WEBSITE PRIVACY POLICY
Last updated: 14 July 2026
This Privacy Policy describes Our policies and procedures on the collection, use, and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You under the Kenya Data Protection Act, 2019 (“DPA”), the Data Protection (General) Regulations, 2021, the Children Act, 2022, and Article 260 of the Constitution of Kenya, 2010.
- Interpretation and Definitions
Company (referred to as either “the Company”, “We”, “Us” or “Our”) refers to NEL, Saachi Plaza, Argwings Kodhek Rd – Kilimani, Nairobi Municipality, Kenya.
Data Controller refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
Data Subject (referred to as “You” or “Your”) means an identified or identifiable natural person who is the subject of personal data.
Personal Data means any information relating to an identified or identifiable natural person.
Sensitive Personal Data means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.
Child means any person under the age of eighteen (18) years, in accordance with Article 260 of the Constitution of Kenya, 2010, section 2 of the Children Act, 2022, and section 33 of the DPA. This definition supersedes any reference elsewhere to a different age threshold.
Parent or Guardian means a parent, legal guardian, or other person who has parental responsibility for a Child under the Children Act, 2022.
- Categories of Data Subjects
We collect and process personal data from the following categories of data subjects:
- Website Visitors: Individuals who access our website and whose usage data is collected automatically.
- Registered Users: Individuals who create an Account to access specific parts of our Service.
- Customers: Individuals who enter into purchase contracts for products or services.
- Types of Personal Data Collected
- Identifiers: Name, email address, and phone number.
- Usage Data: IP address, browser type, device identifiers, and page visit duration collected automatically.
- Sensitive Data: While we generally do not collect broad categories of sensitive data, we may collect account login/password information and approximate geolocation where necessary for service delivery.
- Purposes of Processing
The Company processes Your Personal Data for the following purposes:
Service Delivery: To provide and maintain our Service and manage Your registration.
Contractual Performance: To fulfil purchase contracts for products or services.
Necessary Service Communications: To send You essential, non-promotional communications relating to Your orders, account, or Our Service – for example, order confirmations, delivery updates, changes to Our terms, and security or fraud alerts. These communications rely on the performance of a contract with You or Our legitimate interests, and You cannot opt out of them while You continue to use the Service, save where the law provides otherwise.
Marketing Communications: Where We wish to send You promotional content – such as news, offers, and marketing newsletters – We will only do so where You have given Your prior, express, opt-in consent, in accordance with section 37 of the DPA. We will not pre-tick any consent box or infer consent from inactivity. You may withdraw Your consent at any time, free of charge, by using the unsubscribe link in any marketing message, updating Your account preferences, or contacting Our Data Protection Officer using the details in Section 13.
Internal Analysis: For data analysis, identifying usage trends, and improving Our Service and the effectiveness of Our (opt-in) marketing. See Section 7 for Our position on automated decision-making and profiling, and Section 8 for the cookies and tracking technologies We use for this purpose.
- Lawful Bases for Processing
Under the Kenya Data Protection Act, we process data based on:
- Consent: You have given clear, specific consent for us to process Your personal data for a specific purpose – for example, marketing communications.
- Performance of a Contract: Processing is necessary for a contract we have with You.
- Legal Obligation: Processing is necessary for us to comply with the law.
- Legitimate Interests: Processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect Your personal data which overrides those interests.
- Your Rights as a Data Subject
In accordance with the Data Protection Act, you have the following rights:
Right to be Informed: To be notified of the use to which Your personal data is to be put.
Right of Access: To access Your personal data in our possession.
Right to Object: To object to the processing of all or part of Your personal data.
Right to Rectification: To request the correction of false or misleading data.
Right to Erasure: To request the deletion of false or misleading data or data we are no longer authorised to retain.
Right to Data Portability: To receive Your personal data in a structured, commonly used, and machine-readable format.
Right to Withdraw Consent: Where processing is based on Your consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
Right to Object to Automated Decision-Making: To object to, and not be subject to, a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You, except in the limited circumstances permitted by law. See Section 7.
Right to Lodge a Complaint: To lodge a complaint with the Office of the Data Protection Commissioner (ODPC) if You believe Our processing of Your personal data infringes the DPA. We encourage You to contact Our Data Protection Officer first so that We can try to resolve Your concern, but You are not required to do so before contacting the ODPC. See Section 12 for the ODPC’s contact details.
- Automated Decision-Making and Profiling
We use analytics tools (see Section 8) to understand aggregate usage trends on Our Website and to measure the effectiveness of Our marketing. As at the date of this Policy, we do not carry out any automated decision-making, including profiling, that produces legal effects concerning You or similarly significantly affects You within the meaning of the DPA. We do not use automated tools to make decisions about, for example, Your eligibility for products, services, pricing, or credit, without human involvement.
If this changes, we will update this Policy before doing so and, where required by law, will obtain Your prior consent and explain the logic involved, the significance of the processing, and the envisaged consequences for You.
