Effective Date: June 11, 2025
At Gundi Consulting ("we," "us," or "our"), we are committed to protecting the privacy and security of your personal data in compliance with the Kenya Data Protection Act (DPA) 2019. This Privacy Policy outlines how we collect, use, store, and protect your personal data, whether confidential or non-confidential, when you engage with our consulting services, visit our website (www.gundiconsulting.com), receive our proposals, or interact with us internally or externally. We aim to be transparent about our data practices and ensure you understand your rights as a data subject.
This Privacy Policy applies to all personal data collected by Gundi Consulting in the course of our business activities, including:
Data provided by clients, prospective clients, employees, contractors, and partners.
Data collected through our website, email communications, customer proposals, surveys, or consulting engagements.
Both confidential data (e.g., financial details, identification numbers) and non-confidential data (e.g., contact information, business preferences).
Gundi Consulting, registered in Kenya, is the data controller responsible for your personal data. For inquiries, contact our Data Protection Officer (DPO) at:
Email: martin.muhiu@gundiconsulting.com
Address: Gundi Consulting, Nandi Flame Road, Nairobi, Kenya
Phone: +254 708158964
In accordance with the DPA 2019, we process personal data based on the following principles:
Lawfulness, Fairness, and Transparency: We process data legally, fairly, and with clear communication to data subjects.
Purpose Limitation: We collect data for specific, explicit, and legitimate purposes.
Data Minimization: We collect only the data necessary for the intended purpose.
Accuracy: We ensure data is accurate and updated where necessary.
Storage Limitation: We retain data only for as long as required for the purpose or as mandated by law.
Integrity and Confidentiality: We protect data with appropriate security measures.
Accountability: We take responsibility for complying with the DPA 2019.
We collect and process the following categories of personal data:
Contact Information: Name, email address, phone number, postal address.
Identification Data: National ID number, passport details, or other identifiers (only when necessary for consulting services, e.g., financial or compliance audits).
Business Data: Company details, financial records, transaction data, or other business-related information provided during consulting engagements.
Employee/Contractor Data: Job role, department, performance data, or training records for internal processes.
Website Usage Data: IP address, browser type, pages visited, and cookies (if applicable).
Survey/Feedback Data: Responses to surveys or feedback forms used for consulting projects (e.g., organizational assessments).
Other Data: Any additional data you voluntarily provide, such as preferences or comments in proposals or communications.
We collect personal data through:
Direct Interactions: When you provide data via forms, emails, contracts, proposals, or consultations.
Website: Through contact forms, newsletter sign-ups, or analytics tools (e.g., cookies, with your consent).
Surveys and Feedback: Through tools such as online and face-to-face surveys for project-related data collection (e.g., Business Diagnostics).
Third Parties: From partners, clients, or service providers (e.g., mobile money operators, regulatory bodies) with your consent or where legally permitted.
Public Sources: Business registries or public records, where relevant to our consulting services.
We process personal data for the following purposes, with the corresponding legal basis under the DPA 2019:
To Provide Consulting Services: Processing client or employee data to deliver services (e.g., financial audits, business transformation projects). Legal Basis: Contractual necessity (to fulfill our contract with you).
To Communicate: Sending proposals, updates, or responses to inquiries. Legal Basis: Legitimate interest (to manage client relationships) or consent (for marketing communications).
To Improve Services: Analyzing feedback or survey responses to enhance our offerings. Legal Basis: Legitimate interest or consent.
To Comply with Legal Obligations: Meeting regulatory requirements (e.g., Central Bank of Kenya regulations, tax laws). Legal Basis: Legal obligation.
To Ensure Security: Protecting our systems and data from unauthorized access. Legal Basis: Legitimate interest.
To Conduct Research: Using anonymized data for market analysis or consulting insights. Legal Basis: Consent or legitimate interest (where anonymized).
Where consent is the legal basis for processing, we will:
Obtain explicit consent before collecting or processing sensitive personal data (e.g., financial details, identification numbers).
Provide clear information about the purpose of data collection.
Allow you to withdraw consent at any time by contacting our DPO (martin.muhiu@gundiconsulting.co.ke). Withdrawal of consent will not affect the lawfulness of prior processing.
We may share your personal data with:
Service Providers: Third-party vendors (e.g., IT providers, third-party survey platforms) who process data on our behalf, under DPA-compliant contracts.
Partners: Mobile operators, financial institutions, or other partners involved in consulting projects, with your consent or where legally required.
Regulatory Authorities: To comply with legal obligations (e.g., Central Bank of Kenya, Office of the Data Protection Commissioner).
Internal Teams: Employees or contractors who need access to perform their duties, with strict access controls.
We do not sell or share your personal data for marketing purposes without your explicit consent.
We implement appropriate technical and organizational measures to protect your data, including:
Encryption: Using SSL/TLS encryption for data transmission and secure storage for sensitive data.
Access Controls: Restricting data access to authorized personnel only.
Anonymization: Anonymizing data where possible for analysis or research.
Secure Vendors: Ensuring third-party providers comply with DPA 2019 standards.
Regular Audits: Conducting data protection audits to identify and mitigate risks.
In the event of a data breach, we will notify the Office of the Data Protection Commissioner and affected data subjects within 72 hours, as required by the DPA 2019.
We retain personal data only for as long as necessary to fulfill the purpose for which it was collected or to comply with legal requirements:
Client Data: Retained for the duration of the consulting engagement and up to 7 years thereafter, as required by Kenyan tax and business laws.
Employee/Contractor Data: Retained for the duration of employment/contract and up to 7 years post-termination, per legal requirements.
Survey/Feedback Data: Retained for 6 months post-project completion, unless otherwise specified or consented to.
Website Data: Cookies and analytics data retained for up to 12 months, with your consent.
After the retention period, data is securely deleted or anonymized.
Under the DPA 2019, you have the following rights:
Right to be Informed: To know how your data is collected and used (as outlined in this policy).
Right to Access: To request a copy of your personal data held by us.
Right to Rectification: To correct inaccurate or incomplete data.
Right to Erasure: To request deletion of your data, where no legal basis for retention exists.
Right to Restrict Processing: To limit how we process your data in certain circumstances.
Right to Data Portability: To receive your data in a structured, machine-readable format.
Right to Object: To object to processing based on legitimate interests or direct marketing.
Right to Withdraw Consent: To withdraw consent at any time, without affecting prior processing.
To exercise these rights, contact our DPO at martin.muhiu@gundiconsulting.com. We will respond within 30 days, as required by the DPA 2019.
If personal data is transferred outside Kenya (e.g., to cloud servers used by third-party providers), we ensure:
The recipient country has adequate data protection laws, as determined by the Office of the Data Protection Commissioner.
Appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules.
Your consent is obtained for such transfers, where required.
Our website may use cookies to enhance user experience and analyze site usage. Cookies are small text files stored on your device. We use:
Essential Cookies: For website functionality (e.g., navigation).
Analytics Cookies: To track site performance (e.g., Google Analytics, anonymized data).
Marketing Cookies: For personalized content (only with your consent).
You can manage cookie preferences via our website’s cookie banner. For more details, see our Cookie Policy at www.gundiconsulting.com/cookie-policy.
For high-risk processing activities (e.g., large-scale customer data analysis), we conduct Data Protection Impact Assessments (DPIAs) to identify and mitigate risks, as required by the DPA 2019. Our DPO oversees these assessments to ensure compliance.
If you have concerns about how we handle your data, please contact our DPO at martin.muhiu@gundiconsulting.com. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner:
Email: complaints@odpc.go.ke
Address: Office of the Data Protection Commissioner, CA Centre, Waiyaki Way, Nairobi, Kenya
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Updates will be posted on our website (https://www.gundiconsulting.com/privacy-policy) and, where required, communicated to you via email or other means. The effective date at the top of this policy will be updated accordingly.
For questions, concerns, or to exercise your data subject rights, contact our Data Protection Officer:
Email: martin.muhiu@gundiconsulting.com
Phone: +254 708158964
Address: Gundi Consulting, Nandi Flame Road, Nairobi, Kenya
Thank you for trusting Gundi Consulting with your personal data. We are committed to safeguarding your privacy and ensuring compliance with the Kenya Data Protection Act 2019.