Privacy Policy

NASFAM ("we", "our", or "the Organisation") is committed to protecting the privacy of all individuals who interact with our website, programmes, and digital services. This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed.

By using the NASFAM website at www.nasfam.org, you acknowledge that you have read and understood this Privacy Policy. This Policy applies to all users globally but reflects our primary obligations under Malawian data protection principles and, where applicable, the General Data Protection Regulation (GDPR) for users accessing the site from the European Economic Area.

We review this Policy periodically. The most current version will always be published at this URL. Where changes are material, we will notify you through a prominent notice on our homepage.

We collect information in the following ways:

2.1 Information You Provide Directly

• Name, email address, and phone number submitted via our Contact Us form
• Organisation name and role when submitting partnership enquiries
• Newsletter subscription details including email address and communication preferences
• Job application materials including CV, cover letter, and referee details
• Membership registration information submitted through District Farmers Associations
• Event registration details including name, district, and dietary requirements

2.2 Information Collected Automatically

• IP address and approximate geographic location
• Browser type, version, and operating system
• Pages visited, time spent on pages, and navigation paths
• Referral source (how you arrived at our site)
• Device identifiers and screen resolution
• Session duration and interaction events

2.3 Information From Third Parties

We may receive information about you from partner organisations, donor platforms, or publicly available sources for the purpose of coordinating programme delivery or verifying partnership credentials.

We use the information we collect for the following purposes:

• Responding to enquiries submitted through the Contact Us form
• Delivering newsletters, programme updates, and market price bulletins to subscribers
• Processing and evaluating job applications
• Coordinating event registrations and sending logistical information
• Improving the website by analysing usage patterns and identifying technical issues
• Meeting reporting obligations to donors and statutory bodies
• Verifying partner and member eligibility for specific programmes
• Detecting and preventing fraud, abuse, and unauthorised access
• Complying with legal obligations and court orders

Where the GDPR or equivalent data protection frameworks apply, we rely on the following lawful bases to process your personal data:

Where we rely on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

We do not sell, rent, or trade your personal information. We may share your data with the following categories of third parties only where necessary:

5.1 Service Providers

We use trusted third-party service providers for email delivery, web hosting, analytics, and form processing. These providers are bound by confidentiality agreements and are prohibited from using your data for any purpose other than providing services to NASFAM.

5.2 Donors and Funders

Aggregated, anonymised programme data may be shared with donors for reporting purposes. We do not share individually identifiable personal data with donors without your explicit consent.

5.3 Government and Regulatory Bodies

We may disclose personal information where required by law, court order, or government authority, including but not limited to the Malawi Revenue Authority and the Ministry of Agriculture.

5.4 Business Transfers

In the event of a merger, acquisition, or transfer of NASFAM operations to another entity, personal data may form part of the transferred assets. We will notify you before your data is transferred and becomes subject to a different privacy policy.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with applicable legal, accounting, or reporting requirements.

After the applicable retention period, data is securely deleted or anonymised. You may request earlier deletion subject to the exceptions outlined in Section 7.

Depending on your location and the applicable data protection framework, you may have the following rights with respect to your personal data:

• Right of access — obtain a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate or incomplete data
• Right to erasure — request deletion of your data ('right to be forgotten') subject to legal retention obligations
• Right to restriction — request that processing be limited in certain circumstances
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests or direct marketing
• Rights related to automated decision-making — request human review of decisions made solely by automated means

To exercise any of these rights, please contact our Data Protection Officer using the details in Section 12. We will respond within 30 days. Where a request is complex or numerous, we may extend this period by a further two months and will notify you accordingly.

You also have the right to lodge a complaint with a relevant supervisory authority. For users in the EEA, this is the data protection authority in your country of residence.

NASFAM takes the security of your personal data seriously and has implemented a range of technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration.

Technical Measures

• TLS/SSL encryption for all data transmitted to and from the website
• Password hashing and salting for any stored credentials
• Access controls limiting staff access to personal data on a need-to-know basis
• Regular security patching and vulnerability assessments
• Encrypted backups stored in geographically separate locations

Organisational Measures

• Staff data protection training during onboarding and annually thereafter
• Documented data handling procedures and incident response protocols
• Third-party processor due diligence and contractual obligations
• Periodic internal privacy audits

While we take all reasonable precautions, no method of electronic transmission or storage is 100% secure. If you believe your data has been compromised, please contact us immediately at info@nasfam.org.

We use cookies and similar tracking technologies to improve website performance and understand how visitors use our site. For full details on the types of cookies we use and how to manage them, please refer to our Cookie Policy.

Essential cookies necessary for the website to function are placed automatically. All other cookies (analytics, preferences) require your consent, which you can manage through the cookie consent banner displayed on your first visit.

Our website may contain links to external websites operated by third parties, including partner organisations, donor portals, and resource repositories. This Privacy Policy applies only to information collected by NASFAM. We have no control over third-party websites and are not responsible for their privacy practices.

We encourage you to review the privacy policy of any external site you visit through links on our platform. The inclusion of a link on our website does not constitute endorsement of that site or its privacy practices.

The NASFAM website is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately and we will take steps to delete such information.

For programme activities involving minors (such as youth farmer competitions or training camps), parental or guardian consent is obtained separately through offline registration processes managed by district offices.

For all privacy-related enquiries, data subject rights requests, or concerns about how we handle your personal information, please contact:

We aim to respond to all requests within 30 calendar days. If you are not satisfied with our response, you have the right to escalate the matter to a relevant supervisory authority.