SORTIKA PRIVACY NOTICE
Data Privacy Policy
Table of Contents
- Definitions
- Who We Are
- Information We Collect
- Information You Provide
- How We Use Information
- Third-Party Information
- Where We Store Your Data and Security
- Cookies and Tracking
- How You Exercise Your Rights
- Do-Not-Track Features
- Privacy Rights for California Residents
- How General Data Protection Applies to European Users
- Managing and Deleting Your Information
- Update to Our Policy
- Contact Information
- How We Process Information
- Disclaimer
1. Definitions
Biodata: Biographical information: Personal information with regard to gender, nationality, contact information, physical location, and any other
Controller: Means the natural or legal person, authority, organization or other agency that makes decisions individually or together with other parties regarding the purposes and means for processing Personal Data.
GDPR: Means the General Data Protection Regulation ((EU) 2016/679).
Personal Data: Means any information identifying you or information relating to you that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data excludes anonymous data or data that has had the identity of you as an individual permanently removed.
Processor: Means a natural or legal person, authority, organization or other agency that processes Personal Data on behalf of the Controller.
Responsible Person: Means the information security department.
Minor: Means an individual who has not attained the age of eighteen (18) years.
Consent: Means processing your Customer Information where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us via customercare@sortika.com.
Customer/User: Means any individual within the Republic of Kenya to which we provide our products or services.
2. Who We Are
We are Sortika Enterprises, with our registered office at Westlands, The Mirage Towers, Tower2 M2 Suite7, and we specialize in savings and investments. This privacy notice for Sortika App (‘Company’, ‘we’, ‘us’, or ‘our’) describes how and why we might collect, store, use, and/or share (‘process’) your information when you use our services (‘Services’), such as when you:
- Download and use our mobile application (Sortika App), or any other application of ours that links to this privacy notice
- Engage with us in other related ways, including any sales, marketing, or events
Our Privacy Policy (“Privacy Policy”) helps explain our information practices, including the information we process to support our Services. For example, we talk about what information we collect and how this affects you.
Questions or concerns? Reading this privacy notice will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services, as this Information is required to be able to serve you. If you still have any questions or concerns, please contact us at customercare@sortika.com.
3. Information We Collect
We must receive or collect some information to operate, provide, improve, understand, customize, support, and market our Services. This also includes when you install, access, or use our Services. The types of information we receive and collect depend on how you use our Services.
Information that we collect about you and the devices you use:
Sensitive Information. When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information:
- Financial data. We may request access to your financial or credit information, personal description or photo, employer name and address, employment status, work phone number, monthly income and expenses, the content of your SMS saved on your mobile, transactions on bank accounts, description, signature, localization, contact list and any other information you would provide to us.
Application Data. If you use our application(s), we also may collect the following information if you choose to provide us with access or permission:
- Geolocation Information. We collect device location information if you use our location features. We may request access or permission to track location-based information from your mobile device, either continuously or while you are using our mobile application(s), for diagnostics and troubleshooting purposes such as if you are having trouble with our app’s location features. We use various technologies to determine location, including IP, GPS, and information about nearby Wi-Fi access points, beacons, and cell towers.
- Mobile Device Access. We may request access or permission to certain features from your mobile device, including your
- Contacts (We may retrieve contact names and numbers and may use this information in our credit and underwriting models, such as fraud modeling and guarantor reference, through verifying identities and understanding your relationship to determine whether you are eligible for our Services. We also collect the contact list numbers to enable our users to send invitations to your contacts so as to create a financial social network when building a group or creating a guarantor network. We will never reach out to any of your contacts or provide any of your information to your contacts unless you separately and expressly direct us to do so),
- SMS messages (We retrieve information about the SMS stored on your device, such as message ID and keywords, and use this information to understand your financial activity with regard to prompts on percentage monetary reductions that you have expressly consented to. This storing of SMS data enables passive savings tapped into your financial transactions even when the app is closed and not in use),
- Social media accounts (These are optional as they are used as alternative identifiers), and other features.
- Images via device camera access and device storage (We may request you to upload or take photos with your device’s camera as an identifier and for documents, i.e. proof of income, passport photo, group photo, photo of your Identification Document issued by the government of Kenya or respective country of origin, to enable our KYC (Know Your Customer) processes to comply with regulations and help you enjoy all the services on the application).
