Privacy Policy
Member Portal Data Protection and Privacy Statement
1. Introduction and Scope
The Nyandarua County Tertiary Students Association (hereafter referred to as "NCTSA," "we," "our," or "us") is committed to protecting the privacy and security of your personal information. This comprehensive Privacy Policy outlines in detail our practices concerning the collection, use, storage, protection, and disclosure of personal data you provide when accessing and utilizing the NCTSA Member Portal and associated services.
This document applies exclusively to registered users, prospective members, and applicants who interact with our digital platform. It is expressly designed to inform you about your privacy rights and how the law protects you within the context of our association's operations. We process personal data in accordance with applicable data protection laws, including but not limited to the Data Protection Act of Kenya.
By accessing our portal, creating an account, submitting applications, or utilizing any of our services, you explicitly acknowledge that you have read, understood, and consent to the terms articulated in this Privacy Policy. Should you disagree with any aspect of this policy, you must immediately discontinue use of our services and refrain from providing any personal information through our platforms.
2. Information We Collect
We collect various categories of personal data to facilitate our services, which are categorized as follows:
2.1 Account Registration Information
During the account creation process, we collect essential identifying information including but not limited to:
- Full legal name (first name, middle name if applicable, and last name)
- Valid email address for communication and account verification
- Telephone number for authentication and service notifications
- Profile photograph (optional) for identification purposes
- Encrypted password credentials for account security
2.2 Academic and Institutional Information
To verify your student status and provide relevant services, we collect comprehensive educational data:
- Name of your tertiary institution or university
- Official course or program of study
- Current academic year (e.g., 1st Year, 2nd Year, 3rd Year, etc.)
- Level of academic pursuit (Certificate, Diploma, Degree, Masters, PhD)
- Institutional identification details where applicable
2.3 Demographic and Geographic Information
For constituency representation and regional services, we collect:
- Date of birth for age verification and eligibility determinations
- Biological gender for demographic analysis and targeted programming
- County of ancestral origin for regional representation purposes
- Current residential details including sub-county, constituency, ward, and physical address
- Home address for correspondence and emergency contact purposes
2.4 Application and Participation Data
When you engage with specific NCTSA programs, we collect additional information:
- Event Applications: Full name, contact details, payment information, special requests, and consent acknowledgments
- Leadership Applications: Academic details, manifesto submissions, biographical information, and campaign materials
- Employment Applications: Academic history, cover letters, resumes, reference documents, and employment preferences
- Financial Aid Applications: Family information, financial documentation, academic transcripts, and banking details
- Inquiry Submissions: Contact information and message content when utilizing communication channels
2.5 Financial Transaction Information
For processing payments related to events or services:
- MPESA transaction details including phone numbers, transaction amounts, and payment references
- Bank account information for financial aid disbursements (where applicable)
- Payment confirmation receipts and transaction status records
3. Purpose and Legal Basis for Processing
We process your personal data based on the following legal grounds and for these specified purposes:
3.1 Contractual Necessity
Processing is necessary for the performance of our contractual obligations to you as a member, which includes creating and maintaining your membership account and profile, processing your applications for events, leadership positions, employment opportunities, and financial aid programs, administering elections and voting processes within the association, facilitating communication regarding association activities and member benefits, and providing technical support and troubleshooting assistance.
3.2 Legitimate Interests
Processing is necessary for our legitimate organizational interests, balanced against your rights and freedoms, including improving and optimizing our platform functionality and user experience, preventing fraudulent activities and ensuring platform security, conducting anonymized statistical analysis for service enhancement, managing internal administrative processes and record-keeping, and promoting association events and initiatives to relevant members.
3.3 Legal Obligations
Processing is necessary for compliance with legal and regulatory requirements, including maintaining accurate membership records as required by association bylaws, responding to lawful requests from government authorities or law enforcement, complying with financial regulations regarding transaction processing, and meeting audit and accountability requirements.
3.4 Explicit Consent
Processing is based on your explicit consent for specific purposes, including sending promotional communications and newsletters, sharing photographs or videos from events where you appear, publishing reviews or testimonials you voluntarily submit, and processing special categories of data where required by specific applications.
4. Data Sharing and Third-Party Disclosure
We maintain strict protocols regarding the sharing of your personal information. Within the NCTSA organizational structure, your information may be accessed by elected leadership members for legitimate association purposes, designated administrative personnel responsible for specific program areas, technical support staff for system maintenance and troubleshooting, and event organizers for participation management and coordination. All internal access is governed by strict need-to-know principles and confidentiality agreements.
We engage carefully selected third-party service providers who process data on our behalf under contractual obligations, including cloud hosting providers for secure data storage and platform hosting, payment processing services for financial transactions, email service providers for communication delivery, and SMS gateway providers for authentication and notification purposes. All third-party processors are contractually bound to implement appropriate security measures and are prohibited from using your data for any purpose other than providing services to NCTSA.
