How we collect, use, protect and share personal data, and your rights under Kenya's Data Protection Act, 2019.
P.O. Box 254-80105, Kaloleni, Kenya
Business Name Registration Number: BN-RPCM7BJX
Registered Proprietor: Harun Mwadena Muyesi
Website: www.collaborativeapproach.africa
Email: info@collaborativeapproach.africa
Phone: +254141235857 (prefer whatsapp)
Effective Date: 23 June 2026
The responsible data controller for the processing of personal data on this website and the services made available through it is Collaborative Approach, a business name registered in Kenya under Business Number BN-RPCM7BJX and carried on by Harun Mwadena Muyesi. Our registered address is P.O. Box 254-80105, Kaloleni, Kenya. You may contact us by email through info@collaborativeapproach.africa or by phone through +254 141 235 857 (we prefer whatsapp).
For purposes of this Privacy Notice, the words “Collaborative Approach”, “we”, “us” or “our” refer to Collaborative Approach as the organisation responsible for operating this website, managing its services, and determining how personal data is collected and used in connection with the website and related activities.
We are in the process of completing our data protection compliance and ODPC registration assessment. Once an ODPC registration number or formal data protection officer designation is issued or confirmed, this Privacy Notice will be updated accordingly. In the meantime, all privacy and data protection enquiries may be sent to website@collaborativeapproach.africa and cc; info@collaborativeapproach.africa with the subject line “Data Protection Request”.
This Privacy Notice explains how we process personal data when you use our website, contact us, subscribe to updates, create or use an account, participate in our services, register for events, make payments, access knowledge products, use referral links, interact with our referral system, communicate through WhatsApp or engage with our programmes, trainings, consultancy services, hikes, retreats and community activities.
We process personal data in accordance with applicable data protection law, including Kenya’s Data Protection Act, 2019, the Data Protection General Regulations, 2021, relevant guidance from the Office of the Data Protection Commissioner, and international privacy principles such as transparency, fairness, purpose limitation, data minimisation, storage limitation, security, accountability and respect for data subject rights. In general, we collect and use personal data only where it is necessary to operate the website, respond to users, deliver services, manage bookings and payments, support agents and referrals, communicate with our ecosystem, share knowledge resources, protect the security of our platform, comply with legal obligations, document our work, or pursue legitimate organisational purposes fairly and proportionately.
Where we rely on consent, you may withdraw that consent at any time. Where we rely on legitimate interest, we do so only where the processing is necessary, fair, and balanced against your rights and freedoms. Where we process data to deliver a service, booking, order, event or consultancy engagement, the processing is usually necessary for the performance of a contract or to take steps before entering into a contract. Where we retain financial, tax, accounting, audit, security, or legal records, processing may be necessary for legal compliance or the protection of rights. Only authorised persons who need access for a proper purpose may access personal data. This may include authorised members of Collaborative Approach, technical service providers, payment providers, email service providers, event facilitators, consultants, accountants, legal advisers, hosting providers or other carefully selected third parties who support our work. We do not sell personal data.
When you visit our website without registering, ordering, subscribing or contacting us, we may automatically process limited technical information that your browser, device or internet connection transmits to our server or analytics tools. This information may include the page visited, date and time of access, browser type, operating system, device information, referring page, IP address, session information and basic website usage information. This information is processed so that the website can be displayed correctly, remain stable, remain secure, detect misuse, understand general usage patterns and improve the user experience.
The legal basis for this processing is our legitimate interest in operating a functional, secure and accessible website, and, where applicable, your use of the website or consent for non-essential analytics or cookie-based tools. Technical logs are normally retained for a limited period and then deleted, anonymised or overwritten unless they are needed for security investigation, legal compliance or protection of rights.
