Privacy Policy
Last Updated: 27th January 2026
INTRODUCTION
The Ndege Group, Africa’s Sovereign Development Trust® (“we,” “us,” or “our”), maintains an unwavering commitment to safeguarding your privacy and protecting your personal data with the highest standards of diligence and integrity. This commitment is anchored in our strict adherence to the Data Protection Act, 2019 of Kenya, the UK General Data Protection Regulation (UK GDPR), and the Seychelles Data Protection Act, 2021.
This Privacy Policy provides comprehensive detail on how we collect, use, store, share, and protect your personal data when you visit or interact with our website at www.thendegegroup.com (the “Website”), engage with our official social media channels, or communicate with us through any digital medium. By accessing or using the Website or engaging with our institutional presence across digital platforms, you acknowledge and consent to the data practices described herein.
ARTICLE 1: DATA CONTROLLER
The data controller responsible for the processing of personal data collected through the Website and associated digital platforms is:
Brand, People & Culture Desk
The Ndege Group Nominees Limited for Africa’s Sovereign Development Trust®
Head Office:
UN Crescent, Gigiri
P.O. Box 43112-00100
Nairobi, Kenya
Trust’s Domicile:
1st Floor, Eden Plaza, Eden Island
Victoria, The Seychelles
U.K. Mailing Address:
116 Pall Mall, St. James’s
London, SW1Y 5ED, United Kingdom
Primary Contact: hello@thendegegroup.com | +254 799 504 111
Legal Enquiries: legal@ndege.co.
ARTICLE 2: CATEGORIES OF PERSONAL DATA COLLECTED
We may collect and process the following categories of personal data when you interact with our digital properties:
2.1 Identity and Contact Information
This encompasses data such as your full name, professional title, organisational affiliation, email address, telephone number, postal address, and any other identifying information you provide when completing contact forms, subscribing to communications, submitting enquiries via the Website, or engaging through direct messages on social media platforms.
2.2 Technical and Usage Data
Information concerning your interaction with and navigation of the Website, including but not limited to: Internet Protocol (IP) address, browser type and version, device identifiers, operating system, time zone settings, referring and exit pages, clickstream data, pages viewed, time spent on pages, search queries, and other diagnostic data. This category also includes aggregated, non-personally identifiable data from your interactions with our social media channels (such as engagement metrics, reach data, and interaction patterns) as provided by social media platforms in accordance with their analytics services.
This data is collected through automated technologies including cookies, web beacons, server logs, and third-party analytics tools such as Google Analytics.
2.3 Communications and Correspondence Data
Details from emails, letters, telephone conversations, chat interactions, and any other communications you send to us or exchange with us, including information shared via direct messages on social media platforms. This includes the content of your messages, metadata associated with communications, and any attachments you provide.
2.4 Voluntarily Submitted Information
Any additional information you elect to provide, including but not limited to: feedback on our initiatives, survey responses, details related to project enquiries or collaboration interests, research participation data, event registration information, curriculum vitae or professional credentials submitted for partnership opportunities, and any other data you choose to share whether via the Website, social media platforms, or direct communication channels.
2.5 Special Categories of Data
We do not routinely collect special categories of personal data (also known as sensitive personal data), which include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. Should circumstances arise requiring the processing of such data, we will seek your explicit consent and implement enhanced safeguards as required by applicable data protection law.
2.6 Children’s Data
We do not knowingly collect, process, or solicit personal data from individuals under the age of 16 without verifiable parental or guardian consent. Our services are not directed towards children. If you believe that we may have inadvertently collected personal data from a child under 16 without appropriate consent, please contact us immediately at legal@ndege.co.ke so that we may take prompt action to investigate and, if necessary, delete such data in accordance with our legal obligations.
ARTICLE 3: METHODS OF DATA COLLECTION
We gather personal data through the following methodologies:
3.1 Direct Interactions and Voluntary Provision
You provide data directly when you: complete forms on our Website (including contact forms, newsletter subscriptions, enquiry forms, and registration forms); engage with live chat features or customer service interfaces; communicate with us via email, telephone, postal mail, or direct messaging on social media platforms; participate in surveys, feedback mechanisms, or research initiatives; register for events, webinars, or institutional programmes; submit applications for partnerships, collaborations, or professional opportunities; or voluntarily share information in the course of any interaction with our organisation.
3.2 Automated Collection Technologies
As you navigate and interact with our Website, we automatically collect Technical and Usage Data through: cookies (small text files stored on your device); web beacons and pixel tags (transparent graphic images placed on web pages or in emails); server logs (records of server activity); analytics platforms such as Google Analytics, which provide aggregated usage statistics; and session replay tools that may record anonymised browsing sessions to improve user experience.
For detailed information on our use of cookies and similar technologies, please refer to our Cookie Policy.
3.3 Social Media Platform Data
We collect aggregated usage and engagement data from social media platforms regarding interactions with our official social media channels. This data is provided by the platforms in accordance with their terms of service and is subject to the privacy settings and policies of those platforms. The extent of data we receive depends on your privacy settings on each platform and the permissions you have granted.
3.4 Third-Party Sources and Public Information
We may receive personal data about you from various third-party sources and publicly available channels, including but not limited to: analytics providers (such as Google Analytics) that supply technical and usage data; advertising networks and search information providers; publicly accessible databases, registries, and directories; social media platforms where you have made information publicly available or granted permission for data sharing; professional networking platforms; business partners, affiliates, or sub-contractors who provide services on our behalf; and publicly available sources such as institutional websites, published research, media articles, and government registries.
