Legal

Data Protection

Last updated: 1 March 2026

This document describes how Nirudishie complies with the Kenya Data Protection Act, 2019, and how we protect your personal data.

Compliant with Kenya Data Protection Act, 2019

1. Our Legal Basis

Nirudishie processes personal data in accordance with the Kenya Data Protection Act, 2019 (the "DPA"). Our legal bases for processing personal data are: (a) the performance of a contract - processing is necessary to provide the Nirudishie loan tracking service you have signed up for; (b) legitimate interests - we process limited usage data to improve platform security and performance; and (c) consent - we obtain your consent for optional processing such as analytics cookies and marketing communications.

2. Data Controller

Nirudishie acts as the Data Controller for all personal data collected through the platform. As Data Controller, we are responsible for determining the purposes and means of processing your personal data and for ensuring that processing complies with the DPA. You can reach our Data Protection Officer at hello@nirudishie.com.

3. Categories of Personal Data

We process the following categories of personal data: Identity data (name, email address); Account data (hashed password, plan type, account creation date); Loan data (borrower names, email addresses, loan amounts, due dates, repayment records); Usage data (IP address, browser type, pages visited, session duration); and Communications data (messages sent to our support team).

4. Data Subject Rights

Under the Kenya Data Protection Act, 2019, you have the following rights: Right of access - request a copy of the personal data we hold about you. Right to rectification - request correction of inaccurate or incomplete data. Right to erasure - request deletion of your personal data where there is no compelling reason for continued processing. Right to restriction - request that we restrict processing of your data in certain circumstances. Right to data portability - receive your data in a structured, commonly used, machine-readable format. Right to object - object to processing based on legitimate interests. To exercise any of these rights, email hello@nirudishie.com with your request.

5. International Data Transfers

Your data may be stored on servers located outside Kenya, including within the European Economic Area. Where we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses approved by relevant data protection authorities and sub-processor agreements that mirror the protections required by the DPA.

6. Data Processor Relationships

We work with third-party service providers who process personal data on our behalf as Data Processors. These include cloud infrastructure providers, transactional email delivery services, and error monitoring tools. All Data Processors are bound by written data processing agreements requiring them to process data only on our documented instructions, maintain appropriate security measures, and notify us of any personal data breach without undue delay.

7. Data Breach Response

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of the breach, as required by the DPA. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

8. Privacy by Design

We apply data protection principles by design and by default. This means we collect only the minimum personal data necessary to provide the service, implement technical and organisational measures to protect data from the outset of system design, limit internal access to personal data on a need-to-know basis, and regularly review and update our security practices.

9. Complaints

If you believe we have not complied with your data protection rights, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya. We would, however, appreciate the opportunity to address your concerns before you approach the ODPC, so please contact us first at hello@nirudishie.com.

10. Contact the Data Protection Officer

For any data protection queries, subject access requests, or complaints, contact our Data Protection Officer at: hello@nirudishie.com. We aim to respond to all requests within 30 days as required by the DPA.