DATA PRIVACY POLICY
1.0 INTRODUCTION
1.1 Pivot FS Kenya Limited is a private limited company incorporated in Kenya (hereinafter referred to as “Company”). The Company engages in financial services by providing financing to individuals and businesses.
1.2 The Company is committed to complying with the provisions of the Central Bank of Kenya (Digital Credit Providers) Regulations, 2022, as well as the Kenya Data Protection Act, 2019, and the Data Protection (General) Regulations, 2021. Our policy is aligned with these laws and regulations to ensure the highest level of data privacy and protection for our customers.
2.0 DEFINITIONS
- Data Subject: Refers to an individual who can be identified directly or indirectly by the personal data collected, processed, or stored by the Company.
- Data Processor: Refers to the Company, which processes personal data as governed by a contractual agreement.
- Data Controller: Refers to the Company, the entity responsible for determining the purposes and means of processing personal data and ensuring compliance with applicable data protection laws.
- Personal Data: Refers to any information that relates to an identified or identifiable individual, such as name, contact details, employment information, and financial details, which are collected and processed by the Company.
- Consent: Refers to the voluntary and informed agreement provided by the data subject for the collection, processing, and storage of their personal data by the Company, based on clear and specific information.
- Legitimate Interest: Refers to the lawful basis for processing personal data when the Company has a legitimate and justifiable reason, supported by relevant legal obligations and business interests, to collect, process, and store personal data without explicit consent.
- Services: Refers to the short-term salary loan products and related financial services offered by the Company to eligible individuals who meet the specified criteria and requirements.
- Performance of Contract: Refers to the lawful basis for processing personal data when the Company collects, processes, and stores personal data necessary for the performance of the loan agreement and associated services, as requested by the data subject.
3.0 PURPOSE
This policy outlines measures taken by the Company to ensure protection against loss, damage, destruction, negligent disclosure, misuse, unauthorized access, and modification of personal data entrusted to the company by its internal and external stakeholders in compliance with the Data Protection Act, 2019.
4.0 SCOPE
This statement applies to all employees of the Company, customers, suppliers and all persons and entities that have any business dealings with the company.
5.0 GUIDING PRINCIPLES
- Lawful Purpose – The company shall ensure that a justifiable reason exists why it is collecting or processing the data of an individual or entity.
- Data Minimization – The company shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy – The Company shall take reasonable steps to ensure personal data is accurate and kept up to date.
- Archiving/Removal – The Company shall ensure that personal data is kept for no longer than necessary.
- Security – The Company shall put in place measures to prevent unauthorized access, sharing and loss of personal data.
6.0 HOW DATA IS COLLECTED
- Applications for a specific product or service.
- Responses that a customer submits to our forms, questionnaires, surveys, marketing promotions, prize competition and special offers.
- Communications with the Company, such as call records, customer service requests and tickets, and messages or comments posted on the Company-hosted social media platforms.
- Supporting documents such as government-issued identification, financial documents, and authorization letters.
- Information from other organizations, including credit-reference bureaus, fraud-prevention agencies and business directories.
- Information when a customer visits any of our premises.
- Personal information collected by our sales agents when a customer interacts with them.
- Usage details, navigation and clicks, traffic data, search history, IP addresses, location data, logs, communication data, and information collected through cookies, web beacons, and other tracking technologies.
- Anti-money-laundering records from name and sanctions screening vendors.
- Account information from partner financial institutions and service providers.
- Repayment and other transaction data from external collections agencies, mobile network providers and mobile money operators.
7.0 WHAT DATA IS COLLECTED
- Personal identifiers such as name, username, e-mail address, mobile number, photograph, KRA PIN, Date of Birth, address, location, age, gender or any other identifier by which a customer may be contacted online or offline.
- Transaction information from Mpesa statements and bank statements.
- Next of Kin details such as ID Number, phone number and relationship.
- Details on customer earnings as per their pay slip.
- Customer account information, information about their bank account numbers and SWIFT codes or other banking information.
