Constitution of Kenya, 2010 — Article 31 (right to privacy)
Data Protection Act, No. 24 of 2019
Data Protection (General) Regulations, 2021
Data Protection (Complaints Handling and Enforcement) Regulations, 2021
Computer Misuse and Cybercrime Act, 2018
Enforced by: Office of the Data Protection Commissioner (ODPC) — www.odpc.go.ke
Chapter Zero Kenya is a non-profit initiative that supports board directors in Kenya to understand and respond to the risks and opportunities that climate change presents to their organisations. We are committed to handling personal data responsibly and transparently.
This Privacy Policy applies to personal data we collect when you visit our website (the “Website”), register as a member, attend our events, or otherwise engage with our membership, forum, and resource services (collectively, the “Services”).
Please read this policy carefully. By using our Website or Services you acknowledge the practices described here. We may update this policy from time to time; the current version is always available on this page.
Chapter Zero Kenya is the data controller for personal data processed in connection with the Website and Services. We are registered with the Office of the Data Protection Commissioner in accordance with the Data Protection Act, 2019.
Chapter Zero Kenya
Email: info@chapterzero.ke
Postal address: P.0.BOX 4960-00200, Nairobi, Kenya
Questions about this policy or how your data is handled may be directed to us at the address above, or to the ODPC at www.odpc.go.ke.
When you register or interact with our Services we may collect:
When you visit our Website we may collect automatically:
If you apply for a position with Chapter Zero Kenya we may collect your CV, cover letter, completed application form, interview notes, and any supporting assessment materials.
We do not ordinarily collect special categories of personal data as defined in Section 44 of the Data Protection Act, 2019 — such as health data, racial or ethnic origin, or political opinions. Where such data is provided voluntarily, it will be handled with the heightened safeguards the Act requires and processed only on the basis of your explicit consent.
We collect only the data that is necessary for the purposes described in this policy. Where providing information is optional, we will tell you so, and choosing not to provide it will not affect your access to our core Services.
We use your personal data to:
Under Section 30 of the Data Protection Act, 2019 we must have a lawful basis before processing your data. We rely on the following bases:
| Activity | Legal basis |
|---|---|
| Providing membership and Website access | Performance of a contract |
| Running events, workshops, and conferences | Performance of a contract / legitimate interests |
| Member communications and monthly bulletin | Legitimate interests |
| Marketing relevant events and materials | Consent — withdrawable at any time |
| Internal membership administration | Legitimate interests |
| Website analytics and security | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Processing job applications | Pre-contractual steps at your request |
Where we rely on legitimate interests, we have assessed that those interests are not outweighed by any prejudice to you. You have the right to object — see Section 11.
We use an analytics service to understand how visitors use our Website. The analytics tool uses cookies — small text files placed on your device — that collect anonymous statistical data such as page visits and session duration. These cookies do not identify you personally.
Analytics data may be transferred to and processed on servers outside Kenya. We ensure that any such transfer complies with Section 48 of the Data Protection Act, 2019.
Our email and newsletter service collects standard engagement data such as open rates and link clicks. This helps us ensure our communications are relevant and well-timed. We gather this data only from members who have consented to receive communications from us.
When you first visit our Website a cookie consent notice will appear. You may accept or decline non-essential cookies at that point, or change your preferences at any time through your browser settings.
To opt out of website analytics tracking altogether, most analytics providers offer a browser opt-out tool; please consult your browser’s help documentation for further options.
We do not sell or trade your personal data. We share it only in the following circumstances:
We may share your data with organisations that co-host events with us or provide specialist support to our members. Those organisations may process your data for their own purposes; we recommend reviewing their privacy policies. We will tell you which partners are involved at the relevant time.
Board members with governance responsibility may access personal data strictly within their governance mandate. They are not permitted to use your data for their own purposes.
We work with third-party providers — including hosting, CRM, and communications platforms — who process data on our behalf under binding agreements that prohibit them from using your data for any purpose other than delivering the services we have engaged them to provide.
