1. INTRODUCTION

1.1 Unifi Credit Limited (Company number PVT-Y2ULRB86), hereinafter referred to as "Unifi," is responsible for processing your data when you access our services. “We”, “Our” and “Us” refer to Unifi.

1.2 In certain situations, Unifi may also act as a data processor on behalf of another data controller with whom you have a contractual relationship. In such cases, Unifi will adhere to the data controller's instructions.

1.3 Unifi provides digital financial services aimed at assisting the traditionally underbanked in borrowing, saving, and growing their finances. Our services are accessible through:

1.3.1 Unifi USSD: Accessible via USSD

1.3.2 Unifi Website: Available at (https://unifi.credit/ke/), with a corresponding Privacy Notice provided.

1.3.3 Unifi Branch: Available across Kenya and location details available on our website at (https://unifi.credit/ke/)

1.4 The Score of Privacy Policy applies to your use of Unifi's services and outlines the personal data we collect, whom we share it with, how we use your data, and how you can control the sharing of specific information. This policy should be read alongside the Privacy Notice associated with the specific service you are using. The Privacy Notice provides details about how we protect your personal data, your privacy rights, and your protection under the Data Protection Act, 2019.

1.5 By accepting the terms of this Privacy Policy and the relevant Privacy Notice, you acknowledge and consent to the practices described herein.

1.6 If you have any questions about this Privacy Policy, please reach out to us at [email protected]

1.7 Unifi's services are not intended for children, and we do not knowingly process data related to children.

2. DEFINITIONS

2.1 Channels: Any system or medium (including the Unifi App, web, whether internet-based, mobile device-based, branch or otherwise) established by Unifi to facilitate access to our services.

2.2 Children: Individuals under the age of eighteen (18) years.

2.3 Consent: Express, unequivocal, free, specific, and informed indication of your wishes by a statement or clear affirmative action.

2.4 Customer or User: Any individual within the Republic of Kenya to whom Unifi provides its services.

2.5 Personal Data: Information related to an identified or identifiable individual, including Sensitive personal data.

2.6 Sensitive Personal Data: Information concerning an individual's race, health status, ethnic and social origin, beliefs, genetic data, biometric data, property details, marital status, family details, or sexual orientation.

2.7 Services: Financial and informational products and features offered by Unifi to users, as described in Section 1.3.

3. THE DATA WE COLLECT ABOUT YOU

3.1 Information You Provide: To access our services, you will be asked to provide personal data as specified in the relevant Privacy Notice. This may include:

3.1.1 Identifiers such as name, username, email address, mobile number, or other contact details.

3.1.2 Responses submitted in forms, questionnaires, and surveys.

3.1.3 Communications with Unifi, including call records, customer service requests, messages, or comments on Unifi-hosted platforms.

3.1.4 Supporting documents, such as government-issued identification, financial documents, and authorization letters.

3.2 Information We Collect as You Use the Services: We also collect information based on your usage of our products and features, as specified in the relevant Privacy Notice. This includes:

3.2.1 Device specifications, such as device identifiers, technical settings, user-selected settings, and more.

3.2.2 Usage details, navigation, clicks, traffic data, search history, IP addresses, location data, logs, and information collected through cookies, web beacons, and other tracking technologies.

3.2.3 Transaction records, including loan requests, disbursements, payments, and fund transfers.

3.2.4 Device content data, such as phonebook and network data, call logs, SMS data, and installed applications.

3.3 Information We Receive from Third Parties: To provide our services and meet legal obligations, we may obtain information from third parties, including:

3.3.1 Credit scores or similar scores from credit reference or credit scoring entities.

3.3.2 Anti-money laundering records from screening vendors.

3.3.3 Account information from partner financial institutions and service providers.

3.3.4 Identifiers, repayment, and transaction data from partners, external collection agencies, mobile network providers, and mobile money operators.

3.4 Withholding of Personal Data: Failure to provide requested personal data may prevent us from offering our services.

3.5 Regulatory Requirements: As a Digital Credit Provider regulated by government bodies, we may be required to collect, process, and retain specific personal data to comply with Anti-Money Laundering, Counter Terrorist Financing, and Counter Proliferation Financing (AML/CTF/CPF) or tax regulations when you use our services.

4. HOW WE USE YOUR PERSONAL DATA

4.1 Lawful Basis for Processing: We only process your personal data when we have a lawful basis, as specified in the relevant Privacy Notice. This may include:

4.1.1 Consent for processing your personal data.

4.1.2 Necessity to perform a contract or take pre-contractual steps.

4.1.3 Legal obligations.

4.1.4 Legitimate interests, subject to considering your rights and interests.

4.2.1 Assessing your eligibility for our services, including credit scoring and fraud prevention.

4.2.2 Processing requests and instructions from you, your account, or your device.

4.2.3 Enhancing our services, including model development through data science and machine learning.

4.2.4 Communication and relationship management.

4.2.5 Customer behaviour analysis, research, and personalization.

4.2.6 Meeting legal requirements, such as know-your-customer and transaction monitoring.

4.2.7 Compliance with law enforcement and regulatory directives.

4.2.8 Fulfilling contractual obligations to partners and enabling partners to fulfil their obligations to you.

4.2.9 Conducting Unifi's business through agents, employees, representatives, consultants, vendors, partners, and other service providers.