If you contact us by email, phone, website form, WhatsApp, social media message or any other communication channel, we will process the personal data you provide in order to respond to your enquiry. This may include your name, email address, phone number, organisation, role, message content, attachments, service interest, preferred communication channel and any other information you choose to provide. We use this information to understand your request, respond to you, provide information, prepare follow-up communication, maintain records of correspondence and, where appropriate, take steps towards a service, partnership, event, consultancy engagement or other relationship.
The legal basis for this processing is usually your consent, our legitimate interest in responding to communications, or the need to take steps before entering into a contract or service relationship. If your communication relates to an existing service, order, booking, account, payment, partnership or consultancy engagement, the processing may also be necessary for the performance of that relationship. We encourage you not to send highly sensitive personal information through ordinary email, WhatsApp or website forms unless it is necessary and requested for a specific purpose.
You may subscribe to receive newsletters, updates, opportunities, event information, publications, learning resources, community news or service-related information from Collaborative Approach. When you subscribe, we may process your email address or whatsapp number, name if provided, subscription date, communication preferences and engagement information such as delivery, opening, or click activity where supported by the email or whatsapp marketing tool. We use this information to send relevant updates and to understand whether our communications are useful to our community.
The legal basis for newsletter processing is consent, unless another lawful basis applies in a specific existing relationship. You may withdraw your consent at any time by using the unsubscribe option included in the communication or by contacting us at info@collaborativeapproach.africa. Where we use an email service provider to send newsletters or confirmations, the provider may process your email address, name and message-related information on our behalf. We select such providers with care and expect them to apply appropriate confidentiality and security safeguards.
Some parts of our website or platform may require registration or authorised access. This may include user accounts, agent accounts, referral dashboards, notices, service tracking, commission information or other restricted features. Where you create or use an account, we may process your name, username, email address, phone number, account status, login information, hashed password, account creation date and information connected to your authorised use of the platform. Passwords are not stored in plain text. We process this information to create, approve, and manage accounts, authenticate users, protect restricted areas, provide account-related services, send internal notices, prevent unauthorised access, maintain security and support the proper administration of user or referral relationships.
The legal basis for this processing is usually performance of a service relationship, our legitimate interest in secure platform management, and legal compliance where records must be retained for audit, accountability or dispute resolution. You are responsible for keeping your login credentials confidential and for notifying us if you suspect unauthorised access to your account.
Collaborative Approach may use referral links, service links, agent links or campaign links to understand how users discover our services and to attribute eligible referrals to authorised agents or partners. When a referral link is used, we may process limited information such as referral reference, click time, service interest, basic device or browser information, IP address, session information, conversion status, customer contact details where submitted, and order or booking reference where applicable. We use this information to manage referrals, confirm valid service enquiries, attribute conversions, prevent fraud, calculate eligible commissions, resolve disputes and understand the effectiveness of our outreach.
The legal basis for this processing is our legitimate interest in managing referrals and protecting the integrity of our services, performance of agent or referral arrangements where applicable, and performance of a service relationship where the referral leads to a booking, order or client engagement.
When you register for a service, make a booking, order merchandise, request a paid experience, join a training, reserve an event slot or engage a Collaborative Approach service, we may process personal data necessary to manage that transaction. This may include your name, phone number, email address, selected service, event or product, date, venue or meeting point where relevant, amount payable, amount paid, payment status, transaction date, payment reference, order reference and communication relating to the booking or order. We use this information to confirm bookings, deliver services, communicate logistics, manage attendance, issue confirmations, process payments, handle customer support, maintain financial records, manage refunds where applicable, attribute referrals where relevant, and comply with accounting or legal obligations.
The legal basis for this processing is usually the performance of a contract or service relationship, steps taken before entering into such a relationship, legal compliance for financial records, and our legitimate interest in managing services safely and efficiently.
Where we work with authorised agents or referral partners, we may process information necessary to administer commissions, withdrawals, agent communication and accountability. This may include agent account details, referral activity, confirmed conversions, commission status, earned amounts, withdrawal requests, payment status, approval or rejection records, internal notes and related communication. We use this information to administer commission arrangements, verify payment eligibility, prevent misuse, resolve disputes, maintain audit trails and comply with accounting requirements.