- Credit scores or similar scores provided by credit-reference or credit-scoring entities.
- Call and message records when customers call and interact with the company through social media or other company-hosted platforms.
8.0 SPECIFIC USE OF THE DATA COLLECTED
- Processing applications for products and services, effecting payments, transactions and completing instructions or requests.
- Responding to any customer queries or concerns.
- Verifying customer identity information through publicly available and/or restricted government databases in order to comply with applicable regulatory requirements.
- Assessing suitability for products and services.
- Carrying out credit checks and credit scoring.
- Keeping customers informed generally about new products and services and contacting them about any new product, unless they opt out of receiving such marketing messages (a customer may opt out at any time by contacting the company or by sending STOP to the number provided in the SMS).
- To comply with any legal, governmental or regulatory requirement or for use by our lawyers in connection with any legal proceedings.
- In business practices including quality control, training and ensuring effective systems operations.
- To understand how the customer uses our products and services for purposes of developing or improving products and services.
- Preventing and detecting fraud or other crimes and for debt recovery.
- For research, statistical, survey and other scientific or business purposes.
- Providing aggregated data (which does not contain any information that may identify the customer as an individual) to third parties for research and scientific purposes.
- To administer any of the company’s online platforms/websites.
9.0 LAWFUL BASIS FOR PROCESSING CUSTOMER INFORMATION
- Consent – The data subject has given consent to the processing of his or her personal data for one or more specific purposes
- Contract – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- Legal Obligation – Processing is necessary for compliance with a legal obligation to which the controller is subject
- Vital Interest – Processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Public Task – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Legitimate Interest – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data
10.0 DISCLOSURE OF DATA
10.1 The company will respect the confidentiality of the personal data a customer provides.
10.2 Any disclosure of customer information shall be in accordance with the Data Protection Act, 2019. The company shall assess and review each application for information and may decline to grant such information to the requesting party.
10.3 Obtaining Consent:
- The Company will seek the customer’s explicit consent before sharing their personal data with any third party, except as permitted or required by law.
- The Company will provide the customer with clear and specific information regarding the purpose of the sharing, the categories of personal data to be shared, and the identities or types of third parties involved.
10.4 The Company may disclose customer information to:
- Law-enforcement agencies, regulatory authorities, courts or other statutory authorities in response to a demand issued with the appropriate lawful mandate and where the form and scope of the demand is compliant with the law.
- Our associates, partners, software developers or agents who are involved in delivering the company’s products and services the customers order or use;
- Fraud-prevention and anti-money-laundering agencies;
- Credit-reference agencies;
- Publicly available and/or restricted government databases to verify customer identity information in order to comply with regulatory requirements;
- Debt-collection agencies or other debt-recovery organizations;
- Survey agencies that conduct surveys on behalf of the company;
- Any other person with whom we deem it legitimately necessary to share the data.
10.5 We shall not release any information to any individual or entity that is acting beyond its legal mandate.
10.6 Marketing
- We may use a customer’s personal data to conduct market research and surveys with the aim of improving our products and services and for marketing purposes, promotional events, competitions and lucky draws.
- A customer can ask us to stop sending them marketing messages at any time by writing to us, by following the opt-out option on any marketing message sent to them, or by visiting or contacting us at any time through the provided contacts.
11.0 DATA RETENTION
11.1 We retain customer personal data in line with our legal and regulatory obligations and for business and operational purposes. In the majority of cases this will be for 7 (seven) years from the end of the customer’s relationship with us.
11.2 Anonymized information that can no longer be associated with the customer may be held indefinitely.
12.0 CUSTOMER ACCESS TO OWN DATA
12.1 If a client believes that our records contain inaccurate or incomplete information about them, they can visit any of our branch outlets to make the necessary amendments or write to compliance@pivot.co.ke.
12.2 Some changes will only be made once the necessary supporting documentation has been obtained.
12.3 The company will take reasonable steps to investigate the customer’s concerns and correct inaccurate information in a timely manner.