We may disclose your data to the ODPC, Kenyan law enforcement agencies, courts, or other competent authorities where required by applicable law or a valid court order. We will only make such disclosures to the extent required and after satisfying ourselves that the request is lawful.
We may share data with legal, financial, or audit advisors strictly for professional services rendered to Chapter Zero Kenya, subject to appropriate confidentiality obligations.
In the event of a merger, restructuring, or transfer of assets, personal data may be transferred to the incoming entity. We will notify you before any such transfer takes effect wherever this is practicable.
If we use a recruitment agency to help fill a role, we may share application data with that agency under binding confidentiality terms. Recruitment data is deleted at the end of the process unless you consent to its retention for future vacancies.
Where our platform allows you to post in public or shared areas, any data you choose to share may be visible to other members. We are unable to control how others use such information. We will never share your profile data with other individual members without your explicit permission.
Some of our service providers store or process data outside Kenya. In accordance with Section 48 of the Data Protection Act, 2019, we will only transfer personal data outside Kenya where:
Where we cannot rely on an adequacy finding, we put in place appropriate contractual safeguards — such as standard contractual clauses — before any transfer takes place.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, loss, or destruction, in accordance with Section 41 of the Data Protection Act, 2019. These include:
In the event of a personal data breach that is likely to affect your rights or freedoms, we will notify the ODPC without undue delay and, where required, notify you directly as well — both in line with Section 43 of the Data Protection Act, 2019.
No method of transmitting data over the internet is completely secure. While we take every reasonable precaution, we cannot guarantee the absolute security of data you send to us electronically.
We keep personal data only for as long as is necessary for the purpose for which it was collected, in accordance with Section 39 of the Data Protection Act, 2019:
When data is no longer required we delete it securely, or anonymise it so that it can no longer be linked to you.
If your details change — a new role or a different email address — please let us know and we will update your record. We may also use publicly available information (for example, published board appointments) to keep your membership profile accurate.
| Right | What it means |
|---|---|
| Right of access (s.26) | Request a copy of the personal data we hold about you. |
| Right to rectification (s.27) | Ask us to correct any inaccurate or incomplete data. |
| Right to erasure (s.38) | Ask us to delete your data where it is no longer necessary or processing is unlawful. |
| Right to object (s.35) | Object to processing based on legitimate interests, or to direct marketing. |
| Right to restrict (s.36) | Ask us to pause processing while a dispute about your data is resolved. |
| Right to portability (s.37) | Receive your data in a machine-readable format for transfer to another provider. |
| Withdraw consent | Where we rely on consent you may withdraw it at any time without affecting prior processing. |
| Right to complain (s.56) | Lodge a complaint with the ODPC if you believe your rights have been breached. |
Our Services are directed at board directors and senior professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe we may hold data relating to a child, please contact us immediately and we will delete it without delay.
Any processing involving children that may become necessary will comply with Section 33 of the Data Protection Act, 2019, including obtaining appropriate parental or guardian consent.
Our Website may include links to external websites operated by third parties. Chapter Zero Kenya has no control over and takes no responsibility for the content or privacy practices of those sites. We encourage you to read the privacy policy of any external site you visit.
We review this policy regularly and may update it to reflect changes in our practices, applicable law, or the services we provide. Where a change is material we will notify you by email and post a prominent notice on our Website before the change takes effect. The “last updated” date at the top of this document will always reflect the most recent revision.
Continued use of our Website or Services after notification of a material change constitutes acceptance of the updated policy.
If you have any questions about this policy, wish to exercise a right, or have a concern about how we have handled your personal data, please get in touch:
Chapter Zero Kenya
Email: info@chapterzero.ke
Postal address: P.o.Box 4960 -00200, Nairobi, Kenya
We aim to resolve all privacy concerns fairly and promptly. If you remain dissatisfied after contacting us, you have the right to escalate your complaint to the ODPC at www.odpc.go.ke.
