AGENCIFY DATA PROCESSING POLICY AND NOTICE

Privacy and trust are key to Agencify and we are committed to protecting personal information. This Data Processing Policy and Notice (Policy) applies to any use of the Agencify websites, mobile applications or applications accessed from other platforms through APIs (the Platform) or any other interaction or transaction between a user of the Platform (you, user or Provider (as defined below) as the context may so admit) and Agencify that would result in processing of Personal Data (as defined below). A user includes any individual that accesses this Platform. This Policy sets out how we process such Personal Data and how we expect users of our Platform to process Personal Data. The Policy and our treatment of your Personal Data complies with the Data Protection Act of Kenya 2019 (as otherwise amended or varied from time to time). All Providers are also required to comply with this Policy and reference to “we” or “us” also includes the Providers as the context so admits.

Please review this Policy carefully to understand our practices. For the avoidance of doubt, this Policy is incorporated by reference into the terms of use governing your use of the Platform and any other agreement entered into with us unless specifically excluded (Main Agreement).

The Platform is not intended for children and we do not knowingly enter into agreements with children. Any data relating to children that is provided will be provided by the parent or legal guardian and it will be processed in accordance with this Policy in connection with the Services.

  1. TERMS
    1. For ease of reference, the terms below as used in the Policy have the following meaning:
      1. Account means the account you create when registering as a user on the Platform to enable you to access Services;
      2. Controller, processor, data subject, personal data, personal data breach, processing, Data Commissioner: as defined in the Data Protection Legislation;
      3. Data Protection Legislation: the Kenya Data Protection Act of 2019 and any regulations issued under it, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and the guidance and codes of practice issued by the Data Commissioner;
      4. Effective Date: the effective date of the Main Agreement.
      5. Personal Data: any information identifying a data subject or information relating to a data subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers. Reference to Personal Data may include sensitive personal data to the extent relevant.
      6. Services means such services made available, accessed, published or otherwise offered through the Platform.
      7. Shared Personal Data: the Personal Data that may be shared by the parties under this Policy, including as between Agencify and a Provider or between Providers;
  2. DATA CONTROLLER

Agencify Limited is the data controller and is responsible for your Personal Data (referred to as “we”, “us” or “our” in this Policy). If you have any questions about this Policy, please send an email to datapolicy@agencify.insure.

  3. DATA PROCESSOR
    1. The service providers using the Platform, namely the insurance companies and the insurance agents, act as data processors in their individual capacities (the Providers).
    2. Each Provider is required to ensure that it has all necessary consents and notices in place to enable the lawful collection and processing of Personal Data, including but not limited to, the lawful transfer of the Personal Data to Agencify.
    3. The Provider will comply with all applicable requirements of the Data Protection Legislation. This Policy is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.
    4. Without prejudice to the generality of clause 3.3, the Provider shall, in relation to any Personal Data processed in connection with the performance by the Provider of its obligations under the Main Agreement or otherwise in the provision of the Services:
      1. process that Personal Data only as permitted under this Policy or unless the Provider is required by Data Protection Legislation or any other applicable laws to otherwise process that Personal Data;
      2. ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
      3. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and
      4. not transfer any Personal Data outside of Kenya unless the prior written consent of the data subject has been obtained or the following conditions are fulfilled:
        1. the Provider has provided appropriate safeguards in relation to the transfer;
        2. the data subject has enforceable rights and effective legal remedies;
        3. the Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
        4. the Provider complies with reasonable instructions notified to it in advance by Agencify with respect to the processing of the Personal Data;
      5. not transfer any sensitive personal data outside of Kenya unless the prior written consent of the data subject has been obtained and the Provider has provided appropriate safeguards in relation to the transfer;
      6. assist Agencify in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
      7. notify Agencify without undue delay on becoming aware of a Personal Data breach;
      8. at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the Main Agreement unless required by applicable law to store the Personal Data; and
      9. maintain complete and accurate records and information to demonstrate its compliance with this Policy.
    5. Agencify does not consent to the Provider appointing any third party processor of Personal Data under the Main Agreement unless otherwise expressly approved in writing by Agencify.
    6. In the event of a dispute or claim brought by a data subject or the Data Commissioner concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion. Each party shall abide by a decision of a competent court or the Data Commissioner.
    7. The Provider will allow Agencify to audit its systems, processes and premises at any time on reasonable advance notice and only on a business day for the purposes of allowing Agencify to verify and audit Provider’s compliance with this Policy.
  4. DATA COLLECTED
    1. Depending on the Services you are obtaining or accessing, the following different types of information may be collected, stored, used and transferred through the Platform:
      1. Identity information such as your first name, last name, username or similar identifier, nationality, date of birth.
      2. Contact information such as your billing address, delivery address, email address and telephone numbers, the name of your business, and/or location.
      3. Professional information such as qualifications and/or other information relating to your employment and your employer.
      4. Financial information such as preferred mode of payment, bank account, payment card details, and/or Mpesa details.
      5. Transaction data such as details about payments to and from you and other details of products and services you have purchased or accessed through the Platform.
      6. Verification information such as your government issued national identification or passport, KRA PIN certificate, business permits, company incorporation certificates, and/or location.
      7. Account information relating to the use of the Platform including profile data such as your username, password, orders, interests, preferences, survey responses and/or feedback or any other communication with the Platform.
      8. Automatic information and information about your device including technical data (internet protocol (IP) address, login data, time zone setting, browser type and version, location, browser plug-in types and versions, operating system and platform, and/or other technology on the devices you use to access the Platform). Note that this automatic information and device information is used to screen for potential risks and fraud, to improve and optimize the Platform, to ease access to the Platform, and to carry out upgrades, data analysis, improve the Services. You can set your browser to refuse all or some browser cookies, but this will make some parts of the Platform inaccessible or not function properly.
      9. Marketing and communications data such as your preferences in receiving marketing from us and our third party partners and your communication preferences.
    2. Please note that the list in this clause is not an exhaustive list.
    3. We may collect and use statistical or demographic information for any purpose. This data is anonymous and it is not personal information as this data will not directly or indirectly reveal your identity. However, if we combine or connect statistical/demographic information with your Personal Data, we treat the resulting information as Personal Data and it will be used in accordance with this Policy.
    4. We may collect sensitive personal data about you depending on the nature of the Services or your interaction with the Platform. Sensitive personal data includes: details about your race or ethnicity, conscience, health status, sex, family details including the names of that person's children, parents, spouse or spouses, biometric data and property details.
    5. Where we need to collect Personal Data by law, or under the terms of a contract we have with you, and that data is not provided when requested, it may be difficult to provide certain Services and the provision of the Services or access to the Platform may have to be cancelled or stopped.
  5. HOW DATA IS COLLECTED
    1. We use different methods to collect the data described in Clause 4.1 from and about you including through:
    2. Direct interactions. You may provide your Identity, Contact and Financial Information by filling in forms or by corresponding with us or a Provider by post, phone, email, through the Platform or otherwise. This includes Personal Data provided when you:
      1. create an Account on our Platform;
      2. use our Platform;
      3. subscribe to or use our Services;
      4. request marketing to be sent to you;
      5. enter a competition, promotion or survey; or
      6. give us feedback or contact us.
    3. Automated technologies or interactions. As you interact with our Platform, we will automatically collect Technical Data about the equipment, browsing actions and patterns. We collect this Personal Data by using cookies, server logs and other similar technologies.
    4. Third parties or publicly available sources. We will receive Personal Data about you from various third parties and public sources as set out below:
      1. Technical information from the following parties: analytics; advertising networks; and search information providers.
      2. Contact, verification, financial and transaction Information from the Providers.
      3. Contact, financial and transaction information from providers of technical, payment and delivery services.
      4. Contact, financial and transaction information from parties which you may have entered into.
      5. Identity, verification and contact information from publicly available sources, including but not limited to NTSA and other similar public registries or databases.
  6. ACCURACY OF THE DATA
    1. It is important that the Personal Data we hold is accurate and current to ensure that the Services can be delivered effectively. As such, please keep us informed if your Personal Data or any other information changes in the course of your use of the Platform.
