Privacy Policy
Effective date: 13 July 2026 · Last updated: 13 July 2026
1. Who we are
Zuka (“Zuka”, “we”, “us”, “our”) is a talent development platform operated by Tunga in Nairobi, Kenya. It is available through our website at zuka.acand through the Zuka mobile applications for Android and iOS (together, the “Service”).
We are the data controller of the personal data described in this policy. This policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have over it. It is written to comply with the Kenya Data Protection Act, 2019 and its regulations, the EU/UK General Data Protection Regulation (GDPR) where it applies, and the Google Play Developer Policies (including the User Data policy) and the Apple App Store guidelines.
You can reach us at any time about this policy or your data at hi@tunga.co or +254 733 466 233.
2. Personal data we collect
We collect the following categories of personal data:
- Account information. Name, email address, phone number, password credentials, and profile photo when you create an account or are enrolled in a Zuka program.
- Program and profile data. Information you or your program staff add to the Service, such as your portfolio, projects, performance records, career interests, mentorship notes, community posts, and messages sent within the Service.
- Payment data.If you make a payment through M-Pesa, we process your M-Pesa phone number, transaction reference, and amount. Payments are processed by Safaricom’s M-Pesa service; we do not receive or store card numbers or M-Pesa PINs.
- Communications. Enquiries you send us (for example through the contact form) and messages you exchange with our AI coach feature. AI coach conversations are processed to generate responses and improve the quality of the feature.
- Device and usage data. Device type, operating system, app version, IP address, approximate location derived from IP, log data, crash reports, and push notification tokens.
- Cookies and similar technologies. We use strictly necessary cookies to keep you signed in and remember your preferences. See section 9.
We collect this data directly from you, from your device when you use the Service, and — for participants enrolled through a partner program — from the organisation that enrolled you.
3. Why we process your data and our legal bases
Under the Kenya Data Protection Act, 2019 and Article 6 GDPR, we process personal data:
- To perform our contract with you — creating and managing your account, running your program experience (projects, performance, portfolio, mentorship, community, events), processing payments, and providing support.
- With your consent — sending push notifications and marketing communications, and any optional features that ask for permission. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- For our legitimate interests — securing the Service, preventing fraud and abuse, measuring and improving how the Service works, and communicating service updates. We balance these interests against your rights.
- To comply with legal obligations — including tax, accounting, and lawful requests from Kenyan or other competent authorities.
We do not sell your personal data, and we do not use it for third-party advertising.
4. How we share your data
We share personal data only with:
- Service providers (data processors). Google LLC provides our hosting and backend infrastructure (Google Cloud Platform and Firebase — authentication, database, storage, cloud functions, push notifications via Firebase Cloud Messaging, and Vertex AI for the AI coach feature). Safaricom PLC processes M-Pesa payments. These providers act on our instructions under data processing agreements.
- Your program. If you participate through a partner organisation or employer, program staff and mentors can see the program data relevant to their role (for example your performance records and portfolio).
- Authorities where disclosure is required by law or necessary to protect our legal rights, and successors in the event of a merger, acquisition, or asset sale — in which case this policy will continue to apply to your data.
5. International transfers
Our infrastructure providers store data on servers that may be located outside Kenya, including in the United States and the European Union. Where personal data is transferred outside Kenya, we do so in accordance with sections 48 and 49 of the Data Protection Act, 2019 — ensuring the recipient provides appropriate safeguards for the data. Where the GDPR applies, transfers outside the EEA/UK rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and, for Google, its certification under the EU–US Data Privacy Framework.
6. How long we keep your data
We keep personal data for as long as your account is active and as needed to provide the Service. After your account is closed, we delete or anonymise your data within 90 days, except where we must keep it longer to comply with legal obligations (for example financial records of M-Pesa transactions, which Kenyan law requires us to retain for up to 7 years), to resolve disputes, or to enforce our agreements.
7. Your rights
Under the Kenya Data Protection Act, 2019 (sections 26 and 34–40) and, where applicable, the GDPR (Articles 15–22), you have the right to:
- be informed about how your data is used;
- access a copy of the personal data we hold about you;
- have inaccurate or incomplete data corrected;
- have your data deleted (right to erasure), subject to legal retention requirements;
- object to or restrict processing, including for direct marketing;
- receive your data in a portable, machine-readable format;
- withdraw consent at any time where processing is based on consent; and
- not be subject to a decision based solely on automated processing that significantly affects you.
To exercise any of these rights, email hi@tunga.co or call +254 733 466 233. We will respond within the timelines required by law (normally within 30 days) and will not charge a fee unless a request is manifestly unfounded or excessive.
You also have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), Kenya (www.odpc.go.ke) or, if you are in the EEA or the UK, with your local supervisory authority.
8. Account and data deletion
You can request deletion of your Zuka account and the personal data associated with it at any time by emailing hi@tunga.co from the email address on your account, with the subject “Delete my account”. We will verify the request, delete your account, and erase or anonymise your personal data within 90 days, except for records we are legally required to retain (section 6). This deletion route covers data collected through the Zuka mobile apps as well as the website, as required by Google Play’s account deletion policy.
9. Cookies
The website uses strictly necessary cookies and similar technologies (such as local storage) to keep you signed in, protect against cross-site request forgery, and remember interface preferences. We do not use advertising or cross-site tracking cookies. You can clear or block cookies in your browser settings, but signed-in areas of the Service may stop working without them.
10. Security
We apply technical and organisational measures appropriate to the risk, as required by section 41 of the Data Protection Act, 2019 and Article 32 GDPR. These include encryption of data in transit (TLS) and at rest, role-based access controls so staff and mentors only see data relevant to their role, security rules on every database collection, and audit logging. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify the ODPC and affected users as required by law.
11. Children
The Service is designed for people aged 18 and over, and for younger participants only when enrolled through a partner program with the consent of a parent or guardian as required by section 33 of the Data Protection Act, 2019. We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data without appropriate consent, contact us and we will delete it.
12. Mobile apps and platform policies
The Zuka Android app complies with the Google Play User Data policy: the data it collects and shares is disclosed in the app’s Data safety section on Google Play and matches this policy; data is transmitted over encrypted connections; and account deletion is available as described in section 8. The app requests permissions only where needed for a feature (for example notification permission for push notifications, and camera or photo access if you choose to upload a profile photo or portfolio media), and never accesses them in the background for other purposes. The iOS app likewise follows Apple’s App Store privacy requirements, including App Privacy labels.
13. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you through the Service or by email before the changes take effect, and update the “last updated” date above. Continued use of the Service after changes take effect means the updated policy applies.
14. Contact us
For any question, request, or complaint about this policy or your personal data:
- Email: hi@tunga.co
- Phone: +254 733 466 233
- Zuka (operated by Tunga), Nairobi, Kenya