OBUYANZI FOUNDATION

Community-Based Organisation — Bungoma County, Kenya

PRIVACY POLICY

 

Effective Date: 11 May 2026

Last Updated: 11 May 2026

Website: https://obuyanzi.org

Contact: info@obuyanzi.org  |  +254 726945086

 

This Privacy Policy is prepared in compliance with Kenya’s Data Protection Act, 2019 (Act No. 24 of 2019), and the Data Protection (General) Regulations, 2021. It governs how the Obuyanzi Foundation collects, uses, stores, shares, and protects personal data through its website obuyanzi.org.

 

1. Who We Are

Obuyanzi Foundation is a community-based organization (CBO) registered and operating in Bungoma County, Kenya. We are dedicated to empowering vulnerable youth through education sponsorship and skills training.

 

For the purposes of Kenya’s Data Protection Act, 2019, Obuyanzi Foundation is the data controller in respect of personal data collected through this website.

 

Registered Address: Bungoma County, Kenya

Phone: +254 726945086

Email: info@obuyanzi.org

 

2. What Personal Data We Collect

We collect personal data in the following circumstances when you interact with our website:

 

2.1 Data You Provide Directly

  • Name (first and last) — when submitting donation confirmations or contact forms.
  • Email address—when submitting donation confirmations, contact forms, or registering a donor account.
  • Phone number — if voluntarily provided through a contact form.
  • Donation confirmation details — including M-Pesa transaction reference numbers and donation amounts, when you voluntarily submit these to us.
  • Account credentials — username and password when registering a Donor Dashboard account.
  • Any other information you choose to include in contact form messages or communications with us.

2.2 Data Collected Automatically

  • IP address — collected automatically by our web server and WordPress platform for security and spam detection purposes.
  • Browser type and version — used to improve website compatibility.
  • Pages visited and time spent on pages — collected via website analytics.
  • Referring URLs — to understand how visitors find our website.
  • Cookie data — see Section 6 (Cookies) for full details.

2.3 Data We Do Not Collect

We do not collect, store, or process:

  • Full M-Pesa PIN numbers or mobile banking credentials (these are handled entirely by Safaricom’s secure platform and never reach our website).
  • National ID numbers, KRA PINs, or government identification numbers.
  • Biometric data.
  • Sensitive personal data (health data, religious beliefs, ethnicity, and political opinions) unless you explicitly include such information in a message to us, in which case it is processed only for the purpose of responding to your query.

3. How and Why We Use Your Data

The table below summarizes how we use your personal data and the legal basis for each use under the Data Protection Act, 2019:

 

Type of Data

What We Collect

Why We Collect It

Legal Basis (DPA 2019)

Identity & Contact Data

Name, email address

Processing donation confirmations; responding to enquiries

Consent (s. 30 DPA) / Legitimate interests

Donation Data

M-Pesa confirmation details, amounts

Recording and tracking charitable donations; financial accountability

Legitimate interests; legal obligation

Account Data

Username, email, password (hashed)

Managing Donor Dashboard accounts and login sessions

Consent; contract performance

Technical Data

IP address, browser type, cookies

Website security, spam prevention, performance analytics

Legitimate interests

Communication Data

Form messages, queries

Responding to your enquiries and requests

Consent; legitimate interests

Children’s Data (beneficiaries)

Photos, names (with consent)

Impact stories, fundraising, programme reporting

Explicit parental/guardian consent

We will not use your personal data for any purpose other than those listed above without first notifying you and, where required, obtaining your consent.

 

4. Donor Data and M-Pesa Transactions

Donations are processed via Safaricom’s M-Pesa Paybill service. Obuyanzi Foundation does not receive, store, or have access to your M-Pesa PIN, mobile banking credentials, or full financial account details. The only donation data we receive is what you voluntarily submit through our donation confirmation form (your name, email, and transaction reference).

Safaricom processes the financial transaction entirely on their own platform. By making a donation via M-Pesa, you are also subject to Safaricom’s Terms and Privacy Policy. We encourage you to review Safaricom’s privacy practices at www.safaricom.co.ke.

Donation records are retained for a minimum of seven (7) years for financial accountability and audit purposes, in accordance with good governance practices for nonprofit organizations and applicable Kenyan financial regulations.

