Privacy Policy Statement
1. Introduction
This Privacy Policy Statement outlines how Enwealth (“we,” “our,” “us”) collects, uses, discloses, and protects personal data in accordance with the Data Protection Act, 2019 (DPA), its attendant regulations, and other relevant legislation in all jurisdictions where we operate, as well as applicable global regulations
2. Definitions
a) Enwealth: Refers to Enwealth Capital Limited, Enwealth Financial Services Limited, Enwealth Financial Services (UG) SMC Limited, Enwealth Foundation Limited, Enwealth Insurance Brokers Limited, and Enwealth (Mauritius) Limited, which are companies incorporated in Kenya, Mauritius, and Uganda. This definition includes their subsidiaries and branches, whether established within or outside these countries.
b) Data Subject: Refers to our clients, including any person authorized by you to provide instructions, employees, service providers, agents, visitors, and anyone who accesses our website, portals, and applications.
c) Personal Information: Information relating to a natural person who is, or can be, identified directly or indirectly.
3. Who We Are
We are a leading provider of pensions administration, insurance brokerage, investment management, and trustee services. Our goal is to deliver comprehensive financial solutions, including these services, tailored to meet the needs of both institutional and retail clients
4. Principles of Personal Data Protection
We are committed to protecting your personal data in line with the principles of data protection:
a) Privacy: Your personal data will be processed in accordance with your right to privacy;
b) Lawful Processing: We process your data lawfully, fairly, and transparently;
c) Purpose Limitation: Data will be collected for specific, legitimate purposes and not used in ways incompatible with those purposes;
d) Data Minimization: We ensure that data collected is adequate, relevant, and limited to what is necessary;
e) Transparency: Information about family or private matters will only be collected with valid justification;
f) Accuracy: We take reasonable steps to ensure your data is accurate and up-to-date;
g) Storage Limitation: Personal data will be kept in a form that identifies you only for as long as necessary;
h) Data Transfer: Data will not be transferred outside our jurisdictions without adequate protection or your consent.
5. Personal Data We Collect
We collect and process various types of personal data, including:
a) Personal Identification Information (e.g., name, contact details, date of birth);
b) Financial Data (e.g., bank account details, investment records, pension information, insurance policy details);
c) Usage Data (e.g., IP address, browser type, pages visited);
d) Transaction Data (e.g., details of financial transactions).
6. How We Collect Personal Data
We collect personal data:
a) Directly: Through forms, applications, events, our website, mobile apps, or inquiries;
b) Indirectly: From visits to our website, interactions with our agents, or if identified as a beneficiary;
c) From Third Parties: Such as other Enwealth entities, public databases, credit bureaus, and fraud prevention agencies.
If you start filling out online forms and abandon them, we may use the collected information to contact you for completion, unless you request deletion or limit its use.
7. How We Use Personal Data
We use your personal data for purposes including:
a) Customer due diligence and compliance with regulations;
b) Providing and managing our products and services;
c) Authentication and authorization for interactive features;
d) Human resource management and staff onboarding;
e) Executing transactions and fulfilling contractual obligations;
f) Customer support and service;
g) Marketing, research, and improving our services;
h) Monitoring for fraud and ensuring security.
8. Disclosure of Personal Data
We may share your personal data with:
a) Group Companies: Within Enwealth entities;
b) Service Providers: Such as administrators, brokers, and auditors;
c) Regulatory Bodies: To meet legal and regulatory obligations;
d) Legal Requirements: As required by law or regulatory authorities.
9. International Data Transfers
We may transfer personal data outside Kenya, Mauritius, Uganda or any other jurisdiction that we operate or may operate in when:
a) Security Measures: We have implemented robust measures to safeguard the security and protection of your personal data. This includes ensuring that data transfers occur only to jurisdictions with adequate data protection laws. For instance, when using cloud storage services, we ensure that the service provider operates in a jurisdiction that complies with the international General Data Protection Regulations (GDPR);
b) Approved Jurisdictions: The Office of the Data Protection Commissioner (ODPC) periodically publishes a list of countries with adequate data protection measures. We adhere to this list and only transfer data to those jurisdictions;
c) Consent: We may transfer and process personal data outside the country of jurisdiction with your consent for such processing and storage;
d) Necessary Transfers: Data transfer may also occur when necessary for:
(i) Contract Performance: To fulfill or perform a contract you are part of;
(ii) Public Interest: For matters of public interest;
(iii) Legal Claims: To establish, exercise, or defend legal claims;
(iv) Vital Interests: To protect your vital interests or those of others, where you are unable to give consent;
(v) Legitimate Interests: For compelling legitimate interests pursued by Enwealth, provided these are not overridden by your rights, interests, and freedoms.