ARTICLE 4: PURPOSES AND LEGAL BASIS FOR PROCESSING
We process your personal data for specific, explicit, and legitimate purposes, relying on appropriate legal bases under the Data Protection Act, 2019 of Kenya:
4.1 Service Provision and Communication
Purpose: To fulfil your requests, respond to enquiries, provide information about our initiatives and projects, deliver services you have requested, manage our relationship with you, and facilitate communications initiated via any channel including social media.
Legal Basis: Performance of a contract with you, or taking steps at your request prior to entering into a contract (Section 32(a) of the Data Protection Act, 2019); or our legitimate interests in communicating effectively with stakeholders and managing our institutional operations (Section 32(f) of the Data Protection Act, 2019).
4.2 Website and Digital Platform Optimisation
Purpose: To analyse usage patterns, identify and resolve technical issues, conduct user experience research, enhance functionality, improve content relevance and quality, optimise navigation and accessibility, and refine our digital engagement strategies across all platforms.
Legal Basis: Our legitimate interests in understanding how our digital properties are utilised to continuously improve our services and better serve our stakeholders (Section 32(f) of the Data Protection Act, 2019).
4.3 Marketing, Communications, and Stakeholder Engagement
Purpose: To send newsletters, institutional updates, promotional materials, event invitations, research publications, policy briefs, and other information about our activities, services, programmes, and initiatives, where you have consented to receive such communications or where we have a legitimate interest in doing so.
Legal Basis: Your explicit consent (Section 32(b) of the Data Protection Act, 2019); or our legitimate interests in promoting our activities to relevant audiences, maintaining stakeholder relationships, and advancing the mission of Africa’s Sovereign Development Trust® (Section 32(f) of the Data Protection Act, 2019). You retain the absolute right to withdraw consent or object to processing at any time.
4.4 Legal and Regulatory Compliance
Purpose: To meet our regulatory, statutory, and legal obligations under Kenyan, Seychellois, and United Kingdom law, including but not limited to tax reporting, anti-money laundering requirements, counter-terrorism financing obligations, data protection compliance, financial reporting, audit requirements, and responding to lawful requests from regulatory authorities or law enforcement.
Legal Basis: Compliance with legal obligations to which we are subject (Section 32(c) of the Data Protection Act, 2019).
4.5 Protection of Rights, Security, and Fraud Prevention
Purpose: To prevent, detect, and investigate fraud, unauthorised access, security breaches, and other unlawful activities; enforce our Terms of Use and other legal agreements; protect and defend our intellectual property rights; maintain the security and integrity of our systems; prevent misuse of our services; and defend against legal claims or proceedings.
Legal Basis: Our legitimate interests in protecting our business, institutional reputation, rights, assets, and the security of our users and stakeholders (Section 32(f) of the Data Protection Act, 2019); compliance with legal obligations (Section 32(c) of the Data Protection Act, 2019).
4.6 Research, Development, and Institutional Advancement
Purpose: To conduct research into developmental frameworks, policy effectiveness, and institutional impact; develop new methodologies and services; advance the objectives of Africa’s Sovereign Development Trust®; and contribute to the body of knowledge in sovereign-scale development coordination.
Legal Basis: Our legitimate interests in advancing our institutional mission, contributing to academic and policy discourse, and developing innovative approaches to continental development challenges (Section 32(f) of the Data Protection Act, 2019).
4.7 Business Operations and Strategic Planning
Purpose: To administer and improve our internal operations, conduct data analysis and testing, maintain records, perform financial and accounting functions, engage in strategic planning, assess institutional performance, and ensure business continuity.
Legal Basis: Our legitimate interests in operating efficiently and effectively as an organisation (Section 32(f) of the Data Protection Act, 2019).
ARTICLE 5: DATA SHARING, DISCLOSURE, AND INTERNATIONAL TRANSFERS
5.1 Categories of Recipients
We may share your personal data with the following categories of recipients, subject to appropriate safeguards and contractual obligations:
5.1.1 Service Providers and Processors
Trusted third-party service providers who perform functions on our behalf, including but not limited to: website hosting and infrastructure providers; cloud storage and computing services; data analytics and business intelligence platforms; email delivery and marketing automation services; customer relationship management (CRM) systems; social media management and monitoring tools; IT support, maintenance, and security services; professional advisors including legal counsel, auditors, and consultants; payment processors and financial service providers; and research partners and academic institutions.
These service providers are contractually obligated to process your data only as instructed by us, maintain confidentiality, implement appropriate security measures, and comply with applicable data protection laws.
5.1.2 Legal and Regulatory Authorities
When required by law, court order, legal process, or governmental request, we may disclose your personal data to: law enforcement agencies; regulatory bodies and supervisory authorities; tax authorities; courts and tribunals; and other public authorities or government entities.
We will only disclose the minimum amount of information necessary to comply with the legal requirement and will, where legally permissible, notify you of such disclosure.
5.1.3 Business Transfer Recipients
In the event of a merger, acquisition, sale of assets, reorganisation, restructuring, dissolution, or other corporate transaction or proceeding, your personal data may be transferred to the acquiring or successor entity. We will ensure that any such transfer is subject to equivalent or stronger data protection standards and will, where required by law, notify you of the transfer and provide you with choices regarding your data.
5.1.4 Professional Advisors and Partners
We may share data with professional advisors such as lawyers, accountants, auditors, and consultants who provide professional services to us, as well as strategic partners and collaborators involved in joint initiatives, subject to appropriate confidentiality obligations.
5.2 International Data Transfers
Given that Africa’s Sovereign Development Trust® maintains operational presence across multiple jurisdictions (Kenya, The Seychelles, and the United Kingdom), and utilises global service providers, some data processing activities may occur outside Kenya and may involve transfers to countries that have not received an adequacy determination from the Office of the Data Protection Commissioner (ODPC) in Kenya.
When transferring your personal data internationally, we ensure full compliance with the Data Protection Act, 2019 of Kenya by implementing appropriate safeguards, which may include:
5.2.1 Adequacy Decisions: Transferring data to countries or territories that have been determined by the ODPC to provide an adequate level of data protection.
5.2.2 Standard Contractual Clauses: Implementing Standard Contractual Clauses (also known as Model Clauses) approved by the ODPC or recognised international data protection authorities, which impose strict contractual obligations on the recipient to protect your data.
5.2.3 Binding Corporate Rules: Where applicable, relying on Binding Corporate Rules approved by competent data protection authorities.
5.2.4 Specific Consent: In certain circumstances, obtaining your explicit, informed consent for the specific transfer.
5.2.5 Jurisdictional Compliance: Ensuring that transfers to entities in the United Kingdom comply with the UK GDPR and that transfers to The Seychelles comply with the Seychelles Data Protection Act, 2021.
We take all reasonable steps to ensure that your data is treated securely and in accordance with this Privacy Policy and the requirements of applicable data protection law, regardless of where it is processed.
5.3 No Sale of Personal Data
We do not sell, rent, or trade your personal data to third parties for their marketing purposes. Any sharing of data is conducted solely for the purposes outlined in this Privacy Policy and under strict contractual and legal safeguards.
ARTICLE 6: DATA SECURITY AND PROTECTION MEASURES
6.1 Security Framework
We have implemented comprehensive technical and organisational measures designed to protect your personal data from accidental loss, unauthorised or unlawful access, use, alteration, disclosure, or destruction. Our security framework adheres strictly to the principles of security by design and by default as required by the Data Protection Act, 2019 of Kenya.
6.2 Technical Security Measures
Our technical security measures include, but are not limited to: encryption of data in transit using industry-standard protocols (such as TLS/SSL); encryption of sensitive data at rest; pseudonymisation and anonymisation techniques where appropriate; secure authentication mechanisms including multi-factor authentication; regular security patching and system updates; intrusion detection and prevention systems; firewalls and network segmentation; secure backup and disaster recovery systems; and regular vulnerability assessments and penetration testing.
6.3 Organisational Security Measures
Our organisational security measures include: strict access controls based on the principle of least privilege; role-based access management; confidentiality obligations and training for all personnel with access to personal data; background checks for personnel in sensitive roles; data protection impact assessments for high-risk processing activities; incident response and breach notification procedures; regular security awareness training; documented security policies and procedures; and third-party security audits and compliance assessments.
6.4 Limitations on Security
Whilst we implement rigorous security measures, it is important to acknowledge that no method of transmission over the internet or method of electronic storage is entirely secure. The transmission of information via the internet carries inherent risks. Whilst we strive to protect your personal data using industry-standard security practices, we cannot guarantee absolute security of data transmitted to our Website or through third-party platforms such as social media.
You are responsible for maintaining the confidentiality of any passwords or authentication credentials you use to access our services. We recommend using strong, unique passwords and enabling two-factor authentication where available.
ARTICLE 7: DATA RETENTION AND DELETION
7.1 Retention Principles
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, satisfy legal, accounting, or reporting requirements, establish or defend legal claims, or pursue legitimate business interests. Our retention practices are guided by the principles of data minimisation and storage limitation.
7.2 Specific Retention Periods
The retention periods for different categories of data are as follows:
7.2.1 Contact and Enquiry Data: Retained for the duration necessary to resolve your enquiry or fulfil your request, plus a reasonable administrative period (typically 12 to 24 months), or until you opt out of communications. Communications related to ongoing projects or partnerships may be retained for the duration of the relationship plus a period required for record-keeping purposes.
7.2.2 Usage and Analytics Data: Typically retained for a maximum of 24 months for analytical and Website optimisation purposes, unless a longer period is required for specific investigations, security monitoring, or legal obligations. Aggregated, anonymised analytics data may be retained indefinitely.
7.2.3 Marketing Communications Data: Retained until you unsubscribe or withdraw consent, plus a reasonable period to process your opt-out request and maintain suppression records to prevent future contact.
7.2.4 Legal and Compliance Data: Retained for periods mandated by applicable laws and regulations in Kenya, The Seychelles, and the United Kingdom. This may include retention for tax purposes (typically 6 to 7 years), audit requirements, litigation hold periods, or other statutory obligations.
7.2.5 Security and Fraud Prevention Data: Retained for as long as necessary to protect against security threats, investigate incidents, prevent fraud, and maintain the integrity of our systems, subject to legal retention requirements.
7.3 Secure Deletion and Anonymisation
Once personal data is no longer required for any lawful purpose and all retention obligations have expired, it is securely and permanently deleted or anonymised in a manner that prevents its reconstruction or re-identification. Deletion methods include secure erasure protocols, data shredding, and cryptographic deletion of encryption keys.
7.4 Archival and Historical Data
In limited circumstances, we may retain certain data for archival purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of appropriate safeguards for your rights and freedoms.
ARTICLE 8: YOUR DATA PROTECTION RIGHTS
Under the Data Protection Act, 2019 of Kenya, you possess comprehensive rights concerning your personal data. We are committed to facilitating the exercise of these rights:
8.1 Right to be Informed
You have the right to receive clear, transparent, and easily understandable information about how we collect, use, share, and protect your personal data, and about your rights. This Privacy Policy serves to fulfil this obligation.
