Data Protection Policy

Volcha Enterprises Limited is committed to protecting the privacy and personal data of all individuals who interact with our websites, products, and services. This Data Protection Policy sets out how we collect, process, store, and safeguard personal data in compliance with:

• The Kenya Data Protection Act, 2019 (No. 24 of 2019)
• The Kenya Data Protection (General) Regulations, 2021
• The EU General Data Protection Regulation (GDPR), where applicable
• The Computer Misuse and Cybercrimes Act, 2018

This policy applies to all employees, contractors, partners, and third parties who process personal data on our behalf.

Data Controller: Volcha Enterprises Limited

Data Protection Officer (DPO): The DPO is responsible for overseeing data protection strategy and implementation, ensuring compliance, and serving as the point of contact for data subjects and the Office of the Data Protection Commissioner (ODPC).

Contact the DPO:

All personal data processed by Volcha Enterprises is handled in accordance with the following principles:

• Lawfulness, Fairness & Transparency: Data is processed lawfully, fairly, and in a transparent manner.
• Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
• Data Minimisation: We collect only what is necessary and relevant for the intended purpose.
• Accuracy: We ensure personal data is accurate and kept up to date.
• Storage Limitation: Data is retained only for as long as necessary.
• Integrity & Confidentiality: Data is processed securely using appropriate technical and organisational measures.
• Accountability: We are responsible for and able to demonstrate compliance with these principles.

Under the Kenya Data Protection Act 2019 and GDPR, data subjects have the following rights:

• Right to be Informed: Know what data is collected and how it is used.
• Right of Access: Request a copy of your personal data.
• Right to Rectification: Correct inaccurate or incomplete data.
• Right to Erasure: Request deletion of your data under certain conditions.
• Right to Restrict Processing: Limit how we process your data.
• Right to Data Portability: Receive your data in a structured, commonly used format.
• Right to Object: Object to processing based on legitimate interests or direct marketing.
• Right not to be Subject to Automated Decision-Making:including profiling that produces legal or similarly significant effects.

To exercise any of these rights, please contact our DPO. We will respond within 30 days of receiving your request.

We implement a comprehensive security framework to protect personal data against unauthorised access, alteration, disclosure, or destruction:

• Encryption: SSL/TLS for data in transit; AES-256 encryption for sensitive data at rest.
• Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and strong password policies.
• Network Security: Firewalls, intrusion detection systems, and regular vulnerability scanning.
• Backups: Encrypted, redundant backups with regular restoration testing.
• Incident Response: Documented breach notification procedures compliant with the 72-hour ODPC reporting requirement.
• Staff Training: Regular data protection and cybersecurity awareness training for all staff.

Where personal data is transferred outside Kenya or the EEA, we ensure adequate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the EU Commission and recognised by the ODPC.
• Data transfer impact assessments (DTIAs) conducted for all high-risk transfers.
• Preference for cloud service providers with data residency options in Africa or the EEA where feasible.

In the event of a personal data breach, we will:

1. Assess the breach promptly to determine the risk to data subjects.
2. Notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach, where required.
3. Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
4. Document all breaches, including the facts, effects, and remedial actions taken.

We engage third-party processors who handle personal data on our behalf, including:

• Cloud hosting and infrastructure providers
• Payment processing services (M-Pesa APIs, card processors)
• Email and communication platforms
• Analytics and marketing tools
• Customer support platforms (e.g., Tawk.to)

All processors are bound by written contracts that require them to process data only on our documented instructions and to implement appropriate security measures.

If you have any questions about this Data Protection Policy or believe we have not handled your data appropriately, please contact us:

You also have the right to lodge a complaint with the Office of the Data Protection Commissioner, Kenya: