Kenya Coffee School & Barista Mtaani

Data Protection, GDPR Compliance, and Responsible Cookies Policy & Privacy.

Effective Date: 1 January 2026
Last Updated: 21 December 2025

This Policy sets out the binding principles, commitments, and operational measures adopted by Kenya Coffee School and Barista Mtaani (together, “we”, “us”, or “our”) to respect privacy, protect personal data, uphold data rights, and ensure responsible and transparent use of cookies and related technologies.

We recognize that trust is the foundation of education, training, community development, and ethical business. As institutions working with learners, professionals, farmers, youth, partners, donors, and the public, we commit to the highest standards of data protection, confidentiality, and lawful processing—globally and locally.


1. Purpose and Scope

1.1 Purpose

The purpose of this Policy is to:

  • Demonstrate our commitment to privacy and data protection by design and by default
  • Ensure compliance with applicable data protection laws and regulations, including international best practice standards
  • Define clear rules for the lawful, fair, and transparent processing of personal data
  • Prevent spam, misuse, unauthorized access, sale, or exploitation of personal data
  • Explain how cookies and similar technologies are used responsibly and with user control
  • Protect the rights and freedoms of all individuals whose data we process

1.2 Scope

This Policy applies to all personal data processed by Kenya Coffee School and Barista Mtaani, including data collected through:

  • Websites, portals, and learning management systems
  • Online forms, applications, registrations, and surveys
  • Training programs, examinations, certifications, and transcripts
  • Events, pop-ups, coffee carts, and community outreach
  • Email, messaging platforms, phone calls, and social media
  • Employment, volunteering, internships, and partnerships

It applies to all staff, trainers, contractors, volunteers, consultants, students, alumni, partners, and third-party service providers acting on our behalf.


2. Core Principles of Data Protection

We process personal data in line with the following foundational principles:

2.1 Lawfulness, Fairness, and Transparency

Personal data shall be processed lawfully, fairly, and in a transparent manner. Individuals will always be informed about:

  • What data we collect
  • Why we collect it
  • How it will be used
  • Who it may be shared with
  • How long it will be retained
  • What rights they have

We do not process data secretly, deceptively, or in ways that individuals would not reasonably expect.

2.2 Purpose Limitation

We collect personal data only for specific, explicit, and legitimate purposes related to education, training, certification, operations, communication, and community development.
Data shall never be reused for unrelated purposes without a valid lawful basis and clear notice.

2.3 Data Minimization

We collect only the minimum data necessary to fulfill a defined purpose.
We do not request excessive, irrelevant, or intrusive information.

2.4 Accuracy

We take reasonable steps to ensure that personal data is accurate, complete, and up to date.
Individuals are encouraged to notify us of any changes or corrections.

2.5 Storage Limitation

Personal data is retained only for as long as necessary to fulfill its purpose or meet legal, academic, regulatory, or contractual requirements.
When no longer required, data is securely deleted, anonymized, or archived.

2.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to protect data against:

  • Unauthorized access
  • Accidental loss
  • Destruction or damage
  • Unlawful disclosure or alteration

2.7 Accountability

We take responsibility for compliance and can demonstrate adherence to this Policy and applicable data protection laws at all times.


3. Lawful Bases for Processing Personal Data

We process personal data only when one or more lawful bases apply, including:

3.1 Consent

Where required, we obtain freely given, specific, informed, and unambiguous consent.
Consent can be withdrawn at any time without penalty.

3.2 Contractual Necessity

Processing is necessary to perform a contract or take steps prior to entering into a contract (e.g., enrollment, certification, employment).

3.3 Legal Obligation

Processing is required to comply with legal, regulatory, or statutory obligations.

3.4 Legitimate Interests

Processing is necessary for our legitimate interests, provided those interests do not override the rights and freedoms of individuals (e.g., quality assurance, security, program improvement).

3.5 Vital Interests

Processing is necessary to protect someone’s life or physical safety.

3.6 Public Interest / Educational Mission

Processing is carried out in pursuit of education, skills development, sustainability, and public-good objectives.


4. Categories of Personal Data We May Collect

Depending on the interaction, we may collect:

  • Identification data (name, nationality, date of birth)
  • Contact details (email, phone number, postal address)
  • Academic and training records
  • Certification and transcript data
  • Payment and billing information
  • Employment and HR-related data
  • Attendance, assessment, and performance records
  • Website usage and technical data (IP address, device type)
  • Images, audio, or video recordings (with notice and consent)

We do not intentionally collect sensitive personal data unless strictly necessary and lawful.


5. Data Rights of Individuals

We fully respect and uphold individual data rights, including the right to:

5.1 Access

Request confirmation of whether we process personal data and obtain a copy of that data.