8.2 Right of Access (Subject Access Right)
You have the right to obtain confirmation as to whether or not your personal data is being processed by us, and where that is the case, to access the personal data along with specific information about the processing, including: the purposes of processing; the categories of personal data concerned; the recipients or categories of recipients to whom the data has been or will be disclosed; the envisaged retention period; the source of the data if not collected directly from you; and the existence of automated decision-making, including profiling.
You may request a copy of your personal data undergoing processing. The first copy will be provided free of charge; additional copies may be subject to a reasonable administrative fee.
8.3 Right to Rectification
You have the right to request the correction of inaccurate personal data concerning you without undue delay. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
8.4 Right to Erasure (Right to be Forgotten)
You have the right to request the deletion or removal of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent on which processing is based and there is no other legal ground for processing; you object to processing and there are no overriding legitimate grounds for processing; the data has been unlawfully processed; the data must be erased for compliance with a legal obligation; or the data was collected in relation to the offer of information society services to a child.
This right is not absolute and may be limited where processing is necessary for: compliance with legal obligations; establishment, exercise, or defence of legal claims; archiving purposes in the public interest; or other lawful purposes specified in the Data Protection Act, 2019.
8.5 Right to Restriction of Processing
You have the right to request that we limit the way we use your personal data in the following circumstances: you contest the accuracy of the personal data (restriction applies during the period necessary to verify accuracy); the processing is unlawful but you oppose erasure and request restriction instead; we no longer need the personal data for processing purposes but you require it for the establishment, exercise, or defence of legal claims; or you have objected to processing pending verification of whether our legitimate grounds override your interests.
Where processing is restricted, we may store the data but not further process it without your consent, except for establishment, exercise, or defence of legal claims, protection of rights of another person, or reasons of important public interest.
8.6 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance, where: the processing is based on your consent or on the performance of a contract; and the processing is carried out by automated means.
You also have the right to have your personal data transmitted directly from us to another controller where technically feasible.
8.7 Right to Object
You have the right to object, on grounds relating to your particular situation, to processing of your personal data which is based on legitimate interests (including profiling). We will cease processing unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
You have the absolute right to object to processing of your personal data for direct marketing purposes at any time, including profiling related to such marketing. Upon such objection, we will cease processing your data for these purposes.
8.8 Right to Withdraw Consent
Where we rely on your consent as the legal basis for processing your personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You may withdraw consent by contacting us at legal@ndege.co.ke or by using the unsubscribe mechanism provided in marketing communications.
8.9 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates applicable data protection law.
The relevant supervisory authorities are:
In Kenya: Office of the Data Protection Commissioner (ODPC) - www.odpc.go.ke
In The Seychelles: Data Protection Commissioner
In the United Kingdom: Information Commissioner’s Office (ICO) - www.ico.org.uk
8.10 Exercise of Rights
To exercise any of these rights, please contact our Legal Desk at legal@ndege.co.ke with sufficient detail to enable us to identify you and process your request. We may require additional information to verify your identity before processing your request to ensure that personal data is not disclosed to unauthorised persons.
We will respond to your request without undue delay and in any event within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, in which case we will inform you of such extension and the reasons for delay.
We will not charge a fee for processing your request unless it is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse to act on the request.
ARTICLE 9: AUTOMATED DECISION-MAKING AND PROFILING
We do not currently engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. Should our practices change, we will update this Privacy Policy accordingly and, where required by law, obtain your explicit consent or provide you with the right to object.
Any analytics or profiling we conduct is for aggregate analysis purposes only and does not result in automated decisions that affect your legal rights or have similarly significant effects.
ARTICLE 10: THIRD-PARTY WEBSITES AND SERVICES
10.1 External Links
Our Website and social media channels may contain links to third-party websites, applications, plug-ins, or services not owned, controlled, or operated by The Ndege Group®. These links are provided solely for your convenience and information.
10.2 Third-Party Privacy Practices
We do not control and are not responsible for the privacy statements, content, or data practices of these third-party websites and services. When you click on such links or enable such connections, those third parties may collect or share data about you according to their own privacy policies.
We strongly encourage you to read the privacy policy and terms of use of every third-party website or service you visit or use.
10.3 Social Media Platforms
Your interactions on social media platforms are governed by the terms of service, privacy policies, and data practices of those specific platforms. We receive only the data that the platforms provide to us in accordance with your privacy settings and permissions on those platforms.
ARTICLE 11: UPDATES AND AMENDMENTS TO THIS PRIVACY POLICY
11.1 Right to Modify
We reserve the right to update, modify, or replace this Privacy Policy periodically to reflect changes in our data processing practices, organisational structure, legal obligations, regulatory requirements, technological developments, or best practices in data protection.
11.2 Notification of Changes
Any revisions will be effective immediately upon posting the updated Privacy Policy on the Website. The “Last Updated” date at the beginning of this policy will be revised to reflect the date of the most recent changes.
For material changes that significantly affect your rights or our processing practices, we will provide more prominent notice, which may include email notification to the address you have provided, a notice on our Website homepage, or other appropriate communication methods.
11.3 Continued Use Constitutes Acceptance
Your continued use of the Website or engagement with our digital platforms following the posting of any changes indicates your acknowledgement and acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy regularly to remain informed about how we are protecting your information and your rights.
ARTICLE 12: CHILDREN’S PRIVACY
12.1 Age Limitation
Our services are not intended for, marketed to, or designed to attract individuals under the age of 18. We do not knowingly collect, process, or solicit personal data from children under 18 years of age without verifiable parental or legal guardian consent.
