Overview
Rehema Rescue CBO privacy policies align with The Data Protection Act 2019, PBO Act,
Children Act and The Constitution of Kenya.
1. Introduction
Rehema Rescue CBO (“we”, “our”, “us”) is committed to protecting the privacy, dignity
and rights of all people whose personal data we collect and process through our website
and services. This Privacy Policy explains what personal data we collect, why we collect
it, how we use it, how we protect it, and your rights as a data subject under Kenyan Law.
This policy applies to personal data collected by Rehema Rescue via: this website (actual
website domain), donation and volunteer forms, email, phone, WhatsApp, and any offline
forms that are later digitized. Our policies and procedures comply with the Constitution
of Kenya (right to privacy) and the Data Protection Act, 2019. [Kenya Law Reform
Commission (KLRC)]
2. Who We Are, Contact & Data Protection Officer (DPO)
- Organization: Rehema Rescue CBO
- Address: Thika, Kiambu County, Kenya
- General email: info@rehemarescue.org.
- DPO / Privacy contact: (+2547 13370599)
3. Legal basis and principles for processing
We process personal data only where we have a lawful basis, including:
- Consent (e.g., newsletter sign-up, testimonials);
- Contractual necessity (e.g., volunteer agreements, service delivery);
- Legal obligation (e.g., regulatory reporting required by the PBO Act or taxation laws);
- Legitimate interests (e.g., protecting organizational security, communicating programme updates).
All balanced against individual rights.
NOTE: All processing follows the Data Protection Act’s principles: lawfulness, fairness,
transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and
confidentiality, and accountability.
4. Types of personal data we collect
We may collect the following categories of personal data depending on the service:
- Basic identity & contact data - Full name, date of birth, gender, postal & email
address, phone number, emergency contact.
- Sensitive / special categories (only when strictly necessary)
  - Health information (e.g., HIV status, chronic illness) and disability information
    for service provision — collected with explicit consent and strict safeguards.
    [Kenya Law]
  - Children & minors - Name, age, guardian contact, case notes, and assessment
    information necessary to deliver support — processed in line with the Children
    Act and Data Protection Act requirements (parent/guardian consent and
    best-interest safeguards).
- Program records & case management - Beneficiary assessments, progress notes,
referral records, attendance logs.
- Donations & payments - Donor name, contact, transaction metadata; card or
mobile payment details may be processed by secure third-party payment
processors (we DO NOT store full card numbers on our servers).
- Website & technical data - IP addresses, device/browser types, pages visited,
cookies, timestamps, and other analytics data.
- Communications - Emails, messages, application forms, chat transcripts (if you
use contact/chat on the site).
5. How we collect data
- Directly from you — donation forms, volunteer/beneficiary registration, email,
phone, in-person forms.
- From third parties — referrals from partner organizations, schools, hospitals (only
with lawful basis and consent as required by law).
- Automated collection — website cookies and analytics when you visit our site.
6. Use of photographs, videos & testimonials
We may ask for consent to use photographs, videos, or testimonials for
fundraising, reporting and awareness-raising. We will:
- Ask for explicit/informed consent for identifiable images/videos, and for
children obtain parental/guardian consent.
- Provide an opt-out or withdrawal route (noting withdrawal may not remove
images already in printed material or already shared with third parties).
- Avoid using images that reveal sensitive information (e.g., medical status)
without informed consent.
7. Processing children’s data
We take special care with children's data:
- We obtain informed parental/guardian consent before collecting personal data of a
child, except where the law allows (e.g., provision of counselling or child
protection services where consent rules have specific exceptions).
- We implement appropriate age verification measures and process only the
minimum data necessary for the child’s care.
8. Sharing and third parties
We WILL NOT sell your personal data. We MAY share data with:
- Service providers (auditors, payment processors, cloud hosting, CRM platforms)
under written data processing agreements that require them to protect the data.
- Government/Regulatory authorities when legally required (e.g., reporting under
the PBO Act) or responding to lawful requests.
- Partner organizations for referrals or joint service delivery (only with informed
consent or other legal basis).
- Emergency services or child protection authorities when essential to safeguard a
child or vulnerable person.
NOTE: When transferring data outside Kenya, we will only do so where the transfer complies
with the Data Protection Act requirements (adequate safeguards, contracts, or explicit
informed consent).
9. Retention / how long we keep data
We retain personal data only as long as necessary for the purpose collected and to meet
legal obligations. Example retention schedule (adapt to operations):
- Donor records: 7 years (tax and audit requirements).
- Beneficiary case files: 10 years after case closure (or longer where required by
law).
- Child protection records: retained securely for the period legally required by child
protection rules (consult legal advisor for exact durations).
- Volunteer & staff records: as per employment and organizational policy
(commonly 7 years).
- Website analytics & cookies: up to 2 years (with opt-out where required).
NOTE: We will securely delete or anonymize personal data when no longer required.
10. Data subject rights - How you can exercise them
Under the Data Protection Act you have rights, and we provide the following procedures:
Your rights include:
- Right to be informed — this policy and our notices explain processing.
- Right of access — request a copy of personal data we hold.
- Right to rectification — request correction of inaccurate/incomplete data.
- Right to erasure (‘right to be forgotten’) where legal grounds permit.
- Right to restriction of processing — ask to limit processing in some
circumstances.
- Right to data portability — receive a structured, machine-readable copy of
personal data you provided.
- Right to object — object to processing on grounds of legitimate interests or direct
marketing.
- Right not to be subject to automated decision-making (if applicable).
How to make a request:
- Send a written request to: DPO / Privacy contact or our postal address.
- Include your full name, contact details, proof of identity, and describe the request.
- We will respond within the statutory time period (the Act sets timelines for
responding; if we need more time we will inform you and explain why).
11. Security measures
We protect personal data with appropriate administrative, technical and physical
safeguards including:
- Role-based access controls and least-privilege for staff.
- Encrypted storage and secure backups.
- Secure transmission (HTTPS/TLS) for website and online forms.
- Data Processing Agreements with third-party processors.
- Regular staff training, password policies, and incident response procedures.
NOTE: We review and update security controls regularly in line with good practice and guidance
from the Data Protection Officer.
12. Data breach notification
If a personal data breach occurs, we will:
- Activate our incident response plan and contain the breach;
- Notify the Office of the Data Protection Commissioner without undue delay and,
where feasible, within 72 hours of becoming aware of the breach where required
by law.
- Notify affected data subjects promptly where the breach is likely to result in a
high risk to their rights and freedoms.
- Keep records of the breach and remedial actions.
13. Cookies, tracking & analytics
Our website uses cookies and analytics tools to improve usability and measure site
performance. We use:
- Essential cookies for site functionality (e.g., session cookies).
- Performance & analytics cookies (to collect anonymous usage data).
- Optional marketing cookies (preference-based only with consent).
NOTE: You can control cookies via your browser settings and our cookie banner/consent
mechanism. For details on cookies stored and their retention.
14. Payment & donation details
We use reputable third-party payment processors for online donations (they process card
or mobile money details). We do not retain full card numbers on our servers. Payment
processors’ privacy and security practices apply to payment information. We will provide
receipts and donor acknowledgement in line with donor consent preferences and Kenyan
regulatory requirements related to PBOs.
15. CCTV, biometrics and surveillance
If we use CCTV or biometric systems in our premises for security, we will:
- Publish clear signage.
- Limit footage to security purposes only.
- Retain footage for a limited period (e.g., 30–90 days) unless retained for an
incident investigation.
- Securely store and restrict access to footage.
16. Data protection by design & default
We adopt privacy-by-design and privacy-by-default: integrating data protection into
projects, minimizing data collection, anonymizing or pseudonymising where possible,
and conducting Data Protection Impact Assessments (DPIAs) for high-risk processing.
17. Links to other sites
Our website may link to other websites. This policy does not cover third-party websites.
Please check their privacy policies before sharing personal data.
18. Changes to this policy
We may update this privacy policy from time to time. Substantive changes will be posted
on this page with an updated “Last updated” date and, where appropriate, notified to
users by email or website notice.
Legal & regulatory context (summary)
- We process personal data in line with the Data Protection Act, 2019 (rights of data
subjects, data breach notification, data processing principles, child data protections,
transfers out of Kenya). [Kenya Law]
- We comply with the Constitution of Kenya (right to privacy). [Kenya Law Reform
Commission (KLRC)]
- We operate within the regulatory framework of the Public Benefit Organizations (PBO)
Act for filing, reporting and governance obligations. [Kenya Law]
- Child protection activities are also guided by the Children Act and national child
protection policies. [Kenya Law]
How to complain
If you have a complaint about how we handled your personal data:
- Contact our DPO at: DPO Contact. (Or send a letter to our registered office).
- If not satisfied with our response, you may lodge a complaint with the Office of the Data
Protection Commissioner (ODPC) via https://www.odpc.go.ke or official complaints portals.
Sources & further reading.
I. Data Protection Act, 2019 (Kenya). [Kenya Law]
II. ODPC — Personal Data Protection Handbook & breach reporting guidance. [Data
Protection Office]
III. Public Benefit Organizations Act, 2013 (PBO Act). [Kenya Law]
IV. Children Act 2022 (Kenya). [Kenya Law]
V. Constitution of Kenya — Article 31 (Privacy). [Kenya Law Reform Commission
(KLRC)]