Privacy Policy

Last updated: 07 May 2026

Effective date: 07 May 2026

Summary — what this means for you

  • ✓ We collect only what we need to serve you and Kenya's teachers.
  • ✓ We never sell, rent, or trade your personal information.
  • ✓ Counselling records are strictly confidential under Kenyan professional ethics law.
  • ✓ You can request access to, correction of, or deletion of your data at any time.
  • ✓ We comply with the Kenya Data Protection Act, 2019 (No. 24 of 2019).

1. Who We Are

MwalimuCare Foundation ("we," "our," or "the Foundation") is a legally registered non-profit organization in Kenya dedicated to supporting public school teachers through holistic wellness programmes. We are the data controller for all personal data collected through this website, our contact form, and our programmes.

This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the Kenya Data Protection Act, 2019 (No. 24 of 2019) ("DPA"), its General Regulations 2021, and Article 31 of the Constitution of Kenya, 2010 — which guarantees every person the right to privacy.

This policy applies to anyone who visits our website at www.mwalimucarefoundation.org, submits our contact or donation forms, or participates in our programmes.

2. What Personal Data We Collect

We collect only the minimum data necessary for the specific purpose it is needed — a principle called data minimization under the DPA.

2.1 Contact form

  • Full name (first and last)
  • Email address
  • Phone number (optional)
  • Organization or school name (optional)
  • Your role (e.g. teacher, education officer)
  • Subject and message content
  • Enquiry type (e.g. general, partnership, volunteering)

2.2 Donation form

  • Full name and email address
  • Phone number (for M-Pesa processing)
  • Donation amount and frequency
  • Payment reference number (generated by Paystack — we do not store full card details)

2.3 Program participation

  • Contact information and school details
  • Employment information (teaching level, subject, years of service)
  • Programme registration and attendance records
  • Feedback and evaluation responses
  • Information shared during counselling sessions (see Section 5 below)

2.4 Automatically collected data

When you visit our website, our hosting and analytics provider (Vercel Analytics) may collect anonymized technical data including:

  • Browser type and version
  • Operating system and device type
  • Anonymized IP address (not linked to your identity)
  • Pages visited and time spent on each page
  • Date and time of visit
  • Referring website or source

Vercel Analytics is a privacy-first, cookie-free analytics tool. No personally identifiable information is stored in our analytics data.

3. Our Lawful Basis for Processing

Under Section 30 of the Kenya Data Protection Act, 2019, we must have a lawful reason before processing any personal data. We rely on the following bases:

ActivityLawful basis
Responding to contact form submissionsConsent — you voluntarily submitted the form
Processing donations via PaystackContractual necessity — to complete your donation
Delivering programme services to teachersContractual necessity + Legitimate interests
Maintaining counselling recordsLegal obligation + Vital interests (duty of care)
Sending service-related emailsConsent + Contractual necessity
Website analytics (anonymized)Legitimate interests — improving our services
Donor records and audit complianceLegal obligation under Kenyan financial law

Where we rely on consent as our lawful basis, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of any processing carried out before you withdrew it.

4. How We Use Your Information

  • To respond to your enquiries and deliver our programmes and services
  • To coordinate counselling sessions, workshops, and retreat logistics
  • To process your donations securely via Paystack
  • To send you service-related communications (e.g. session reminders, receipts)
  • To conduct programme impact evaluations and improve our services
  • To meet our legal and regulatory obligations under Kenyan law
  • To maintain records required for financial audits and donor reporting (using anonymized data where possible)

We will never use your personal data for unsolicited marketing, profiling, or sale to third parties.

5. Special Protection: Counselling Confidentiality

All individual counselling and therapy sessions conducted by MwalimuCare Foundation are strictly confidential and protected by:

  • The Kenya Counsellors and Psychologists Act (Cap. 263E)
  • The Kenya Data Protection Act, 2019 — which classifies health and mental health data as sensitive personal data requiring explicit consent and heightened protection
  • Applicable codes of professional ethics governing licensed counsellors in Kenya

Specifically, this means:

  • Your counselling records will never be shared with your school, employer, or colleagues without your prior written consent
  • Records are stored securely and accessible only to your assigned counsellor and authorized supervisors
  • Session notes are kept separately from general programme data
  • Confidentiality may be overridden only in the following narrow circumstances required by Kenyan law: (a) where there is a credible risk of serious harm to you or another person; (b) where a court order requires disclosure; or (c) where disclosure is required to prevent or detect a serious crime
  • In any such case, we will inform you before disclosure wherever it is safe and lawful to do so

6. Who We Share Your Data With

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

6.1 Service providers

  • Paystack — our payment processor. Paystack processes donation transactions on our behalf and is subject to its own privacy policy and PCI-DSS compliance standards. We receive only a transaction reference — never your full card details.
  • Google (Gmail/Workspace) — we use Gmail to receive and respond to contact form submissions. Google processes email data on our behalf under its data processing terms.
  • Vercel Analytics — our website analytics provider. Vercel is cookie-free and processes only anonymized data.
  • Nodemailer / SMTP — used to send automated email confirmations. Email content is transmitted over TLS-encrypted connections.