12.2 Parental Responsibility
If you are a parent or legal guardian and become aware that your child has provided us with personal data without your consent, please contact us immediately at legal@ndege.co.ke. We will take prompt action to investigate and, if confirmed, delete such data from our systems unless we have a legal obligation to retain it.
12.3 Age Verification
If we learn that we have collected personal data from a child under 18 without appropriate parental consent, we will take immediate steps to delete that information and terminate the child’s account or access, if applicable.
ARTICLE 13: CONTACT INFORMATION AND DATA PROTECTION ENQUIRIES
13.1 Primary Contact
For any questions, comments, concerns, or requests regarding this Privacy Policy, our data processing practices, or to exercise your data protection rights, please contact:
Legal Desk
The Ndege Group Nominees Limited for Africa’s Sovereign Development Trust®
Head Office:
UN Crescent, Gigiri
P.O. Box 43112-00100
Nairobi, Kenya
Trust’s Domicile:
1st Floor, Eden Plaza, Eden Island
Victoria, The Seychelles
U.K. Mailing Address:
116 Pall Mall, St. James’s
London, SW1Y 5ED, United Kingdom
Email: legal@ndege.co.ke
Telephone: +254 799 504 111
General Enquiries: hello@thendegegroup.com
13.2 Response Commitment
We are committed to addressing your enquiries and requests promptly and thoroughly. We will acknowledge receipt of your communication and provide a substantive response within the timeframes required by applicable data protection law.
© 2026 David Okiki Amayo Jr. and The Ndege Group®. All rights reserved.
Africa’s Sovereign Development Trust® (ASDT) anchors the future.
www.thendegegroup.com
Cookie Policy
Last Updated: 27th January 2026
INTRODUCTION
The Ndege Group utilises cookies and similar tracking technologies on www.thendegegroup.com (the “Website”) to enhance your user experience, analyse Website performance and usage patterns, provide personalised content where appropriate, and maintain the security and functionality of our digital infrastructure.
This Cookie Policy provides comprehensive and transparent information about what cookies are, the specific types of cookies we employ, the purposes for which we use them, the duration for which they remain active, and the choices available to you regarding their use and management.
This Cookie Policy should be read in conjunction with our Privacy Policy, which provides detailed information about how we collect, use, and protect your personal data.
ARTICLE 1: UNDERSTANDING COOKIES AND SIMILAR TECHNOLOGIES
1.1 What Are Cookies?
Cookies are small text files containing strings of characters that are downloaded and stored on your computer, smartphone, tablet, or other internet-enabled device when you visit a website. These files enable websites to recognise your device, remember your preferences, track your browsing behaviour, and provide enhanced functionality.
Cookies typically contain information such as a unique identifier, the website domain name from which the cookie originated, the cookie’s lifespan, and a value (usually a randomly generated unique number).
1.2 How Cookies Function
When you visit a website, your web browser (such as Chrome, Firefox, Safari, or Edge) may accept cookies and store them on your device. On subsequent visits to the same website, the stored cookies are sent back to the originating website or to another website that recognises that cookie. This mechanism allows the website to recognise your device and remember information about your visit.
1.3 Types of Cookie Technologies
In addition to traditional cookies, we may employ similar technologies that serve comparable functions:
Web Beacons (also known as Pixel Tags or Clear GIFs): Tiny transparent graphic images placed on web pages or in emails that work in conjunction with cookies to track user behaviour, measure the effectiveness of communications, and gather usage statistics.
Local Storage Objects: Technologies such as HTML5 Local Storage and Flash Local Shared Objects that enable websites to store data locally on your device. These may have greater storage capacity than traditional cookies and may persist even after you clear your browser cookies.
Session Storage: Temporary storage that exists only for the duration of your browsing session and is deleted when you close your browser.
Fingerprinting Technologies: Techniques that collect information about your device configuration, browser settings, and other attributes to create a unique identifier for your device.
ARTICLE 2: CATEGORIES OF COOKIES WE USE
We employ various categories of cookies on our Website, each serving distinct purposes:
2.1 Essential Cookies (Strictly Necessary Cookies)
2.1.1 Purpose and Function
Essential cookies are fundamental to the operation of our Website and enable core functionalities without which the Website cannot function properly or provide certain features you have requested. These cookies are necessary for basic Website operations and security.
Specific functions include: authenticating users and preventing fraudulent use of login credentials; maintaining secure connections during your session; remembering your cookie consent preferences and choices; enabling shopping basket or form submission functionality; providing core security features such as CSRF (Cross-Site Request Forgery) protection; load balancing across servers to ensure optimal performance; and maintaining session state as you navigate between pages.
2.1.2 Legal Basis
Under the Data Protection Act, 2019 of Kenya and applicable data protection regulations, essential cookies do not require your explicit consent because they are strictly necessary for the provision of services you have explicitly requested or for the transmission of communications over an electronic communications network.
2.1.3 Examples
Examples of essential cookies we may use include: session identification cookies; authentication and security cookies; load balancer cookies; cookie consent status cookies; and user interface customisation cookies for accessibility features.
2.2 Performance and Analytics Cookies
2.2.1 Purpose and Function
Performance and analytics cookies collect information about how visitors interact with and use our Website. This data helps us understand usage patterns, identify popular content, diagnose technical issues, and continuously improve Website performance, content relevance, and user experience.