 

5. Children’s Data and Beneficiary Privacy

This section is particularly important given that our beneficiaries include minors (students, teenage mothers, and young fathers who may be under 18 years of age).

 

Obuyanzi Foundation works with vulnerable populations, including minors. We take the protection of children’s personal data with the utmost seriousness, in compliance with:

  • Kenya’s Data Protection Act, 2019 — Section 26 (Processing of children’s personal data requires parental or guardian consent).
  • The Children Act, 2022 (Kenya)—which protects the privacy, dignity, and best interests of children.

Where we publish photographs, names, or impact stories involving minors (such as in our Our Impact section or gallery):

  • We obtain explicit written consent from the child’s parent or legal guardian before publishing any identifiable information or images.
  • We use the child’s first name only or a pseudonym where full identification is not necessary.
  • We do not publish information that could expose a child to harm, stigma, or exploitation.
  • Consent may be withdrawn at any time; upon withdrawal, we will remove the relevant content within a reasonable timeframe.

If you are a parent or guardian and believe that identifiable content involving your child has been published without proper consent, please contact us immediately at info@obuyanzi.org.

 

6. Cookies

Cookies are small text files stored on your device when you visit a website. Obuyanzi Foundation’s website uses the following types of cookies:

 

6.1 Essential Cookies (always active)

  • Session cookies — keep you logged into your Donor Dashboard account during your visit.
  • Security cookies — help protect against CSRF attacks and fraudulent form submissions.
  • WordPress operational cookies — required for the website’s core functionality.

6.2 Preference Cookies

  • Remember Me cookies — retain your login for up to 14 days if you select this option.
  • Display preference cookies — remember your screen display settings.

6.3 Analytics Cookies (optional)

  • If analytics tools are active, we may use cookies to understand how visitors use our website—which pages are most visited, how long visitors stay, and where they came from. This data is used in aggregate and does not identify individual users.

6.4 Third-Party Cookies

  • Embedded content from Facebook, Instagram, or YouTube may set their own cookies when you interact with such content on our website. We do not control these cookies. Please refer to the respective platforms’ privacy policies.
  • The Gravatar service (used for user comment profile pictures) may set a cookie linked to your email address. See Automattic’s privacy policy at https://automattic.com/privacy/.

6.5 Managing Cookies

You can control or delete cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or be notified when a cookie is set. Please note that disabling cookies may impair the functionality of the Donor Dashboard, login features, and donation confirmation forms.

 

Guidance on managing cookies in popular browsers:

  • Google Chrome: Settings > Privacy and Security > Cookies and other site data
  • Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Microsoft Edge: Settings > Cookies and Site Permissions

7. How We Share Your Data

Obuyanzi Foundation does not sell, rent, or trade your personal data to any third party for commercial purposes. We may share your data only in the following limited circumstances:

 

7.1 Service Providers

We may share data with trusted third-party service providers who assist in operating our website and services, including:

  • Web hosting providers (who host the obuyanzi.org website and its database).
  • Email service providers (used to respond to your messages).
  • Spam detection services (such as Akismet, used by WordPress to screen form submissions).

All service providers are required to process your data only on our instructions and in accordance with applicable data protection laws.

 

7.2 Legal Obligations

We may disclose your personal data if required to do so by law, court order, or in response to a lawful request from Kenyan regulatory or law enforcement authorities, including the Office of the Data Protection Commissioner.

 

7.3 Safeguarding and Child Protection

Where we have reasonable grounds to believe that a child is at risk of harm, we may share relevant information with appropriate child protection authorities in accordance with the Children Act, 2022.

 

7.4 Organisational Change

In the event of a merger, dissolution, or transfer of the organization’s activities to another registered entity, your data may be transferred to the successor organization, subject to equivalent data protection standards.

 

8. International Data Transfers

 

Obuyanzi Foundation’s website is hosted on servers that may be located outside Kenya (depending on the hosting provider). Where personal data is transferred outside Kenya, we ensure that appropriate safeguards are in place, as required under Section 25 of the Data Protection Act, 2019.

 

Additionally, third-party platforms such as Facebook, Instagram, and Google may process data in jurisdictions outside Kenya. We encourage you to review the privacy policies of these platforms if you have concerns about international data transfers.

