Short summary
This Privacy Policy explains what personal data Zuhura Solutions ("we", "us", "our") collects through our website at zuhurasolutions.com and the Halisi Trolley waitlist, why we collect it, how we look after it, and the rights you have over it. We only collect what we need, we keep it only as long as we need, and we do not sell your personal data or share it for third-party advertising.
We process personal data in line with the Kenya Data Protection Act, 2019 (the "DPA") and its regulations, and with the EU and UK General Data Protection Regulation (GDPR) where it applies to visitors from those regions.
1. Who we are (Data Controller)
Zuhura Solutions is the data controller for the personal information you share with us through this website.
- Trading name: Zuhura Solutions
- Address: Eastern Bypass, Nairobi, Kenya
- Email: info@zuhurasolutions.com
- Phone / WhatsApp: (+254) 725 260 260
For privacy questions or to exercise your rights, please email privacy@zuhurasolutions.com. If you prefer, info@zuhurasolutions.com will also reach us. Where we are required to register as a Data Controller with Kenya's Office of the Data Protection Commissioner, we will update this section with our registration details once issued.
2. Scope
This Policy applies to personal information you give us through this website, including when you join the Halisi Trolley waitlist or send us a message through the contact form. It does not cover offline dealings, information you give us through partner KYC processes, or any future products or apps we may launch, each of which will have its own notice.
3. What personal data we collect
We only collect information we genuinely need:
3.1 Information you give us
- Waitlist form: first name, last name, phone number, email address (optional), your area or estate, county, and country.
- Contact form: name, email address, phone number (optional), the type of inquiry, and the content of your message.
- Any other information you choose to send us by email, WhatsApp, or phone.
3.2 Information collected automatically
- Server logs: your IP address (stored in hashed form at rest), user agent, referring URL, pages viewed, request timestamps, and other standard HTTP metadata.
- Cookies and similar technologies: see our Cookie Policy. Today we only use strictly necessary cookies to make the site work and to protect our forms from abuse.
3.3 What we do not collect
We do not intentionally collect:
- Special categories of personal data under DPA Section 44 / GDPR Article 9 (health, biometric, genetic, religious beliefs, political opinions, sex life or sexual orientation, trade union membership);
- Payment card data or bank details;
- Government-issued identifiers such as National ID, passport, or KRA PIN.
Please do not send us special-category data, payment details, or ID numbers through the website. If we need to collect any of that later (for example, when you place a real order), we will do so through a separate, secure channel under a separate notice.
4. How we collect your data
- Directly from you when you fill in a form or contact us.
- Automatically through standard server logs and strictly necessary cookies when you visit the site.
- Never from purchased contact lists, data brokers, or unauthorised scraping.
5. Why we use your data and on what basis
The table below sets out, for each purpose, what data we use, our lawful basis for using it, and how long we keep it. Retention periods may be shortened if you ask us to delete your data and we are not required by law to keep it longer.
| Purpose | Data | Lawful basis | Retention |
|---|---|---|---|
| Manage your waitlist signup and contact you about availability, pricing, and logistics for the Halisi Trolley in your area | Name, phone, email, area, county, country | Your consent (GDPR Art. 6(1)(a); DPA s. 30(1)(b)(i)) | 24 months from signup, or until you withdraw consent or we confirm we cannot serve your area |
| Reply to your contact-form inquiry | Name, email, phone, inquiry type, message | Steps at your request prior to entering into a contract; our legitimate interest in replying (GDPR Art. 6(1)(b) and (f); DPA s. 30(1)(c) and (f)) | 24 months from the last contact on the matter |
| Protect the site: security, abuse prevention, rate-limiting | Hashed IP address, user agent, request metadata | Legitimate interest in keeping the service secure (GDPR Art. 6(1)(f); DPA s. 30(1)(f)) | Rolling 90 days in server logs |
| Comply with law and respond to lawful requests | Any data we already hold | Legal obligation (GDPR Art. 6(1)(c); DPA s. 30(1)(c)) | For the period required by the relevant law |
| Understand, in aggregate, how the site is used | De-identified usage statistics derived from logs | Legitimate interest in improving the service (GDPR Art. 6(1)(f); DPA s. 30(1)(f)) | Kept in de-identified form, indefinitely |
Where we rely on your consent, you can withdraw it at any time by emailing info@zuhurasolutions.com. Withdrawing consent will not affect the lawfulness of processing we carried out before the withdrawal. Where we rely on legitimate interests, we have considered your rights and interests and will stop processing on objection unless we have compelling grounds to continue.