These cookies collect aggregated, anonymised information and do not identify you personally. The data gathered typically includes: pages visited and the order in which they were accessed; time spent on each page; Website navigation paths and user flows; links clicked and elements interacted with; error messages encountered; browser type, version, and plugins; device type, screen resolution, and operating system; referring websites and search terms used to find our Website; and geographic location at country or city level based on IP address.
2.2.2 Analytics Tools
We primarily utilise Google Analytics, a web analytics service provided by Google LLC. Google Analytics employs cookies to analyse Website usage and generate reports on Website activity. The information generated by the cookie about your use of the Website (including your IP address, which may be anonymised) is transmitted to and stored by Google on servers which may be located outside Kenya.
Google uses this information to evaluate your use of the Website, compile statistical reports on Website activity, and provide other services relating to Website and internet usage. Google may also transfer this information to third parties where required by law or where such third parties process the information on Google’s behalf.
2.2.3 Legal Basis
Your explicit consent is required for the use of performance and analytics cookies under the Data Protection Act, 2019 of Kenya. We will only deploy these cookies after you have provided your consent through our cookie consent mechanism.
2.2.4 Examples
Examples include: Google Analytics cookies (_ga, _gid, _gat); heatmap and session recording cookies; performance monitoring cookies; and A/B testing cookies.
2.3 Functionality Cookies
2.3.1 Purpose and Function
Functionality cookies enable enhanced features and personalisation of the Website based on your preferences and previous interactions. These cookies remember choices you make (such as language preference, region selection, or font size) to provide a more personalised, convenient, and efficient browsing experience.
Functions may include: remembering your language and regional preferences; recalling customisation choices such as text size, font preferences, or colour contrast settings for accessibility; storing information you have entered into forms to avoid re-entry; remembering whether you have been shown certain content to avoid repetitive displays; maintaining your preferences for multimedia content (such as video quality or autoplay settings); and providing personalised content recommendations based on your browsing history on our Website.
2.3.2 Legal Basis
Your consent is required for functionality cookies that are not strictly necessary for basic Website operation. We will request your consent through our cookie banner when you first visit the Website.
2.3.3 Examples
Examples include: language preference cookies; user interface customisation cookies; volume setting cookies for media content; and preference cookies for content display.
2.4 Targeting and Advertising Cookies (Marketing Cookies)
2.4.1 Purpose and Function
Targeting and advertising cookies track your browsing activity across our Website and across other websites to build a profile of your interests. This profile is then used to deliver advertisements, content, or communications that are more relevant and tailored to your interests.
These cookies may be set by us or by third-party advertising networks and partners with our permission. Functions include: tracking which pages you visit on our Website; tracking your visits to other websites; recording advertisements shown to you and whether you clicked on them; building an interest profile based on your browsing behaviour; delivering targeted advertisements on third-party websites (remarketing); measuring the effectiveness of advertising campaigns; limiting the number of times you see particular advertisements (frequency capping); and determining which advertisements to display based on your inferred interests.
2.4.2 Third-Party Advertising Networks
We may work with third-party advertising networks such as Google Ads, Facebook Pixel, LinkedIn Insight Tag, or other platforms. These networks place cookies on your device when you visit our Website and may track your subsequent visits to other websites in their network to deliver targeted advertisements.
2.4.3 Legal Basis
Your explicit consent is required for the use of targeting and advertising cookies under the Data Protection Act, 2019 of Kenya and applicable regulations such as the EU ePrivacy Directive. We will only deploy these cookies after you have actively consented through our cookie consent interface.
2.4.4 Examples
Examples include: Google Ads cookies; Facebook Pixel; LinkedIn Insight Tag; remarketing and retargeting cookies; conversion tracking cookies; and third-party advertising network cookies.
2.5 Social Media Cookies
2.5.1 Purpose and Function
Social media cookies are set by social media platforms when we integrate their services or features into our Website, such as social sharing buttons, embedded content (videos, posts, feeds), or social login functionality.
These cookies enable you to share content easily on social media platforms and may track your browsing behaviour both on and off our Website to build a profile for targeted advertising on those platforms.
2.5.2 Third-Party Control
Social media cookies are controlled by the respective social media platforms (such as Facebook, Twitter, LinkedIn, Instagram, YouTube). We do not control these cookies or the data collected by them. Your interactions with these features are governed by the privacy policies and cookie policies of the respective platforms.
2.5.3 Examples
Examples include: Facebook social plugins; Twitter sharing buttons; LinkedIn share buttons; YouTube embedded video cookies; and Instagram embedded content cookies.
ARTICLE 3: COOKIE DURATION AND PERSISTENCE
Cookies can be classified based on their duration:
3.1 Session Cookies
Session cookies are temporary and are automatically deleted when you close your web browser. They are used to maintain your session state as you navigate through the Website and to provide essential functionality during your visit.
3.2 Persistent Cookies
Persistent cookies remain on your device for a set period specified in the cookie (ranging from minutes to years) or until you manually delete them. They are used to remember your preferences across multiple visits, track long-term usage patterns, and provide personalised experiences on return visits.
The specific duration of each cookie varies depending on its purpose. Essential cookies typically persist for the duration of your session or for short periods (days to weeks), whilst analytics and marketing cookies may persist for longer periods (months to years).
ARTICLE 4: PURPOSES AND LEGAL BASIS FOR COOKIE USE
We use cookies for the following purposes, relying on appropriate legal bases:
4.1 Essential Website Operation
Purpose: To ensure the Website functions correctly, provide services you have requested, maintain security, prevent fraud, and enable core features such as secure login, form submission, and session management.
Legal Basis: Strictly necessary for the performance of our services and for security purposes (no consent required under the Data Protection Act, 2019 of Kenya).