The legal basis for this processing is performance of the agent or referral relationship, legal compliance, and our legitimate interest in maintaining a fair, secure and accountable referral system. Commission and withdrawal information is treated as restricted operational information. Access is limited to authorised persons who need the information for administration, finance, compliance, dispute resolution or technical support.
Our website may provide access to blogs, publications, learning resources, reports, PDFs, videos and other knowledge products. When you access these resources, we may process limited usage information, such as the resource accessed, download count, date and time of access, IP address in server logs and general device or browser information. We use this information to share knowledge resources, understand which materials are useful, improve our content, protect the platform, maintain server security and report aggregated engagement where appropriate. We do not use this information to expose individual reading or download behaviour publicly.
The legal basis for this processing is our legitimate interest in knowledge sharing, platform improvement, security and impact learning, and, where a download or resource access requires registration, the service relationship with the user.
Collaborative Approach organises or supports events, hikes, retreats, trainings, workshops, community gatherings, corporate experiences and other in-person or virtual activities. When you register for or participate in such activities, we may process personal data necessary to plan, communicate, deliver and document the activity. This may include your name, phone number, email address, organisation, role, payment confirmation, attendance information, emergency contact details, dietary needs, accessibility needs, health or allergy information where necessary for safety, waiver records, photographs, video, testimonials and post-event feedback. We use this information to manage registration, communicate logistics, confirm payments, support participant safety, respond to emergencies, provide inclusive participation, document learning, evaluate activities and maintain accountability to participants, partners or funders where applicable.
The legal basis may include performance of a service relationship, consent, vital interests in emergencies, legitimate interests in safe event management, and legal compliance where records must be retained. Health, accessibility and emergency information are handled with extra care and only shared with authorised persons where necessary for safety, inclusion or emergency response.
Where Collaborative Approach provides or participates in consultancy, research, training, organisational development, partnership brokerage, proposal development, ecosystem support, donor engagement or institutional collaboration, we may process personal data related to clients, partners, consultants, staff, board members, community representatives, applicants, participants or beneficiaries. This may include contact information, organisational role, correspondence, meeting notes, project documents, invoices, contracts, reports, participant information, application details, programme records, feedback and other information provided for the engagement. We process this information to deliver the agreed work, communicate with stakeholders, prepare outputs, manage contracts, comply with donor or client requirements, maintain records, issue invoices, support accountability and protect legal or professional interests.
Where a client, partner or institution provides us with personal data about other people, that client, partner or institution is responsible for ensuring that the data was collected lawfully and may be shared with us for the relevant purpose. Where we process such data on behalf of another organisation, we will process it in line with the applicable agreement and data protection law.
Collaborative Approach uses storytelling to document learning, amplify community voices, share impact and build trust with partners, participants and the wider ecosystem. This may involve photographs, videos, audio recordings, interviews, testimonials, quotes, case studies or participant stories. Where identifiable media or stories are used publicly, we will apply an appropriate lawful basis, usually consent, legitimate interest or contractual reporting requirements, depending on the context. Where the media involves children, vulnerable persons, sensitive communities or people whose public exposure may create risk, we apply stricter safeguarding and consent standards.
We may use approved media and stories on our website, social media, newsletters, reports, proposals, publications, learning materials, donor communication, partner visibility and institutional memory. We will not knowingly use a person’s image or story in a way that misrepresents them, exposes them to avoidable harm, or violates their dignity. If you have given consent for identifiable media use, you may withdraw consent for future use by contacting us via info@collaborativeapproach.africa. Withdrawal will not affect lawful use already made before withdrawal, but we will take reasonable steps to stop future use where technically and practically possible.
