Kenya Privacy Notice

Read this Privacy Notice if you want to know how Unlimint Kenya gathers, processes, and stores your personal data.

This Notice’s purpose is to tell you which personal data we process, how, why and for how long we process your personal data. It is important to Unlimint that you know your rights regarding your personal data and how to reach us.

To completely understand Unlimint and our service offering, please read this Notice with the relevant Terms and Conditions and Cookie Policy on our Website.

Who is Unlimint?

Unlimint and its group companies or businesses are part of a global payments and technology organisation holding various licenses and authorizations as each business is obliged to under the laws and regulations it operates in.

Unlimint Kenya Limited (“Unlimint” or “we”) provides our merchants with payment services and the platforms and applications (“platforms”) through which credit card payments services and other alternative payment methods are offered (“payment services”) to merchants.

When you use our payment services through a merchant of Unlimint, the merchant is the data controller.

This may change depending on your chosen services and products or when they become available in Unlimint.

When you visit our Website, or you are an employee of Unlimint, Unlimint is the controller of your personal data.

Warning: Our Website may contain links to or come from websites or applications with their privacy notices or policies, which Unlimint does not control. These websites will have differ-ent privacy notices or statements, and we do not control these websites. Unlimint does not accept any responsibility or liability for such websites.

In this Notice, the following terms are defined as below:

  • Personal data” refers to information that identifies you or may identify you (depending on who you are, i.e. a merchant, cardholder, supplier or business partner and how you interact with us, we may process different types of personal data).
  • Processing” of personal data refers to collecting, gathering, handling, storing, transmitting and combining personal data.
  • A “Processor” is a company that provides its services the behalf of the merchants.
  • Data subject” is a person that can be identified or identifiable from the personal data processed by a controller or processor.
  • A “Merchant” is a company or online service/goods provider that uses our services to enable payments so that you can pay for goods, services or both.

What this Notice tells you

This Notice contains a description of:

  1. Why and when do we process personal data:
      • Why do we process personal data
      • When do we process personal data
  2. What types of personal data do we process
  3. How do we collect and use personal data
  4. What are the lawful grounds that we rely on to process your personal data
  5. Purposes for which we use your personal data
  6. Automated decision making and profiling
  7. Who do we share your personal data with
  8. Data Transfers outside Kenya
  9. Website and automatic collection—cookies, IP addresses and other tracking
  10. How we keep your personal data secure
  11. Your rights and how to raise a complaint
  12. How long we keep your personal data
  13. How to contact us
  14. Your responsibilities
  15. Changes to our Privacy Notice

Why and when do we process personal data?

Why do we process personal data?

We provide services to a merchant under a contract that the merchant has entered into with us. In this scenario, Unlimint needs your personal data for the following purposes:

  • To meet our legal obligations: We are required to identify you, verify and authenticate your identity and perform due diligence checks on you, and if you are a juristic person, we also then have to verify your ultimate beneficial owners. This is a legal obligation on Unlimint under applicable payments, anti-money laundering, sanction and anti-bribery and anti-corruption laws, as well as multiple directives, regulations and guidance to combat fraud, money laundering and bribery and corruption.
  • For contractual purposes: To establish and maintain a business relationship for the provision of our services, to complete payment transactions, and performance of contractual obligations between Unlimint and its merchants.
  • For our legitimate interests: We implement physical and logical security best practices, access control management and underlying analytics which may require processing of your personal data. We do this so that we can provide our payment services, maintain online and physical security of your personal data and protect against cybercrime and fraud.

When do we process personal data?

Personal data is collected before and during the contractual relationship with the merchant.

For example, when we perform card or online payment processing, Unlimint, in the capacity of a processor for the merchant, processes personal data received from merchants, which is required for processing payments for merchants and reporting transactions to the merchant.

This includes personal data such as transaction details and payment reference identifier and personal data in the context of transactions processing (such as payment instrument and transaction details, identification details, contact details, such as email, telephone, name on card, date of birth), to complete the transaction initiated by the cardholder or payer to the merchant.