6.2 Qualified counselling professionals

Licensed counsellors and coaches engaged by the Foundation operate under signed confidentiality agreements and are bound by their professional ethical codes.

6.3 Legal requirement

We may disclose data when required by a valid court order, statute, or regulatory authority under Kenyan law. We will notify you of any such disclosure where permitted by law.

6.4 Aggregate anonymized data

We may share aggregated, anonymized data with funders, government partners, or the public for programme reporting purposes. This data cannot be used to identify any individual.

7. International Data Transfers

Some of our service providers (including Google and Paystack) may process data outside Kenya. Where this occurs, we ensure that appropriate safeguards are in place in accordance with Section 49 of the Kenya Data Protection Act, including:

  • Transfers only to countries with adequate data protection laws, or
  • Contractual clauses that require the recipient to protect your data to the same standard required under Kenyan law

8. How Long We Keep Your Data

We retain personal data only as long as necessary for the purpose it was collected, or as required by law:

Data typeRetention period
Contact form submissions2 years from date of submission
Donation records7 years (financial audit compliance under the Income Tax Act)
Programme participation records5 years from last programme activity
Counselling records7 years (professional ethics requirement)
Website analytics dataRolling 24 months (anonymized)

After the retention period expires, data is securely deleted or anonymized so it can no longer identify you.

9. How We Protect Your Data

  • All data transmitted to and from our website is protected by SSL/TLS encryption (HTTPS)
  • Donation payments are processed by Paystack using PCI-DSS compliant infrastructure — we never store card numbers on our servers
  • Access to personal data is restricted to authorized Foundation staff and counsellors on a need-to-know basis
  • Our servers and databases are hosted on secure, access-controlled infrastructure
  • We conduct regular security reviews and staff data protection training

While we take all reasonable measures to protect your data, no internet transmission is completely secure. If you believe your data has been compromised, please contact us immediately at mwalimucarefoundation@gmail.com.

10. Your Rights Under Kenyan Law

Under the Kenya Data Protection Act, 2019 (Sections 26–34), you have the following rights regarding your personal data:

Right of access:You can request a copy of the personal data we hold about you.
Right to rectification:You can ask us to correct any inaccurate or incomplete data.
Right to erasure:You can request that we delete your data where it is no longer necessary for the purpose it was collected, or where you withdraw consent.
Right to restriction:You can ask us to pause processing of your data in certain circumstances.
Right to data portability:You can request your data in a commonly used, machine-readable format.
Right to object:You can object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent:Where we rely on consent, you may withdraw it at any time without affecting processing that has already taken place.

To exercise any of these rights, contact our Data Protection Officer at:

Email: mwalimucarefoundation@gmail.com

Phone: +254 729 368 307

Address: MwalimuCare Foundation, Blessed Hse, Thika Rd

We will respond to all requests within 21 days as required by the DPA General Regulations.

If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.

11. Cookies and Tracking

Our website uses Vercel Analytics, a cookie-free, privacy-first analytics tool. Vercel does not set any tracking cookies and does not collect any personally identifiable information. No consent banner is required for our analytics because no cookies or personal data are involved.

If we introduce any additional cookies in future, we will update this policy and display an appropriate consent mechanism as required by the DPA.

12. Children's Privacy

Our website and services are directed at adult teachers and education professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us immediately and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in Kenyan law. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of our website or services after changes are posted constitutes your acceptance of the updated policy.

Acknowledgement

By using our website or services, you confirm that you have read and understood this Privacy Policy and agree to the collection and use of your information as described. If you do not agree, please discontinue use of our website and contact us to discuss alternative arrangements.

This policy is governed by the Kenya Data Protection Act, 2019 (No. 24 of 2019), its General Regulations 2021, and Article 31 of the Constitution of Kenya, 2010. MwalimuCare Foundation is registered under the laws of Kenya. This document does not constitute legal advice — if you have specific legal concerns, please consult a qualified Kenyan advocate.