Privacy and Security Policy
Identigate Integrated Solutions Limited Company Number CPR/2015/211533 (Identigate) complies with the Kenya Data Protection Act. No. 24 of 2022 and other applicable laws when dealing with personal information. Personal information is information about an identifiable individual (a natural person).
This policy sets out how we will collect, use, disclose and protect your personal information.
This policy does not limit or exclude any of your rights under the Kenya Data Protection Act and other applicable laws. If you wish to seek further information on the Kenya Data Protection Act see www.kenyalaw.org
Changes to this policy
We may change this policy by uploading a revised policy onto our website (www.soja.co.ke) (the website). Unless stated otherwise, the change will apply from the date that we upload the revised policy.
What personal information do we collect
We collect, hold and process two categories of personal information
Account and Marketing Data is personal information that we collect about you:
in connection with the creation or administration of a customer account
if you ask to receive information about us or our services and products or sign up for our newsletter
when you contact us directly (e.g. telephone call, email or through the user dashboard) or visit our website.
The Account and Marketing Data we collect may include company/personal names, usernames, phone numbers, email addresses, your location, billing information, information about how you use our website or the Services (for example, traffic volumes, time spent on pages), your IP address and/or other device identifying data, and other information required to provide a service or information you have requested from us.
Visitor or Employee Data is personal information about a customer’s visitors or employees that is input into the Soja Visitors Management Service (as defined in our Terms of Service). Visitor and Employee Data may include visitors’ and employees’ names, ID Numbers, phone numbers, email addresses, locations and photos, times of visit, visitors’ employers’ names and any other information that a customer decides to capture about its visitors and employees.
We will not disclose, move, access, process or use Visitor or Employee Data except as provided in our Terms of Service and we require our customers to comply with applicable privacy and data protection laws.
Who do we collect your personal information from ?
- We collect personal information about you from:
- you, when you provide that personal information to us, including via our website and the Service, through any registration process, through any contact with us (e.g. telephone call, email or through the user dashboard) third parties where you have authorised this or the information is publicly available.
- If possible, we will collect personal information from you directly.
- When you visit or use our website or the Service, we may collect information about you:
Some provision of personal information is optional. However, if you do not provide us with certain types of personal information, you may be unable to enjoy the full functionality of our website or the Services.
We may also conduct user surveys to collect information about your preferences. These surveys are optional and if you choose to respond, your responses will be kept anonymous. Similarly, we may offer contests to qualifying users in which we ask for contact and demographic information such as name, email address and mailing address. None of this information is shared with third parties, except in summary form, if at all. Information we gather through a contest may also be disclosed to third parties as necessary for prize fulfillment and other aspects of any contest or similar offering.
How we use your personal information
We will use your personal information:
- to verify your identity
- to provide services and products to you
- to market our services and products to you, including contacting you electronically (e.g. by text or email for this purpose)
- to tailor content or advertisements to you;
- to improve the services and products that we provide to you
- to bill you and to collect money that you owe us, including authorizing and processing credit card transactions
- to respond to communications from you, including a complaint
- to conduct research and statistical analysis (on an anonymised basis)
- to protect and/or enforce our legal rights and interests, including defending any claim
- for any other purpose authorised by you, the Kenya Data Protection Act or other applicable law.Disclosing your personal information
We may disclose your personal information to:
any other company within our group for the purposes described in this policy
any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products or that assists us with our marketing and customer care activities described in this policy
other third parties (for anonymised statistical information)
a person who can require us to supply your personal information (e.g. a regulatory authority)
any other person authorised by the Act or another law (e.g. a law enforcement agency)
any other person authorised by you
any other company in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.
A business that supports our services and products may be located outside Kenya. This may mean your personal information is held and processed outside Kenya.
Protecting your personal information
We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse.
Accessing and correcting your personal information
Subject to certain grounds for refusal set out in the Kenya Data Protection Act or other applicable law, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.
In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to note on the personal information that you requested the correction.