Please check your merchant’s privacy notice or statement regarding further information about your personal data and how it is processed.

If we are not able to process certain categories of personal data then it can result in Unli- mint not being able to perform its services under its contract with a merchant or execute a payment instruction without the requested personal data and we may no longer be able to continue with an existing relationship and provision of our services to a merchant.

What types of personal data do we process?

Various types of personal data are processed in the context of the relationship between you and Unlimint, depending on the service and product you are using. These may include:

Your personal data

Name, previous names, data and place of birth, language, if you hold prominent public functions (PEPs), residence permit.

Your personal contact details

Work address, home address, email address, telephone number, and other contact details.

Your identity information

Passport, National ID card, Nationality, Utility bill, tax residence and tax ID.

Relevant financial information

Personal bank details, professional status, employment field, employer details (including, for example, information such as certificates of directors).

Specific authentication personal data

A signature or your user login to access our service dashboards.

Communications

Personal data that you may provide by filling in forms or by communicating with us (e.g., directed to us in letters, emails, via our electronic channels).

Transactional and other/ documents information

Personal data arising for the execution of payment transactions (including data such as date, time, amount, currencies, beneficiary details, location information and merchant details), supplementary/supporting documentary evidence related to transactions, and further information arising from contractual obligations between Unlimint and merchants.

Location and technical information

Location data (for example, at the time of login or a transaction); IP addresses and device information, visitor’s information and similar information subject to our Cookie Policy.

Publicly available Personal Data

Details about you from public records and available in publicly accessible databases.

Investigations data/ results of due diligence and enhanced due diligence

Personal data regarding criminal convictions and offences (special category of data), as part of its compliance measures with regulatory obligations, as well as other supporting documents and personal data related to the categories above.

CCTV

Closed circuit television (CCTV) at our offices (which may collect videos of you).

Consents

Personal Data that you agree to give us by your active consent when you use our services or visit our Website.

Please note that this is a non-exhaustive list and personal data collected is strictly dependent on our relationship with you.

How do we collect your personal data?

  1. When you submit your personal data to us

This can happen in different ways:

  • When you have agreed to give to the merchant your personal data who has a contract with us so we can provide our services to them. E.g., during the course of our business relationship with a merchant, the merchant is required to complete our application form and undergo Unlimint’s verification and compliance checks which requires the merchant to ensure that its payers or customers know and understand that we will process Transactional Information, Location and Technical information to perform this service. We take all reasonable steps to collect the personal data of payers or customer only what is needed to process the transaction for the Merchant.
  • When you accept our Privacy Notice, receive communications from us, via email or forms available on our Website or any other means of communication. When you accept us collecting such Personal Data, you have the right to opt out of such collection at any time. If you want to opt-out please go to our Website.
  1. Personal Data we collect when you use our services

This personal data may include the following:

  • Payment and Transactions data.
  • Profile and usage data (such as data when you connect to internet banking, or SMS services (if applicable), and may include Personal Data on how you use the services. We may collect data from devices you use to connect to the services, such as computers and mobile phones, such as your IP address and use cookies (go to our Cookie Notice).
  • Third-party data. Personal data we lawfully obtain from other entities such as service providers, fraud prevention aggregation agencies, public authorities, persons that refer you to us, our Group companies, and companies processing payments.
  • Public Data such as databases and publicly accessible sources for licenced entities, such as Unlimint, due to the nature of Unlimints’ services (e.g., this includes Registrars of Companies, Commercial Registries, AML and sanction screening databases).

What are the lawful grounds we rely on to process your personal data?

When we process your personal data, we rely on one of the processing legal bases below. We may process your personal data for different purposes (covered in Section 5), and in such cases, the same personal data will be processed under another legal basis.