4.2 Performance Analysis and Optimisation
Purpose: To analyse how visitors interact with the Website, understand usage patterns, identify technical issues, measure the effectiveness of content, and continuously improve Website performance, functionality, content relevance, and user experience.
Legal Basis: Your explicit consent (Section 32(b) of the Data Protection Act, 2019).
4.3 Personalisation and Enhanced User Experience
Purpose: To remember your preferences, customisation choices, and settings to provide a tailored, convenient, and efficient browsing experience across multiple visits.
Legal Basis: Your explicit consent (Section 32(b) of the Data Protection Act, 2019).
4.4 Marketing and Advertising
Purpose: To deliver targeted advertisements based on your interests, measure advertising effectiveness, conduct remarketing campaigns, and promote our activities and initiatives to relevant audiences.
Legal Basis: Your explicit consent (Section 32(b) of the Data Protection Act, 2019).
ARTICLE 5: MANAGING YOUR COOKIE PREFERENCES
You have comprehensive control over cookie usage and multiple mechanisms to manage your preferences:
5.1 Our Cookie Consent Tool
5.1.1 Initial Consent
Upon your first visit to the Website, a cookie consent banner may appear (provided your browser meets our minimum security protocol requirements), allowing you to review the types of cookies we use and make informed choices about which categories to accept or reject.
You may be able to choose to: accept all cookies; reject all non-essential cookies; or customise your preferences by accepting or rejecting specific cookie categories (performance, functionality, targeting).
5.1.2 Updating Preferences
You may be able to revisit and modify your cookie preferences at any time by clicking on the cookie settings link, typically located in the footer of the Website, or by clearing your cookies and revisiting the Website.
Changes to your cookie preferences will take effect immediately for future cookie deployment, though cookies already stored on your device will remain until they expire or are manually deleted.
5.2 Web Browser Cookie Settings
Most modern web browsers provide built-in controls that allow you to manage cookies, including the ability to:
5.2.1 Block All Cookies
You may be able to configure your browser to reject all cookies automatically. However, this may prevent you from accessing certain features of the Website and may impair functionality.
5.2.2 Block Third-Party Cookies
You may be able to configure your browser to accept cookies from the website you are visiting (first-party cookies) whilst blocking cookies from other domains (third-party cookies, typically used for advertising and tracking).
5.2.3 Delete Existing Cookies
You may be able to delete all cookies currently stored on your device. Note that this will also delete cookies that may be beneficial to you, such as those storing your preferences.
5.2.4 Receive Notifications
You may be able to configure your browser to notify you each time a cookie is set, allowing you to accept or reject it on a case-by-case basis. This option provides granular control but may significantly disrupt your browsing experience due to frequent notifications.
5.3 Browser-Specific Cookie Management Instructions
Cookie management procedures vary by browser. Please consult your browser’s help documentation:
Google Chrome: Settings > Privacy and security > Cookies and other site data
Mozilla Firefox: Options > Privacy & Security > Cookies and Site Data
Apple Safari: Preferences > Privacy > Cookies and website data
Microsoft Edge: Settings > Privacy, search, and services > Cookies and site permissions
Opera: Settings > Privacy & security > Cookies
Brave: Settings > Shields > Cookies and other site data
For mobile browsers, consult your device’s settings menu under Safari (iOS) or Chrome/Browser settings (Android).
5.4 Third-Party Opt-Out Tools
For certain analytics and advertising cookies, you may opt out directly through third-party tools:
5.4.1 Google Analytics Opt-Out
You can prevent Google Analytics from collecting data by installing the Google Analytics Opt-out Browser Add-on, available at: https://tools.google.com/dlpage/gaoptout
This add-on instructs the Google Analytics JavaScript not to send information to Google Analytics.
5.4.2 Advertising Opt-Out Services
You can opt out of interest-based advertising from participating companies through:
Digital Advertising Alliance (DAA): http://www.aboutads.info/choices/
European Interactive Digital Advertising Alliance (EDAA): http://www.youronlinechoices.eu/
Network Advertising Initiative (NAI): http://www.networkadvertising.org/choices/
Please note that opting out does not mean you will no longer receive advertisements; rather, the advertisements you receive will not be tailored to your interests based on your browsing behaviour.
5.4.3 Social Media Platform Settings
You can manage cookies and advertising preferences for social media platforms through their respective settings:
Facebook: Settings & Privacy > Settings > Ads
Twitter: Settings and privacy > Privacy and safety > Ads preferences
LinkedIn: Settings & Privacy > Account preferences > Advertising data
Google/YouTube: Ads Settings at https://adssettings.google.com/
5.5 Do Not Track (DNT) Signals
Some browsers offer a “Do Not Track” (DNT) setting that sends a signal to websites requesting that they do not track your browsing. Currently, there is no universal standard for how websites should respond to DNT signals. Our Website does not currently respond to DNT signals, but we provide you with alternative mechanisms to control cookie usage as described in this policy.
5.6 Consequences of Blocking or Deleting Cookies
Whilst you have the right to manage cookies according to your preferences, please be aware that blocking or deleting certain cookies may result in:
Loss of saved preferences and settings, requiring you to re-enter information on each visit; inability to access certain features or areas of the Website that rely on cookies for functionality; degraded user experience, reduced personalisation, and less efficient navigation; inability to maintain login sessions, potentially requiring repeated authentication; and impaired ability for us to analyse Website performance and make improvements.
Essential cookies are necessary for basic Website functionality. Blocking these cookies may prevent you from using fundamental features of the Website.