6. Who we share your data with
We do not sell your personal data and we do not share it for third-party advertising. We only disclose your data to the categories of recipients below, under written contracts or legal obligations that keep your data protected:
- Our service providers (data processors):
- Google Cloud Platform / Firebase (operated by Google Ireland Limited)
— we use Cloud Firestore (Google's managed database) in the
europe-west1region (Belgium) to store waitlist entries and contact inquiries, and Cloud Functions in the same region to process them. - A third-party transactional SMTP provider (for example Zoho, Brevo, Mailgun, Postmark, Resend, or Amazon SES) — we send internal notifications and auto-reply acknowledgements via this provider's authenticated SMTP relay. We will list the current provider and its hosting location in this Policy once selected; you can request the current name at any time by emailing privacy@zuhurasolutions.com.
- Error-monitoring and analytics providers if and when we add them, with notice to you in this Policy before any data begins to flow to them.
- Google Cloud Platform / Firebase (operated by Google Ireland Limited)
— we use Cloud Firestore (Google's managed database) in the
- Professional advisors such as lawyers, accountants, insurers, and auditors, under duties of confidentiality.
- Courts, regulators, and law-enforcement agencies where we are legally required or permitted to disclose, including in response to lawful ODPC directions.
- A successor entity in the event of a merger, acquisition, restructuring, or asset sale. We will notify you where required and continue to protect your data under this Policy or an equivalent one.
We keep a current list of our sub-processors and the country in which they host data. You can request a copy by emailing info@zuhurasolutions.com.
7. International data transfers
When you submit a form, your data is sent from Kenya to our Google Cloud infrastructure in
the European Union (Belgium, europe-west1). Our email notifications pass through
a third-party transactional SMTP provider, whose data centres may be in the European Union,
the United Kingdom, or the United States depending on the provider we select. These
cross-border transfers are made under the following safeguards, which satisfy DPA sections
48, 49, and 50 and GDPR Chapter V:
- Google Cloud Data Processing and Security Terms, which incorporate the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, and bind Google as our processor;
- Google's certifications and technical safeguards (encryption in transit and at rest, access controls, and regional data residency for Firestore);
- where a transfer is needed to respond to you and no other mechanism is available, your explicit consent.
We do not currently transfer personal data outside these arrangements. You can ask us for a copy of the relevant transfer mechanism by emailing info@zuhurasolutions.com.
8. How long we keep your data
We keep personal data only as long as we need it for the purpose we collected it for, as summarised in the table in section 5. When we no longer need it, we delete it or fully anonymise it. Where a law (for example, Kenyan tax law) requires us to keep certain records for longer, we keep those records for the period required and then delete them.
If you ask us to delete your data, we will do so unless we have an overriding legal reason to keep it, in which case we will explain that to you.
9. How we protect your data
We take reasonable and appropriate technical and organisational measures to protect your data against loss, misuse, and unauthorised access, alteration, or disclosure, including:
- encryption of data in transit using HTTPS / TLS;
- access controls and the principle of least privilege for our staff and processors;
- storing credentials and secrets outside our source code and away from the public internet;
- hashing your IP address before storage, so raw IPs are not kept;
- rate-limiting and honeypot controls on our forms to limit automated abuse;
- routine vendor due diligence before engaging new sub-processors.
No online service can be made completely secure. If you suspect something is wrong with your data, please email us immediately at info@zuhurasolutions.com.
10. Your rights
Subject to conditions and exceptions in the law, you have the rights below. We respect these rights whether you are in Kenya, the European Economic Area, the United Kingdom, or elsewhere.
- Right to be informed — you have this notice, and we will update it when things change (DPA s. 29; GDPR Arts. 13 and 14).
- Right of access — you can ask for a copy of the personal data we hold about you (DPA s. 26(b); GDPR Art. 15).
