Privacy Policy for WillingHost

1. Data protection principles
The Organisation is committed to processing data in accordance with its responsibilities under the DPA. DPA requires that personal data shall be:
a. processed in accordance with the right to privacy of the data subject;
b. processed lawfully, fairly and in a transparent manner in relation to any data subject;
c. collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
d. adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
e. collected only where a valid explanation is provided whenever information relating to family or private affairs is required;
f. accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
g. kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and
h. not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

2. General provisions
a. This policy applies to all personal data processed by the Organisation.
b. The Responsible Person shall take responsibility for the Organisation’s ongoing compliance with this policy.
c. This policy shall be reviewed annually.
d. The Organisation shall register with the Office of the Data Protection Commissioner as an organisation that processes personal data.

3. Lawful, fair and transparent processing
a. To ensure its processing of data is lawful, fair and transparent, the Organisation shall maintain a Register which shall be reviewed annually.
b. Individuals have the right to access their personal data and any such requests made to the Organisation shall be dealt with in a timely manner.

4. Lawful purposes
a. All data processed by the Organisation must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
b. The Organisation shall note the appropriate lawful basis in the Register.
c. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
d. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in the Organisation’s Register.

5. Data minimisation
a. The Organisation shall ensure that personal data acquired is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

6. Accuracy
a. The Organisation shall take reasonable steps to ensure personal data is accurate.
b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

7. Archiving / removal
a. To ensure that personal data is kept for no longer than necessary, the Organisation shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
b. The archiving policy shall consider what data should/must be retained, for how long, and why.

8. Security
a. The Organisation shall ensure that personal data is stored securely using modern software that is kept up-to-date.
b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of personal information.
c. When personal data is deleted this should be done safely such that the data is irrecoverable.
d. The Organisation shall put in place appropriate back-up and disaster recovery solutions.

9. Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Organisation shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Data Protection Commissioner within 72 hours.

H-PESA PRIVACY NOTICE

1. Introduction
1.1 At H-Pesa, we are committed to protecting your privacy.
1.2 This Policy applies where we are acting as a data controller/processor with respect to your personal data.

The personal data that we collect
1.3 We may process data enabling us to get in touch with you ("contact data"). This may include your name, email address, phone number, and/or social media account identifiers.
1.4 We process "account data". The account data may include your account identifier, name, email address, account creation and modification dates, website settings and marketing preferences.
1.5 We may process your "transaction data". The transaction data may include your name, contact details, your loan requests, disbursement schedules, mobile wallet credentials and other transaction details.
1.6 We may process "communication data" which may include communication that you send to us or that we send to you.
1.7 We may process "location data" which refers to data concerning your precise location when making a loan request as a borrower. We may also use GPS technology or other location services to determine your current location.
1.8 We may process "usage data" which may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use.

2. Purposes of processing and legal bases
2.1 Operations - We may process your personal data for the purposes of successfully operating our website and Application, by processing and fulfilling your loan requests, transferring funds to your mobile wallet account, managing repayments, informing you of repayment deadlines and other lending-related matters. The legal basis for this processing is our legitimate commercial interests.
2.2 Relationships and communications - We may process your personal data for the purposes of managing our relationship and communicating with you.
2.3 Direct marketing - We may process your personal data for the purposes of sending direct marketing communications by email and/or SMS. The legal basis for this processing is premised on your consent and protecting our legitimate interest in promoting our business.
2.4 Record keeping - We may process your personal data for the purposes of creating and maintaining our databases and business records in line with our legitimate commercial interests.
2.5 Security - We may process your data for the purposes of security and preventing and/or reporting criminal activity.
2.6 Legal compliance and vital interests - We may also process your personal data where such processing is necessary for compliance with a legal obligation to which we are subject.

3. Providing your personal data to others
3.1 We may disclose a borrower’s transaction and contact data to the lenders in the platform in as far as is necessary to facilitate a loan request.
3.2 By using the Services, you agree that we may, as necessary and appropriate for the Purposes, transfer and disclose any Customer Information to the following recipients globally (who may also process, transfer and disclose such Customer Information for the Purposes):
a. any member of H-Pesa and any sub-contractors, agents, service providers, or associates of H-Pesa (including their employees, directors and officers);
b. persons acting on your behalf, payment recipients, beneficiaries, account nominees, intermediary, correspondent and agent banks, clearing houses, clearing or settlement systems, market counterparties, upstream withholding agents, swap or trade repositories, stock exchanges, companies in which you have an interest in securities (where such securities are held by us for you);
c. any financial institutions, credit reference agencies or credit bureaus, for the purposes of obtaining or providing credit references;
d. any third party to whom we provide introductions or referrals;
e. any party in connection with any H-Pesa business transfer, disposal, merger or acquisition, wherever located, including in jurisdictions which do not have data protection laws that provide the same level of protection as the jurisdiction in which the Services are supplied;
f. third-party service providers under contract with H-Pesa that help us with our business operations, such as transaction processing, fraud prevention, and marketing. We share your Personal Information with these companies only as necessary to provide you with our Service; and
g. law enforcement, government officials or other third parties, but only in connection with a formal request, subpoena, court order, or similar legal procedure; or
h. when we believe in good faith that disclosure is necessary to comply with the law, prevent physical harm or financial loss, report suspected illegal activity, or to investigate violations of our User Agreement; or
i. for any other legally permissible purpose.

4. Retaining and deleting personal data
We will retain your personal data as follows:
4.1 Contact data will be retained for a minimum period of 3 months following the date of the most recent contact between you and us, and kept for the maximum period that you take to complete paying for your item;
4.2 Account data will be retained for a minimum period of 1 month following the date of closure of the relevant account, and for a maximum period of 3 months following that date;
4.3 Transaction data will be retained for a minimum period of 1 month following the date of the transaction, and for a maximum period of 3 months following that date;
4.4 Communication data will be retained for a minimum period of 1 month following the date of the communication in question, and for a maximum period of 3 months following that date;
4.5 Usage data will be retained for 3 months following the date of collection.

5. Your rights
5.1 Your principal rights under data protection law are:
(a) to be informed of the use to which your personal data is to be put;
(b) to access your personal data in our custody as a data controller or data processor;
(c) to object to the processing of all or part of your personal data;
(d) to correct false or misleading data about yourself; and
(e) to delete, or request the deletion of, false or misleading data about you.
5.2 You may exercise any of your rights in relation to your personal data by writing to us using the contact details on our website.

6. About cookies
6.1 A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
6.2 We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to our customers’ needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
6.3 Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
6.4 You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

7. Amendments
7.1 We may update this policy from time to time by publishing a new version on our website.

8. Our details
8.1 This website is owned and operated by H-Pesa.

9. Data Protection Officer
9.1 Our Data Protection Officer with respect to our obligations under data protection law is Meshack Masibo and you can contact him through info@masibolaw.co.ke