12.4 Where a customer wishes to know what personal data the company holds about them, they shall submit a request via email to compliance@pivot.co.ke, whereupon the company shall furnish the customer with the requested information upon verification of the client’s identity.
13.0 DATA SECURITY MEASURES
13.1 The Company implements an Information Security Management System to maintain the confidentiality, integrity and availability of the Company’s information resources, in keeping with industry standards and global best practices:
- Physical locations shall be protected from unauthorized access, threats, and damage.
- Data should be encrypted in accordance with the data classification and handling requirements.
- Backup practices of critical information resources should be performed, tested, and maintained.
- Data retention, decommissioning, and disposal requirements are aligned with contractual, legal, environmental, and business requirements.
- Endpoints should be protected by security hardening, malware protection, and host-based monitoring.
- Access should be restricted by access control, user access management, privileged access (principle of least privilege), access review, multi-factor authentication, and passwords, where applicable.
- Information resource logs should be managed, and security events should be monitored.
- Network access should be protected through a secure network infrastructure, network access controls, and information transfer requirements.
- Information security risks associated with third parties that access the Company’s information resources should be identified, assessed, and managed. Contracts with third-party vendors and processors should contain information security and confidentiality clauses. Information security reviews of third-party vendors and processors should be regularly performed.
- Procedures should be in place to recruit competent and qualified individuals as employees. A formal disciplinary process should be established and implemented for non-compliance with information security policies, standards, and procedures.
- Information resources should be maintained by identifying and remediating associated vulnerabilities.
- Formal change management requirements should be followed when introducing or modifying information resources.
- Information security incidents should be managed, including detection, analysis, resolution, and lessons learned. Incident response shall include preparation, identification, containment, eradication, recovery, and lessons learned.
- Compliance requirements should be established based on legislative, statutory, regulatory or contractual obligations, and shall be subject to independent review.
- A risk assessment process and framework should be established to identify and remediate information security risks.
- Requirements should be implemented to ensure information security controls are verified at regular intervals to assess their validity and effectiveness during adverse situations.
- Information resources should be managed by identification, inventorying, maintenance, and protection controls.
13.2 We have put in place procedures to deal with any suspected personal data breach and will notify the customer and any applicable regulator when we are legally required to do so.
14.0 TRANSFER OF CUSTOMER DATA OUTSIDE KENYA
14.1 The Company acknowledges that, in the course of providing our services, it may be necessary to transfer customer personal data to countries outside of Kenya. Such transfers may occur for various reasons, including, but not limited to, processing transactions, storing data, or engaging service providers located in other jurisdictions.
14.2 By using our services and providing their personal data to the Company, customers consent to the transfer of their personal data outside Kenya as described in this clause and in accordance with applicable data protection laws and regulations.
14.3 When transferring personal data outside Kenya, the Company will take all reasonable steps to ensure that adequate safeguards are in place to protect the privacy and security of that personal data. These safeguards may include implementing standard contractual clauses, relying on the recipient’s Privacy Shield certification (if applicable), obtaining customers’ explicit consent, or other appropriate measures as required by applicable laws.
14.4 Customers have the right to request further information about the safeguards implemented by the Company in relation to the transfer of their personal data outside Kenya. To exercise this right, or for any other inquiries regarding the transfer of personal data, customers can contact our Compliance Officer using the contact details provided in our Privacy Policy.
15.0 CUSTOMER DATA RIGHTS
15.1 Subject to legal and contractual exceptions, customers have rights under the Data Protection Act, 2019, in relation to their personal data. These are listed below:
- Right to be informed that we are collecting personal data about them;
- Right to access personal data that we hold about them and request for information about how we process it;
- Right to request that we correct their personal data where it is inaccurate or incomplete;
- Right to request that we erase their personal data noting that we may continue to retain their information if obligated by the law or entitled to do so;
- Right to object and withdraw their consent to processing of their personal data. We may continue to process if we have a legitimate or legal reason to do so;
- Right to request restricted processing of their personal data noting that we may be entitled or legally obligated to continue processing the customer data and refuse their request;
15.2 If a customer wishes to exercise any of the rights set out above, they can contact us on compliance@pivot.co.ke.
15.3 We may need to request specific information from the customer to help us confirm their identity and ensure their right to access their personal data (or to exercise any of their other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact them to ask them for further information in relation to their request to speed up our response.
