Privacy Policy
Last updated: June 2026
Important Notice
Colourful Connections is a coaching and self-development programme that uses creative arts as a tool for reflection and growth. It is not a registered psychological, psychiatric, or clinical mental-health service. Nothing on this website or in our programmes constitutes therapy, counselling, or treatment as defined under the Kenya Psychology Act No. 7 of 2011 or the Mental Health (Amendment) Act 2022. If you are experiencing a mental-health crisis, please contact a licensed professional or call the Befrienders Kenya crisis line on 0722 178 177.
1. Who We Are
Colourful Connections (“we”, “us”, or “our”) is a self-development and creative-wellness programme based in Nairobi, Kenya. We operate the website colourfulconnections.co.ke (the “Site”).
For the purposes of the Kenya Data Protection Act No. 24 of 2019 (DPA) and the EU General Data Protection Regulation (GDPR), we are the Data Controller of the personal data you provide to us.
Data Controller Contact:
Nyawira Kuria, Colourful Connections
Nairobi, Kenya
Email: nyawira.kuria@colourfulconnection.com
2. Scope of This Policy
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you:
- Visit our Site;
- Complete our self-assessment questionnaire;
- Subscribe to our newsletter or marketing communications;
- Enrol in any of our programmes;
- Participate in our workshops and submit artwork or photographs;
- Contact us by email, WhatsApp, or any other channel.
This Policy applies to all data subjects regardless of location but includes specific provisions for residents of the European Economic Area (EEA) under GDPR and residents of California, USA under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
3. Personal Data We Collect
3a. Data you give us directly
- Identity data: first name, last name, or preferred name;
- Contact data: email address, WhatsApp or phone number;
- Assessment data: your responses to our self-development questionnaire (which may touch on emotional wellbeing, personal goals, and life circumstances);
- Programme data: artwork, written reflections, and photographs you share during workshops or via our platforms;
- Financial data: we do not store card numbers or bank details; all payments are processed by our payment partners (M-Pesa / third-party processors) who maintain their own privacy policies.
3b. Data we collect automatically
- Technical data: IP address, browser type, device type, operating system, pages visited, and time stamps (via Vercel hosting logs);
- Usage data: how you interact with the Site, which links you click, and how long you stay on each page.
3c. Special Category Data (Sensitive Data)
Information about your emotional wellbeing and mental-health experiences that you voluntarily share in our assessment or workshops may constitute special category data (also called “sensitive personal data”) under the Kenya DPA 2019 (Section 45) and GDPR (Article 9). We only process such data with your explicit consent and for the limited purpose of helping us tailor our programme to your needs. You are never required to disclose clinical diagnoses or medical history to participate.
4. Legal Basis for Processing
Under the Kenya DPA 2019 (Sections 28–32) and GDPR (Article 6), we process your data on the following lawful bases:
| Purpose | Legal Basis |
|---|---|
| Sending programme recommendations after your assessment | Consent (you submit the form voluntarily) |
| Delivering the programme you enrol in | Contract performance |
| Sending newsletters and programme updates | Consent (you can withdraw at any time) |
| Processing payments via third-party partners | Contract performance / legal obligation |
| Improving our services and Site | Legitimate interest |
| Complying with legal obligations | Legal obligation |
| Displaying participant artwork (with permission) | Explicit consent (separate opt-in) |
5. How We Use Your Data
- To recommend the programme that best fits your current stage;
- To enrol you in and deliver the programme you purchase;
- To send session reminders, resources, and programme materials;
- To send our newsletter and updates where you have opted in;
- To display participant artwork and testimonials where you have given explicit consent;
- To respond to your queries and provide customer support;
- To improve our Site and the quality of our programmes;
- To detect and prevent fraud or misuse of our services;
- To comply with applicable laws and regulatory requirements.
We never sell, rent, or trade your personal data to third parties for their own marketing purposes.
6. Third Parties We Share Data With
We share data only where necessary and under strict contractual safeguards:
- Supabase Inc. (database and authentication) — our data is stored on servers in AWS regions. Supabase is SOC 2 Type II certified. See: supabase.com/privacy
- Vercel Inc. (website hosting) — Vercel collects server logs and technical data as described in their privacy policy.