NB: If you wish to change our access or permissions, you may do so in your device’s settings.
- Mobile Device Data. We automatically collect device information (such as your mobile device ID, model, and manufacturer), operating system, version information and system configuration information, device and application identification numbers, browser type and version, hardware model, Internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server). If you are using our application(s), we may also collect information about the phone network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s unique device ID, and information about the features of our application(s) you accessed.
- Push Notifications. We may request to send you push notifications regarding your account or certain features of the application(s). If you wish to opt out from receiving these types of communications, you may turn them off in your device’s settings.
- Third-Party Data. We may request data from credit reference agencies or bureaus, external collection agencies, identity verification and sanctions screening service providers, and marketing partners.
This information is primarily needed to maintain the security and operation of our application(s), for troubleshooting, and for our internal analytics and reporting purposes.
All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.
4. Information You Provide
Please be informed that we may collect the following Consumer Information via our Mobile App, Website and Web App. Information received directly from you:
- Provided by filling in our registration forms, which are an integral part of using our Services. This may include Biodata, your photo, billing address, employment status, monthly income and expenses, bank account, debit/credit card information, contact preferences, and authentication data.
- Provided while corresponding with us by chat, e-mail, phone, SMS, USSD, or messages.
- Provided when you enter a competition, promotion, or survey, or report any technical issues related to our Services.
5. How We Use Information
We use the information we have (subject to the choices you make) to operate, provide, improve, understand, customize, support, and market our Services. Here’s how:
a) Our Services
We use the information we have to operate and provide our Services, including verifying your identity, disbursing loans and collecting payments, analyzing customer behavior, providing customer support, and improving, fixing, and customizing our Services. We understand how people use our Services and analyze and use the information we have to evaluate and improve our Services, research, develop, and test new services and features, and conduct troubleshooting activities. We also use your information to respond to you when you contact us.
b) Safety and Security
We verify accounts and activity and promote safety and security on and off our Services, such as by investigating suspicious activity or violations of our Terms, and ensure our Services are being used legally.
c) Communications About Our Services
We use the information we have to communicate with you about our Services and features and let you know about our terms and policies and other important updates. We may provide you with marketing for our Services.
d) Commercial Messaging
We will allow you and third parties, like businesses, to communicate with each other using Our Services, such as through order, transaction, and appointment information, product and service updates, and marketing. For example, you may receive target status for a product or service you have been saving for as a goal on our App, a receipt for something you purchased via our App, or a notification when a delivery will be made. Messages you may receive containing marketing could include an offer for something that might interest you.
We do not want you to have a spammy experience; as with all of your messages, you can manage these communications, and we will honor the choices you make.
e) Measurement, Analytics, and Other Business Services
We help you when you use Our Service to measure the effectiveness and distribution of your finances and understand how you interact with Our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
f) Information You and We Share
You share your information as you use and communicate through our Services, and we share your information to help us operate, provide, improve, understand, customize, support, and market our Services. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. We post testimonials on our Services that may contain personal information.
g) Send Your Information to Those You Choose to Communicate With
- Our business partners, suppliers, and sub-contractors for the performance of any contract we enter into with you;
- Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others (we do not disclose information about identifiable individuals to our advertisers, but we will provide them with aggregate information about our users);
- Government and enforcement agencies; and
- Credit and other payment card companies and screening companies.
h) Your Contacts and Others
Users and businesses with whom you communicate may store or reshare your information (including your phone number or messages) with others on and off our Services. You can choose whom you communicate with and certain information you share within the scope of Our Services.
i) Third-Party Services
When you use third-party services that are integrated with our Services, they may receive information about what you share with them. For example, if you use a data backup service integrated with our Services (like iCloud or Google Drive), they will receive information you share with them. If you interact with a third-party service linked through our Services, you may be providing information directly to such third party. Please note that when you use third-party services, their own terms and privacy policies will govern your use of those services.
6. Third-Party Information
We work with third-party service providers to help us operate, provide, improve, understand, customize, support, and market our Services. For example, we work with companies to distribute our apps, provide our infrastructure, delivery, and other systems, supply location, map, and places information, process payments, help us understand how people use our Services, market our Services, help you connect with businesses using our Services, conduct surveys and research for us, and help with customer service. These companies may provide us with information about you in certain circumstances; for example, app stores may provide us reports to help us diagnose and fix service issues.