16.0 COMPLAINTS HANDLING
16.1 The customer has the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC), the supervisory authority tasked with personal data protection within the Republic of Kenya, via the website (https://www.odpc.go.ke/file-a-complaint/).
16.2 However, the Company shall take appropriate steps to try to resolve the customer’s concerns through the procedure below:
- Receipt of Complaint:
  - Customers can submit their complaints regarding data privacy and protection by contacting the Company through designated complaint-handling channels.
  - Complaints can be submitted by email, phone, or in writing to the dedicated complaint-handling department or officer.
- Acknowledgment of Complaint:
  - The Company acknowledges receipt of the complaint promptly, typically within one business day.
  - The acknowledgment may be sent via email or in writing, confirming that the complaint has been received and is being reviewed.
- Investigation and Resolution:
  - The complaint is assigned to a qualified staff member responsible for handling complaints and resolving issues related to data privacy.
  - The staff member investigates the complaint thoroughly, gathering all necessary information and reviewing relevant records and documents.
- Communication and Updates:
  - Throughout the investigation process, the Company maintains regular communication with the complainant, providing updates on the progress of the investigation.
  - The complainant is kept informed of any significant developments, including the estimated timeframe for resolving the complaint.
- Resolution and Remedial Actions:
  - Once the investigation is complete, the Company determines an appropriate resolution for the complaint.
  - If a violation of data privacy policies or regulations is identified, remedial actions are taken promptly to rectify the issue and prevent recurrence.
  - The complainant is informed of the resolution and any actions taken to address the complaint.
- Final Communication:
  - The Company provides a final response to the complainant, outlining the findings of the investigation and the resolution reached.
  - The response may be sent via email or in writing, ensuring it is clear, concise, and addresses all relevant concerns raised in the complaint.
- Escalation:
  - If the complainant is not satisfied with the resolution provided, they have the option to escalate the complaint.
  - The Company designates an escalation point or appeals process for complainants seeking further review of their complaint.
  - The escalation process ensures a fair and impartial review by a designated authority within the organization.
- Closure and Documentation:
  - Once the complaint is resolved or escalated, the Company ensures that all relevant documentation, correspondence, and records related to the complaint are appropriately filed and retained for future reference.
  - Closure of the complaint is communicated to the complainant, confirming that the matter has been addressed and resolved to the best of the organization’s ability.
17.0 CONSEQUENCES OF BREACH
17.1 The Company treats data breaches and violations of the Data Privacy Policy with utmost seriousness.
17.2 In the event of a data breach, the company will promptly initiate an incident response process to contain and mitigate the breach, assess the impact, and restore the security of customer data.
17.3 Appropriate action will be taken against employees or third parties found to have violated the Data Privacy Policy, which may include disciplinary measures, termination of contracts, or legal action, as deemed necessary.
17.4 The Company will also comply with any legal obligations related to data breach notifications, including notifying affected individuals and relevant regulatory authorities as required by applicable laws and regulations.
18.0 CUSTODIANSHIP
The Board of Directors is the overall owner of this policy.
19.0 REVIEW
19.1 The Company regularly reviews and updates its Data Privacy Policy to ensure it remains accurate, relevant, and compliant with applicable laws and regulations.
19.2 The policy review includes an assessment of the effectiveness of data protection measures, identification of potential risks and vulnerabilities, and the incorporation of industry best practices.
19.3 Updates to the Data Privacy Policy will be communicated to customers through appropriate channels, such as the company website or direct communication.