Privacy and Data Retention Policy

Privacy Policy

In its everyday business operations, Koa makes use of a variety of data about identifiable individuals. In collecting and processing the information Koa is required to comply with the Right to Privacy as stated in Article 31 of the Constitution of Kenya, 2010, the Data Protection Act, 2019 and the National Payment System Act (collectively referred to as the “Data Protection Laws”). The purpose of this policy is to describe the steps that Koa is taking to ensure compliance with the law. This policy applies to all systems, people and processes that constitute Koa’s information systems, including management, employees, consultants, clients, suppliers and other third parties who have access to Koa’s systems. Any breach of the Data Protection Act 2019 or our Data Protection Policies is a serious matter and could lead to disciplinary action or criminal proceedings in extreme cases. Other agencies and individuals working with us, and who have access to personal information held by us, are required to comply with this policy.

The following policies and procedures are part of this policy:

  • Terms & Conditions
  • Data Retention Policy
  • Cookie Policy

(Collectively referred to as our Policies).

Definitions
Act means the Data Protection Act, No. 24 of 2019 Laws of Kenya and the relevant Regulations thereunder.

Anonymization means the removal of personal identifiers from personal data so that the data subject is no longer identifiable.

Consent means any voluntary, specific and informed expression of will of a data subject to process personal data.

Data Commissioner means the person appointed under the Data Protection Act, 2019.

Data subject means an identified or identifiable natural person who is the subject of personal data.

Identifiable natural person means a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.

Koa means Koasave Africa Limited, a limited liability company duly incorporated in accordance with the laws of Kenya with its registered address at Ten Metropolitan Estate, Riverside Drive and of P.O. Box 41911-00100 Nairobi.

Koa Platform means the digital savings and investment platform that enables Members to access our digital mobile application and website providing customers access to savings and investment products.

Personal data means any information relating to an identified or identifiable natural person.

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data whether or not by automated means, such as:

  • collection, recording, organization, structuring;
  • storage, adaptation or alteration;
  • retrieval, consultation or use;
  • disclosure by transmission, dissemination, or otherwise making available; or
  • alignment or combination, restriction, erasure or destruction.

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, and such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Sensitive personal data means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, sex or the sexual orientation of the data subject, marital status, family information such as the names of their children, spouse or spouses, property information.

Third party means a natural or legal person, public authority, agency or other body, other than the data subject, data controller, data processor or persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.

Description of types of data retained
In its day to day functions Koa retains data about:

  • customers;
  • current, past and prospective employees and consultants;
  • stakeholders; and
  • other third parties who interact with Koa.

The information we retain may include:

  • names;
  • telephone numbers;
  • physical addresses;
  • copies of identification documents;
  • passport information;
  • KRA PIN certificates;
  • medical bio data of our employees/consultants;
  • gender;
  • ethnicity;
  • history of conviction;
  • sexuality;
  • race;
  • education and professional qualifications;
  • marital status;
  • family information;
  • financial information.

Data privacy is critically important to us. When handling personal data, we apply the following fundamental principles:

  • We do not ask for personal information unless we truly need it.
  • We do not share personal information with anyone except to comply with the law, develop our products, or protect our rights.
  • We do not store personal information on our servers unless required for the on-going operation of one of our services.

Sensitive personal data
Koa collects personal data such as data revealing an individual’s biometric data, property details, marital status, family details including names of the person's children, parents, spouse or spouses, sex or the sexual orientation. Where we collect sensitive data, the data shall be processed in accordance with the law and under the legally provided grounds set out below.

Protection of personal data & rights of data subjects
As Koa, we will ensure that we support the rights of persons whose personal data we collect. These rights include the right:

  • to be informed of the use to which data subject’s personal data is to be put;
  • to access data subject’s personal data in our custody;
  • to object to the processing of all or part of data subject’s personal data;
  • to correction of false or misleading data; and
  • to delete false or misleading data about data subjects.

Principles for data protection
The Act provides principles for data protection. It requires Koa to ensure that personal data is:

  • processed in accordance with the right to privacy of the data subject;
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected;
  • released to a third party only with the consent of the data subject; and
  • not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.

Koa will ensure that it complies with all of these principles both in the processing it carries out and as part of new methods of processing such as new IT systems.

Exercise of the rights of the Data subject
In order to exercise any of the rights of the data subject Koa has in place procedures to enable you to do the following:

  • access personal data held by Koa;
  • object to processing of personal data by Koa;
  • correct or delete false or misleading data held by Koa;
  • restrict processing of personal data;
  • data portability;
  • share and/or lodge complaints; and
  • get information on automatic individual decision making.

To access the procedure please contact the officer in charge at the following email

How do we use the personal data we collect?
We use information we collect in the following ways:

  • to facilitate your access to Koa’s Platform;
  • billing you for using our services;
  • responding to any of your queries or concerns;
  • quality control and ensuring maintenance of optimal business and system operations;
  • for the purpose of management of our employees; and
  • for purposes of management of contracts with Third Parties.

We may associate one or more categories of information with any other category of information that we see fit to and this combined information will be treated as personal data in accordance with the provisions set out in this policy, for as long as it is combined.

