NyumbaPro's commitment to data protection and compliance with the General Data Protection Regulation (GDPR).
This GDPR Compliance Statement outlines how NyumbaPro Ltd ("we," "us," or "our") complies with the General Data Protection Regulation (GDPR) for our users in the European Union and European Economic Area.
NyumbaPro is committed to protecting your personal data and ensuring compliance with GDPR requirements. This page provides detailed information about our compliance measures, your rights, and how we handle your data.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, in the European Union. It regulates how organizations collect, use, store, and protect personal data of individuals in the EU.
NyumbaPro is fully committed to GDPR compliance for all our EU users. We have implemented comprehensive measures to ensure we meet all GDPR requirements.
We adhere to the seven key principles of GDPR in all our data processing activities:
- We process personal data lawfully, fairly, and transparently. Our Privacy Policy and Terms of Service clearly explain how we use your data.
- We collect personal data only for specified, explicit, and legitimate purposes. We do not process data in ways incompatible with these purposes.
- We only collect data that is adequate, relevant, and limited to what is necessary for our purposes.
- We take reasonable steps to ensure personal data is accurate and kept up to date.
- We keep personal data only for as long as necessary for the purposes for which it was collected.
- We implement appropriate security measures to protect personal data against unauthorized access, loss, or damage.
- We are responsible for and can demonstrate compliance with all GDPR principles.

Under GDPR, you have the following rights regarding your personal data:
- You have the right to obtain confirmation about whether we process your personal data and access to that data.
- You have the right to have inaccurate personal data corrected and incomplete data completed.
- You have the right to have your personal data deleted under certain circumstances ("right to be forgotten").
- You have the right to restrict the processing of your personal data under certain conditions.
- You have the right to receive your personal data in a structured, commonly used format and transmit it to another controller.
- You have the right to object to the processing of your personal data under certain circumstances.
- You have the right not to be subject to decisions based solely on automated processing that produce legal effects.
- Where processing is based on consent, you have the right to withdraw consent at any time.

To exercise any of your GDPR rights, please:
We will respond to all valid requests within 30 calendar days as required by GDPR.
We offer a GDPR-compliant Data Processing Agreement to all our EU customers. This agreement outlines our responsibilities as a data processor and your rights as a data controller.
We conduct regular Data Protection Impact Assessments for high-risk processing activities to identify and mitigate data protection risks.
We maintain detailed records of all data processing activities as required by GDPR Article 30.
We implement appropriate technical and organizational measures including:
| GDPR Requirement | Our Implementation | Status |
|---|---|---|
| Data Protection Officer | Appointed DPO and contact information provided | Compliant |
| Privacy by Design | Data protection integrated into all systems and processes | Compliant |
| Data Breach Notification | 72-hour notification process implemented | Compliant |
| Data Subject Rights | Mechanisms for exercising all GDPR rights | Compliant |
| International Transfers | Standard Contractual Clauses in place | Compliant |
| Records of Processing | Complete records maintained and updated regularly | Compliant |
We process personal data based on the following lawful bases:
Our data processing follows this structured flow:
1. Data Collection
2. Consent & Validation
3. Secure Storage
4. Processing
5. Protection

For data transfers outside the EEA, we use appropriate safeguards including:
We have implemented a comprehensive data breach response plan that includes:
- Immediate detection and containment of any suspected breach within 24 hours
- Risk assessment and notification to supervisory authority within 72 hours if required
- Communication to affected data subjects without undue delay
- Implementation of corrective measures and prevention of recurrence
- Complete documentation of the breach and review of response procedures

In the event of a data breach, we will:
NyumbaPro has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance and handle all data protection inquiries.
Name: Data Protection Officer
Email: dpo@nyumbapro.co.ke
Phone: +254 725 965 041 (ext. 101)
Address: NyumbaPro Ltd, Westlands Business Center, Nairobi, Kenya
Our DPO is available to handle all GDPR-related inquiries, data subject requests, and privacy concerns.
Yes, GDPR applies to any organization that processes personal data of individuals in the European Union, regardless of where the organization is located. Since NyumbaPro has users in the EU, we are subject to GDPR requirements.
You can submit a DSAR by emailing our DPO at dpo@nyumbapro.co.ke. Please include "Data Subject Access Request" in the subject line and provide sufficient information to verify your identity. We will respond within 30 calendar days as required by GDPR.
When you cancel your account, we retain your data for 30 days in case you wish to reactivate. After 30 days, we begin the data deletion process. Some data may be retained for legal or legitimate business purposes as outlined in our Privacy Policy. You can request immediate deletion by contacting our DPO.
Yes, we use some third-party sub-processors (like cloud hosting providers). All our sub-processors are carefully vetted and required to sign Data Processing Agreements that include GDPR compliance obligations. We maintain a list of sub-processors that is available upon request.
For data transfers outside the European Economic Area, we use Standard Contractual Clauses (SCCs) approved by the European Commission. We also implement additional technical safeguards to ensure adequate protection of personal data during international transfers.
We regularly review and update our GDPR compliance measures. This page was last updated on January 30, 2026. Significant changes will be communicated to affected users.
Upon request, we can provide:
For GDPR-related inquiries, please contact:
If you have additional questions about our GDPR compliance or need assistance with data protection matters, please don't hesitate to contact us.
NyumbaPro is dedicated to protecting your personal data and ensuring full compliance with international data protection regulations.