- Right to rectification — you can ask us to correct inaccurate or incomplete data (DPA s. 26(c); GDPR Art. 16).
- Right to erasure — you can ask us to delete your data when we no longer have a lawful reason to keep it (DPA ss. 26(d) and 40; GDPR Art. 17).
- Right to restrict processing — you can ask us to pause processing while we check a concern you have raised (DPA s. 26(e); GDPR Art. 18).
- Right to data portability — for data you gave us based on consent or a contract and which we process by automated means, you can ask for it in a structured, commonly-used, machine-readable format (DPA s. 26(f); GDPR Art. 20).
- Right to object — including an unconditional right to object to direct marketing; we will stop as soon as we receive your objection (DPA ss. 26(a), 38 and 40; GDPR Art. 21).
- Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal (DPA s. 32; GDPR Art. 7(3)).
- Rights regarding automated decision-making and profiling — we do not use your data for automated decisions that produce legal or similarly significant effects on you (DPA s. 35; GDPR Art. 22). If that ever changes, we will tell you and obtain your consent.
- Right to lodge a complaint — with the Office of the Data Protection Commissioner in Kenya (see section 15) or your local supervisory authority in the EEA / UK.
11. How to exercise your rights
Please email privacy@zuhurasolutions.com and tell us which right you would like to exercise and which data it relates to. Requests sent to info@zuhurasolutions.com will also be routed to our privacy team.
Before we act, we may ask you for a small amount of information to confirm your identity, so that we do not hand your data to someone else. We ask for no more than is necessary.
We aim to respond within seven (7) days, and in any event within thirty (30) days of a valid request. Where a request is particularly complex or we receive a number of requests from you, we may extend that period by up to a further sixty (60) days and will tell you why. Our responses are free of charge; we may decline or charge a reasonable fee for manifestly unfounded or excessive requests, and will explain if we do.
12. Children
Our website and waitlist are directed at adults, particularly micro-entrepreneurs aged 18 or older. We do not knowingly collect personal data from children. If you are a parent or guardian and believe a child has given us data, please contact us and we will delete it.
13. Direct marketing
We will only send you product updates, launch news, and waitlist communications where you have opted in to receive them. Every marketing message will include a simple way to opt out, and you can unsubscribe at any time by emailing info@zuhurasolutions.com with "Unsubscribe" in the subject line. To fully withdraw your consent under GDPR / DPA, email privacy@zuhurasolutions.com.
14. Data breach notification
If a personal data breach occurs that is likely to cause harm to your rights and freedoms, we will notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of it, as required by DPA section 43 and GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly, without undue delay, and explain the steps we are taking and what you can do to protect yourself.
15. Cookies and similar technologies
For how we use cookies and similar technologies, please see our Cookie Policy. Today we only set strictly necessary cookies. Before we set any analytics or marketing cookies, we will update our policies and ask for your consent through a visible banner.
16. Links to other websites
Our site links to third-party services such as LinkedIn, YouTube, TikTok, Facebook, and WhatsApp. We are not responsible for the privacy practices or the content of those services. Please check their own notices before using them.
17. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the effective date and version at the top of the page and, where we hold your contact details, tell you directly before the change takes effect.
18. Contact us and complaints
Talk to us first. Most issues can be resolved quickly if you email us.
- General contact: info@zuhurasolutions.com
- Privacy & data-rights requests: privacy@zuhurasolutions.com
- Phone: (+254) 725 260 260
- Post: Zuhura Solutions, Eastern Bypass, Nairobi, Kenya
If you are not satisfied with our response, you can complain to a supervisory authority:
- Office of the Data Protection Commissioner (Kenya) — https://www.odpc.go.ke, info@odpc.go.ke, (+254) 20 2628 000.
- In the European Economic Area or the United Kingdom, you may also complain to your local data-protection supervisory authority.
19. A few key terms
- Personal data / personal information means information that relates to an identified or identifiable living person.
- Processing means any operation performed on personal data, such as collecting, storing, using, sharing, or deleting it.
- Data controller means the person who decides why and how personal data is processed.
- Data processor means a person who processes personal data on behalf of a data controller.