    2. You guarantee and declare that you are the owner of the information you submit on the Platform or share with us, or that you have the necessary rights to do so. You also guarantee and declare that it is exact, true and verified, and the use of the information is not contrary to this Policy or applicable laws and will not damage a third party’s reputation. You accept full and complete liability for any information that is contrary to this Policy or any applicable laws.
  7. USE OF THE COLLECTED DATA
    1. How your Personal Data is used depends on the Services you are accessing. We will use your Personal Data to provide you with the Services, in particular:
      1. By the Providers in order to provide the Services;
      2. Run targeted marketing campaigns in the case of an insurer.
      3. To contact you about the Services, events and promotions (where you have agreed to us doing so);
      4. To comply with our legal obligations;
      5. To perform a task in the consideration of the greater public interest;
      6. Where necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and/or
      7. Where the Personal Data is required for statistical or research purposes.
    2. Note that we may process your Personal Data for more than one lawful ground depending on the specific purpose for which we are using your data.
    3. Any sensitive personal data that we use to provide you with the Services will be used only for one of the following purposes:
      1. To establish, exercise or defend a legal claim; and/or,
      2. By us or the Providers in order to carry out our obligations and exercising our specific rights or your rights (as a data subject).
    4. Generally, we do not rely on consent as a legal basis for processing your Personal Data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
  8. SECURITY
    1. If you are a registered user of the Platform, you are entirely responsible for maintaining the confidentiality of your password and login name. Furthermore, you are entirely responsible for any and all activities that occur under your Account. You must immediately notify us of any unauthorized use of your login name or any other breach of security known to you.
    2. The security and integrity of your Personal Data is important to us and we have in place appropriate security measures and take all due care to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Unfortunately, we cannot guarantee its absolute security since there is no method of transmission over the internet or method of electronic storage that is fully secure. We disclaim all liability to you to the greatest extent possible under the law should such a breach of security occur.
  9. SHARING YOUR PERSONAL DATA
    1. Except as specified in this Policy, we will not disclose your Personal Data to third parties without your consent. Depending on the Services, we may share your Personal Data with:
      1. Internal third parties such as companies which are affiliated with us;
      2. External third parties such as service providers (for example, without limit, valuers), Kenya Revenue Authority, and other governmental bodies should we be required to do so;
      3. other users of the Platform or our Services to facilitate matching between requests and services offered provided that only necessary Personal Data shall be shared for this purpose only;
      4. Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Policy.
    2. Depending on the Services you are accessing, we may share certain personal information with third parties to help us use your personal information. We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
    3. We will also disclose information, including Personal Data, to third parties:
      1. when we are required to do so by a court order or by any regulatory authority;
      2. where we are required to do so in order to comply with our legal and regulatory obligations in terms of any legislation or regulation applicable to us and our business (including fraud prevention and anti-money laundering);
      3. in order to exercise, protect and defend our rights and property (including our intellectual property); or
      4. where such disclosure is in the public interest.
  10. TRANSFER OF DATA
    1. Your personal information may be transferred outside Kenya either for ease of delivery of Services, storage or other necessary form of processing. When such transfer is necessary and for your benefit, we ensure an appropriate and similar degree of protection is afforded to it by requiring implementation of relevant safeguards by the recipient of the Personal Data as required by the law in Kenya.
    2. Your sensitive Personal Data will also be transferred outside of Kenya for the same reasons as described above in this section. By accepting this Policy, you are providing us with your express consent to the transfer of your Personal Data as laid out above. We will ensure an appropriate degree of protection is afforded to the transfer of sensitive Personal Data outside of Kenya by requiring implementation of relevant safeguards.
  11. RETENTION OF DATA
    1. We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. Your Personal Data may be retained for a longer period where there has been a complaint or there is a prospect of litigation with respect to your use of the Platform.
  12. MARKETING
    1. We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising. You will receive marketing communications from the Platform or from the Providers if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing.
    2. You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.
    3. Where you opt out of receiving these marketing messages, this will not apply to Personal Data provided to us as a result of a product/service purchase, product/service experience or other transactions.
  13. YOUR LEGAL RIGHTS
    1. In accordance with the Data Protection Legislation, you may have the right to:
      1. Be informed of the use to which your Personal Data is being put;
      2. Access your Personal Data;
      3. Object to the processing of your Personal Data;
      4. Request restriction of the processing of your Personal Data;
      5. Request for correction of false or misleading Personal Data;
      6. Request the transfer of your Personal Data;
      7. Request erasure of false or misleading Personal Data. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request; and
      8. Withdraw consent at any time where we are relying on consent to process your Personal Data. Note that this does not affect the lawfulness of any processing based on prior consent before your withdrawal.
  14. WARRANTIES AND INDEMNITIES WITH RESPECT TO SHARED PERSONAL DATA
    1. Agencify and each Provider or any other data processor processing data relating to the Platform warrants and undertakes that it will:
      1. Process the Shared Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations including the Data Protection Legislation.
      2. Respond within a reasonable time and as far as reasonably possible to enquiries from the Data Commissioner in relation to the Shared Personal Data.
      3. Respond to data subjects’ requests in accordance with the Data Protection Legislation.
      4. Where applicable, maintain registration with the Data Commissioner to process all Shared Personal Data for the Agreed Purpose.
      5. Take all appropriate steps to ensure compliance with the security measures set out in this Policy.
    2. The parties undertake to indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of this Policy, except to the extent that any such liability is excluded under this section. Indemnification hereunder is contingent upon:
      1. the party to be indemnified (the indemnified party) promptly notifying the other party (the indemnifying party) of a claim,
      2. the indemnifying party having sole control of the defence and settlement of any such claim, and
      3. the indemnified party providing reasonable cooperation and assistance to the indemnifying party in defence of such claim.
      4. A party’s total liability under this clause is limited to KES1,000 for any one claim.
  15. CHANGES TO THE POLICY
    1. We regularly review and update this Policy in order to reflect changes to our practices, for operational, legal or regulatory reasons, and for any other purpose. Any revisions to this Policy will be uploaded to the Platform and such upload will be deemed to be sufficient communication to you. Where you are a registered user, we may elect, in our own discretion, to notify you of any revision through a notice on your Account.

Last updated: 7 July 2020