Processing of personal data
Koa will process the personal data we collect based on a lawful basis allowed under Data Protection Laws being:

  • with the data subject’s consent;
  • for performance of providing services through Koa’s Platform, or fulfilling contractual obligations with the data subject;
  • to support our legitimate business interests;
  • in compliance with a mandatory legal obligation;
  • in the data subject’s vital interests; and
  • public interest.

Disclosure of personal data
Koa will not share personal information with any other individual, or Third Party except in the following cases:

  • where we have obtained the data subject’s consent;
  • for legal reasons where there is a court order or a legal obligation which we have to comply with; or
  • it is necessary for public interest or national security.

Where we share personal data in the cases listed above we take all necessary steps to ensure that: the data is processed lawfully, we only disclose what is necessary, and the data is kept secure and all safeguards are put in place to ensure its protection.

Data Retention Policy
We only retain personal data for as long as it is necessary to do so in line with the provisions of Data Protection Laws. Once it is no longer necessary to retain the data we anonymize or pseudonymize the personal data. We ensure that we retain and maintain all relevant records in a manner that is: secure, confidential, accurate and up to date. How we handle data retention is more elaborately explained in our Data Retention Policy.

Exercise of Rights of the Data Subject
Every data subject has the right to:

  • be informed of the use to which their personal data is to be put;
  • access their personal data in custody of data controller or data processor;
  • object to the processing of all or part of their personal data;
  • correction of false or misleading data; and
  • deletion of false or misleading data about them.

In order to comply with these requirements, Koa has established the following procedures:

  • procedure for access to personal data;
  • procedure for objection to processing of personal data; and
  • procedure for correction and deletion of false or misleading data.

These procedures can be found in the Data Requests Procedures Manual.

Data Security
Koa is dedicated to keeping personal data secure. We shall endeavor to keep an up to date security procedure which shall include:

  • use of HTTPS for all communications with our servers;
  • storage in services which are encrypted at rest;
  • limiting access authorizations to the database and database systems including physical storage systems;
  • instructions to authorized users of the database, database systems and physical storage systems regarding the protection of data stored in the database;
  • clear instructions concerning the management and usage of portable devices;
  • carrying out periodic audits to ensure Koa complies with Data Protection Laws and policies; and
  • periodical audits to ensure the data held is accurate and up to date.

Data Breach
At Koa we ensure that we take all possible steps to safeguard all personal data that we store. However, in the event that there is a breach on our system and personal data has been accessed by an unauthorized person and there is real risk of harm to the data subject we shall:

  1. take immediate action to contain and stop the breach.
  2. notify the Data Commissioner within seventy-two (72) hours of becoming aware of the breach.
  3. where we can identify the data subject we will communicate to them in writing within a reasonable practicable period. This communication may be limited where it is necessary and appropriate for purposes of prevention, detection or investigation of an offense.

The notification above will contain:

  • description and nature of the data breach;
  • description of the measures we have taken and intend to take to address the data breach;
  • recommendation on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise;
  • (where applicable) the identity of the unauthorized person who may have accessed or acquired the personal data; and
  • the name of the officer from whom more information could be obtained.

When a breach occurs we record the information, particularly: facts relating to the breach, effects of the breach, and the remedial action to be taken. We shall maintain a record of all security incidents at all times.

Data Protection Impact Assessment
At Koa we will undertake a Data Protection Impact Assessment (DPIA) whenever necessary where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

The DPIA will follow the following phases:

Phase 1 detailed listing of the data processing including: the data to be used, the legal basis or retention periods applied to the data

Phase 2 identify the legal and risk treatment controls which are currently implemented. This phase involves the current and existing set of measures from a legal, technical, physical and business point of view.

Phase 3 list the risk sources to the data processing.

Phase 4 analyze and list potential negative events and threats to the data processing focusing on data subjects’ personal data, and potential impact of the new processing.

Phase 5 write and present a report that summarizes the analysis, the current controls, the risks to the business and the threats to personal data.

Transfer of personal data outside Kenya
We may transfer any identifiable personal data about a data subject outside Kenya. In the event that we are required to transfer any data outside of Kenya, we shall ensure that we seek the necessary consent from you (where necessary). Any transfer of data will be done with adequate safeguard measures put in place to ensure that there is no risk of a data breach.

Complaints handling
All complaints from data subjects regarding the way data is handled will be forwarded to

A complaint can be made either orally or in writing but where an oral complaint is made the designated officer will as soon as practicable reduce the oral complaint into writing.

We will investigate every complaint that we receive and get back to you within 14 days of receiving the complaint.

If you are not satisfied with the findings you have the right to appeal or to lodge a complaint to the Data Commissioner established under the Act.

Changes to our Policies  
We reserve the right to update or change our Policies at any time and you should check our Website periodically. Your continued use of our services after we post any modifications to our Policies on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Policies.

If we make any material changes to our Policies, we will notify you either through the email address you have provided us, or by placing a prominent notice on our website or at our office.