Some of our work involves young people, community leaders, grassroots organisers, persons with disabilities, refugees, minorities, women, activists, students, professionals and other groups whose personal information may require special care. We do not seek to collect sensitive personal data unless it is necessary for a specific lawful purpose. Sensitive data may include health information, disability or accessibility information, emergency details, information about minors, sensitive identity information or information that could expose a person to stigma, discrimination, safety risk or unwanted public attention.
Where sensitive personal data is necessary, we will collect only what is relevant, explain why it is needed, limit access, protect it carefully and retain it only as long as necessary. Where the law requires explicit consent, guardian consent or additional safeguards, we will seek such consent before processing. Where children or persons under the age of 18 participate in our activities, we may require consent from a parent, guardian, school, organisation or other authorised person. We process children’s data with particular care and with the best interests of the child as a primary consideration. Safeguarding information is handled confidentially and shared only where necessary to protect a person, respond to an incident, comply with law, or ensure safe programme delivery.
We may use third-party service providers to operate the website, process payments, send emails, manage analytics, support communications, protect the platform, host content and improve our services.
We select service providers with care and expect them to process personal data only for authorised purposes, apply appropriate security measures and comply with applicable data protection requirements. Where third-party providers process personal data on our behalf, they act as service providers. Where you choose to interact directly with a third-party platform, that platform may also process your data under its own privacy notice and terms.
Where payments are made through M-Pesa or another authorised payment channel, payment-related information may be processed by the payment provider and by Collaborative Approach. This may include phone number, amount, transaction reference, transaction status, timestamp and order or booking reference. We use this information to confirm payments, manage bookings and orders, process refunds where applicable, maintain financial records, prevent fraud, attribute eligible referrals and comply with accounting requirements.
Payment providers process payment data under their own legal and security frameworks. We do not control the full processing environment of a third-party payment provider, and users are encouraged to review the relevant provider’s privacy and service terms where necessary.
We may use Google Analytics or similar analytics tools to understand how visitors use the website, which pages are useful, how users navigate the site and how the website can be improved. Analytics tools may process information such as IP address, device information, browser information, visited pages, referrer information, download activity, date and time of visit and general usage data. Where required, analytics cookies or similar tools will be used only after you have given consent through the cookie consent tool.
The legal basis for non-essential analytics is usually consent. For limited technical logs necessary for website functionality, stability and security, the legal basis may be our legitimate interest in operating a secure and functional website. Analytics providers may process data outside Kenya. Where this happens, we will take reasonable steps to ensure that transfers are protected through appropriate safeguards, contractual measures, consent where required, or another lawful transfer mechanism.
We may use email service providers to send newsletters, order confirmations, service updates, event communication, notices or other messages. In this context, the provider may process information such as your name, email address, message content, delivery information and engagement information where supported. We use these services to communicate efficiently and securely with users, participants, agents, clients, partners and subscribers. Where communications are marketing or newsletter-based, you may unsubscribe or opt out. Where communications are essential to a service, payment, event, account or legal matter, we may continue sending necessary operational messages even if you opt out of marketing.
Our website may provide WhatsApp links to make it easier for users to contact us about services, events, products or opportunities. When you click a WhatsApp link or send us a message through WhatsApp, your phone number, profile name, message content, and any information you choose to share may be processed by WhatsApp and by Collaborative Approach. WhatsApp is a third-party platform and has its own privacy practices. You should avoid sending unnecessary sensitive information through WhatsApp. Where a matter involves sensitive personal data, formal legal matters, safeguarding, payments, medical information or data protection rights, we may ask you to use email or a more appropriate channel.
Our website is hosted and protected using technical service providers such as hosting companies, content delivery networks, cloud infrastructure providers, security tools and related technical support. These providers may process technical data such as IP address, browser information, device information, server logs, security logs, page requests and system-level events. This processing is necessary to host the website, load pages, prevent attacks, cache content, monitor uptime, protect against misuse, maintain backups and keep the website secure. The legal basis for this processing is our legitimate interest in operating a secure, reliable and accessible website, and legal compliance where logs or records are needed for security or audit purposes.
