Hotline Paul’s Notes Sprint Connect Collabs Ventures Hotline Paul’s Notes Sprint Connect Collabs Ventures

3d backstage beauty care chef dental eatwell enroll events experiences fit gifts gigs handy mechanic media mind pets pros rental secure sheets skincare solar stays tidy tutor 3d backstage beauty care chef dental eatwell enroll events experiences fit gifts gigs handy mechanic media mind pets pros rental secure sheets skincare solar stays tidy tutor

Paul’s Report VBSS – VRL Business Scaling System The Business Owner’s Journey The B2B Customer Journey The B2C Customer Journey Paul’s Report VBSS – VRL Business Scaling System The Business Owner’s Journey The B2B Customer Journey The B2C Customer Journey

Privacy Policy

Applicability: VRL (the Holding Company) and all its current and future subsidiaries, brands, and offerings.

1. Introduction

VRL (“We,” “Us,” “Our”) is committed to protecting the privacy and security of your personal information.

This Master Privacy Policy (“Policy”) describes how we collect, use, store, and disclose personal data when you interact with any of our services, websites, platforms, or brands.

This Policy applies to all individuals whose personal data we process, including website visitors, subscribers, clients, partners, and service providers. It is designed to comply with the Kenya Data Protection Act, 2019 (DPA) and other applicable privacy laws.

By using our Services, you acknowledge that you have read and understood this Policy.

2. Definitions

Personal Data means any information relating to an identified or identifiable natural person.
Data Subject means the identified or identifiable natural person to whom personal data relates.
Processing means any operation performed on personal data, including collection, storage, use, and deletion.
Data Controller means VRL, which determines the purposes and means of processing personal data.
Data Processor means any third party that processes personal data on behalf of VRL.

3. Legal Basis for Processing

Under the DPA, we process personal data only when we have a valid legal basis, including:

Consent: You have given clear consent for us to process your personal data for a specific purpose.
Contract: The processing is necessary for a contract you have with us.
Legal obligation: The processing is necessary for us to comply with the law.
Legitimate interests: The processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests.

4. What Personal Data We Collect

We may collect and process the following categories of personal data:

Information You Provide Directly:

Identity information: name, date of birth, ID/passport number, photograph
Contact information: email address, phone number, physical address
Account credentials: username, password
Payment information: bank details, M-Pesa transaction details, card information (processed securely through our payment partners)
Business information: company name, business registration details, KRA PIN
Communications: any information you provide when you contact us

Information Collected Automatically:

Technical data: IP address, browser type, device information, operating system
Usage data: how you interact with our websites and services, pages visited, time spent
Cookies and tracking technologies: we use cookies to enhance user experience

Information from Third Parties:

Verification services: to verify your identity or business information
Payment processors: to process transactions
Social media platforms: if you interact with our social media pages

5. How We Use Your Personal Data

We use your personal data for the following purposes:

To deliver our Services. This includes giving you access to Paul’s Notes, managing your VRL Sprint project, connecting you with clients through VRL Connect, setting up co-branded distribution through VRL Collabs, and forming equity partnerships through VRL Venture. This processing is necessary for the contract we have with you.

To manage your account. We use your information to create and maintain your user account, verify your identity, and provide customer support. This is necessary for the contract we have with you.

To process payments. This includes collecting subscription fees, project fees, commissions, and processing revenue or profit share payments. This covers payments made through M-Pesa, bank transfers, or other payment methods. This processing is necessary for the contract we have with you and to comply with legal obligations.

To communicate with you. We send service updates, respond to your inquiries, and provide customer support. We may also send you marketing information about our Services if you have given us consent or where we have a legitimate interest. You can opt out of marketing messages at any time.

To improve our Services. We analyze how users interact with our websites and platforms to identify issues, improve functionality, and develop new features. This processing is based on our legitimate interest in improving our business.

To protect our Services. We use your information to detect and prevent fraud, unauthorized access, and other security threats. This is necessary for our legitimate interest in protecting our business and users, and to comply with legal obligations.

To comply with the law. We may process your information to meet legal and regulatory requirements, including tax laws, anti-money laundering regulations, and requests from authorities. This processing is necessary for legal compliance.

6. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients:

Within VRL Group. Your data may be shared among VRL holding company and its subsidiaries for internal administration and service delivery.

Service Providers. We engage third-party service providers who process data on our behalf, including payment processors, cloud hosting providers, analytics providers, customer support platforms, and marketing platforms. All service providers are contractually obligated to protect your data and process it only in accordance with our instructions.

Business Partners. In connection with our partnership offerings (VRL Connect, Collabs, Venture), we may share relevant information with partners as necessary to provide the services.

Legal Authorities. We may disclose your information to law enforcement agencies, regulatory authorities, courts, or other statutory bodies in response to a lawful demand.

Business Transfers. In the event of a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction.

7. Data Subject Rights

Under the DPA, you have the following rights regarding your personal data:

Right to be Informed. You have the right to know that we are collecting your data and how we will use it. This Policy provides that information.

Right of Access. You have the right to access the personal data we hold about you.

Right to Rectification. You have the right to request correction of inaccurate or incomplete data.

Right to Erasure. You have the right to request deletion of your data, subject to our legal obligations to retain certain information.

Right to Restriction. You have the right to request restricted processing of your data in certain circumstances.

Right to Data Portability. You have the right to receive your data in a structured, commonly used format and to transmit it to another controller.

Right to Object. You have the right to object to processing based on legitimate interests.

Right to Withdraw Consent. Where processing is based on consent, you have the right to withdraw consent at any time.

To exercise any of these rights, please contact our Data Protection Officer using the details in Section 13. We will respond to your request within the timeframe required by law.

8. Data Security

We have implemented appropriate technical and organizational measures to protect your personal data from unauthorized access, accidental loss, alteration, or disclosure. These measures include:

Encryption of data in transit and at rest
Access controls and authentication procedures
Regular security assessments and vulnerability scans
Firewalls and intrusion detection systems
Staff training on data protection
Secure data storage and backup procedures

While we take reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period, we consider:

The amount, nature, and sensitivity of the data
The potential risk of harm from unauthorized use or disclosure
The purposes for which we process the data
Applicable legal requirements

When we no longer need your personal data, we will securely delete or anonymize it.

10. International Data Transfers

Your personal data may be transferred to, and processed in, countries other than Kenya. When we transfer your data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the Office of the Data Protection Commissioner.

11. Cookies and Tracking Technologies

Our websites use cookies and similar technologies to enhance user experience, analyze traffic, and personalize content. You can manage your cookie preferences through your browser settings. However, disabling certain cookies may affect the functionality of our websites.

12. Children’s Privacy

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

13. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Policy and the DPA. You may contact our DPO at:

Data Protection Officer
VRL
Email: dpo@vrl.co.ke
Office: Nairobi, Kenya

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make material changes, we will notify you by email or through a prominent notice on our website. We encourage you to review this Policy periodically.

15. Complaints

If you have concerns about our handling of your personal data, please contact our DPO first. You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC):

Office of the Data Protection Commissioner
Email: complaints@odpc.go.ke
Website: www.odpc.go.ke

16. Contact Us

If you have any questions about this Policy or our privacy practices, please contact us:

VRL
Email: privacy@vrl.co.ke
Office: Pinetree Plaza, Kilimani, Nairobi, Kenya
Website: vrl.co.ke