 

9. How Long We Keep Your Data

 

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, or as required by law. Our standard retention periods are:

 

  • Donation confirmation records: 7 years (for financial accountability and audit purposes).
  • Donor account data: For the duration of your account, plus 2 years after account closure or last activity.
  • Contact form submissions: 2 years from the date of submission, unless ongoing correspondence requires longer retention.
  • Website technical logs (IP addresses, access logs): Up to 12 months, for security monitoring purposes.
  • Cookies: Variable — see Section 6 for specific cookie lifetimes.
  • Beneficiary consent records (including children’s consent forms): For the duration of the published content plus 5 years.

After the applicable retention period, data is securely deleted or anonymized.

 

10. Your Rights Under the Data Protection Act, 2019

 

As a data subject under Kenya’s Data Protection Act, 2019, you have the following rights:

 

Right of Access (Section 26)

You have the right to request a copy of the personal data we hold about you.

 

Right to Rectification (Section 26)

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

 

Right to Erasure (Section 26)

You have the right to request deletion of your personal data, subject to our legal obligations to retain certain records (e.g., donation records for financial accountability).

 

Right to Object (Section 26)

You have the right to object to the processing of your personal data where we rely on legitimate interests as our legal basis.

 

Right to Withdraw Consent (Section 30)

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

 

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format.

 

Right to Lodge a Complaint

You have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC) if you believe we have violated your data protection rights.

 

ODPC Contact: Website: www.odpc.go.ke  |  Email: info@odpc.go.ke  |  Phone: +254 (020) 2628 000

 

How to Exercise Your Rights

To exercise any of the rights listed above, please contact us at:

  • Email: info@obuyanzi.org
  • Phone: +254 726945086
  • Subject line: “Data Subject Request” — please describe your request clearly.

We will respond to all data subject requests within 30 days of receipt, in accordance with the Data Protection Act, 2019.

 

11. Data Security

Obuyanzi Foundation implements appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or disclosure. These measures include:

  • HTTPS encryption on all pages of the website, ensuring data transmitted between your browser and our server is encrypted.
  • Hashed (not plain-text) storage of user account passwords.
  • Regular WordPress core, theme, and plugin updates to address security vulnerabilities.
  • Limited access to personal data — only authorized personnel have access to donor and contact records.
  • Spam detection services to prevent fraudulent form submissions.

While we take all reasonable precautions, no method of data transmission over the internet is completely secure. In the unlikely event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the Office of the Data Protection Commissioner as required by law.

 

12. Third-Party Websites and Social Media

Our website contains links to third-party websites and social media platforms, including Facebook (Meta) and Instagram. These links are provided for your convenience. When you leave obuyanzi.org by clicking on a third-party link, we are no longer responsible for the privacy practices or content of that website.

We encourage you to read the privacy policies of any third-party websites you visit:

  • Safaricom M-Pesa: www.safaricom.co.ke/privacy
  • Meta (Facebook & Instagram): https://www.facebook.com/privacy/policy/
  • Google/YouTube: https://policies.google.com/privacy

13. Embedded Content

Pages on this website may include embedded content such as videos, social media posts, or images hosted on external platforms. Embedded content from other websites behaves as though you have visited that website directly. Those websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with the embedded content—including if you are logged into those platforms.

 

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or our website features. When we make material changes, we will update the “Last Updated” date at the top of this page. We encourage you to review this Privacy Policy periodically.

Your continued use of obuyanzi.org after a change to this Privacy Policy constitutes your acceptance of the updated policy.

15. Contact and Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

 

Obuyanzi Foundation — Data Controller

Bungoma County, Kenya

Email: info@obuyanzi.org

Phone: +254 726945086

Website: https://obuyanzi.org

 

If you are not satisfied with our response, you have the right to escalate your complaint to the Office of the Data Protection Commissioner (ODPC) of Kenya at www.odpc.go.ke.

 

This Privacy Policy was prepared in compliance with the Data Protection Act, 2019 (Act No. 24 of 2019)

and the Data Protection (General) Regulations, 2021 (Kenya).

© 2026 Obuyanzi Foundation. All rights reserved.