We allow you to use our Services in connection with third-party services. If you use our Services with such third-party services, we may receive information about you from them. For example, if you use the share button on our Services to share a product with groups, or broadcast lists, or if you choose to access our Services through a mobile carrier’s or device provider’s promotion of our Services. Please note that when you use third-party services, their own Terms and Privacy Policies will govern those services.
7. Where We Store Your Data and Security
The data that we collect from you may be transferred to, and stored at, a destination outside your country of origin or residence (as applicable). It may also be processed by staff operating outside your country of origin or residence (as applicable), who work for us or for one of our suppliers. Our staff members may be engaged in the fulfillment of your requests on our Service Platforms. Data stored outside Kenya may be subject to the laws of the country in which it is stored. By submitting your personal data, you agree to the collection, transfer, storing, or processing of your personal data in the manner set out above. We will take all steps reasonably necessary to ensure that your data is treated, stored, and processed securely and in accordance with these Terms and Conditions.
Where we have given you (or where you have chosen) a password that enables you to access certain parts of Our Services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to Our Services; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
We implement and maintain appropriate safeguards to protect personal data, considering, in particular, the risks to you presented by unauthorized or unlawful processing or accidental loss, destruction of, or damage to your personal data.
Safeguarding will include the use of encryption and pseudonymization where appropriate. It also includes protecting confidentiality (i.e. that only those who need to know and are authorized to use personal data have access to it), integrity, and availability of the personal data. We regularly evaluate and test the effectiveness of those safeguards to ensure the security of our processing of personal data.
8. Cookies and Tracking
We may use mobile tracking technologies and/or website cookies to distinguish you from other users of the App, Web Site, or Service Sites. This helps us to provide you with a good experience when you use the App or browse any of the Service Sites and also allows us to improve the App and Website. For example, we use cookies:
- To provide Sortika Enterprises for web and desktop and other Services that are web-based, improve your experiences, understand how our Services are being used, and customize our Services;
- To understand which of our FAQs are most popular and to show you relevant content related to our Services;
- To remember your choices, such as your language preferences, and otherwise to customize our Services for you; and
- To rank the FAQs on our website based on popularity, understand mobile versus desktop users of our web-based Services, or understand popularity and effectiveness of certain of our web pages.
9. How You Exercise Your Rights
Under the General Data Protection Regulation or other applicable local laws, you have the right to access, rectify, port, and erase your information, as well as the right to restrict and object to certain processing of your information. This includes the right to object to our processing of your information for direct marketing and the right to object to our processing of your information where we are performing a task in the public interest or pursuing our legitimate interests or those of a third party. You can access or port your information via a request to customercare@sortika.com. You can access tools to rectify, update, and erase your information directly in-app as described in the Managing and Deleting Your Information section (13). If we process your information based on our legitimate interests or those of a third party, or in the public interest, you can object to this processing, and we will cease processing your information unless the processing is based on compelling legitimate grounds or is needed for legal reasons. You can also object to our processing of your information and learn more about your options for restricting the way we use your information by visiting http://sortika.co.ke/policy. Where we use your information for direct marketing for our own Services, you can always object and opt out of future marketing messages using the unsubscribe link in such communications.
Depending on the circumstances, you have a right to know:
- whether we collect and use your personal information;
- the categories of personal information that we collect;
- the purposes for which the collected personal information is used;
- whether we sell your personal information to third parties;
- the categories of personal information that we sold or disclosed for a business purpose;
- the categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
- the business or commercial purpose for collecting or selling personal information.
In accordance with applicable law, we are not obligated to provide or delete consumer information that is de-identified in response to a consumer request or to re-identify individual data to verify a consumer request. Depending on the type of request you submit, we may ask you to provide certain information so that we can match the information you provide with the information we already have on file, or we may contact you through a communication method (e.g. phone or email) that you have previously provided to us. We may also use other verification methods as the circumstances dictate.
We will only use the personal information provided in your request to verify your identity or authority to make the request. To the extent possible, we will avoid requesting additional information from you for the purposes of verification. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes. We will delete such additionally provided information as soon as we finish verifying you.