Collaborative Approach may maintain pages, profiles or content on social media platforms such as LinkedIn, Instagram, Facebook, X, TikTok, YouTube or similar platforms. If you click a social media link from our website or interact with our social media pages, the relevant platform may process your personal data, including your profile information, interactions, device information, IP address and engagement activity. That processing is governed by the platform’s own privacy notice. We use social media to share updates, increase our reach, communicate opportunities, showcase learning, engage our community and build visibility for our work. Our legal basis is usually legitimate interest in public communication and community engagement, and consent where specific media use or marketing activity requires it.
Our website may include embedded videos or links to YouTube or similar media platforms. When you access or play embedded media, the relevant platform may receive information such as your IP address, device details, browser information, page visited and usage data. The platform may also use cookies or similar technologies. Whether you click and play embedded media is your choice. Where possible, you may access similar information through alternative communication from us. The processing by YouTube or other media platforms is governed by their own privacy notices. We use embedded media because visual storytelling helps explain our work, share learning and make content more accessible. The legal basis is our legitimate interest in presenting our work clearly and, where cookies or non-essential tracking are involved, your consent.
Our website may contain links to partner websites, donor platforms, application forms, event pages, social media platforms, documents, external resources or third-party services. When you click an external link, you leave our website, and the external provider may process your personal data under its own privacy notice and terms. Collaborative Approach is not responsible for the privacy practices, security, accuracy or content of external websites that we do not control. You should review the privacy notice of any external website before submitting personal data.
Cookies are small text files or similar technologies placed on your device when you visit a website. They may help the website work properly, remember your session, improve security, measure usage, support referral tracking, improve performance or provide analytics. Some cookies are necessary for the website to function. These may support security, session management, page loading, form submission, restricted access or fraud prevention. Other cookies, such as analytics or marketing cookies, are not strictly necessary and should only be used with your consent, where the law requires consent. Depending on your browser settings and consent choices, cookies may process information such as IP address, browser type, device information, visited pages, session identifiers, referral information, date and time of visit and general usage behaviour. You can control cookies through our cookie consent tool, where available and through your browser settings. If you disable cookies, some parts of the website may not function properly.
We may use a cookie consent tool to request, record and manage your choices for cookies and similar technologies. The cookie consent tool helps us remember whether you accepted or declined certain categories of cookies. To do this, the tool may process limited technical information such as consent status, session information, device or browser details, date and time of consent and the categories of cookies accepted or rejected. The legal basis for this processing is our legitimate interest and legal obligation to manage cookie consent in a transparent and accountable way. Where a cookie requires consent, we will process it based on the consent you provide. You may change or withdraw your cookie preferences at any time where the website provides that functionality.
We retain personal data only for as long as necessary for the purpose for which it was collected, unless a longer period is required for legal, tax, accounting, audit, security, reporting, safeguarding, contractual or dispute-resolution purposes. Website logs are normally kept for a limited period unless needed for a security investigation. Contact enquiries are kept for as long as necessary to respond and maintain appropriate records. Newsletter data is kept until you unsubscribe or the mailing list is reviewed. Payment, invoice, order, commission and accounting records may be kept for the period required under applicable financial, tax and audit laws. Event records are kept for the period necessary for administration, reporting, safety, evaluation and legal protection. Consultancy and partnership records may be retained according to the relevant contract, reporting duty or professional recordkeeping need. Where personal data is no longer needed, we will delete it, anonymise it, archive it securely or restrict access to it.
We use reasonable technical and organisational measures to protect personal data against unauthorised access, misuse, loss, alteration, disclosure or destruction. These measures may include access controls, password protection, hashed passwords, restricted administrative access, server logs, monitoring of login attempts, secure hosting, system-level security tools, internal accountability records, confidentiality expectations, payment verification controls and limited access to sensitive records. No digital system is completely risk-free. However, we take privacy and security seriously and work to reduce risks through proportionate safeguards. If we become aware of a personal data breach that is likely to affect your rights or freedoms, we will take steps to investigate, contain, document and notify relevant parties in accordance with applicable law.
