Privacy Notice

Welcome to the privacy and security statement for our Heritage Health Cover Product.
The Heritage Insurance Company Kenya Limited (hereinafter referred to as “Heritage”, “we”, “us” or “our”), a subsidiary of Liberty Kenya Holdings Plc whose parent organisation is Liberty Holdings Limited. Liberty Holdings Limited is an Africa-focused, client-led, and digitally enabled financial services organisation. We provide comprehensive and integrated financial and finance-related solutions to our clients and operate across the African continent.

Due to the integrated nature of the Liberty Holdings Limited business, clients whose primary business is with one entity of the Liberty Holdings Limited are viewed as a client of Liberty Holdings Limited as a whole, for client – centricity, information quality and risk management purposes.

Heritage respects your privacy and is committed to protecting your personal data as guaranteed by the Kenyan Data Protection Act No. 24 of 2019.

Regulation of data privacy and protection
As a client of Heritage your primary data controller will be Heritage. However, as we operate in various countries and through various legal entities, we comply with the applicable data protection and privacy laws in each of these countries. Accordingly, the specific Liberty Holdings Limited legal entity that is responsible for determining the purpose and means of processing your personal information (responsible party or data controller), in other words the legal entity who holds the business relationship with you will not always be the same. It will be made clear to you when you take up a product or service, who the responsible party or data controller is.

What is the purpose and scope of this statement?
The purpose of this statement is to inform you about how we collect, use, store, make available, disclose, update, safeguard, destroy or otherwise deal with (process) your personal information (also referred to as personal data in some countries) and to explain your rights relating to the privacy of your personal information and how the law protects you.

We may combine your personal information, available across the Group, and use the combined information for any of the purposes set out in this statement where we have lawful grounds for doing so. Your personal information may be processed in another country that does not provide you with the same data protection that the country of origin does (in these circumstances we will give an explanation before requesting your permission to transfer your personal information to such jurisdictions), but we will only transfer personal information to countries that we are satisfied will provide adequate data protection safeguards.

Protecting the privacy, confidentiality and security of your personal information is important to us as it is critical for us to maintain your trust and act in the right way to meet your needs. We have therefore implemented Group-wide policies and procedures to ensure that your personal information is protected.

What is personal information and what types of personal information do we collect?
Personal information is any information from which you can be identified. The personal information we may collect about you includes:

• Identification information such as name, date and place of birth, national identity card number, passport number, Kenya Revenue Authority personal identification number (PIN), photo, marital status, title, nationality, gender, and specimen signature.
• Contact information such as email address, postal address, physical address, residential address, and telephone number.
• Financial information such as bank account details, payment card details, mobile money statements, income, credit history, credit worthiness, bank statements, details about payments to or from you and other details of products and services you have purchased from us.
• Information relevant to your insurance policy or relevant to your claim or your involvement in the matter giving rise to a claim.
• Information about the nature of your business and commercial assets.
• Employment information such as the name of the employer, position in the organization and office address.
• Children’s personal data such as the name, date of birth and gender.
• Sensitive personal information such as marital status, property details, health status and family details (such as next of kin and beneficiaries).
• Marketing and communications information including your preferences in receiving marketing information from us and communication from us.
• Online data whenever you use our products and services through our website, mobile applications such as cookies, login data, IP address (your computer’s internet address), browser type and version, ISP or operating system, domain name, access time, page views, location data, how you frequently use our online insurance, banking and other services, our mobile applications or visit our website.
• Profile data such as your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses.

If we need information about other people connected to you, we may request you to provide the information in relation to those people. If you are providing information about another person, we expect you to ensure that they know you are doing so and have consented to their information being provided to us. It might be helpful to share this Privacy Statement with them and if they have any concerns, please contact us on the same.

How do we collect your personal data?
We will collect personal information directly from you or by telephone or through online channels such as our website. This includes personal data you provide when you:

• apply for our products or services;
• make enquiries;
• create an account on our website;
• register for our products offered through mobile and online platforms;
• request marketing information to be sent to you;
• give us feedback or contact us;
• provide goods or services to us as a supplier or contractor; or
• interact with our website. We collect this personal data by using cookies and similar technologies. You can find out more about this in our cookies and website policy;

We also collect personal information about you from other sources where lawful and reasonable, such as reputable third parties that you deal with or that Heritage interacts with for the purposes of conducting its business. These third parties include:

• identity and contact data from the Government of Kenya’s e-citizen and Integrated Population Registration Services platforms;
• identity and contact data from publicly available sources such as the Companies Registry, NTSA and the Business Registration Service;
• contact, financial and transaction data from land registries, industry databases such as credit reference agencies, fraud prevention agencies and providers of technical, payment and delivery services;
• medical professionals and hospitals;
• social media. If you are a potential candidate for employment with Heritage, we may have received your personal data from third parties such as recruiters or external websites.
• directly from an individual or employer (or your employer’s service provider) who has a policy with us under which you are insured.
• directly from an employer which funds a cover that we administer where you are a beneficiary.
• directly from a person who is making a claim or application, and they include information about you which is related to their claim or application.
• from your family members when they make enquiries about purchasing a product for you or including you on their insurance, when you ask them to make a claim on your behalf, or where you may be incapacitated or otherwise unable to provide information yourself when we need it;
• your insurance intermediary;
• third parties who assist us in checking that claims are eligible for payment.

Why do we process your personal information?
Our responsibilities to you are very important to us and we aim to provide you with personalised services to meet your needs. We may process your personal information for any of the reasons outlined in this section:

Contract requirements
We may need to process your personal information if we require it to conclude or perform under a contract or agreement with you for a product or service that you have applied for either with us or through our business partners with whom we have entered into a partnership, collaboration or alliance arrangement or for purposes of:

• providing products and services to you that involve opening and maintaining your cover, executing transactions, administering claims where applicable, collecting payments due to us by you, managing our risks and maintaining our overall relationship with you;
• communicating with you regarding the products or services you have with us; or
• providing you with further information that you request from us regarding the products or services you have with us.

Lawful obligations
We may need to process your personal information for the following purposes:

• To complete integrity and business conduct checks required for compliance purposes including due diligence and onboarding processes, monitoring and assurance reviews and conduct sanctions screening against any sanctions lists.
• To comply with other risk management, regulatory and legislative requirements.
• To comply with voluntary and mandatory codes of conduct.
• To detect, prevent and report theft, money laundering, terrorist financing, corruption or other potentially illegal activity, or activity that could lead to loss.
• To process and settle transactions and payments.
• To conduct research and analysis (which may include assessing product suitability, credit quality, insurance risks, market risks and affordability, developing credit models and tools and obtaining related information)

Legitimate interest
Heritage may process your personal information in the regular management of its business and to protect the interests of its clients, depositors, shareholders, employees and other third parties, including our business partners and members of the public. Heritage may process your personal information to:

• Maintain, monitor, improve and develop our business policies, systems and controls;
• Maintain and improve data quality;
• Design, develop and test products, services and solutions for clients, which may include combining sources and types of your personal information across multiple legal entities and countries, subject to compliance with applicable laws;
• Personalise and customise products, services and solutions, messaging and advertising;
• Respond to client enquiries and communications and to record these interactions for the purpose of analysis and improvement;
• Manage business emergencies and stress events;
• Process and settle transactions and payments;
• Meet record-keeping obligations;
• Conduct research and analysis (among other things, to assess product suitability, credit quality, insurance risks, market risks and affordability, to conduct behavioural profiling, to develop credit models and tools and to obtain related information);
• Enable clients to use value-added solutions and participate in reward programmes;
• Achieve other related purposes.

Consent
In addition to the reasons given above, we may process your personal information where we have your specific consent for a defined purpose. We will also seek your consent where applicable laws require it.
We will store your personal information according to our defined retention schedules or the law and thereafter delete it.

Where will we process your personal information?
Due to the integrated nature of our business and to provide you with efficient access to our products and services, we may process your personal information in South Africa or in countries where we have a presence and where our products or services are provided or where our third-party service providers operate. We will only transfer personal information to countries that we are satisfied will provide adequate data protection safeguards, and we ensure our third-party service providers comply with the minimum data protection standards.

Integrated processing holds the following benefits for you:

• A single, holistic view of your information that helps us to manage your client profile, authenticate your identity and protect you against fraud.
• Improved business processes and service delivery (and less duplication of information provided).

How will we communicate with you?
Besides in-person communication, we use a wide array of channels to engage with you regarding your existing products and services and to keep you updated. These include SMSs, email, phone calls, notifications sent to your mobile device and in-app notifications. We need to keep you up to date on an ongoing operational basis about your existing products and services and their new features especially where we are making them more secure and as we make insurance and other financial services more convenient for you. We may contact you through these means for research purposes or to communicate with you for marketing of new products or services as explained in greater detail below.

How do we use your personal information for marketing?
If you are an existing client with whom we have had previous interactions in respect of your financial well-being or needs, you are important to us and therefore we would like to share information about our products, services and special offers with you (subject to applicable local laws).

If you are a prospective client, and we have had no previous interaction or have no relationship with you, we will seek your express consent in compliance with local laws to market to you electronically.

If you no longer wish to be contacted for marketing purposes, you may opt out at any time as per the instructions contained in any marketing communication you receive. You can also opt out by contacting us through any of the following:

• Phoning us through +254 0711 039 000; or
• via email on [email protected] ; or
• SMS – by opt out message.

You also have the right at any time to stop us from contacting you by any means for marketing purposes.

When, how and with whom will we share your personal information?
We share information with vendors, auditors, service providers and advisers supporting our services to you, with our trusted partners to introduce products and services to you, with agencies and other financial institutions on credit, fraud and risk matters, with data validation and trust providers to verify your data and identity and with the relevant local and foreign government and other authorities as required by law.

We take extra care when we transfer or share information and will enter into suitable contracts with the trusted parties with whom we share your information, thus ensuring your rights under relevant data protection legislation are upheld.

How is your personal information protected?
The security of your personal information is important to us, and we take reasonable steps to keep your personal information safe and to prevent loss, destruction of and damage or unlawful access to your personal information by unauthorised parties. We require the same level of security to be implemented by our service providers and other third parties. However, you must not share or send us any personal information through unauthorised channels, as these are not a secure way of communication and carry a risk of interception and unauthorised access. You should only share personal information through our authorised channels.

What are your rights?
We value your trust and want you to be familiar with your rights under the legislation and to know how you can exercise them in your interactions with us.

You have the right to:

• access the personal information we hold about you and to correct and update your information;
• object to our processing your personal information, where applicable;
• request that we delete your personal information where appropriate;
• be notified that your personal information is being collected by us or has been accessed or acquired by an unauthorised person;
• object to the processing of personal information for the purposes of direct marketing;
• not be subject to automated decision-making processes in respect of an application for products and/or services, except under certain circumstances; and
• to request reasons or make a representation to us if your application for products and/or services is refused.

Use of cookies on our website
A “cookie” is a small text file that is stored on your computer, smartphone, tablet or other device when you visit a website or use an application. It helps to distinguish you from other users and contains specific information related to your use of our website or application, such as your login details and your preference settings, and helps the website or the application to recognise your device.

Cookies help to make a website or app function better and make it easier for us to give you a better user experience on our online channels. To use or store cookie types that are not required for the functioning of the website or app and are optional, we will obtain your consent first.

For this reason, we limit our use of cookies to:

• providing products and services that you request;
• delivering advertising through marketing communications;
• providing you with a better online experience and tracking website performance; and
• helping us make our website more relevant to you.

We use the following types of cookies on our online channels, such as our website:

These cookies are mandatory and are required for the effective operation and functioning of our website on your device. They enable you to use the website and the features on the website and cannot be switched off.

These are optional cookies that collect information about how you use the website but not any personal information. Performance information is anonymous and mostly statistical and is used to improve the performance of our website.

These cookies are also optional and are used to deliver and display advertisements that are relevant and engaging for you as the user. They help us measure how effective our advertising campaigns are by your interaction with the advertisement.

These cookies are temporary, optional and only exist while you browse our website to remember your activities on the website. As soon as you close the website or move to a different website, the cookies are deleted.

These are permanent, optional cookies that are stored on your device until they reach a set expiry date or until you delete them. They remember your preferences or actions on our website (or in some cases across different websites). We may use them for various reasons, for example to remember your preferences and choices when you use our website, or to display relevant advertising campaigns to you.

These are cookies that we create and store when you use our website and relate to information obtained directly from you.

These cookies are owned and created by a third party that provides a service to us such as social media sharing, website analytics or content marketing. These cookies are intended to collect information directly from you by us and we share the personal information with the third party through the cookies that the third-party stores on our website.

Once you select your cookie preferences you can always change them later by enabling or disabling them. Where we use cookies to collect personal information, it will always be done in accordance with this statement. You can stop your browser from accepting cookies, but if you do, some parts of our websites or online services may not work properly. We recommend that you allow cookies. Explore the settings and options on your browser to disable or enable them or visit https://www.aboutcookies.org for detailed information about managing cookies.

Social media
When you engage with us through our social media accounts, your personal information may be processed by the social media platform owner. This process is outside our control and the processing activities may be in a country outside of Kenya that may have different data protection laws. For more information about the privacy practices of a social media platform, please refer to and read the terms and conditions of that social media platform before you use it or share any personal information on it.

Our social media accounts are not appropriate forums to discuss our clients’ products or financial arrangements. We will never ask you to share personal, account or security information on social media platforms. We may, however, ask you to message us in private through one of our official social media accounts.

General
We may change this statement from time to time in accordance with changes in our products or services or regulatory requirements. We will make reasonable efforts to notify you through suitable communication channels.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Should you have any queries relating to the processing of your personal information, please contact our Data Protection Officer at:

Full name of legal entity: The Heritage Insurance Company Kenya Limited
Physical Address: Liberty House, Mamlaka Rd, Nairobi
Email address: [email protected]
Postal address: 30364-00100
Telephone number: +254 (0) 711 076 222