Please note that information transmitted over the internet may pass through countries with varying levels of privacy and data protection laws, which may be weaker than those in your country of residence. As such, we cannot guarantee absolute confidentiality, security, or integrity of your information during its transmission over the internet
10. How We Secure Personal Data and Retention Period
a) Data Retention: We will retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including compliance with legal, regulatory, tax, accounting, or reporting obligations. Personal data will be stored securely and accurately, using appropriate physical, technical, and organizational measures;
b) Ongoing Security Measures: We are committed to continuously updating our information systems and security measures to protect personal data from potential risks and emerging threats. However, please be aware that no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security and recommend that you maintain the confidentiality of any user ID and password;
c) Retention Period: Generally, we are required by law to retain personal data for a period of 7 years. After this period, personal data will be deleted or erased from our systems in accordance with our record retention and destruction policies;
d) Extended Retention: Personal data may be retained for a longer period if necessary to address complaints or if there is a reasonable belief that litigation is anticipated in relation to our relationship with you;
e) Third-Party Processors: If we engage third parties to process personal data on our behalf, we will ensure that appropriate agreements are in place to obligate them to uphold our security standards.
11. Accessing Your Personal Data and Your Rights
Subject to legal and contractual exceptions, you have the following rights:
a) Notification: Be informed when we collect personal data from you;
b) Purpose: Be informed of the purposes for which we are collecting your personal data;
c) Consent Withdrawal: Withdraw your consent at any time. To exercise this right, complete the statutory form ‘Request for Access to Personal Data’;
d) Data Access: Access your personal data in our custody. To exercise this right, complete the statutory form ‘Request to Confirm Possession of Personal Data’;
e) Objection: Object to the processing of all or part of your personal data. To exercise this right, complete the statutory form ‘Request for Restriction or Objection to the Processing of Personal Data’;
f) Restriction: Restrict the processing of your personal data. To exercise this right, complete the statutory form ‘Request for Restriction or Objection to the Processing of Personal Data’;
g) Correction: Request correction of inaccurate or misleading data. To exercise this right, complete the statutory form ‘Request for Rectification’.
h) Deletion: Request deletion of false or misleading data;
i) Erasure: Request erasure of your personal data where it is irrelevant, excessive, or was unlawfully obtained, also known as “the right to be forgotten”;
j) Data Portability: Request data portability in a universally machine-readable format or to transfer data to another service. To exercise this right, complete the statutory form ‘Request for Data Portability’;
k) Compensation: Seek compensation for material or non-material damage if your rights have been violated;
l) Judicial Remedy: Seek an effective judicial remedy if you believe your personal data was not processed in compliance with the law;
m) Automated Decisions: Not be subjected to decisions based solely on automated processing, including profiling, that significantly affects you;
n) Complaint: Lodge a complaint with the Office of the Data Protection Commissioner (ODPC) or the relevant data protection authority in the jurisdictions where we operate;
To exercise any of the above rights, please complete the statutory forms and contact us at compliance@enwealth.co.ke. Statutory forms are available on our website, the ODPC website, or the website of the relevant data protection authority. We will endeavor to respond to all legitimate requests promptly. If your request is complex or numerous, we may require additional time, and we will keep you informed of the progress.
Please note that there may be instances where we process data without your consent if required by the Data Protection Act, relevant regulations, or applicable global legislations.
12. Complaints
If you believe your privacy rights have been violated, you have the right to file a complaint. You can do so by submitting the complaint form available on our website and sending it to our Data Protection Officer at compliance@enwealth.co.ke, or by visiting our offices. We strive to handle and resolve all complaints promptly and effectively. You also have the right to lodge a complaint with the ODPC or the relevant data protection authority in the jurisdiction where we operate.
13. Cookies
Cookies are small text files stored on your device when you visit our website. They help us enhance website performance and functionality, remember your preferences, and improve security. We use cookies for:
a) Performance: Enhancing the design and functionality of our website;
b) Personalization: Remembering your preferences and settings for a tailored experience;
c) Security: Ensuring the security of our website.
You can configure your browser to alert you before accepting cookies, or to disable cookies entirely. Please note that disabling cookies may affect your experience on our website, such as automatic log-ins and personalized features.
14. Links to Other Websites
Our website may contain links to other sites that we do not control. This privacy statement does not apply to those websites. We advise you to review the privacy statements of any linked websites.
15. Clickstream Data and Google Analytics
We use clickstream data and Google Analytics to track and analyze website traffic and improve user experience. This may include collecting information such as IP addresses, search terms, pages accessed, and browser types. The data collected is aggregate and does not personally identify you. We also respect ‘do not track’ settings on your browser.
16. Marketing
We may send you marketing information about our products and services based on the personal information you have provided. You can opt out of receiving marketing communications by clicking “unsubscribe” in the emails or texts you receive from us, or through other contact channels.
17. Processing Data Relating to a Child
We do not knowingly process data relating to children without parental or guardian consent. We will implement mechanisms, such as requesting a birth certificate, to verify the age and obtain the necessary consent before processing personal data of children.
18. Changes to This Data Protection Statement
This data protection and privacy statement was last updated in August 2024. We may update it periodically to reflect changes in regulatory requirements or our practices. Updated versions will be posted on our website. We will notify you of significant changes via email or through our website, but we encourage you to regularly check our website for updates.
19. Contact Us / Further Information
If you have any enquiries, request or feedback on your personal data or queries or feedback about our personal data protection policies, and procedures, please contact our DPO on compliance@enwealth.co.ke. You may also visit our offices