
Data Privacy Statement

1. Heritage Privacy Statement

 

Welcome to The Heritage Insurance Company Kenya Limited’s (hereinafter “Heritage”) Privacy Statement. Your right to privacy and security is very important to us. Heritage (Heritage, we, us, our) treats personal information as private and confidential.

 

2. How and why we collect personal information

 

2.1. Collection

Personal data means any information relating to an identified or identifiable natural person. The personal data that we collect will depend on the context of our relationship with you. We may collect, use, store and transfer different kinds of personal data about you or persons connected to you which we have grouped together as follows:

  • identification information such as name, date and place of birth, national identity card number, passport number, Kenya Revenue Authority personal identification number (PIN), photo, marital status, title, nationality, gender and specimen signature.
  • contact information such as email address, postal address, physical address, residential address and telephone number.
  • financial information such as bank account details, payment card details, mobile money statements, income, credit history, credit worthiness, bank statements, details about payments to or from you and other details of products and services you have purchased from us.
  • information relevant to your insurance policy or relevant to your claim or your involvement in the matter giving rise to a claim.
  • information about the nature of your business and commercial assets.
  • employment information such as the name of the employer, position in the organization and office address.
  • children’s personal data such as the name, date of birth and gender.
  • sensitive personal information such as marital status, property details, health status and family details (such as next of kin and beneficiaries).
  • marketing and communications information including your preferences in receiving marketing information from us and communication from us.
  • online data whenever you use our products and services through our website, mobile applications such as cookies, login data, IP address (your computer’s internet address), browser type and version, ISP or operating system, domain name, access time, page views, location data, how you frequently use our online insurance, banking and other services, our mobile applications or visit our website.
  • profile data such as your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.

If we need information about other people connected to you, we may request you to provide the information in relation to those people. If you are providing information about another person, we expect you to ensure that they know you are doing so and are content with their information being provided to us. It might be helpful to show them this Privacy Statement and if they have any concerns, please contact us on the same.

The list below shows you the various ways we may collect your personal information (please note that this list is not exhaustive):

We may collect personal data directly from you

In most instances, we collect personal data directly from you when you fill in forms or communicate with us through our contact details. This includes personal data you provide when you:

  • apply for our products or services;
  • make enquiries;
  • create an account on our website;
  • register for our products offered through mobile and online platforms;
  • request marketing information to be sent to you;
  • give us feedback or contact us;
  • provide goods or services to us as a supplier or contractor; or
  • interact with our website. We collect this personal data by using cookies and similar technologies. You can find out more about this in our cookies and website policy;

We may collect your personal data from a number of third parties or publicly available sources, such as the National Transport and Safety Authority (NTSA) or other government institutions that may hold your personal data.

In some instances, we will receive your personal data from various third parties or publicly available sources including:

  • identity and contact data from the Government of Kenya’s e-citizen and Integrated Population Registration Services platforms;
  • identity and contact data from publicly available sources such as the Companies Registry and the Business Registration Service;
  • contact, financial and transaction data from land registries, industry databases such as credit reference agencies, fraud prevention agencies and providers of technical, payment and delivery services;
  • medical professionals and hospitals;
  • social media. If you are a potential candidate for employment with Heritage, we may have received your personal data from third parties such as recruiters or external websites.
  • directly from an individual or employer (or your employer’s service provider) who has a policy with us under which you are insured.
  • directly from an employer which funds a cover that we administer where you are a beneficiary.
  • directly from a person who is making a claim or application and they include information about you which is related to their claim or application.
  • from your family members when they make enquiries about purchasing a product for you or including you on their insurance, when you ask them to make a claim on your behalf, or where you may be incapacitated or otherwise unable to provide information yourself when we need it;
  • your insurance intermediary if you have one.
  • third parties who assist us in checking that claims are eligible for payment.

 

2.2. Use of Personal Information

We will only use your personal data within the confines of the law. Most commonly, we will use your personal data in any of the following circumstances:

  • where we need to perform the contract we are about to enter into or have entered into with you.
  • to assess whether you are eligible for our products and services.
  • where you consent to our use of your personal data.
  • where we need to comply with or fulfil legal or regulatory obligations and to protect ourselves and our clients against fraud.
  • where we need to protect your vital interests and the vital interests of third parties (for example when paying out sums to beneficiaries under your policies).
  • where it is necessary for our legitimate interests (or those of a third party) such as maintaining our records, developing, assessing and improving our products and services, risk evaluation, underwriting, managing arrangements with reinsurers, managing claims, improving our customer administration and engagement as well as complying with our Know Your Customers (KYC) requirements.
  • to establish, exercise or defend our legal rights such as when we are faced with any legal claim or where we want to pursue any legal claims.
  • to advertise and market to you our latest products and services (please note that if you do not want to receive our marketing information you may opt out at any time by contacting us).
  • to send you important notices such as changes to our terms, conditions and policies or unusual activity with respect to any of your accounts with us.
  • if you apply for an employment position at Heritage or we note that you are a potential candidate for employment, we may use your personal data in evaluating your candidacy and to contact you about the employment opportunity.
  • where we receive your personal data from third parties, we may use it to validate the information you have provided to us or for fraud prevention purposes.
  • to enable you to use the services available through our website and mobile and online applications including registering you for our services and verifying your identity and authority to use our services.
  • to address fraud or safety concerns, or to investigate complaints or suspected fraud or illegality.
  • to monitor and analyse the use of our products and services for system administration, operation, testing and support purposes.
  • to cooperate with, respond to requests from, and to report transactions and/or other activity to, government, tax or regulatory bodies, financial markets, brokers or other intermediaries or counterparties, courts or other third parties.

 

2.3. Retention and Disposal

 

We will only retain your personal data for as long as may be reasonably necessary to fulfil the purpose we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting information.

 

We may retain your personal data for a longer period if the retention is:

  • required or authorised by law;
  • reasonably necessary for a lawful purpose.
  • authorised or consented to by you.
  • necessary for purposes of responding to a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
  • for historical, statistical, journalistic, literature and art or research purposes.

 

2.4. Access

 

It is important that the personal data we hold about you is accurate and the most recent. We encourage you to keep us informed in case of any changes of your personal data during your relationship with us.

 

2.5. Third Party Disclosure

 

Subject to your rights and the applicable laws, we may share your personal data with the third parties set out below:

 

  • entities comprising Heritage or its affiliates.
  • public authorities or governments when required by law, public interest, national security, regulation, legal process or enforceable governmental request.
  • our third-party service providers who help us manage our products and services including those service providers who maintain our IT and office systems and provide marketing and advertising services.
  • to service providers that provide application processing, fraud monitoring, call centre and/or other customer services, hosting services and other technology and business process outsourcing services.
  • persons or entities that you explicitly request us to transfer your personal data to them.
  • your relatives, guardians or persons acting on your behalf where you are incapacitated or for the purposes of paying out claims to your beneficiaries.
  • financial advisers, business partners and third-party administrators who help us manage our products and services.
  • banks or financial institutions within the country and outside the country where you either transfer or receive payments from the said banks or financial institutions.
  • insurers, reinsurers and brokers who help us manage and underwrite our products and provide us with reinsurance and insurance services.
  • our professional advisers such as auditors, tax advisers, insurers, reinsurers, medical agencies, legal advisers who act on our or your behalf, or who represent another third party.
  • loss adjusters and claims experts who help us handle claims.
  • medical institutions and professionals where we may need to access your health records and assessments for the purpose of arranging or facilitating your claim.
  • third parties connected with the sale, transfer or disposal of our business.
  • to counterparty banks, payment infrastructure providers and other persons from whom we receive, or to whom we make, payments on our clients’ behalf.
  • debt collection agencies, credit reference agencies, fraud detection agencies and other agencies that we will contract to provide services to us.

 

2.6. Data Security

 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

 

2.7. Cross Border Transfer of Personal Data

 

Sometimes we will process your personal information in other countries, either to carry out your instructions or for ordinary business purposes.

 

Where we transfer your personal data outside Kenya, we will ensure that adequate steps are taken to protect your privacy rights and your personal data.

 

2.8. Your Rights as a Data Subject

 

You have the right to:

  • request access to your personal data that we hold about you;
  • object to the processing of all or part of your personal data;
  • request correction of inaccurate, false or misleading data that we hold about you; and
  • request deletion of false or misleading data that we hold about you.
  • lodge a complaint regarding the processing of your personal information.

 

 

3. Our use of technology to follow your use of our website

 

Cookies

 

We collect and examine information about visits to this website. We use this information to find out which areas of the website people visit most. This helps us to add more value to our services. This information is gathered in such a way that we do not get personal information about any individual or their online behaviour on other websites. We may use any of the cookie types shown below.

 

We use cookie technology on some parts of our website. Cookies are small pieces of text that are saved on your Internet browser when you use our website. The cookie is sent back to our computer each time you visit our website. Cookies make it easier for us to give you a better experience online. You can stop your browser from accepting cookies, but if you do, some parts of our website or online services may not work. We recommend that you allow cookies.  

 

Types of cookies

 

Session cookies

Session cookies, also known as 'temporary cookies', help websites recognise users and the information provided when they navigate through a website. Session cookies only retain information about a user's activities for as long as they are on the website. Once the web browser is closed, the cookies are deleted. These are commonly used on shopping websites or e-commerce websites.

 

Permanent cookies

Permanent cookies, also known as 'persistent cookies', remain in operation even after the web browser has closed. For example, they can remember login details and passwords, so web users don't need to re-enter them every time they use a site.

 

First-party cookies

First-party cookies are installed directly by the website (i.e. domain) the user is visiting (i.e. the URL shown in the browser's address bar). These cookies enable website owners to collect analytics data, remember language settings, and perform other useful functions that provide a good user experience.

 

Third-party cookies

Third-party cookies are installed by third parties with the aim of collecting certain information from web users to carry out research into, for example, behaviour, demographics or spending habits. They are commonly used by advertisers who want to ensure that products and services are marketed towards the right target audience.

 

Flash cookies

Flash cookies, also known as 'super cookies', are independent of the web browser. They are designed to be permanently stored on a user's computer. These types of cookies remain on a user's device even after all cookies have been deleted from their web browser.

 

 

4. Marketing by post, email or text messages

 

If you give us permission, we may use your personal or other information to tell you about products, services and special offers from us or other companies that may interest you. We will do this by post, email or text message (SMS). If you later decide that you do not want us to do this, please contact us and we will stop doing so. This may be done by any of the following as applicable;

4.1. Phoning us through +254 0711 039 000; or

4.2. via email on [email protected]; or

4.3. SMS – by opt out message

 

5. Our website may contain links to or from other websites. We try to link only to websites that also have high standards and respect for privacy, but we are not responsible for their security and privacy practices or their content. We recommend that you always read the privacy and security notices on these websites.

 

6. When will we use customers' personal information to make automated decisions about them?

 

Where the law allows, automated decisions make use of your personal information to reach a decision without humans involved. This decision may influence you, and you have the right to query such a decision. Heritage is obliged to provide the reason(s) for the decisions as far as reasonably possible.

 

7. Our security practices

 

7.1.   We are committed and obliged to implement all reasonable controls to safeguard access to your personal information.

7.2.   Where third parties are required to process your personal information in relation to the purposes set out in this notice and for other legal requirements, we ensure that they are contractually bound to apply the appropriate security practices.

7.3.   All use of our website and transactions processed through it are protected through secure encryption in line with best practice international standards.

7.4.    We may share with, or receive, personal information from parties as set out above, where these parties reside outside of the Republic of Kenya.

 

 

 

8.   Privacy and security statements that apply to specific online services

 

Different online services or businesses of Heritage may have their own privacy and security policies because the service or product they offer may need different or extra policies. These specific policies will apply to your use of the service where they are different from our general policies.

 

 

 

9.  Personal use of emails and notice about checking on emails

 

Our communication and information systems are for business use. However, we realise that our employees occasionally use our systems for personal use. Personal use includes sending or receiving personal emails within or outside Heritage. Whilst our employees are bound by strict usage policies and security safeguards, we do not accept responsibility for the contents of personal emails sent by our employees using our systems. Please note that we may intercept, check on and delete any communications created, stored, sent, or received using our systems, according to any law that applies.

 

10.   Right to change this privacy and security notice

 

We may, from time to time, amend this privacy and security notice in keeping with amended legislation or business practices. We will effect all changes on our website. The latest published version of our privacy and security notice will replace all earlier versions of it, unless otherwise stated.

 

 

11. When will we use customers' personal information to make automated decisions about them?

 

Where the law allows, automated decisions make use of your personal information to reach a decision without humans involved. This decision may influence you, and you have the right to query such a decision. Liberty is obliged to provide the reason(s) for the decisions as far as reasonably possible.

 

12.   How to Reach Us

 

We have appointed a data protection officer who is responsible for overseeing questions in relation to this Privacy Statement. If you have any concerns about the use of your personal data, questions about this Privacy Statement including any requests to exercise your legal rights under the law, please contact us using the details set out below:

 

Email address: [email protected]

Postal address: P.O. Box 30390 – 00100, Nairobi

Physical address: Liberty House, Mamlaka Rd, Nairobi

Telephone number: +254 0711 039 000

 

 

We will respond to your questions or concerns as soon as reasonably possible.