- Payment processors (e.g., M-Pesa / Safaricom, Stripe, or Flutterwave) — we share only the transaction reference needed to confirm your enrolment.
- Email service providers — used exclusively to deliver programme communications you have opted into.
- Law enforcement or regulators — where we are legally required to disclose information under Kenyan law or a valid court order.
7. International Data Transfers
Our hosting and database infrastructure is located outside Kenya. Such transfers are conducted in compliance with Section 48 of the Kenya DPA 2019 and, where applicable, GDPR Chapter V. We rely on contractual safeguards (standard contractual clauses and data processing agreements) to ensure your data is protected to an equivalent standard regardless of where it is processed.
8. How Long We Keep Your Data
- Assessment and programme data: retained for the duration of your programme plus 2 years, to support any queries or disputes;
- Newsletter subscription data: retained until you unsubscribe, then deleted within 30 days;
- Financial records: retained for 7 years as required by the Kenya Tax Procedures Act 2015;
- Artwork and photographs: retained until you withdraw consent or submit a valid takedown request (see our Image Takedown Policy);
- Technical logs: automatically deleted after 90 days.
9. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure, including:
- HTTPS encryption for all data in transit;
- Row-level security (RLS) on our database;
- Access controls limiting who within our team can view personal data;
- Regular review of our data handling practices.
No method of transmission over the internet is 100% secure. If you have reason to believe your data has been compromised, please contact us immediately at nyawira.kuria@colourfulconnection.com. We will notify the Office of the Data Protection Commissioner (ODPC) of any notifiable breach within 72 hours as required by the Kenya DPA 2019.
10. Cookies and Tracking
Our Site uses essential cookies required for the Site to function (e.g., session management). We do not currently use third-party advertising or tracking cookies. If we introduce analytics tools in future, we will update this Policy and seek your consent where required.
11. Your Rights
All users (Kenya DPA 2019)
Under the Kenya Data Protection Act 2019 (Sections 26–38), you have the right to:
- Access — request a copy of the personal data we hold about you;
- Rectification — ask us to correct inaccurate or incomplete data;
- Erasure — ask us to delete your data (subject to legal retention requirements);
- Object — object to processing based on legitimate interests;
- Restrict processing — ask us to pause processing while a dispute is resolved;
- Data portability — receive your data in a structured, machine-readable format;
- Withdraw consent — at any time, without affecting prior processing.
You may also lodge a complaint with the Office of the Data Protection Commissioner (ODPC): www.odpc.go.ke | Tel: +254 20 265 0000.
EEA / UK residents (GDPR)
In addition to the rights above, EEA and UK residents have the right not to be subject to solely automated decision-making that produces legal or similarly significant effects. We do not use automated decision-making of this nature.
EEA residents may also lodge a complaint with their local Data Protection Authority (DPA).
California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, or sell (we do not sell personal information);
- Delete personal information we hold about you;
- Correct inaccurate personal information;
- Opt-out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising;
- Limit use of sensitive personal information — we only use sensitive data for the purpose for which you provided it;
- Non-discrimination — we will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise any of these rights, email us at nyawira.kuria@colourfulconnection.com with the subject line “Privacy Rights Request”. We will respond within 30 days (Kenya DPA / CCPA) or one calendar month (GDPR).
12. Children's Privacy
Our programmes are designed for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us immediately and we will delete it promptly.
13. Third-Party Links
Our Site may contain links to third-party websites (e.g., WhatsApp, Instagram, payment portals). We are not responsible for the privacy practices of those sites and encourage you to review their policies independently.
14. Changes to This Policy
We may update this Policy periodically. Material changes will be communicated by email (if you are a programme participant or subscriber) and by updating the “Last updated” date above. Continued use of the Site after an update constitutes acceptance of the revised Policy.
15. Contact Us
For all privacy-related requests, questions, or complaints:
- Email: nyawira.kuria@colourfulconnection.com
- Location: Nairobi, Kenya
- Image takedown requests: See our Image Takedown Policy