Effective Date: 12 August 2025
Controller: DRY Associates Ltd (“DRY”, “we”, “our”, “us”)
Registered address: [Insert full Kenyan address]
Contact: [Insert main email] | [Insert phone]
Data Protection Officer (DPO): [Insert DPO name/email]
1) What data we collect
- Name and WhatsApp/phone number.
- Any details you include in your message or lead form (enquiry context).
- Basic technical metadata generated by the messaging platform (e.g., timestamps).
We do not request sensitive data for enquiries.
2) Purpose and lawful bases
We process your data to:
- Contact you on WhatsApp to respond to and qualify your enquiry (consent).
- Keep minimal internal records of enquiries for reporting, compliance, and audit (legitimate interests) and to comply with laws that apply to investment firms (legal obligation).
3) Direct marketing and WhatsApp
We will only send you marketing communications on WhatsApp if you give us your explicit, specific, and informed consent.
- We will provide a separate opt-in mechanism (e.g., a checkbox) for marketing.
- We will only message you on WhatsApp about your enquiry.
- Every message will include how to opt out (reply STOP) and we will honour it promptly. ODPC
4) Sharing and disclosures
- Service providers/IT and messaging platforms (e.g., WhatsApp/Meta) that enable communications and secure storage.
- Regulators or authorities if legally required.
We do not sell your personal data.
5) International transfers
Some providers may process data outside Kenya and/or the EEA. When we transfer data internationally, we use appropriate safeguards (e.g., contractual clauses/adequacy) and assess the protection in destination countries. ODPC
We may transfer your data outside Kenya, but only under the following conditions as required by the Data Protection Act:
- The transfer is to a country with an adequate level of data protection as determined by the ODPC.
- We have put in place appropriate safeguards, such as standard contractual clauses.
- The transfer is necessary for a contract with you.
- You have given your explicit consent after being informed of the risks.
6) Retention
- Enquiries that do not become clients: retained for up to 12 months from last contact, then deleted.
- If you become a client: certain records are kept to meet financial‑services and anti‑money laundering requirements (typically 7 years after relationship end or as required by law). Kenya Law
7) Your rights
Under the Kenya DPA and the GDPR, you can:
- Access, correct, or delete your data.
- Object to or restrict processing (including direct marketing).
- Withdraw consent at any time (does not affect past processing).
- Request data portability (where applicable).
- Lodge a complaint with the Office of the Data Protection Commissioner (Kenya) or, if you are in the EEA/UK, your local data protection authority. ODPC
To exercise rights, contact our DPO at [Insert DPO email].
8) Children
Our services are for adults. We do not knowingly engage people under 18 (Kenya). For EEA residents, the default child age is under 16. ODPC
9) Security
We implement technical and organisational measures aligned to the Act and General Regulations (access controls, encryption in transit where available, least‑privilege access, logging). We will notify the ODPC and affected individuals of notifiable data breaches as required. ODPC
10) Sources of data
Data is provided by you via Meta lead forms and/or WhatsApp. Meta/WhatsApp process your data under their own privacy notices.
11) Changes
We may update this Policy. We will post the latest version with the effective date.