the website working and secure, remember basic preferences. These cannot be switched off in our systems. | Session to 1 year |
| Analytics | Help us understand, in aggregate and without identifying you, how visitors use the site so we can improve it. Used only where permitted. | Up to 2 years |
| Embedded content | Some pages embed content (for example videos or social posts) that may set their own cookies under the third party’s policy. | Varies by provider |
Blocking some cookies may affect how the website functions. Most browsers let you refuse or delete cookies; see your browser’s help pages for instructions.
10. How long we keep your data (retention)
We keep personal data only for as long as we need it for the purposes set out in this policy, after which we securely delete or anonymise it. Our general retention periods are:
| Record type | Retention period |
|---|---|
| General enquiries and correspondence | Up to 2 years from your last contact |
| Unsuccessful volunteer applications | Duration of the intake cycle plus up to 12 months |
| Active volunteer records | Duration of your involvement plus a reasonable period afterwards |
| Partnership records | Duration of the relationship plus the period required by law |
| Donation and financial records | As required by Kenyan financial, tax, and regulatory law (commonly up to 7 years) |
| Newsletter subscriptions | Until you unsubscribe, then promptly removed |
| Website analytics | Up to 26 months, in aggregate form |
11. Children, young people, and safeguarding
Wazi works directly with adolescents (11 to 18) and young people through its programs. That offline work is governed by separate, robust consent and safeguarding procedures, including guardian consent where appropriate. This website, however, is intended for a general adult audience (donors, volunteers aged 18 and over, partners, and researchers) and is not designed to collect personal data from children. We do not knowingly collect personal data from anyone under 18 through this website. If you believe a child has provided us personal data through the website, please contact us immediately and we will delete it. Safeguarding the children and young people we work with is a core organizational commitment, not an afterthought.
12. Automated decision-making and profiling
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing, and we do not carry out profiling of that kind. Our analytics produce only aggregate, non-identifying insights to help us improve the website.
13. How we keep your data secure
We take appropriate technical and organizational measures to protect your personal data against loss, misuse, unauthorised access, alteration, and disclosure, including:
- serving the entire website over a secure, encrypted (HTTPS) connection;
- limiting access to personal data to the people who genuinely need it for their role;
- using reputable, security-conscious service providers under data protection contracts;
- keeping our website software and plugins updated, and applying security best practices;
- reviewing our practices periodically and responding quickly to any suspected incident.
No method of transmission over the internet or method of electronic storage is completely secure, so while we work hard to protect your data we cannot guarantee absolute security. You also have a role to play: please keep any account or correspondence details confidential and let us know promptly of any suspected misuse.
14. Personal data breaches
We maintain procedures to detect, report, and investigate personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the Office of the Data Protection Commissioner of Kenya (and, where applicable, the relevant EU/EEA supervisory authority) within the timeframes required by law, and we will inform affected individuals where the law requires it.
15. Your rights over your personal data
Subject to the conditions and exemptions in the GDPR and the Kenya Data Protection Act, you have the following rights:
- The right to be informed about how we collect and use your personal data (this policy).
- The right of access to the personal data we hold about you, and to receive a copy of it.
- The right to rectification of personal data that is inaccurate or incomplete.
- The right to erasure (“the right to be forgotten”) where there is no overriding lawful reason for us to keep your data.
- The right to restrict processing in certain circumstances, for example while a dispute about accuracy is resolved.
- The right to data portability, to receive certain data you provided in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
- The right to object to processing based on legitimate interests, and an absolute right to object to direct marketing.
- The right to withdraw consent at any time where we rely on consent, without affecting the lawfulness of processing before withdrawal.
- The right not to be subject to a decision based solely on automated processing that significantly affects you (we do not carry out such processing).
- The right to lodge a complaint with a supervisory authority (see section 17).
16. How to exercise your rights
To exercise any of your rights, please email dataprotection@wazikenya.org or write to us at the postal address in section 2. To protect your data, we may need to verify your identity before acting on a request. We will respond without undue delay and within the timeframe required by law (generally within 30 days under the GDPR, and within the period set by the Kenya Data Protection Act), and we will tell you if we need more time for a complex request. Exercising your rights is free of charge in normal circumstances, and we will never penalise you for doing so.
17. Complaints
If you have a concern about how we handle your personal data, please contact us first at dataprotection@wazikenya.org so we can try to put it right. You also have the right to lodge a complaint with a data protection authority:
- In Kenya: the Office of the Data Protection Commissioner (ODPC), www.odpc.go.ke.
- In the EU/EEA: the supervisory authority in your country of residence or work.
- In the UK: the Information Commissioner’s Office (ICO), ico.org.uk.
18. Links to other websites and third-party services
Our website may link to or embed content from other websites and services, including funders, partners, donation platforms (such as M-Changa), and social media platforms (Instagram, LinkedIn, TikTok, X). We are not responsible for the privacy practices or content of those third parties. When you follow a link or interact with embedded content, the third party may collect data about you under its own policy. We encourage you to read the privacy policy of any third-party site you visit.
19. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, our services, or the law. When we do, we will post the revised version on this page and update the “Effective date” and “Version” at the top. Where changes are significant, we will take reasonable steps to bring them to your attention. We encourage you to review this page periodically.
20. Contact us
If you have any questions about this Privacy Policy, or wish to exercise your rights, please contact:
Wazi Community Based Organization
Registration No. HUD.GPO/KAS/CBO/08/2023/015
Ruaraka, Nairobi, Kenya
Email: dataprotection@wazikenya.org
Phone: +254 755 819 889