Other privacy rights
- You may object to the processing of your personal information.
- You may request correction of your personal data if it is incorrect or no longer relevant, or ask to restrict the processing of the information.
- You can designate an authorized agent to make a request under the CCPA on your behalf. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with the CCPA.
- You may request to opt out from future selling of your personal information to third parties. Upon receiving an opt-out request, we will act upon the request as soon as feasibly possible, but no later than fifteen (15) days from the date of the request submission.
To exercise these rights, you can contact us by referring to the contact details at the bottom of this document. If you have a complaint about how we handle your data, we would like to hear from you.
10. Controls for Do-Not-Track Features
Do-Not-Track (‘DNT’) is a feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.
11. Privacy Rights for California Residents
If you are a resident of California, you are granted specific rights regarding access to your personal information.
California Civil Code Section 1798.83, also known as the ‘Shine The Light’ law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.
If you are under 18 years of age, reside in California, and have a registered account with Services, you have the right to request removal of unwanted data that you publicly post on the Services. To request removal of such data, please contact us using the contact information provided below and include the email address associated with your account and a statement that you reside in California. We will make sure the data is not publicly displayed on the Services, but please be aware that the data may not be completely or comprehensively removed from all our systems (e.g. backups, etc.).
CCPA Privacy Notice
The California Code of Regulations defines a ‘resident’ as:
(1) every individual who is in the State of California for other than a temporary or transitory purpose; and
(2) every individual who is domiciled in the State of California who is outside the State of California for a temporary or transitory purpose.
All other individuals are defined as ‘non-residents’.
12. How General Data Protection Applies to European Users
We collect, use and share the information we have as described above:
- as necessary to fulfill our Terms;
- consistent with your consent, which you can revoke at any time;
- as necessary to comply with our legal obligations;
- occasionally to protect your vital interests, or those of others;
- as necessary in the public interest; and
- as necessary for our (or others’) legitimate interests, including our interests in providing an innovative, relevant, safe, and profitable service to our users and partners, unless those interests are overridden by your interests or fundamental rights and freedoms that require protection of personal data.
13. Managing and Deleting Your Information
We store information until it is no longer necessary to provide our services, or until your account is deleted, whichever comes first. All information you provide to us is stored on our secure servers. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
Length of data retention is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, and relevant legal or operational retention needs.
14. Update to Our Policy
We will notify you before we make changes to this Privacy Policy and give you the opportunity to review the revised Privacy Policy before you choose to continue using our Services.
15. Contact Information
If you have questions about our Privacy Policy, please contact us at customercare@sortika.com or write to us here:
Sortika Enterprises
The Mirage Towers. Tower2 M2 Suite 7
Waiyaki Way, Westlands
Nairobi, Kenya
P.O Box 3123-00800 Nairobi
You have the right to lodge a complaint with Sortika Enterprises.
16. How We Process Information
Under European law, companies must have a legal basis to process data. You have particular rights available to you depending on which legal basis we use, and we’ve explained these below. You should know that no matter what legal basis applies, you always have the right to request access to, rectification of, and erasure of your data under the General Data Protection Regulation (the “GDPR”).
For all people who have legal capacity to enter into an enforceable contract, we process data as necessary to perform our contracts with you (the Terms of Service, the “Terms”). We describe the contractual services for which this data processing is necessary in Our Services section of the Terms and in the additional informational resources accessible from our Terms. The core data uses necessary to provide our contractual services are:
- To provide, improve, customize, and support our Services as described in “Our Services”;
- To promote safety and security;
- To transfer, transmit, store, or process your data outside the EEA, including to within the United States and other countries; and
- To communicate with you, for example, on Service-related issues.
We’ll use the data we have to provide these services; if you choose not to provide certain data, the quality of your experience using Sortika Enterprises may be impacted.
When we process data you provide to us as necessary to perform our contracts with you, you have the right to port it under the GDPR. To exercise your rights, visit the How You Exercise Your Rights section of the Privacy Policy.
