Privacy Policy

Privacy Policy for Nsubiza Ltd.

Last Updated: 30/03/2026

1. Introduction

Nsubiza Ltd (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (nsubiza.com) or use our services.

We comply with:

• Rwanda: Data Protection and Privacy Law (Law No. 058/2021 of 13/10/2021)
• European Union: General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
• United States: Applicable state privacy laws including the California Consumer Privacy Act (CCPA)
• International: Applicable data protection principles and best practices

Data Controller: NSUBIZA LTD, Registration No. 1325979, Commerce Avenue, Huye (Butare), Southern Province, Rwanda. Email: admin@nsubiza.com | Phone: +250 798 382 498

Data Protection Officer (DPO): Email: dpo@kwamuzehe.com | Phone: +250 798 382 498

The DPO is responsible for overseeing our data protection strategy and ensuring compliance with applicable data protection laws, including Law No. 058/2021.

2. Data Collection and Use

We collect data to provide and improve our services. This includes:

• Personal Information: Name, email address, phone number, and other information you voluntarily provide through our contact form or during service engagements.
• Usage Data: Information on how you interact with our website, including pages visited, time spent, and referring URLs.
• Device Information: Browser type, IP address, operating system, and device identifiers.
• Cookies and Tracking Technologies: As described in our Cookie Policy.

We use this information to:

• Respond to your inquiries and provide requested services.
• Improve and optimize our website and user experience.
• Comply with legal obligations.
• Protect the security and integrity of our services.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

• Consent: When you provide explicit consent, such as through our contact form or cookie consent banner. You may withdraw consent at any time.
• Contractual Necessity: To fulfill contracts or take pre-contractual steps at your request.
• Legitimate Interest: For purposes such as improving our services, ensuring security, and analyzing website usage, where these interests are not overridden by your rights.
• Legal Obligation: When processing is required by applicable law.

4. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following circumstances:

• Service Providers: With trusted third parties who assist us in operating our website and services, bound by data processing agreements.
• Legal Requirements: When required by law, regulation, or valid legal process, or to protect our rights, property, or safety.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, with appropriate protections for your data.

5. International Data Transfers

As a Rwandan company serving international clients, we may transfer personal data across borders. We ensure such transfers comply with applicable data protection laws, including:

• The EU’s Standard Contractual Clauses (SCCs) for transfers from the EU/EEA.
• Rwandan data protection requirements under Law No. 058/2021.
• Standard Contractual Clauses based on the NCSA-approved template for transfers originating from Rwanda.
• Appropriate safeguards as required by applicable law in your jurisdiction.

Our current third-party processors and their data hosting locations are:

Processor	Purpose	Data Location
Google Cloud	Hosting, infrastructure, and email	europe-west1 (Belgium), africa-south1 (South Africa)
Anthropic	AI-assisted services	United States (additional safeguards in place, including SCCs and supplementary measures)

We conduct transfer impact assessments for each cross-border transfer and ensure that adequate protections are maintained in accordance with Law No. 058/2021 and, where applicable, the GDPR.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

For all users:

• Access: Request a copy of your personal data.
• Rectification: Correct inaccurate or incomplete data.
• Erasure: Request deletion of your personal data.
• Restriction: Request that we limit processing of your data.

Additional rights under GDPR (EU/EEA residents):

• Data Portability: Receive your data in a structured, machine-readable format.
• Object: Object to processing based on legitimate interest or for direct marketing.
• Automated Decision-Making: Not be subject to decisions based solely on automated processing.
• Lodge a Complaint: File a complaint with your local Data Protection Authority.

Additional rights under CCPA (California residents):

• Know: Request details about the categories and specific pieces of personal information collected.
• Delete: Request deletion of personal information collected.
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Under Rwandan law (Law No. 058/2021):

• You have the right to access, correct, and request deletion of your personal data.
• You have the right to object to the processing of your personal data, including for direct marketing purposes.
• You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (Article 26).
• You may lodge a complaint with the National Cyber Security Authority (NCSA), Data Protection and Privacy Office:
  • Email: dpp@ncsa.gov.rw
  • Phone: +250 782 847 756
  • Website: https://dpo.gov.rw/

To exercise any of these rights, please contact our DPO at dpo@kwamuzehe.com. We will respond within 30 days (or as required by applicable law).

7. Data Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted data transmission, access controls, and regular security reviews.

While we strive to protect your data, no method of transmission over the internet is completely secure. We cannot guarantee absolute security.

7a. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals:

• We will notify the National Cyber Security Authority (NCSA) within 48 hours of becoming aware of the breach, in accordance with Law No. 058/2021.
• Where the breach is likely to result in a high risk to your rights and freedoms, we will notify affected data subjects without undue delay.
• For breaches affecting EU/EEA residents, we will also notify the relevant EU supervisory authority within 72 hours as required by the GDPR.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Contact form submissions are retained for a maximum of 24 months unless a longer retention period is required for legal purposes.

9. Cookies and Tracking Technologies

We use cookies to enhance your experience. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.

10. Children’s Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will take steps to delete that information.

11. Data Protection Impact Assessments

In accordance with Article 34 of Law No. 058/2021, Nsubiza Ltd conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. This includes, but is not limited to, large-scale processing of sensitive data, systematic monitoring, and automated decision-making with legal or significant effects.

12. Records of Processing Activities

Nsubiza Ltd maintains Records of Processing Activities (ROPA) as required by Article 31 of Law No. 058/2021. These records document the categories of data processed, purposes of processing, data recipients, retention periods, and technical and organizational security measures in place.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated by posting the updated policy on our website and revising the “Last Updated” date. We encourage you to review this policy periodically.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Nsubiza Ltd. Address: Commerce Avenue, Huye (Butare), Southern Province, Rwanda P.O Box 262, Huye

Data Protection Officer: Email: dpo@kwamuzehe.com Phone: +250 798 382 498

General Inquiries: Email: admin@nsubiza.com Phone: +250 798 382 498

Supervisory Authority: National Cyber Security Authority (NCSA), Data Protection and Privacy Office Email: dpp@ncsa.gov.rw Phone: +250 782 847 756 Website: https://dpo.gov.rw/

---