You may contact us to exercise your rights in relation to your personal data. Subject to applicable law, these rights may include the right to be informed about how your data is used, the right to access personal data held about you, the right to request correction of inaccurate or incomplete data, the right to request deletion where legally permitted, the right to object to certain processing, the right to restrict processing, the right to withdraw consent, and the right to receive data in a portable format where applicable. You also have the right to object to direct marketing at any time. Where you object to direct marketing, we will stop using your personal data for that purpose. To exercise your rights, contact us by email at website@collaborativeapproach.africa and cc: info@collaborativeapproach.africa with the subject line “Data Protection Request”. We may ask for information to verify your identity before acting on the request. This is to protect your data from being disclosed to an unauthorised person.
We will respond to data subject requests within the timelines required by Kenyan data protection law and, where GDPR applies, within the applicable GDPR timelines.
Where you consent to receive newsletters, updates, opportunities, event information or marketing communication, we will use your contact information for that purpose. You may withdraw consent at any time. You may do this by using the unsubscribe link in an email, following the opt-out instructions in a message, or contacting us at info@collaborativeapproach.africa. Withdrawal of consent does not affect processing already carried out before withdrawal. It also does not prevent us from sending necessary non-marketing communication, such as payment confirmations, event logistics, account notices, safety updates, legal notices or responses to your requests. We do not sell your personal data to third-party marketers.
Some of the service providers we use may process or store personal data outside Kenya. This may happen where we use cloud hosting, analytics tools, email service providers, social media platforms, payment-related integrations, content delivery networks or other digital tools. Where personal data is transferred outside Kenya, we will take reasonable steps to ensure that the transfer is lawful and protected. This may include using reputable providers, limiting data to what is necessary, applying contractual safeguards, relying on consent where required, assessing the provider’s privacy protections, and complying with applicable ODPC requirements. Where GDPR applies, transfers outside the European Economic Area may be protected through appropriate safeguards such as adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms.
We do not use personal data for automated decision-making that produces legal or similarly significant effects on users without meaningful human involvement. Our website and platform may use system logic to support normal operations such as referral attribution, account access, payment status updates, download counting, analytics, security logging, commission administration or fraud prevention. These processes help us run the website and services efficiently, but they are not intended to make final legal or significant decisions about you without review. If you believe that a referral, payment, commission, account or service decision is incorrect, you may contact us and request human review.
Collaborative Approach is in the process of completing its ODPC registration assessment and related compliance documentation. Once registration is completed or an ODPC registration number is issued, this Privacy Notice will be updated. This statement does not reduce our responsibility to handle personal data lawfully, fairly, transparently and securely. We are taking steps to align our website, internal processes, service providers, forms, consent mechanisms and user notices with Kenya’s Data Protection Act, 2019 and applicable data protection regulations.
If you have a concern about how we process your personal data, we encourage you to contact us first so that we can review and respond to the issue. You may contact us through website@collaborativeapproach.africa and cc; info@collaborativeapproach.africa with the subject line “Data Protection Concern” or “Data Protection Request”.You also have the right to lodge a complaint with the Office of the Data Protection Commissioner in Kenya if you believe your personal data has been processed in a manner that does not comply with the law.
We may update this Privacy Notice from time to time to reflect changes in our website, services, legal obligations, ODPC guidance, data processing practices, third-party providers, payment systems, cookies, security measures or organisational structure. The current version will always be made available on our website. Where changes are material, we may provide additional notice through the website, email, account notice, WhatsApp or another appropriate communication channel. Your continued use of the website after an updated Privacy Notice is published means that you have had access to the updated information. Where the law requires fresh consent, we will request it separately.