Nunuzi Privacy Policy

 

Effective Date: 1 April 2025

Last Updated: 20 April 2025

 

This Privacy Policy explains how Nunuzi (“Platform”), owned by Mamagas & Power Limited and operated by Saron Management Group Ltd (“we,” “us,” or “our”), collects, uses, stores, and protects your personal information when you use our website, mobile app, or related services.

 

By using Nunuzi, you consent to the collection and processing of your data in accordance with this Policy.


1. Scope & Compliance

 

This Policy is designed to comply with:

  • Kenya Data Protection Act, 2019
  • EU General Data Protection Regulation (GDPR) where applicable

2. Information We Collect

 

We collect the following types of information:

 

a. Information You Provide

  • Name, email address, phone number, and delivery address
  • Account login credentials
  • Payment and billing details
  • Merchant business information

 

b. Information We Collect Automatically

  • Device and browser type
  • IP address and location data
  • Platform usage and activity logs
  • Cookies and similar tracking technologies

 

c. Third-Party Data

  • Payment confirmations from payment processors
  • Delivery status updates from logistics partners

3. How We Use Your Information

 

We process personal data to:

  • Create and manage your account
  • Process orders and payments
  • Deliver products and services
  • Provide customer and technical support
  • Improve Platform performance and security
  • Send relevant updates, promotions, and offers (with your consent)
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

 

We process your data under one or more of the following legal bases:

  • Contractual necessity – to fulfil our service obligations to you
  • Legitimate interests – for business operations, fraud prevention, and service improvement
  • Consent – for marketing communications and optional features
  • Legal compliance – to meet statutory and regulatory requirements

5. Data Sharing

 

We may share your data with:

  • Payment providers – to process transactions securely
  • Merchants and riders – to fulfil your orders
  • IT and hosting providers – for platform operation and maintenance
  • Regulatory bodies – if required by law

 

We do not sell personal data to third parties.


6. Data Retention

 

We retain personal data only for as long as necessary to fulfil the purposes outlined in this Policy or as required by law. When no longer needed, data is securely deleted or anonymised.


7. Data Security

 

We implement appropriate technical and organisational measures to protect your data, including encryption, secure servers, and restricted access controls.


8. International Data Transfers

 

If your data is transferred outside Kenya or the EU, we ensure appropriate safeguards are in place, including standard contractual clauses or equivalent protections.


9. Your Rights (GDPR & Kenya DPA)

 

You have the right to:

  • Access a copy of your personal data
  • Request correction of inaccurate or incomplete data
  • Request deletion (“right to be forgotten”)
  • Object to processing for marketing or legitimate interest
  • Restrict processing in certain circumstances
  • Withdraw consent at any time

 

Requests can be made via support@nunuzi.com, and we will respond within the legally required time frame.


10. Cookies Policy

 

We use cookies to:

  • Keep you logged in
  • Analyse platform performance
  • Personalise content and offers

 

You can manage or disable cookies via your browser settings, but this may affect platform functionality.


11. Children’s Privacy

 

The Platform is not intended for individuals under 18 years old. We do not knowingly collect data from minors.


12. Changes to this Policy

 

We may update this Privacy Policy from time to time. Updates will be posted here with the “Last Updated” date, and continued use of the Platform constitutes acceptance of the updated policy.


13. Contact Us

 

Mamagas & Power Limited (Owner)

Operated by Saron Management Group Ltd

Attn: Data Protection Officer – Nunuzi

📧 Email: support@nunuzi.com

📞 Phone: +254 748 123 920

📍 Nairobi, Kenya


 

Data Processing Addendum (DPA)

 

Under the EU GDPR & Kenya Data Protection Act, 2019

 

Effective Date: 1 April 2025

Last Updated: 20 April 2025

 

This Data Processing Addendum (“Addendum”) forms part of the Merchant Agreement between:

 

Mamagas & Power Limited (Owner) and Saron Management Group Ltd (Operator), collectively referred to as “Nunuzi”, and the Merchant (referred to as “Processor”), together the “Parties.”


1. Purpose of this Addendum

 

This Addendum ensures that any processing of Personal Data by the Merchant on behalf of Nunuzi complies with the:

  • Kenya Data Protection Act, 2019
  • EU General Data Protection Regulation (GDPR) (where applicable)

2. Definitions

  • Controller – Nunuzi (Mamagas & Power Limited, operated by Saron Management Group Ltd), which determines the purposes and means of processing Personal Data.
  • Processor – The Merchant, which processes Personal Data on behalf of the Controller.
  • Personal Data – Any information relating to an identified or identifiable natural person (customer).
  • Processing – Any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.

3. Scope of Processing

 

The Processor will process Personal Data solely for the purposes of:

  • Fulfilling customer orders placed on the Nunuzi Platform
  • Coordinating delivery with riders
  • Communicating order updates to customers

 

The Processor must not process Personal Data for any other purpose without written approval from the Controller.


4. Data Categories

 

The Personal Data processed may include:

  • Customer name
  • Phone number
  • Delivery address
  • Order details
  • Payment confirmation (non-card details)

5. Merchant (Processor) Obligations

 

The Processor shall:

  1. Process data only in accordance with the documented instructions of the Controller.
  2. Implement security measures (including encryption and restricted access) to protect Personal Data.
  3. Maintain confidentiality and ensure all staff with access to data are bound by confidentiality agreements.
  4. Notify the Controller within 48 hours of any actual or suspected data breach.
  5. Assist the Controller in fulfilling customer rights requests (access, correction, deletion, restriction).
  6. Not transfer data outside Kenya or the EEA without prior written consent and lawful safeguards.
  7. Delete or return all Personal Data to the Controller upon termination of the merchant agreement.

6. Security Measures

 

The Processor must adopt measures proportionate to the risk, including:

  • Encrypted data storage and transmission
  • Access controls and user authentication
  • Regular staff training on data protection
  • Secure disposal of printed or stored data

7. Sub-Processing

 

The Processor may not engage any sub-processor (e.g., another delivery service or third-party vendor) to process Personal Data without the written consent of the Controller.


8. Data Breach Notification

 

In case of a breach, the Processor must:

  • Notify the Controller within 48 hours
  • Provide full details of the breach, including affected data, number of data subjects, and remedial actions taken

9. Audit Rights

 

The Controller reserves the right to audit the Processor’s compliance with this Addendum on reasonable notice.


10. Term & Termination

 

This Addendum will remain in effect as long as the Merchant processes Personal Data on behalf of Nunuzi. Upon termination, the Processor must securely delete or return all data within 7 days.


11. Governing Law

 

This Addendum is governed by the laws of Kenya. Where GDPR applies, EU data protection law will also be observed. Any disputes shall be resolved in Kenyan courts.