- Cookies and Other Tracking Technologies
Our website uses cookies and similar tracking technologies (such as web beacons and local storage) to operate, secure, and improve Our Service, and to understand how visitors use Our Website.
Strictly Necessary Cookies: Required for the Website to function for example, to keep you logged in or remember items in a cart. These cannot be switched off in Our systems.
Performance and Analytics Cookies: Help us understand how visitors interact with Our Website, such as which pages are visited most often, so We can improve our Service. (NEL to confirm the specific analytics tools used, e.g. Google Analytics, and whether any related data is transferred outside Kenya see Section 10.)
Functionality Cookies: Remember choices You make (such as language or region) to provide a more personalised experience.
Marketing Cookies: Used only where You have given opt-in consent under Section 4, to help Us and Our partners deliver relevant marketing and measure its performance. (NEL to confirm if marketing/advertising cookies are currently in use.)
You can manage or withdraw your cookie preferences at any time through (our cookie preference centre / banner, NEL to insert link) or through your browser settings, most of which allow you to refuse or delete cookies. Please note that blocking strictly necessary cookies may affect the functioning of our website.
- Data Retention and Security
Retention: We retain Personal Data only for as long as necessary to fulfil the purposes outlined in this Policy or to comply with legal obligations.
Security: We use appropriate technical and organisational measures including access controls, encryption where appropriate, and staff confidentiality obligations to protect your Personal Data.
However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
Breach Notification: We maintain a data breach response procedure in line with the DPA. Where a security compromise is likely to result in a risk to Your rights and freedoms, we will notify the ODPC without unreasonable delay and, in any event, within seventy-two (72) hours of becoming aware of the breach, where feasible. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, without undue delay, describing the likely consequences of the breach and the measures taken or proposed to address it.
- International Data Transfers
Your information may be transferred to, and processed in, countries outside Kenya for example, where Our hosting or service providers operate servers abroad. Where We make such a transfer, we rely on one or more of the following safeguards required by section 48 of the DPA:
Your Consent: Where You have given Your explicit, informed consent to a specific transfer, having been told of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards.
Contractual Necessity: Where the transfer is necessary for the performance of a contract between You and Us, or for the implementation of pre-contractual measures taken at Your request.
This section reflects, and must be read together with, the transfer mechanisms and safeguards documented in NEL’s Data Protection Impact Assessment (DPIA 003). Where the two documents differ, NEL will reconcile them so that both reflect the same, accurate account of our international transfers.
- Children’s Privacy
We do not knowingly collect or process the personal data of a child without the verifiable consent of that child’s parent or guardian. Where our Service, or a part of it, is intended for use by a child, We will:
- obtain the consent of a parent or guardian before collecting the child’s personal data, using [NEL to insert mechanism for example: an online consent form requiring the parent/guardian’s name, contact details, and confirmation of their relationship to the child, verified by [method]];
- take reasonable steps, appropriate to the available technology, to verify that the person giving consent is in fact the child’s parent or guardian; and
- limit the collection and use of the child’s personal data to what is necessary to provide the relevant part of the Service, in the child’s best interests.
If We become aware that We have collected personal data from a child without the required parental or guardian consent, we will take reasonable steps to delete that data promptly. A parent or guardian who believes their child has provided us with personal data without their consent may contact at info@nelent.com to request its review or deletion.
- Your Right to Lodge a Complaint
If you are not satisfied with how We have handled Your personal data or responded to a request from you, you have the right to lodge a complaint with the data protection supervisory authority in Kenya:
|
Authority |
Office of the Data Protection Commissioner (ODPC), Kenya |
|
Address |
Britam Towers, Hospital Road, Upper Hill, Nairobi, Kenya |
|
Website |
www.odpc.go.ke |
You may also contact first using the details in Section 13, and We will do our best to resolve your concern directly; however, you are not obliged to do so before approaching the ODPC.
- Contact Details and Data Subject Requests
For any questions regarding this Privacy Policy or to exercise your rights, including data subject inquiries and requests for data deletion, You can contact Our Data Protection Officer via the following channels:
By Email: info@nelent.com
By visiting our website: https://nelent.com/contact-us/
Physical Address: NEL, Saachi Plaza, Argwings Kodhek Rd – Kilimani, Nairobi Municipality, Kenya
- Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Each version of this Policy is numbered and dated, and a summary of material changes is recorded in the changelog below, so that amendments are traceable over time. We will notify you of material changes by (posting a notice on Our Website / emailing registered users, NEL to confirm the notification method) before the change takes effect, and by updating the “Last updated” date at the top of this Policy.
Version history
|
Version |
Date |
Summary of changes |
|
1.0 |
20 May 2026 |
Initial Privacy Policy. |
|
2.0 |
14 July 2026 |
Aligned the definition of a child with Kenyan law (under 18); added the parental/guardian consent and age-verification mechanism; moved marketing communications to an opt-in consent model and separated these from necessary service communications; added the right to lodge a complaint with the ODPC and ODPC contact details; added a statement on automated decision-making and profiling; added a cookies and tracking technologies section; added a data breach notification commitment; and specified the international transfer mechanism(s) used |