If you want to exercise either of the above rights, email us at firstname.lastname@example.org. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting).
While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.
For the purposes of the GDPR:
we are the data controller (as defined in the GDPR) when processing Account and Marketing Data; and
We will not process Visitor or Employee Data except as provided in our Terms of Service and wee require our customers to comply with applicable privacy and data protection laws.
The remainder of this GDPR Addendum applies to Account and Marketing Data only, and does not apply to Visitor or Employee Data.
This GDPR Addendum was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal data. However, we are happy to provide any additional information or explanation needed. Any requests for further information should be sent to email@example.com
Processing personal data
The legal basis for our processing of Account and Marketing Data is your consent and, for certain Account and Marketing Data, processing is necessary for the performance of a contract to which you are a party.
Despite the above, we may process any of your personal data where such processing is necessary for compliance with applicable laws.
You do not have to provide us with your name or contact information to access and use the website. However, you must provide us with your name and contact information when using the Service and some of our other services. The consequence of not providing your name and contact information is that we will not be able to provide all of our services to you.
Your rights in relation to your personal data under the GDPR include:
right of access – if you ask us, we will confirm whether we are processing your personal data and provide you with a copy of that personal data.
right to rectification – if the personal data we hold about you is inaccurate or incomplete, you have the right to have it rectified or completed. We will take every reasonable step to ensure personal data which is inaccurate is rectified. If we have shared your personal data with any third parties, we will tell them about the rectification where possible.
right to erasure – we delete your personal data when it is no longer needed for the purposes for which you provided it. You may request that we delete your personal data and we will do so if deletion does not contravene any applicable laws. If we have shared your personal data with any third parties, we will take reasonable steps to inform those third parties to delete such personal data.
right to withdraw consent – if the basis of our processing of your personal data is consent, you can withdraw that consent at any time.
right to restrict processing – you may request that we restrict or block the processing of your personal data in certain circumstances. If we have shared your personal data with third parties, we will tell them about this request where possible.
right to object to processing – you may request that we stop processing your personal data at any time and we will do so to the extent required by the GDPR.
right to data portability – you may obtain your personal data from us that you have consented to give us or that is necessary to perform a contract with you. We will provide this personal data in a commonly used, machine-readable and interoperable format to enable data portability to another data controller. Where technically feasible, and at your request, we will transmit your personal data directly to another data controller.
the right to complain to a supervisory authority – you can report any concerns you have about our privacy practices to the relevant data protection supervisory authority.
Where personal data is processed for the purposes of direct marketing, you have the right to object to such processing, including profiling related to direct marketing.
If you would like to exercise any of your above rights, please contact us at firstname.lastname@example.org . If you are not satisfied by the way your query is dealt with by our data protection officer, you may refer your query to your local data protection supervisory authority.
We do not intend to collect personal data from children aged under 16. If you have reason to believe that a child under the age of 16 has provided personal data to us through our website and/or by using our services, please contact us at email@example.com
International transfer of data
The Account and Marketing Data may be transferred to, and stored in, a country operating outside the European Economic Area (EEA). Under the GDPR, the transfer of personal data to a country outside the EEA may take place where the European Commission has decided that the country ensures an adequate level of protection. In the absence of an adequacy decision, we may transfer personal data provided appropriate safeguards are in place.
Some of the Account and Marketing Data we collect is processed in Kenya (where our registered office is located). Kenya Has a data protection Act in place. We rely on this decision in transferring personal data to Kenya
Some of the Account and Marketing Data we collect is processed by third party data processors in other countries, including the United States. These countries are not subject to an adequacy decision by the European Commission and instead, in transferring your personal data to these countries, we take other appropriate safeguards as prescribed by the GDPR.
Data retention policy
Account and Marketing Data that we collect, and process will not be kept longer than necessary for the purposes for which it is collected, or for the duration required for compliance with applicable law, whichever is longer.
You can contact us at firstname.lastname@example.org