NORTHGATE POLICY AND RESEARCH CENTER — Data Protection Notice
Effective: 1 January 2026 · Last updated: 10 June 2026NORTHGATE POLICY AND RESEARCH CENTER ("Northgate Research", "we", "us", "our") is an independent research consultancy established in 2026 and based in Ruiru, Kiambu County, Kenya.
We are registered with the Office of the Data Protection Commissioner (ODPC) of Kenya as both a Data Controller and a Data Processor under the Data Protection Act 2019 (Cap. 411C).
Our Designated Data Protection Officer (DPO) is:
Dr. David Mutabari
Director, Northgate Research & Policy Center
Email: davidmutabari42@gmail.com
Phone: +254 742 300 002
Post: Executive Apartment, Ruiru, Kiambu County, Kenya. P.O. Box 1598 – 00232.
We collect personal data only where necessary to deliver our services or comply with legal obligations. The categories of data we may collect include:
Where we conduct research on behalf of clients, we may process personal data about research participants. This data is governed by a separate Data Processing Agreement between Northgate and the commissioning organisation (the Data Controller). We process this data only on documented instructions from the client.
Under the Data Protection Act 2019, we rely on the following lawful bases for processing:
| Purpose | Lawful basis |
|---|---|
| Delivering a service you have booked and paid for | Performance of a contract |
| Responding to an enquiry or consultation request | Legitimate interests |
| Sending the Insights newsletter (where subscribed) | Consent |
| Verifying M-Pesa payment | Performance of a contract |
| Maintaining financial and tax records | Legal obligation (KRA, Kenya Revenue Authority) |
| Protecting Northgate's legal rights | Legitimate interests |
| Processing research participant data on client instructions | Data Processing Agreement / client's lawful basis |
We do not sell, rent, or trade your personal data. We do not use your data for automated decision-making or profiling that produces legal effects about you.
We share personal data only where necessary and on a need-to-know basis:
Only team members and associates who need access to deliver your engagement see your data. Every associate and enumerator signs a confidentiality agreement (NDA) before accessing client material.
Each provider is bound by their own privacy and data protection terms. We do not grant them access to data beyond what is technically necessary for the service.
We may disclose data to ODPC, KRA, or law enforcement where required by Kenyan law, a court order, or a legitimate legal obligation.
Our primary operations are Kenya-based. Some of our service providers (Google Workspace, Meta/WhatsApp) may process data outside Kenya. Where this occurs, we rely on the safeguards established in those providers' standard contractual terms and, where applicable, adequacy decisions or other appropriate transfer mechanisms under the Data Protection Act 2019.
Where a research engagement involves international data transfer (e.g., data shared with a foreign institution), this is governed by a separate Data Processing Agreement with the commissioning organisation.
| Data type | Retention period |
|---|---|
| Service enquiry (no engagement proceeds) | 6 months from last contact |
| Completed service engagement records | 5 years from engagement completion |
| Financial and payment records | 7 years (KRA legal obligation) |
| Newsletter subscriber data | Until unsubscribed + 30 days |
| Website analytics (aggregated) | 12 months rolling |
| Research participant data (processed on client instructions) | Per Data Processing Agreement with client |
After the applicable retention period, we securely delete or anonymise personal data. You may request earlier deletion — see Section 9.
As a data subject under Kenyan law, you have the following rights:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Ask us to delete your data (subject to legal retention obligations) |
| Restriction | Ask us to limit how we use your data while a dispute is resolved |
| Objection | Object to processing based on legitimate interests |
| Portability | Receive your data in a machine-readable format |
| Withdraw consent | Withdraw consent at any time where consent is the lawful basis (e.g. newsletter) |
To exercise any right, email our DPO at davidmutabari42@gmail.com with subject line "Data Subject Request". We will respond within 21 days as required by the Data Protection Act 2019.
If you are not satisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke.
Our website uses the following categories of cookies:
| Category | Purpose | Can you opt out? |
|---|---|---|
| Strictly necessary | Session management, form submission, security | No — required for the site to function |
| Analytics | Aggregate page visit statistics (no personal identification) | Yes — see below |
We do not use advertising, tracking, or third-party social media cookies. Analytics cookies collect only aggregated, anonymised data about page visits. No individual user is identified.
To opt out of analytics cookies, you can use your browser's built-in cookie controls: Settings → Privacy → Cookies → Block third-party cookies. You can also use a browser extension such as uBlock Origin.
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. The "Last updated" date at the top of this page will always show when the most recent change was made.
For material changes — those that significantly affect your rights or how we use your data — we will notify active clients by email at least 14 days before the change takes effect.
For any privacy-related question, request, or complaint:
Email: davidmutabari42@gmail.com
WhatsApp: +254 742 300 002
Post: Dr. David Mutabari, Data Protection Officer
Northgate Research & Policy Center
P.O. Box 1598 – 00232, Ruiru, Kiambu County, Kenya
If you are not satisfied with our response, you may contact the ODPC:
www.odpc.go.ke · P.O. Box 41270 – 00100, Nairobi