PRIVACY POLICY
Koala Education Consultants have created this privacy statement in order to demonstrate our firm commitment to privacy.
Koala Education Consultants (Kenya) ("Koala", "we", "us", "our") is the data controller responsible for personal data processed through our website (koala.co.ke) and services. Koala is located at 4th Floor, Grenadier Tower, Woodvale Grove, Westlands, Nairobi, Kenya, with data protection contact: info@koala.co.ke or +254 780359830.
Purposes of Processing and Lawful Bases
Personal data is processed to provide education consultancy services:
- Appointment booking: contract performance.
- Application assistance: contract performance or legitimate interests.
- Event RSVPs: consent or contract.
- Marketing communications: consent.
Lawful bases under Kenya's Data Protection Act 2019 (DPA) Section 30 include consent, contract performance, legal obligation, and legitimate interests (e.g., service improvement). For EU residents, these align with GDPR Article 6 equivalents.
Categories of Personal Data Collected per Form
- Book an Appointment: Name, contact details (email/phone), appointment date/time, preference (online/physical) – mandatory for service delivery (contract basis).
- Apply Now: Name, age, email, education level/course sought, funder details, nationality, supporting documents – mandatory fields for contract; optional for marketing.
- RSVP for Open Days/Fairs: Name, email/phone, event selection, attendance confirmation – consent-based.
No special category data (e.g., health, biometrics) is routinely collected.
Special Categories and Minors Handling
Special category data, if voluntarily disclosed (e.g., health information in documents), requires explicit consent under DPA Section 33.
For minors under 18, parental/guardian consent is mandatory. Verification occurs via ID upload or follow-up call/email. Processing supports the child's best interests in education guidance.
How Data is Collected
Data is collected directly via website forms and from third parties (e.g., CRM, email providers, appointment booking tools). No cookies are used on this website.
Recipients, Third Parties, and Cross-Border Transfers
Data is shared with processors under Data Processing Agreements (DPAs):
- CRM systems.
- Email marketing providers.
- Website hosting.
- Analytics and appointment booking tools.
Cross-border transfers (e.g., to Australian universities) use safeguards: Standard Contractual Clauses (SCCs), encryption in transit/at rest, or pseudonymization. No transfers occur without appropriate safeguards per DPA Regulations.
Retention Periods and Deletion Rules
- Appointment bookings: 2 years post-appointment (service records).
- Application records: 7 years (contract/legal claims).
- RSVP data: 1 year post-event.
- Marketing lists: Until consent withdrawn.
Post-retention, data is securely deleted, pseudonymized, or anonymized.
Data Subject Rights and How to Exercise Them
Data subjects have rights under DPA Section 26: access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, and withdrawal of consent.
Submit requests (DSAR) to info@koala.co.ke. Verification (e.g., ID copy) required. Response within 14 days (extendable to 90 days for complex cases). No fee unless excessive. For EU residents, GDPR-equivalent timelines apply.
Complaints
Contact Koala's data protection team first at info@koalaeducation.co.ke.
Escalate to Office of the Data Protection Commissioner (ODPC): P.O. Box 34714-00100, Nairobi; complaints@odpc.go.ke; www.odpc.go.ke. EU residents may contact relevant supervisory authority.
Security Measures and Breach Notification
Technical/organizational measures include:
- Encryption (TLS 1.3 in transit, AES-256 at rest).
- Role-based access controls.
- Activity logging and monitoring.
-Staff training and annual audits.
Breaches notified to ODPC within 72 hours and affected individuals without undue delay.
Automated Decision-Making and Profiling
No automated decision-making or profiling occurs.
Changes to This Policy
Policy updated periodically. Changes posted here with effective date. Continued use constitutes acceptance.
Contact Details
Data Protection Contact:
info@koala.co.ke
+254 780359830
4th Floor, Grenadier Tower, Woodvale Grove, Westlands, Nairobi, Kenya
Koala Education Consultants (Kenya)
Last updated 24th February 2026
PRIVACY POLICY
Koala Education Consultants have created this privacy statement in order to demonstrate our firm commitment to privacy.
