Data Protection Policy

Our commitment

Nrold Ltd is committed to handling all personal data in accordance with the Kenya Data Protection Act 2019 (DPA) and any applicable regional data protection regulations in the markets we operate.

Data controller

Nrold Ltd acts as the data controller for all personal data collected through nrold.com and its associated services.

Lawful basis for processing

We process personal data on the following lawful bases:

• Contract performance — processing necessary to provide hosting services you have purchased.
• Legal obligation — processing required to comply with Kenyan tax and regulatory requirements.
• Legitimate interests — processing for fraud prevention, security monitoring, and service improvement.

Data minimisation

We collect only the data necessary to provide our services. We do not collect sensitive personal data as defined under the DPA unless specifically required for a service.

Cross-border data transfers

Some client data is processed outside Kenya by our infrastructure partners (Hetzner in South Africa, Cloudflare globally). These transfers are made under appropriate safeguards consistent with DPA requirements.

Data breach response

In the event of a personal data breach, we will:

• Contain the breach within 24 hours of discovery.
• Notify the Office of the Data Protection Commissioner within 72 hours where required.
• Notify affected clients without undue delay if there is a high risk to their rights and freedoms.

Data Protection Officer

For data protection queries, contact info@nrold.com with the subject line “Data Protection Query”.

Complaints

If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya at www.odpc.go.ke.