  • Conclusion and performance of a contract. We process personal data to provide our payment services to merchants and perform our obligations under the contract that we have concluded with such merchants.
  • Legal obligation or public interest. Unlimint is subject to various legal obligations regulatory requirements when we provide payment services to you or merchants. We are also required to implement regulations and directives of multiple authorities to ensure compliance. The legal obligations require us to process personal data for carrying out identity verification, , money laundering, fraud prevention, compliance with our record reporting obligations, tax obligations, risk control measures, and providing information to a competent authority, public body or law enforcement agency (if required).
  • Legitimate interests. Where necessary, we may process personal data where there is a legitimate interest for us or a third party in pursuing commercial and business interests, except where your interests, fundamental rights and freedoms override such interests.
  • Your consent. Your personal data will be processed in this way if you agree to this. Where the legal basis is the consent you provided, you may withdraw your consent at any time. The revocation of your consent will not affect the legality of the data processed before the revocation.

Purposes for which we use your personal data

We process your personal data for the following purposes:

1. Perform our obligations under our contracts with our merchants or banks or both which may include the following activities:

  • To verify, authenticate and authorize your identity (e.g., for Know your customer and fraud prevention purposes);
  • To provide our payment services (e.g., conduct merchant acceptance procedures to enter into a contract with the merchants);
  • To complete payment transactions for our merchants;
  • To execute merchant payment requests i.e. act upon instructions of the merchant;
  • To perform our contractual obligations with our merchants or banks or both which may include processing of your personal data.

2. Ensure we comply with the applicable law and regulations and, directives which in- cludes the following activities:

  • To perform anti-money laundering checks and evaluations;
  • For crime prevention purposes and, when required, to cooperate with authorities;
  • Enforce or defend the rights of Unlimint or Unlimint group/affiliates;
  • Ensure physical and technical security and business continuity;
  • For internal operational support and administrative purposes (e.g., product development, audit, risk management);
  • General administrative functions (e.g. maintenance of our internal records necessary for keeping up-to-date information in our systems, general record-keeping).

3. To communicate, establish and maintain our services relationship with you:

  • To provide ongoing support and handle inquiries, complaints and similar issues;
  • To provide information about our products, services or both when you request it;
  • To ensure that our internal procedures and protective measures against fraud, risk and financial crime are followed and that you are kept informed of this;
  • To obtain reports of an online problem (e.g. with our website or payment services);
  • To notify you of any quality management change, important product or service improvement, update or upgrade.

4. To market our product and services:

  • To provide information about our products, services or both;
  • To improve and customise the content of our advertisements, promotions, andadvertising that you may be interested in;
  • To gather statistics and analytics for internal purposes and improvement of services and Website.

The provision of marketing activities is subject to the applicable laws of the country in which the marketing and communication activity occurs. This means that you can in Kenya actively opt-in to receive such marketing communications. You are entitled to opt-out from receiving such marketing by clicking on the opt-out or unsubscribe link(s) provided in Unlimint marketing communications.

Automated decision-making and profiling

Automated decision-making means making decisions through automated means of processing personal data without human intervention. We do not generally use automated deci- sion-making in establishing and carrying out a business relationship.

However, we may process some specific data automatically by using systems to make automated suggestions or decisions, including profiling, based on information we have or collect from other authorised sources. This helps us ensure we can react quickly and efficiently, with an aim also to protect our Merchants and payers. We may use automated decision-making and profiling to undertake anti-money laundering and anti-fraud measures. We may use your personal data to help us identify if any account/payment instrument is potentially being used for purposes of fraud or money-laundering/terrorist financing, or sanctions contraventions. If we determine a risk of fraud or unauthorised activity, we may stop activity on the account/block the payment instrument, or refuse access to them.

Who do we share your personal data with?

Internally within Unlimint group companies and affiliates

Unlimint shares your personal data within Unlimint to carry out its operations as a global company. This means that Unlimint Kenya may share personal data with third parties from within the same group of companies to which Unlimint belongs. We may disclose your personal information to:

  • Provide and receive support services and technical services;
  • Contribute to research, data analytics and studies to improve our products and services.

Externally

We do not share personal data with third parties unless this is necessary for our legitimate business needs to carry out requests, provide services or as required or permitted by law.

Third parties under these circumstances include:

(i) Merchants

Unlimint share your personal data with merchants to process a payment transaction. For example; when you buy products or services using Unlimint payment services, we may provide the merchant with your credit card billing address to help complete an individual’s payment transaction.

(ii) Service providers

We will disclose personal data to third-party partners and service providers (processors), so they can process it on our behalf where required. These service providers must provide assurances in accordance with applicable data protection laws and associated requirements. (e.g., being bound contractually to data protection, privacy, security and confidentiality obligations). We will only share personal data as is strictly necessary for them to provide their services to us.

(iii) Auditors, advisors and consultants

We may disclose personal data for purposes and in the context of audits (e.g., external card scheme audits, regulatory authority audits, security audits—such as Quality Security Assessors for PCI DSS Level 1, to legal and other compliance advisors who investigate security issues, risks, complaints.

This means that your personal data may be transferred and disclosed to the following type of businesses/entities, regulators and advisors:

  • Money laundering and fraud prevention aggregation or agencies for compliance and verification services and risk prevention services. This is required to verify your identity, ensure protection against fraud, and confirm eligibility for our services/products.
  • Banks (other credit and financial service institutions) and similar institutions. These enable us to provide our payment services and include correspondent banks such as intermediary banks.
  • Payment Card Systems (SWIFT, Visa, Mastercard). These enable us to provide our card processing services.
  • Companies assisting us with the provision of our services (e.g., technological services, solutions, support such as support/maintenance/development of IT applications, technology, website management, telephony/SMS services).
  • Customer support service providers and marketing service providers.
  • Entities of Unlimint Group which are affiliated/related to us, acting as processors or controllers to provide services, streamlined services, ensure quality and effectiveness across the group.
  • Administrative service providers.
  • Auditing and accounting services and consultants.
  • External legal advisors.

Unlimint takes all reasonable measures to ensure that every third party involved in processing your personal data has the required organizational and technical protections, including the required data processing and transfer agreements where necessary. When required under applicable law, we may provide you with a list of our sub-processors or suppliers upon request by contacting us at [email protected].

Regulatory authorities, law enforcement, courts

We may disclose personal data to comply with applicable legislation and regulatory obligations, to respond to requests of regulatory authorities, government and law enforcement agencies, courts and court orders in the Republic of Kenya, such as:

  • Central Banks;
  • Financial Investigative authorities and the Police (subject to the receipt of a subpoena, court order or similar lawful request or procedure);
  • Tax Authorities;
  • Other regulators, authorities and public bodies where applicable under Kenyan legislation.

Other recipients may be any person/legal entity/organisation for which you ask your data to be transferred (e.g. reference etc.) or give your consent to transfer personal data.

Here are some additional scenarios in which we may also disclose your personal data:

  • If we are under a duty to disclose or share your personal data to comply with any legal or regulatory obligation or request;
  • To apply or enforce the Terms and Conditions or any other agreement in place in the context of our relationship and to investigate potential breaches;
  • To protect Unlimint’s rights, safety or property, or that of our customers or third parties/the public. This includes exchanging information with other companies and organisations for the purposes of money laundering, fraud prevention and equivalent risks;
  • If Unlimint or substantially all of its assets are acquired by a third party, in which case personal data held by it will be one of the transferred assets;
  • If Unlimint or substantially all of its assets are acquired by a third party, in which case personal data held by it about its merchants will be one of the transferred assets.

Data Transfers outside Kenya

We are a company with a global reach. Your personal data may be processed locally in Kenya, in the EEA, or worldwide as permitted by law.

Your personal data may be transferred to international organisations if the transfer is necessary and has a legal basis as described in this Notice. Such transfers take place, for example:

  • When necessary to carry out and in the context of transactions (e.g., card transactions, payment orders to third countries, through a correspondent bank in the third country);
  • Under applicable law (e.g., tax legislation);
  • Based on your instructions or consent;
  • In the context of data processing undertaken by third parties on our behalf (e.g., the data may also be processed by staff operating outside of the EU/EEA or the relevant country who work for Unlimint or one of our third-party service providers or our group. Such staff may be performing technical duties and support, duties related to the processing of your orders, provision of support services etc.).

We aim to take all steps reasonably necessary to ensure that your personal data is treated securely and under this Privacy Notice (e.g., requirement to observe privacy standards equivalent to ours, maintaining security standards and procedures to prevent unauthorised access, use of technology such as encryption and firewalls) to protect the security of data in transit and at rest.

Website and automatic collection — cookies, IP addresses and other tracking

Unlimint’s Website contains forms that website visitors may use. When website visitors send us information online via forms on the website, in the context of the provision of services, the information will be used for purposes and in ways set out in the Privacy Notice.

In some instances, Unlimint and other entities (such as service providers) may use cookies and other technologies to collect certain types of data automatically when you visit Unlimint websites and online platforms. The collection of this data enables Unlimint to improve the security, and usability of Unlimint’s websites and online resources and to measure the effectiveness of marketing activities. We may collect information about your computer or mobile device (including, for example type of operating system and browser) for system administration.

For detailed information on cookies and the purposes for which we use them, please refer to our Cookie Notice.

An IP address is a number assigned to your computer when you access the internet from your browser, which allows computers and servers to recognise and communicate with one another. IP addresses of website visitors may be recorded for IT security and diagnostic purposes. This information may also be used in aggregate form to conduct website trends and perfor- mance analysis. In the context of the provision of services, IP addresses may also be used for the purposes and in ways set out in with the Privacy Notice including fraud prevention.

How we keep your personal data secure?

Unlimint has established and regularly reviews its security internal policies and procedures for secure processing of personal data in order to protect personal data from unauthorised access, loss, misuse, alteration or destruction.

We ensure to the best of our abilities that access to personal data is limited to persons on a need-to-know basis, and that persons who have access are required to maintain its confidentiality. We utilise a series of technology and security solutions to protect personal data (such as storage of information you provide us on secure servers, perimeter security mechanisms, such as encryption etc.).

Transmission of information via the internet is not completely secure. We cannot guarantee the security of data transmitted to us via email, to our website or online resources; such transmissions are at your own risk.

Unlimint follows the payments industry standards regarding the protection of payment card information. Unlimint’s payment card infrastructure is regularly audited to maintain the highest level of security certification with the Payments Card information Security Standard Council (PCI) in respect of protecting card data.

Your Rights and how to raise a complaint

Depending on the applicable law, you may have rights as afforded under applicable data protection law—these rights are afforded to natural persons who are data subjects of personal data which we hold as a controller.

We ensure that you may exercise your rights under applicable privacy and data protection laws, which means that Unlimint endeavors to provide reasonable assistance in respect to requests from individuals regarding the processing of personal data, rights to access, deletion, amendment etc. Please note that your rights are not absolute and may be limited due to a legal basis replied upon by us to process your data.

As the majority of processing we perform is a consequence of legal obligations, some of the rights may be limited by our legal and regulatory requirements or legitimate interests.

Depending on the applicable laws, you may have certain rights under data protection law. For example, in Kenya under the Data Protection Act, 2019 and its corresponding laws, regulations and frameworks:

  • Access your personal data (access rights): You have the right to ask us if we pro- cess personal information that relates to you and you may ask us to provide you with details of the personal information we process about you (as required under applicable laws);
  • Correct or rectify your personal data: You can ask us to have inaccurate personal information we process about you fixed or changed;
  • Erase your personal data: You can ask us to delete or erase personal data under certain circumstances if the personal information is no longer needed for the purposes for which we collected them (subject to local data retention legal obligations) or when the personal data is false, misleading or incorrect;
  • Withdraw your consent: You may withdraw consent to processing that you have given us and prevent further processing if there is no other legal ground (including legitimate interests) for processing your personal information;
  • Restrict: the processing of your personal information: You can require certain personal information to be marked as restricted for processing in certain circumstances, such as an objection to our processing of your personal information based on our legitimate interests;
  • Object to automated decision-making, including profiling, if these decisions produce a legal effect on you.

Exercising your rights

Please contact our Data Protection Officer directly at contact details (mentioned in Section 13) to exercise your rights or if you have questions about the use of your personal data.

You may be subject to identity verification procedures and measures in order to ensure that no personal data is disclosed to unauthorized persons. We may also request additional clarifications (as may be required) to process your request as rapidly and efficiently as possible.

All requests must be made in English in a comprehensive manner and contain a clear description of the object of the request. We will not be able to process requests which are incomprehensive or in languages other than English.

We do not normally charge a fee to access your personal data (or exercise other rights). We may charge a fee where your request is clearly unfounded, excessive or repetitive. Alternatively, we may reject such a request as manifestly or excessively burdensome, unfounded and not submitted in good faith.

Depending on the complexity of your request and volume of data associated with it, we will aim to satisfy all legitimate requests within one month of receipt or to inform you of refusal, or of an extension period of up to three months to satisfy your request. We will notify you appropriately if your request requires more than one month to fulfil.

Right to file a complaint

If you have any complaints about the use of your data, exercise of your rights, please notify and/or file a complaint with our data protection function directly at the contact details indicated below or fill out and submit the relevant form available on the Company’s website: www.unlimint.com. We will immediately investigate and inform you regarding your complaint.

Complaints must be made in English in a comprehensive manner and contain sufficient details and a clear description of the complaint. We will not be able to process requests which are incomprehensive or in languages other than English.

If you believe that we have not been able to resolve your complaint, you may also submit a complaint to the competent data protection authority. For Unlimint Kenya, you may submit a complaint here.

How long do we keep your personal data

Our obligations primarily determine our retention period under applicable legislation to retain data for a specific time. Destruction will only be possible after the lapse of this period.

We are obliged to keep Transaction data (including personal data) during the business relationship and for a minimum period of 7 years after business relationship termination, or after Customer application rejection/withdrawal, per AML legislation and other requirements applicable to our business.

The retention period may be extended in case of other lawful reasons justifying longer retention (such as for complaints handling, legal proceedings, investigations, regulatory, tax, money laundering and crime and fraud prevention purposes).

How to contact us

Data Protection Function
Unlimint Kenya Ltd

8th Floor, Pinetree Plaza,

Kaburu drive off Ngong road,

Nairobi, Kenya

You may reach out to [email protected] to contact our data protection function.

Your Responsibilities

You are responsible for ensuring that the information provided to Unlimint by you/about you or on your behalf is accurate and up to date. You must inform us if anything changes as soon as possible.

If you provide information about another person, you must direct them to this Privacy Notice and ensure they agree to Unlimint using their information as described.

Unlimint’s services are not intended or designed to attract minors. If we learn that we collected the personal data of a minor without first receiving verifiable parental consent, we will delete the information as soon as possible.

Changes to our Privacy Notice

We may revise or update our Privacy Notice from time to time. In such a case, we make the most recent version of the Privacy Notice available to you, informing you accordingly by displaying the updated version and relevant date of update.

You are advised to visit our Website frequently to consult our Privacy Notice in its most recent version.

Version 1.0_DP_Unlimint Kenya Limited_ May 2023

Unlimint Kenya Privacy Notice.pdf

Region Products may vary
Language Select language
We’ve got all your details, thanks!
We’ve received your application form.

One of our sales team will be
in touch ASAP.

Close