4.3 Marketing Communications: We will only send you direct marketing communications with your consent, and you have the right to withdraw that consent at any time by contacting us at [email protected]

4.4 Withdrawal of Consent: Where you have provided consent for specific data processing, you have the right to withdraw that consent at any time by contacting us. We will cease processing your information for the specified purpose unless we have another legitimate basis for doing so.

4.5 Automated Processing: We use automated processing with limited human intervention for certain features. Our models are regularly tested to ensure fairness, accuracy, and lack of bias. If applicable, you can request a reconsideration of an automated decision by emailing us at [email protected]. Note that human intervention doesn't guarantee reversal of an automated decision.

5. DISCLOSURES AND CROSS-BORDER TRANSFERS OF YOUR PERSONAL DATA

5.1 Disclosure and Transfer: We may disclose and transfer your personal data to internal and external third parties, as described in the relevant Privacy Notice for each specific service.

5.2 Data Location: Your personal data collected by Unifi may be stored and processed outside of Kenya. We maintain safeguards to ensure similar protection if your data is transferred.

6.1 Information Security Management: Unifi implements an Information Security Management System to maintain the confidentiality, integrity, and availability of information resources in line with industry standards and best practices. This includes:

6.1.1 Governance: Establishing and reviewing information security policies, understanding and managing legal and regulatory requirements, conducting data protection impact assessments, and appointing a Data Protection Officer.

6.1.2 Employee Screening and Confidentiality: Conducting background verification checks, outlining responsibilities for information security in personnel contracts, and enforcing compliance with organisational policies.

6.1.3 Training and Awareness: Providing personnel with information security and data protection education and training.

6.1.4 Asset Management: Inventorying company-issued devices, establishing rules for software installation, and ensuring asset return upon termination.

6.1.5 Data Classification: Classifying information and records based on legal requirements, criticality, and sensitivity.

6.1.6 Access Control: Implementing access control policies and a formal user registration process.

6.1.7 System Access Control: Controlling access with secure log-on procedures and implementing multi factor authentication.

6.1.8 Cryptographic Controls: Implementing policies on cryptographic controls for information protection.

6.1.9 Physical Security: Applying physical security measures and protecting equipment supporting information servers.

6.1.10 Logging and Monitoring: Maintaining event logs and reviewing them regularly.

6.1.11 Incident Management and Response: Having incident response and recovery plans and procedures in place.

6.1.12 Network Security Management: Identifying security mechanisms, service levels, and management requirements for network services.

6.1.13 Third Parties: Conducting information security and compliance diligence for third-party vendors, suppliers, and partners.

6.1.14 Security in Development: Establishing secure development environments throughout the system development lifecycle.

6.1.15 Audit and Independent Review: Conducting independent reviews of systems and procedures at planned intervals.

6.2 Data Breach Procedures: We have procedures in place to handle suspected personal data breaches and will notify you and relevant regulatory authorities as required.

7. DATA RETENTION

7.2 Retention Details: Details of retention periods for different aspects of your personal data are available in the Privacy Notice for the specific service.

7.3 Data Deletion: You may request data deletion, and we will dispose of it securely to prevent further processing, unauthorised access, or disclosure.

7.4 Anonymization: We may anonymize your data for research or statistical purposes, allowing indefinite use without further notice.

8. YOUR DATA SUBJECT RIGHTS

8.1 Data Subject Rights: As a data subject, you have several rights related to your personal data, including:

8.1.1 Being informed about how your data is used.

8.1.2 Access to your data and information about its processing.

8.1.3 The right to object to processing (unless compelling legitimate interests exist).

8.1.4 Correction or rectification of false or inaccurate data.

8.1.5 Data erasure (subject to legal obligations).

8.1.6 Data portability.

8.1.7 Restriction of processing.

8.1.8 Opting out of direct marketing.

8.1.9 Withholding or withdrawing consent when it serves as the lawful basis for processing.

8.2 Exercising Your Rights: You or your authorised representative can exercise these rights at any time by contacting us at [email protected], subject to verification and review.

9. CHANGES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF INFORMATION CHANGES

9.1 Policy Updates: We regularly review this Privacy Policy, and any changes will be posted on this page and, when appropriate, notified to you.

9.2 Keeping Your Information Current: It is vital that the personal data we hold about you remains accurate and up-to-date. Please inform us of any changes during our relationship.

Our services may include links to third-party websites. These websites and services have their own privacy policies, and we do not accept responsibility for their policies or any data collected through them. Please review their policies before providing personal data.

This revised privacy policy aims to enhance clarity and readability while maintaining compliance with legal requirements. It provides a clearer structure, defined terms, and actionable information for data subjects.