Koala Education Consultants (Kenya) ("Koala", "we", "us", "our") is the data controller responsible for personal data processed through our website (koala.co.ke) and services. Koala is located at 4th Floor, Grenadier Tower, Woodvale Grove, Westlands, Nairobi, Kenya, with data protection contact: info@koala.co.ke or +254 780359830.
Purposes of Processing and Lawful Bases
Personal data is processed to provide education consultancy services:
- Appointment booking: contract performance.
- Application assistance: contract performance or legitimate interests.
- Event RSVPs: consent or contract.
- Marketing communications: consent.
Lawful bases under Kenya's Data Protection Act 2019 (DPA) Section 30 include consent, contract performance, legal obligation, and legitimate interests (e.g., service improvement). For EU residents, these align with GDPR Article 6 equivalents.
Categories of Personal Data Collected per Form
- Book an Appointment: Name, contact details (email/phone), appointment date/time, preference (online/physical) – mandatory for service delivery (contract basis).
- Apply Now: Name, age, email, education level/course sought, funder details, nationality, supporting documents – mandatory fields for contract; optional for marketing.
- RSVP for Open Days/Fairs: Name, email/phone, event selection, attendance confirmation – consent-based.
No special category data (e.g., health, biometrics) is routinely collected.
Special Categories and Minors Handling
Special category data, if voluntarily disclosed (e.g., health information in documents), requires explicit consent under DPA Section 33.
For minors under 18, parental/guardian consent is mandatory. Verification occurs via ID upload or follow-up call/email. Processing supports the child's best interests in education guidance.
How Data is Collected
Data is collected directly via website forms and from third parties (e.g., CRM, email providers, appointment booking tools). No cookies are used on this website.
Recipients, Third Parties, and Cross-Border Transfers
Data is shared with processors under Data Processing Agreements (DPAs):
- CRM systems.
- Email marketing providers.
- Website hosting.
- Analytics and appointment booking tools.
Cross-border transfers (e.g., to Australian universities) use safeguards: Standard Contractual Clauses (SCCs), encryption in transit/at rest, or pseudonymization. No transfers occur without appropriate safeguards per DPA Regulations.
Retention Periods and Deletion Rules
- Appointment bookings: 2 years post-appointment (service records).
- Application records: 7 years (contract/legal claims).
- RSVP data: 1 year post-event.
- Marketing lists: Until consent withdrawn.
Post-retention, data is securely deleted, pseudonymized, or anonymized.
Data Subject Rights and How to Exercise Them
Data subjects have rights under DPA Section 26: access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, and withdrawal of consent.
Submit requests (DSAR) to info@koala.co.ke. Verification (e.g., ID copy) required. Response within 14 days (extendable to 90 days for complex cases). No fee unless excessive. For EU residents, GDPR-equivalent timelines apply.
Complaints
Contact Koala's data protection team first at info@koalaeducation.co.ke.
Escalate to Office of the Data Protection Commissioner (ODPC): P.O. Box 34714-00100, Nairobi; complaints@odpc.go.ke; www.odpc.go.ke. EU residents may contact relevant supervisory authority.
Security Measures and Breach Notification
Technical/organizational measures include:
- Encryption (TLS 1.3 in transit, AES-256 at rest).
- Role-based access controls.
- Activity logging and monitoring.
-Staff training and annual audits.
Breaches notified to ODPC within 72 hours and affected individuals without undue delay.
Automated Decision-Making and Profiling
No automated decision-making or profiling occurs.
Changes to This Policy
Policy updated periodically. Updated changes posted here & continued use constitutes acceptance.
Contact Details
Data Protection Contact:
info@koala.co.ke
+254 780359830
4th Floor, Grenadier Tower, Woodvale Grove, Westlands, Nairobi, Kenya
Koala Education Consultants (Kenya)
Last updated 24th February 2026