Last updated: 16 August 2025

This Privacy Policy explains how Toop (“we,” “us,” “our”) collects, uses, shares, and protects your personal data when you visit our websites, contact us, or use our services. We are based in Nairobi, Kenya and process personal data in line with the Kenya Data Protection Act, 2019 (KDPA). Where we serve individuals in the EEA/UK, we also consider GDPR/UK GDPR requirements.

1) Who we are and how to contact us

Controller: Toop Digital

• Email: hello@toop.digital 
• Phone/WhatsApp: +254115661135
• Data Protection Lead (DPO/POC): Elvis Warutumo (hello@elvisw.online) 

For our own site, marketing, and CRM, we act as a data controller. When we work inside a client’s tools or accounts, we usually act as a data processor following their instructions.

2) What this policy covers

• Visitors to our websites and landing pages
• People who contact us by form, email, phone, or WhatsApp
• Prospects and clients who receive proposals, invoices, or support

3) What data we collect

You provide

1. Contact details (name, email, phone/WhatsApp), company, role
2. Messages/forms (project brief, goals, budget, files)
3. Billing details (payer name, business info; payment details handled by payment providers)
4. Preferences (newsletter opt‑in, cookie choices)
   

Collected automatically

1. Device and log data (IP address, browser, pages viewed, referrer, timestamps)
2. Cookie/identifier data from analytics and ad platforms (e.g., Google, Meta, LinkedIn, TikTok)
3. Approximate location from IP for security and fraud prevention
   

From partners/third parties

• Lead sources (events, referrals)
• Business contact enrichment where lawful and appropriate

We do not intentionally collect special categories of data on our website. If a project requires handling sensitive data, we will agree safeguards in writing first.

4) How we use your data (purposes and legal bases)

1. Provide services and support (perform a contract or take steps at your request)
2. Respond to enquiries and book calls (legitimate interests / pre‑contract)
3. Send service and marketing updates with your consent or our legitimate interests (you can opt out anytime)
4. Improve our sites and ads using analytics and measurement (consent where required; otherwise legitimate interests)
   
5. Secure our systems and prevent abuse (legitimate interests; legal obligations)
6. Comply with law (tax, accounting, regulatory requests)

Where we rely on consent, you can withdraw it at any time via unsubscribe links or Cookie Settings. Where we rely on legitimate interests, we balance our interests against your rights and reasonable expectations.

5) Cookies, analytics, and advertising

We use cookies and similar technologies for:

• Essential site functions and security
• Analytics (e.g., Google Analytics 4) to understand usage
• Advertising/retargeting (e.g., Google/Meta/LinkedIn/TikTok pixels) to measure and improve campaigns
  

You can manage preferences in our Cookie Settings and in your browser. Some features may not work without certain cookies. For details, see our Cookie Policy.

6) Sharing your data

We share data only with:

• Service providers (hosting, email, analytics, payments, CRM) under contracts that protect your data
• Clients when we act as their processor or when you interact with their assets
• Professional advisers (legal, accounting) under confidentiality
• Authorities when required by law or to protect rights, safety, and security
• Buyers/investors as part of a merger or acquisition (with notice where feasible)
  

We do not sell personal data.

7) International transfers

We may transfer data outside Kenya (for example, to cloud providers). When we do, we use appropriate safeguards (contractual and technical) and reputable vendors. For EEA/UK data we rely on Standard Contractual Clauses or equivalent mechanisms as required by GDPR/UK GDPR.

8) How long we keep data

• Client/project records: for the engagement plus up to 7 years for legal/accounting
• Marketing contacts: until you opt out; we keep a suppression list to honour opt‑outs
• Website analytics: retained per tool defaults or shorter where configured; reported in aggregate where possible
  

When data is no longer needed, we delete or anonymise it.

9) Your rights

Depending on your location, you can:

• Be informed about how your data is used
• Access your personal data
• Correct inaccurate data
• Delete data that is false, misleading, or no longer needed
• Object to certain processing (e.g., direct marketing)
• Withdraw consent where processing is based on consent
• Complain to a data protection authority
  

To make a request, email hello@toop.digital. We may ask for proof of identity. We aim to respond within the timelines required by law.

10) Security

We use reasonable technical and organisational measures such as access controls, encryption in transit, least‑privilege access, monitoring, and regular backups. No method is 100% secure, but we work to prevent, detect, and respond to incidents.

11) Children

Our site and services are not directed to children under 18. If you believe a child has provided personal data, contact us and we will delete it.

12) Third‑party links

Our site may link to other websites. Their content and privacy practices are their responsibility. Please review their policies.

13) If you are a client

When we process personal data on your behalf, we will sign a Data Processing Agreement (DPA) that covers processing instructions, security, sub‑processors, international transfers, audits, and deletion/return of data at the end of the engagement.

14) Kenya‑specific information

• We process personal data in line with the Kenya Data Protection Act, 2019 and related regulations
• Where required, we will register as a data controller/processor with the Office of the Data Protection Commissioner (ODPC)
• You may lodge a complaint with the ODPC if you believe your data protection rights have been infringed (see the ODPC website for guidance)
  

15) EEA/UK users

Where GDPR/UK GDPR applies, we follow its principles and, where needed, appoint an EU/UK representative. For international transfers, we use Standard Contractual Clauses and conduct transfer risk assessments as appropriate. You may also have rights to data portability and to restrict processing under GDPR.

16) Marketing communications

If you opt in to updates, we will send useful content or service news. You can unsubscribe at any time using the link in our emails or by contacting us.

17) Changes to this policy

We may update this policy to reflect changes in law or our practices. We will post the new version with a new “Last updated” date. If changes are significant, we will provide a clear notice on our site or by email where appropriate.

18) How to contact us

Questions, requests, or complaints about this policy or your data? Contact our Data Protection Lead at hello@elvisw.online. If we cannot resolve your concern, you may contact the ODPC or, for EEA/UK users, your local supervisory authority.