ARTICLE 6: THIRD-PARTY COOKIES AND EXTERNAL SERVICES
6.1 Third-Party Cookie Controllers
In addition to cookies set directly by The Ndege Group (first-party cookies), some cookies on our Website may be set by third-party services whose functionalities we integrate into the Website (third-party cookies).
These third parties may include: analytics providers (e.g., Google Analytics); advertising networks and partners; social media platforms (e.g., Facebook, Twitter, LinkedIn); content delivery networks (CDNs); embedded content providers (e.g., YouTube, Vimeo); and other service providers whose tools enhance Website functionality or performance.
6.2 Third-Party Privacy Policies
Third-party cookies are governed by the respective privacy policies and cookie policies of those third parties, not by this Cookie Policy. We do not control how third parties use cookies or the data they collect.
We encourage you to review the privacy and cookie policies of these third-party services:
Google Analytics Privacy Policy: https://policies.google.com/privacy
Google Ads Privacy Policy: https://policies.google.com/technologies/ads
Facebook Data Policy: https://www.facebook.com/privacy/explanation
Twitter Privacy Policy: https://twitter.com/en/privacy
LinkedIn Privacy Policy: https://www.linkedin.com/legal/privacy-policy
YouTube Privacy Policy: https://policies.google.com/privacy
6.3 Third-Party Data Processing
When you interact with third-party services integrated into our Website, those services may collect and process data according to their own policies. We cannot control and are not responsible for the data practices of these third parties.
By using features that involve third-party services (such as social sharing buttons or embedded videos), you consent to the data collection and processing practices of those services as governed by their policies.
ARTICLE 7: COOKIES AND PERSONAL DATA
7.1 Relationship with Privacy Policy
Some cookies may collect or process personal data, such as IP addresses, device identifiers, or browsing behaviour that can be linked to you. The processing of any personal data through cookies is governed by our Privacy Policy, which provides comprehensive information about how we collect, use, share, and protect your personal data.
This Cookie Policy should be read in conjunction with our Privacy Policy to gain a complete understanding of our data practices.
7.2 Legal Bases for Cookie Processing
Where cookies process personal data, we rely on the following legal bases under the Data Protection Act, 2019 of Kenya: your explicit consent for non-essential cookies (Section 32(b)); legitimate interests for certain analytics and security purposes (Section 32(f)); and necessity for performance of services for essential cookies (Section 32(a)).
7.3 Your Rights Regarding Cookie Data
To the extent that cookie data constitutes personal data, you possess all the data protection rights outlined in our Privacy Policy, including rights of access, rectification, erasure, restriction, data portability, and objection.
To exercise these rights regarding cookie data, please contact our Legal Desk at legal@ndege.co.ke.
ARTICLE 8: INTERNATIONAL DATA TRANSFERS VIA COOKIES
Some cookies, particularly those set by third-party service providers such as Google Analytics, may result in the transfer of data (including personal data such as IP addresses) to countries outside Kenya, including the United States and other jurisdictions.
These international transfers are subject to appropriate safeguards as described in our Privacy Policy, which may include: adequacy decisions recognising equivalent data protection standards; standard contractual clauses approved by data protection authorities; or your explicit consent for the specific transfer.
For more information about international data transfers and the safeguards we implement, please refer to Article 5 of our Privacy Policy.
ARTICLE 9: SECURITY OF COOKIE DATA
We implement appropriate technical and organisational measures to protect cookie data from unauthorised access, alteration, disclosure, or destruction. These measures include: secure transmission protocols (HTTPS/TLS); encryption of sensitive cookie data; access controls limiting who can access cookie data; secure server configurations; and regular security assessments and updates.
Third-party service providers that set cookies on our Website are contractually required to implement equivalent security measures.
However, please note that no method of electronic storage or transmission is completely secure. Whilst we strive to protect cookie data, we cannot guarantee absolute security.
ARTICLE 10: UPDATES AND AMENDMENTS TO THIS COOKIE POLICY
10.1 Right to Modify
We reserve the right to update, modify, or replace this Cookie Policy periodically to reflect changes in our use of cookies, technological developments, legal or regulatory requirements, or best practices in data protection and privacy.
10.2 Notification of Changes
Any revisions will be effective immediately upon posting the updated Cookie Policy on the Website. The “Last Updated” date at the beginning of this policy will be revised to reflect the date of the most recent changes.
For material changes that significantly affect cookie usage or your rights, we may provide more prominent notice through our Website or other appropriate communication methods.
10.3 Regular Review
We encourage you to review this Cookie Policy periodically to remain informed about how we use cookies and how you can manage your preferences.
ARTICLE 11: CONTACT INFORMATION AND COOKIE ENQUIRIES
For any questions, comments, concerns, or requests regarding this Cookie Policy, cookie usage, or to exercise your rights concerning cookie data, please contact:
Legal Desk
The Ndege Group Nominees Limited for Africa’s Sovereign Development Trust®
Head Office:
UN Crescent, Gigiri
P.O. Box 43112-00100
Nairobi, Kenya
Trust’s Domicile:
1st Floor, Eden Plaza, Eden Island
Victoria, The Seychelles
U.K. Mailing Address:
116 Pall Mall, St. James’s
London, SW1Y 5ED, United Kingdom
Email: legal@ndege.co.ke
Telephone: +254 799 504 111
General Enquiries: hello@thendegegroup.com
© 2026 David Okiki Amayo Jr. and The Ndege Group®. All rights reserved.
Africa’s Sovereign Development Trust® (ASDT) anchors the future.
www.thendegegroup.com