Data Retention Policy

The purpose of this Policy is to ensure that necessary records and documents are adequately protected and maintained and to ensure that records that are no longer needed by Koa or are of no value are discarded at the proper time in accordance with Koa’s policies and prevailing laws and regulations. This Policy is also for the purpose of aiding employees and consultants of Koa in understanding their obligations in retaining all personal information in written paper form or electronic documents, including e-mail, Web files, text files, sound and movie files, PDF documents, and all Microsoft Office or other formatted files. All employees and consultants of Koa, contractors and external parties with access to Koa’s information systems are bound by this Policy.

Description of types of data retained
In its day to day functions Koa retains data about:

  • Customers;
  • Current, past and prospective employees and consultants;
  • Stakeholders; and
  • Other third parties who interact with Koa.

The information we retain may include:

  • names;
  • telephone numbers;
  • physical addresses;
  • copies of identification documents;
  • passport information;
  • KRA PIN certificates;
  • medical bio data of our employees/consultants;
  • gender;
  • ethnicity;
  • history of conviction;
  • sexuality;
  • race;
  • education and professional qualifications;
  • marital status;
  • family information;
  • financial information.

Guidelines and Procedures
It is our intention to ensure that all records and the information contained therein is:

  • Accurate - records are always reviewed to ensure that they are a full and accurate representation of the transactions, activities or practices that they document.
  • Accessible - records are always made available and accessible when required (with additional security permissions for select staff where applicable to the document content).
  • Complete - records have the content, context and structure required to allow the reconstruction of the activities, practices and transactions that they document.
  • Compliant - records always comply with any record keeping legal and regulatory requirements.
  • Monitored - company, staff, and system compliance with this Data Retention Policy is regularly monitored to ensure that the objectives and principles are being met.

Data Storage
Documents are always retained in a secure location, with authorized personnel being the only ones to have access. Once the retention period has elapsed, the documents are either deleted, erased, anonymized or pseudonymized depending on their purpose, classification and action type.

Retention Period
All records retained during their specified periods are traceable and retrievable. Any file movement, use or access is tracked and logged, including inter-departmental changes. All information is retained, stored and destroyed in line with legislative and regulatory guidelines. For all data and records obtained, used and stored by Koa, we:

  • carry out periodical reviews of the data retained, checking purpose, continued validity, accuracy and requirement to retain;
  • establish and verify retention periods for the data, with special consideration given to Koa's business needs, types of personal data and subjects, the nature of and lawful basis of data processing necessary.

Where it is not possible to define a statutory or legal retention period, as per the law Koa will identify the criteria by which the period can be determined and provide this to the data subject on request.

Destruction and Disposal of Records and Data
All information of a confidential or sensitive nature on paper or electronic media must be securely destroyed when it is no longer required after a period of seven (7) years. This ensures compliance with the Data Protection laws and the duty of confidentiality we owe to our employees, clients and customers. We are committed to the secure and safe disposal of any confidential waste and information assets in accordance with our contractual and legal obligations and that we do so in an ethical and compliant manner.

Suspension of record disposal in event of litigation or claims
In the event Koa is served with any request for documents or any employee/consultant becomes aware of a governmental investigation or audit concerning Koa or the commencement of any litigation against or concerning Koa, such employee/consultant shall inform Koa’s Management and any further disposal of documents shall be suspended until such time as Koa’s Management, with the advice of counsel, determines otherwise. Koa’s Management shall take such steps as is necessary to promptly inform all staff of any suspension in the further disposal of documents.

Right to erasure and rectification
We recognize that data subjects have the right to request us to:

  • rectify without undue delay personal data in our possession or control that is inaccurate, outdated, incomplete or misleading; or
  • erase or destroy without undue delay personal data that we are no longer authorized to retain or that is irrelevant, excessive or obtained unlawfully.

The procedure for making a request for erasure or rectification can be found in the Data Requests Procedure manual.

Retrieval of data
All requests for data shall be made by filling a data request form which shall be lodged with the relevant department and the designated data protection officer (where applicable). Every customer has the right to access their information held by Koa and shall be guided to do so as set out in our Policies. Retrieval of online records shall not exceed 30 days unless there are certain prevailing circumstances preventing compliance in which case, the requesting customer shall be informed of the delay immediately. Where any information requested is required for purposes of protection of life or liberty of a person, the duration for retrieval shall be within 48 hours from the time of request. Koa may, where such retrieval requires an extensive search through a large amount of information and meeting the stipulated time will unreasonably interfere with its activities or where consultations are necessary before the information is released, extend the period to not more than fourteen (14) days or as the law may provide from time to time.

Appropriate information handling is critical to the protection of customer data, employees’ information, third party information and for the security of Koa’s operations. Any employee who does not comply with this policy shall be subject to disciplinary action. Any third party who has access to Koa and its customers’ information who does not comply with this policy shall be in breach of their contractual terms and obligations. All employees/consultants shall be responsible for the implementation and maintenance of the requirements of the law and this policy. Koa shall be accountable for ensuring that appropriate security controls are identified, and their compliance measured and shall audit the security controls from time to time.

Where systems, procedures or processes are not able to meet these requirements they should be reviewed by Koa’s Management. Where an appropriate business justification exists, exceptions may be sought.