The other legal bases we rely on in certain instances when processing your data are:
a) Your Consent:
For collecting and using information you allow us to receive through the device-based settings when you enable them (such as access to your GPS location, camera, or photos), so we can provide the features and services described when you enable the settings. When we process data you provide to us based on your consent, you have the right to withdraw your consent at any time and to port that data you provide to us, under the GDPR. To exercise your rights, visit your device-based settings, your in-app settings like your in-app location control, and the How You Exercise Your Rights section of the Privacy Policy.
b) Our legitimate interests or the legitimate interests of a third party, where not outweighed by your interests or fundamental rights and freedoms (“legitimate interests”):
For people under the age of majority (under 18, in most EU countries) who have a limited ability to enter into an enforceable contract only, we may be unable to process personal data on the grounds of contractual necessity. Nevertheless, when such a person uses our Services, it is in our legitimate interests:
- To provide, improve, customize, and support our Services as described in Our Services;
- To promote safety and security; and
- To communicate with you, for example, on Service-related issues.
c) The legitimate interests we rely on for this processing are:
- To create, provide, support, and maintain innovative Services and features that enable people under the age of majority to express themselves, communicate, discover, and engage with information and businesses relevant to their interests, build community, and utilize tools and features that promote their well-being;
- To secure our platform and network, verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, and keep our Services and all of Sortika Enterprises Products free of harmful or inappropriate content, and investigate suspicious activity or violations of our terms or policies and to protect the safety of people under the age of majority, including to prevent exploitation or other harms to which such individuals may be particularly vulnerable.
d) For all people, including those under the age of majority:
For providing measurement, analytics, and other business services where we are processing data as a controller. The legitimate interests we rely on for this processing are:
- To provide accurate and reliable reporting to businesses and other partners, to ensure accurate pricing and statistics on performance, and to demonstrate the value our partners realize using our Services; and
- In the interests of businesses and other partners to help them understand their customers and improve their businesses, validate our pricing models, and evaluate the effectiveness and distribution of their services and messages, and understand how people interact with them on our Services.
e) For providing marketing communications to you. The legitimate interests we rely on for this processing are:
- To promote Sortika Enterprises and issue direct marketing.
- To share information with others including law enforcement and to respond to legal requests. See our Privacy Policy under Law and Protection for more information. The legitimate interests we rely on for this processing are:
- To prevent and address fraud, unauthorized use of the Sortika Products, violations of our terms and policies, or other harmful or illegal activity; to protect ourselves (including our rights, property or Products), our users or others, including as part of investigations or regulatory inquiries; or to prevent death or imminent bodily harm.
- To secure systems and fight spam, threats, abuse, or infringement activities and promote safety and security across Sortika Products. You have the right to object to, and seek restriction of, such processing; to exercise your rights, visit the How You Exercise Your Rights section of the Privacy Policy. We will consider several factors when assessing an objection, including: our users’ reasonable expectations; the benefits and risks to you, us, other users, or third parties; and other available means to achieve the same purpose that may be less invasive and do not require disproportional effort. Your objection will be upheld, and we will cease processing your information, unless the processing is based on compelling legitimate grounds or is needed for legal reasons. If you are under the age of majority in your country and have a limited ability to enter an enforceable contract, we will take particular account of the fact that you are below the age of majority and adjust our assessment of our legitimate interests and the balancing of your interests and rights accordingly.
f) Compliance with a legal obligation:
For processing data when the law requires it, including, for example, if there is a valid legal request for certain data.
g) Protection of your vital interests or those of another person:
The vital interests we rely on for this processing include protection of your life or physical integrity or that of others, and we rely on it to combat harmful conduct and promote safety and security, for example, when we are investigating reports of harmful conduct or when someone needs help.
h) Tasks carried out in the public interest:
For undertaking research and to promote safety and security, as described in more detail in our Privacy Policy under How We Use Information, where this is necessary in the public interest as laid down by European Union law or Member State law to which we are subject.
When we process your data as necessary for a task carried out in the public interest, you have the right to object to, and seek restriction of, our processing. In evaluating an objection, we’ll evaluate several factors, including: reasonable user expectations; the benefits and risks to you and third parties; and other available means to achieve the same purpose that may be less invasive and do not require disproportional effort.
Your objection will be upheld, and we will cease processing your information, unless the processing is based on compelling legitimate grounds or is needed for legal reasons.
17. Disclaimer
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Data Subject Rights Request Form
We have availed a form to enable our customers to exercise their Data Subject Rights as provided by the Kenya Data Protection Act, 2019. Please see the attached form below: