Introduction
Kenbright Holdings Limited (“Kenbright”, “we”, “us” or “our”) provides actuarial, re-insurance, pension administration, health and life insurance, financial consulting and related services in Kenya and the East African region. We recognise that the security of our customers’ personal information is critical. The purpose of this Privacy Policy is to explain how we collect, use, store and protect personal data when you visit our website at kenbright.co.ke or when you interact with us through our online forms, email or telephone. The policy also outlines your rights under Kenya’s Data Protection Act, 2019 and related regulations.
This Privacy Policy applies to the personal data that we collect from you when you use our website, request a quote or otherwise interact with Kenbright online. It does not apply to third-party websites that may be linked from our site (for example, external sites providing insurance quotes), and we encourage you to review the privacy notices of those providers separately.
Personal Data We Collect
Information you provide directly
We collect personal data when you voluntarily provide it via forms on our website or when contacting us by email or phone. Examples include:
- Identity and contact details: first and last name, email address, phone number and postal address. Our contact form asks for your first name, last name, email address, phone number and a message explaining your enquiry. We use these details to respond to your request.
- Information about requested services: when you ask for an insurance quote (e.g., car, health or travel insurance) or a pension administration service, we may ask for details relevant to the product, such as vehicle information, age, employment status, cover amount or other underwriting information. These details are collected only when needed to supply a quotation or provide a service.
- Other correspondence: any additional information you provide when contacting us, for example feedback or questions.
Information we collect automatically
When you visit our website, we may automatically collect certain technical information through cookies and similar technologies. This may include your IP address, browser type, operating system, device identifiers, the pages you visit and the time spent on them. Under Kenya’s Data Protection Act (DPA), the use of cookies or similar technologies that process personal data requires explicit, informed and freely given consent. We use cookies to improve site functionality, to understand how our site is used and to tailor marketing communications. You can manage your cookie preferences by adjusting the settings in your browser or through any cookie consent banner we implement.
How We Use Your Personal Data
We process personal data only for legitimate purposes. These purposes may include:
- Responding to inquiries and providing services: We use your contact details and any information you provide to respond to your queries, supply quotes and deliver our insurance, pension or actuarial services.
- Customer communication and support: We may send you updates about your application or policy and important notices (for example, renewal reminders), or respond to complaints.
- Marketing: With your consent, we may send you newsletters or information about our products, promotions or events. You can opt out of marketing communications at any time.
- Compliance with legal obligations: The DPA requires us to process personal data lawfully, fairly and transparently and to observe data subject rights. We may use or disclose your data to meet obligations under insurance, pension, taxation and anti-money laundering laws, or to comply with a court order or regulatory request.
- Improving our services and security: We analyse website usage data to improve the user experience and to detect and prevent fraud or cyber-security threats.
Legal basis for processing
Kenya’s DPA allows processing of personal data where the data subject has given consent, where processing is necessary for the performance of a contract, to comply with a legal obligation, or where the data controller has a legitimate interest. Depending on the context, we rely on one or more of these legal grounds when processing your data.
Cross-Border Transfers
As a regional organisation, Kenbright may transfer personal data to countries outside Kenya — for example, to our reinsurers or service providers. Before transferring data internationally, we ensure that adequate safeguards are in place, such as standard contractual clauses or other mechanisms recognised by the DPA, and that processing remains subject to this Privacy Policy.
Data Retention
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, to comply with legal or regulatory obligations, to resolve disputes and to enforce our agreements. Factors determining retention periods include statutory requirements (e.g., seven years for insurance records), regulatory guidance and the nature of the data. When data is no longer required, we securely delete or anonymise it.
Data Security
Kenbright implements technical and organisational measures to protect your data against loss, misuse, unauthorised access, disclosure or alteration. Measures may include encryption, access controls, secure servers and regular staff training. However, no method of transmission over the internet or electronic storage is completely secure; therefore we cannot guarantee absolute security, but we follow recognised industry standards.
Your Rights Under Kenya’s Data Protection Act
Kenya’s Data Protection Act, 2019 gives individuals a range of rights over their personal data. According to a compliance summary, Kenyan residents have the right to be informed, to access, rectify, erase, port and object to the processing of their personal data; to object to automated decision-making; to give or withdraw consent and to lodge complaints. In particular:
- Right of access: You can request a copy of personal data that we hold about you.
- Right to be informed: You have the right to know how your data is collected and used.
- Right to correction: You may ask us to correct inaccurate or incomplete personal information.
- Right to deletion: You can request deletion of your data under certain circumstances — for example, when the data is no longer needed for the purpose for which it was collected.
- Right to object or restrict processing: You may object to or request that we limit the processing of your data, including direct marketing.
- Right to data portability: You can ask us to provide your data in a structured, commonly used format or to transfer it to another service provider.
- Right to object to automated decision-making: You have the right to request that decisions affecting you are not based solely on automated processing.
- Right to consent and withdraw consent: We must obtain your consent before processing personal data for specific purposes and you can withdraw your consent at any time.
- Right to lodge a complaint: If you believe your rights have been violated, you may file a complaint with the Office of the Data Protection Commissioner. You may also seek judicial redress.
We will respond to your requests within reasonable timeframes and in accordance with the DPA and its regulations. Exercising these rights may be subject to limitations under applicable laws.
Children’s Privacy
Our services are aimed at adults and are not intended for children under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal information, please contact us and we will delete the data.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements or technological advances. The updated version will be posted on our website with a revised “last updated” date. We encourage you to review this Policy regularly to stay informed about how we protect your information.
Contact Us
If you have any questions about this Privacy Policy or your personal data, or if you wish to exercise your rights, please contact us using the details below:
Data Controller:
Kenbright Holdings Limited
ACK Garden House, Ground Floor, 1st Ngong Avenue
Nairobi, Kenya.
Telephone: +254 709 783 000
Email: [email protected]
You may also contact the Office of the Data Protection Commissioner via its website or by calling +254 703 722 000 if you are dissatisfied with how we handle your data.