Privacy Policy

Last updated: February 2026

1. Data Controller

Knowledge Exchange for Social Impact (KESI) is the data controller responsible for your personal data. If you have questions about this policy or your data, contact us at privacy@kesi-int.com.

2. What Data We Collect

We collect personal data only when you voluntarily provide it through our website:

Contact Form

• Name
• Email address
• Organisation (optional)
• Inquiry type
• Message content

Newsletter Signup

• Email address

Technical Data

We do not use tracking cookies or invasive analytics. If we introduce privacy-respecting analytics in the future, this policy will be updated accordingly.

3. Lawful Basis for Processing

We process your personal data under the following lawful bases as defined by the UK General Data Protection Regulation (UK GDPR):

• Contact form submissions: Legitimate interest (Article 6(1)(f)) — to respond to your inquiry and provide the information or service you have requested.
• Newsletter subscriptions: Consent (Article 6(1)(a)) — you actively opt in by submitting your email address and confirming via a double opt-in email.
• Application or interest registration forms: Consent (Article 6(1)(a)) — you actively submit your information for a specific purpose.

4. How We Use Your Data

• To respond to your inquiries submitted via the contact form
• To send you newsletter updates if you have subscribed and confirmed your subscription
• To process programme applications or interest registrations

We will never sell, rent, or share your personal data with third parties for marketing purposes.

5. Third-Party Processors

We use the following third-party services to process data on our behalf:

• Amazon Web Services (AWS): Our website is hosted on AWS infrastructure. Contact form submissions are processed via AWS Lambda and emails are sent via Amazon Simple Email Service (SES). AWS acts as a data processor under our instructions. AWS maintains compliance with EU/UK data protection standards through their Data Processing Addendum.

6. International Data Transfers

Your data may be transferred to and processed in AWS data centres outside the United Kingdom. These transfers are covered by AWS’s Data Processing Addendum and appropriate safeguards (including Standard Contractual Clauses where applicable) to ensure your data receives an adequate level of protection in compliance with UK GDPR.

7. Data Retention

• Contact form submissions: Retained for up to 12 months after your inquiry has been resolved, then securely deleted.
• Newsletter subscriptions: Your email address is retained for as long as you remain subscribed. You can unsubscribe at any time using the link in each email.
• Application data: Retained for the duration of the relevant programme cycle, plus up to 12 months afterwards for follow-up and evaluation purposes.

8. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data (subject to legal obligations).
• Right to restriction: Request that we limit how we process your data.
• Right to data portability: Request a copy of your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interest.
• Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@kesi-int.com. We will respond to your request within 30 days.

9. Data Subject Access Requests (DSARs)

You may submit a Data Subject Access Request by emailing privacy@kesi-int.com. We will verify your identity and respond within 30 days of receiving your request, as required by UK GDPR.

10. Nigeria Data Protection

KESI also operates in Nigeria. In addition to UK GDPR, we comply with the Nigeria Data Protection Act 2023 (NDPA). Nigerian data subjects have equivalent rights to access, rectify, and erase their personal data. The same contact details and processes described above apply.

11. Cookies

This website does not use cookies for tracking or analytics. If we introduce any cookie-setting services in the future, we will add a consent mechanism and update this policy.

12. Security

We take appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS/TLS), server-side input validation, and access controls on our hosting infrastructure.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via our website. The “Last updated” date at the top reflects the most recent revision.

14. Contact

If you have questions, concerns, or wish to exercise your data rights, contact us:

• Email: privacy@kesi-int.com
• Organisation: Knowledge Exchange for Social Impact (KESI)

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the United Kingdom, or the Nigeria Data Protection Commission (NDPC).