5.2 Rectification

Request correction of inaccurate or incomplete data.

5.3 Erasure (“Right to be Forgotten”)

Request deletion of personal data where there is no lawful reason for continued processing.

5.4 Restriction of Processing

Request limitation of processing under certain conditions.

5.5 Data Portability

Receive personal data in a structured, commonly used, and machine-readable format where applicable.

5.6 Object

Object to processing based on legitimate interests or direct communications.

5.7 Withdraw Consent

Withdraw consent at any time where processing is based on consent.

We respond to rights requests promptly, lawfully, and without discrimination.


6. No Spamming Policy

6.1 Zero Tolerance for Spam

We strictly prohibit spam.

This means:

  • No unsolicited bulk emails
  • No unsolicited SMS or messaging
  • No unauthorized promotional communication
  • No selling, renting, or trading of contact lists

6.2 Communications

Communications are sent only when:

  • An individual has opted in
  • It is necessary for training, certification, or contractual purposes
  • There is a legitimate educational or operational need

6.3 Opt-Out

Every non-essential communication includes a clear and simple opt-out mechanism.


7. No Unauthorized Use or Sharing of Data

7.1 Prohibition

Personal data shall never be:

  • Sold
  • Traded
  • Licensed
  • Shared with third parties for marketing
  • Used for political profiling or manipulation

7.2 Third Parties and Processors

Where third-party service providers are used (e.g., hosting, email, payment systems), we ensure:

  • Written data protection agreements
  • Confidentiality obligations
  • Adequate security standards
  • Use of data strictly according to our instructions

8. Responsible Use of Cookies and Similar Technologies

8.1 What Are Cookies

Cookies are small text files placed on a device to enable functionality, security, analytics, and user experience improvements.

8.2 Types of Cookies We Use

a) Strictly Necessary Cookies

Required for website functionality, security, and access to services. These cannot be disabled.

b) Functional Cookies

Remember preferences such as language or session settings.

c) Analytical Cookies

Help us understand website usage patterns to improve content and services.
These are used only in aggregated and anonymized form.

d) Performance Cookies

Monitor technical performance and system reliability.

8.3 What We Do NOT Do with Cookies

  • No tracking for invasive advertising
  • No cross-site behavioral profiling
  • No sale of cookie data
  • No hidden or deceptive cookie placement

8.4 Cookie Consent and Control

Users are informed about cookies and can:

  • Accept or reject non-essential cookies
  • Modify cookie preferences
  • Clear cookies at any time through browser settings

9. Data Security Measures

We apply layered security controls, including:

  • Encrypted data storage and transmission
  • Secure servers and hosting environments
  • Access controls and role-based permissions
  • Staff confidentiality obligations
  • Regular system updates and security reviews
  • Secure backups and disaster recovery planning

10. Staff, Trainer, and Volunteer Responsibilities

All personnel must:

  • Access data strictly on a need-to-know basis
  • Maintain confidentiality at all times
  • Avoid copying or exporting data without authorization
  • Report suspected breaches immediately
  • Complete data protection awareness training

Violation of this Policy may result in disciplinary action, termination, or legal consequences.


11. Data Breach Management

In the event of a personal data breach, we will:

  1. Act immediately to contain and assess the breach
  2. Investigate root causes
  3. Notify affected individuals where required
  4. Notify authorities where legally mandated
  5. Implement corrective and preventive measures

12. Children and Youth Data Protection

We take special care when processing data relating to youth:

  • Lawful basis and parental/guardian consent where required
  • Enhanced safeguards
  • Minimal data collection
  • No profiling or marketing to minors

13. International Data Transfers

Where data is transferred across borders, we ensure:

  • Adequate legal safeguards
  • Equivalent levels of protection
  • Secure transfer mechanisms

14. Retention and Deletion Policy

Data retention periods are defined according to:

  • Academic and certification requirements
  • Legal and regulatory obligations
  • Financial and audit needs

Secure deletion methods are used when retention periods expire.


15. Governance and Accountability

We designate internal responsibility for data protection compliance, oversight, and policy enforcement.
Regular reviews ensure continuous improvement.


16. Complaints and Dispute Resolution

Individuals may raise concerns or complaints regarding data handling without fear of retaliation.
We commit to fair, timely, and transparent resolution.


17. Policy Updates

This Policy may be updated to reflect legal, technological, or operational changes.
Material updates will be communicated clearly.


18. Our Commitment

Kenya Coffee School and Barista Mtaani believe that data dignity is human dignity.
We are committed to ethical education, sustainable development, and trust—online and offline.

No spamming.
No unauthorized data use.
No compromise on privacy.

This Policy reflects who we are and how we serve—with integrity, responsibility, and respect.

Call: 0707503647 or 0704375390