Privacy Policy
Last updated 7 May 2026 — Prepared in accordance with the Malawi Data Protection Act (2024)
1. Introduction
Kafukufuku Data Hub ("KDH", "we", "us", "our") is committed to protecting your privacy and handling your personal data in compliance with the Malawi Data Protection Act, 2024 (the "Act"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the Act.
For the purposes of the Act, KDH acts as a data controller with respect to personal data we collect directly from you (e.g., account registration). For datasets uploaded by third-party contributors that may contain personal data, KDH acts as a data processor on behalf of the submitting data controller. We are taking steps to register with the Malawi Data Protection Authority (MDPA) as required under Section 26 of the Act.
2. Lawful Basis for Processing
Under Section 28 of the Malawi Data Protection Act (2024), we process personal data on the following lawful bases:
- Consent — When you register for an account or submit data, you consent to our processing.
- Legitimate interest — To operate, maintain, and improve the Service, and to communicate with you about the Service.
- Legal obligation — To comply with applicable laws, regulations, and lawful requests from authorities.
- Performance of a contract — To provide the Service as requested by you.
3. Personal Data We Collect
3.1 Account Data
When you create an account, we collect:
- Username and email address
- Role (admin, editor, viewer)
- Hashed password (never stored in plain text)
- Account creation date and last login timestamp
3.2 Usage Data
We automatically collect certain technical information when you access the Service:
- IP address
- Browser type and version
- Pages visited and time spent on each page
- API request endpoints, method, and response status codes
- Referrer URL
- Date and time of access
3.3 Submitted Data
When users submit datasets to KDH, the data may contain information about individuals. KDH processes this data as a data processor on behalf of the submitting data controller. We require submitters to warrant that they have a lawful basis under the Act for processing any personal data contained in their submissions.
3.4 Communications
If you contact us directly (e.g., via email), we collect your name, email address, and the content of your communication.
4. How We Use Your Data
We use the collected data for the following purposes:
- To provide, maintain, and improve the Service
- To authenticate users and manage access to admin features
- To monitor and analyze usage patterns and trends to improve user experience
- To respond to user inquiries and support requests
- To detect, prevent, and address technical issues, security incidents, and abuse
- To comply with legal obligations under Malawi law
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:
- Service Providers — We may engage trusted third-party providers for hosting, data storage, analytics, and technical operations. These providers are bound by data processing agreements that comply with the Act.
- Legal Compliance — As required by law, court order, or governmental regulation, including reporting to the Malawi Data Protection Authority (MDPA) as required by the Act.
- Protection of Rights — To protect the rights, property, or safety of KDH, our users, or the public.
- With Your Consent — With your explicit consent for any other purpose not described in this policy.
6. Cross-Border Data Transfers
Our servers and infrastructure may be located outside the Republic of Malawi. In accordance with Section 37 of the Malawi Data Protection Act (2024), we will only transfer personal data to countries that have been deemed by the MDPA to provide an adequate level of data protection, or where we have implemented appropriate safeguards such as standard contractual clauses. By using the Service, you consent to such transfers.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Specifically:
- Account data — Retained while your account is active. You may request deletion at any time.
- Usage data — Retained for up to 12 months for analytics purposes.
- Submitted datasets — Retained indefinitely for archival and research purposes, unless removal is requested by the data controller.
- Communications — Retained for up to 24 months after the last communication.
When personal data is no longer required, it is securely deleted or anonymized in accordance with the data minimization and storage limitation principles of the Act (Sections 24–25).
8. Your Rights Under the Malawi Data Protection Act (2024)
The Act grants you the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@kdh.mw. We will respond within 30 days as required by the Act.
| Right | Act Section | Description |
|---|---|---|
| Right to be informed | Sections 30–31 | You have the right to be informed about how your personal data is collected and used. |
| Right of access | Section 32 | You may request a copy of the personal data we hold about you, free of charge. |
| Right to rectification | Section 33 | You may request that inaccurate or incomplete personal data be corrected. |
| Right to erasure | Section 34 | You may request deletion of your personal data in certain circumstances ("right to be forgotten"). |
| Right to restrict processing | Section 35 | You may request that we limit how we process your personal data in certain circumstances. |
| Right to data portability | Section 36 | You may request your personal data in a structured, commonly used, machine-readable format. |
| Right to object | Section 38 | You may object to the processing of your personal data for direct marketing or on grounds relating to your particular situation. |
| Rights related to automated decision-making | Section 39 | You have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you. |
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the Malawi Data Protection Authority (MDPA), the independent supervisory authority established under Part VI of the Act.
9. Data Security
We implement appropriate technical and organizational measures, as required by Section 41 of the Act, to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.3) and at rest
- Password hashing using industry-standard algorithms (bcrypt/PBKDF2)
- Role-based access control and principle of least privilege
- Regular security reviews and dependency audits
- Secure credential management via environment variables, never in source code
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
10. Data Breach Notification
In accordance with Section 42 of the Act, in the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the MDPA within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay when the breach is likely to result in high risk
- Document the breach, its effects, and the remedial actions taken
11. Data Protection Officer
As required by the Act for data controllers processing personal data on a large scale, we are in the process of designating a Data Protection Officer (DPO). Inquiries regarding data protection may be sent to privacy@kdh.mw until the DPO appointment is finalized and registered with the MDPA.
12. Cookies
The Service uses essential session cookies required for authentication and security (CSRF protection, session management). These cookies do not track you across websites and are not used for advertising purposes. We do not use third-party tracking cookies or analytics cookies. You may configure your browser to refuse cookies, but some features of the Service (such as login and admin functions) may not function properly.
13. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such data promptly, in compliance with the Act's special protections for children's data.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and post a notice on the Service at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
15. Contact
For questions, concerns, or to exercise your rights under this policy or the Malawi Data Protection Act (2024), please contact us:
Kafukufuku Data Hub
Email: privacy@kdh.mw
Data Protection Inquiries: privacy@kdh.mw
Malawi Data Protection Authority (MDPA)
For complaints or inquiries about data protection in Malawi.