We may disclose your personal information where required by law or in response to court orders, subpoenas, or other legal processes, requests from government authorities with appropriate jurisdiction, investigations of potential violations of our terms of service, or protection of the rights, property, or safety of NCTSA, our members, or the public.
In limited circumstances and with appropriate safeguards, we may share information with your educational institution for verification of student status, employers or internship providers when facilitating placement opportunities, scholarship or bursary providers for application processing, and event co-organizers for participation management. Such sharing occurs only with your explicit consent or as necessary to fulfill specific services you have requested.
5. Data Security and Protection Measures
We implement comprehensive technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. All sensitive data transmitted between your device and our servers is encrypted using industry-standard TLS/SSL protocols. Passwords are stored using secure hashing algorithms with salt values. Strict role-based access controls limit data access to authorized personnel only, with multi-factor authentication implemented for administrative access.
Firewalls, intrusion detection systems, and regular security audits protect our network infrastructure from unauthorized access. We collect only data that is necessary for specific, legitimate purposes and retain it only for as long as required. Security assessments and vulnerability scans are conducted regularly to identify and address potential security weaknesses. All personnel with access to personal data receive comprehensive training on data protection principles and confidentiality obligations. We maintain a documented incident response plan to address potential data breaches promptly and effectively.
Despite these measures, no method of transmission over the Internet or electronic storage is completely secure. We encourage you to take appropriate precautions to protect your personal information, including maintaining the confidentiality of your account credentials.
6. Data Retention Periods
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements. Account information is retained for the duration of your membership plus six years following account deactivation for legal and administrative purposes. Event, leadership, employment, and financial aid application data is retained for five years after the conclusion of the relevant process for record-keeping and audit purposes.
Financial records including transaction and payment information are retained for seven years to comply with financial regulations. Correspondence and inquiries are retained for three years from the date of last contact. Log files and technical information are retained for one year for security monitoring and troubleshooting. Following the expiration of applicable retention periods, we securely delete or anonymize your personal data. Anonymized data may be retained indefinitely for statistical and analytical purposes.
7. Your Data Protection Rights
As a data subject, you possess specific rights regarding your personal information:
7.1 Right to Access
You have the right to request copies of the personal data we hold about you. This includes information about the categories of data being processed, the purposes of processing, the recipients or categories of recipients to whom the data has been disclosed, and the envisaged retention period or criteria used to determine that period. We will provide this information in a structured, commonly used, and machine-readable format within thirty days of receiving a verifiable request.
7.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data. You may update certain information directly through your account profile. For data that cannot be modified through self-service, you may submit a rectification request through our designated channels.
7.3 Right to Erasure (Right to be Forgotten)
Under specific circumstances, you have the right to request deletion of your personal data. This right applies when the data is no longer necessary for the purposes for which it was collected, you withdraw consent and there is no other legal ground for processing, you object to processing and there are no overriding legitimate grounds, the data has been unlawfully processed, or deletion is required to comply with a legal obligation. We may retain certain data where we have compelling legitimate grounds or legal obligations that override your request.
7.4 Right to Restrict Processing
You have the right to request restriction of processing of your personal data in specific situations, including when you contest the accuracy of the data, for a period enabling verification, processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds.
7.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where processing is based on consent or contract and carried out by automated means.
7.6 Right to Object
You have the right to object to processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
7.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You may manage your consent preferences through your account settings or by contacting us directly.
To exercise any of these rights, please submit a verifiable request through our designated privacy contact channels. We may require specific information to verify your identity before processing certain requests. We will respond to all legitimate requests within thirty calendar days, with possible extensions for complex requests as permitted by law.
8. Cookies and Tracking Technologies
Our platform utilizes essential cookies and similar tracking technologies to enhance functionality and user experience. Session cookies are temporary cookies that expire when you close your browser, used to maintain your login state and session information. Persistent cookies remain on your device for a set period or until manually deleted, used to remember your preferences and settings. Functional cookies enable enhanced functionality and personalization of your experience on our platform. Analytics cookies collect anonymized information about how visitors use our platform to help us improve our services.
You may control cookie preferences through your browser settings. However, disabling certain cookies may limit functionality and affect your ability to access some features of our platform.
9. International Data Transfers
As an organization primarily operating within Kenya, we process and store your personal data on servers located within the country. In limited circumstances where data may be transferred outside Kenya (for example, to international service providers), we ensure appropriate safeguards are implemented in accordance with applicable data protection laws, including standard contractual clauses or other approved mechanisms.
10. Children's Privacy
Our services are not directed to individuals under the age of eighteen. We do not knowingly collect personal information from children without parental consent. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child, please contact us immediately.
11. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. When we make material changes, we will notify you through prominent notices on our platform or via email at least thirty days before the changes take effect. The effective date at the beginning of this policy will be revised accordingly. We encourage you to review this Privacy Policy regularly to stay informed about how we protect your information.
12. Contact Information and Complaints
