Data Privacy Statement

This privacy statement describes how Rafiki Microfinance Bank Limited (“Rafiki”) protects the personal data it processes, why and how we collect and use your personal data and how you can exercise your rights in relation to the processing of your personal data.

This privacy statement should be read together with the Terms and Conditions of Use for other products and services. Where there is a conflict, this privacy statement will prevail.

  1. DEFINITIONS

“Rafiki,” “We,” “our,” “ours,” and “us” means Rafiki Microfinance Bank Limited and includes its successors in title and assigns, its affiliates and/or its subsidiaries as may from time to time be specified by the Bank to you.

“Personal data” or “personal information” means: Information about you or information that identifies you as a unique individual, such as your name/s and surname combined with your physical address, contact details and/or passport/identity number.

“Processing” collectively means handling, collecting, using, altering, merging, linking, organizing, disseminating, storing, protecting, retrieving, disclosing, erasing, archiving, destroying, or disposing of your personal information.

“Sensitive personal information” includes data revealing your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of your children, parents, spouse or spouses, sex or sexual orientation.

“You” means:

  • Customer – (which includes personal representatives and assigns) operating an Account held with us and includes (where appropriate) any person you authorize to give us instructions, the person who uses any of our products and services or accesses our websites. “Customer” shall include both the masculine and the feminine gender as well as juristic persons.
  • Any agent, dealer and/or merchant who has signed an agreement with us and is recognized as a merchant or agent in accordance with any applicable laws or Regulations.
  • Any visitor that is a person (including contractors/subcontractors or any third parties) who gains access to any premises.
  • Any supplier/ service provider who has been contracted by Rafiki.
  • Any external lawyer who has tendered his/her application and/or signed a service level agreement with Rafiki.
  • Any valuer or auctioneer who has signed an agreement with Rafiki.

The word “includes” means that what follows is not necessarily exhaustive and therefore the examples given are not the only things/situations included in the meaning or explanation of that text.

  1. Collection of Personal Data

Rafiki Bank will only collect personal data about you in so far as is necessary to achieve the purposes set out in this privacy statement. We collect your personal information with your knowledge and consent, with the exception of cases where prior consent cannot be obtained for real reasons and the processing of the data is permitted by law.

Personal information may be given to or collected by Rafiki Bank in writing as part of a written application form, electronically (email), face-to-face, telephonically, online (www.rafikibank.co.ke) or via App.

Rafiki Bank will collect your personal information when you do any of the following:

  • Make an application, buy or use any of our products and/or services or from third parties on our electronic and digital platforms.
  • Use any of our products and/or services online, on a mobile or other device or in any of our branches or with any of our agents or merchants.
  • Ask the Bank for more information about a product or service or contact the Bank with a query or a complaint;
  • When you visit, access any of Rafiki Bank’s buildings/ premises;
  • Where you’ve been identified as a next of kin by our customer or employee;
  • Where you have applied for employment at the Bank;
  • Attend an event sponsored by the Bank;
  • Make an application to Rafiki Bank or interact with us as a supplier, agent or dealer;
  • Visit, access or use any of our online platforms/ websites;
  • Subscribe to any of our online services, Short Message Service (SMS), email or social media platforms;
  • Respond to or participate in a survey, marketing promotion, prize competition or special offer;
  • We may also collect your information from other organizations including credit-reference bureaus, fraud prevention agencies, government agencies and business directories;
  • When you engage our insurance services or as a result of your relationship with one or more of our staff and clients; and
  • When we require personal information from you in order to fulfil a statutory or contractual requirement, or where such information is necessary to enter into a contract or is otherwise an obligation, we will inform you and indicate the consequences of failing to do so.

These examples are non-exhaustive, which is reflective of the varied nature of the personal information we may collect.

  1. What Information is Collected?

From individuals who are our customers and prospective customers, or are representatives of customers and prospective customers, we may collect personal information that includes but is not limited to the following:

  • Your identity information, including your title, name, photograph, marital status, nationality, occupation, residence, address, location, phone number, identity document type and number, date of birth, age, gender, your email, Facebook and Twitter address.
  • Copies of your identity documents such as IDs or passports
  • Name of your employer, terms of employment and if on contract, expiry of the contract.
  • Your estimated monthly income levels.
  • If you are a student, your college or university and graduation date.
  • Your signature specimen.
  • Your credit or debit-card information, information about your bank account numbers and or other banking information.
  • Your transaction information when you use our electronic and digital platforms, branches, our agents and/or merchants.
  • Your preferences for particular products and services, based on information provided by you or from your use of our network or third party products and services.
  • Name, family details, age, profiling information such as level of education, bank account status, income brackets, etc. collected as part of surveys conducted by us and our agents on behalf of Rafiki Bank.
  • Your contact with us, such as when you: call us or interact with us through social media, email (we may record your conversations, social media or other interactions with us), register your biometric information such as your voice, fingerprints etc.
  • Relevant information as required by regulatory Know Your Client and/or Anti Money Laundering regulations and as part of our client intake procedures. This may possibly include evidence of source of funds, at the outset of and possibly from time to time throughout our relationship with clients, which we may request and/or obtain from third party sources. The sources for such verification may include documentation, which we request from you or through the use of online or public sources or both.
  • We use Closed Circuit Television (CCTV) surveillance recordings. CCTV Devices are installed at strategic locations to provide a safe and secure environment in all our branches, Rafiki premises and ATMs as a part of our commitment to security and crime prevention.
  • We maintain a register of visitors in which we collect and keep your personal data such as names, company/institution details, telephone number, vehicle registration details, National ID number and device serial number and model (where you visit our premises with your personal devices e.g. laptops). This information is collected for health, safety and security purposes.
  • We collect and retain your personal data (name, telephone number, and vehicle registration details) when you request for a parking space in any of our Rafiki premises. We use the data you provide to ensure effective car park management, health and safety compliance, for security purposes and inventory management.
  • Information you provide to us for the purposes of attending meetings and events.
  • Where you use fingerprint recognition we may collect and process your biometrics.
  • We collect your personal information when you visit us for purposes of accident and incident reporting. Rafiki will collect personal data from the injured party or person suffering from ill health, such as, Name, Address, Age, next of kin, details of the incident to include any relevant medical history. The data is collected as Rafiki has a legal duty to document workplace incidents/accidents and to report certain types of accidents, injuries and dangerous occurrences arising out of its work activity to the relevant enforcing authority. Incidents and accidents will be investigated to establish what lessons can be learned to prevent such incidents/accidents reoccurring including introduction of additional safeguards, procedures, information instruction and training, or any combination of these. Monitoring is undertaken but on an anonymized basis. The information is also retained in the event of any claims for damages.
  • When you visit our website, we collect your ID-type information: cookie ID, mobile ID, IP address which is used for real-time processing in order to generate a visitor ID.
  • Information that you provide to us and/or Correspondent banks as part of the provision of Services to you, which depends on the nature of your engagement.
  • We may collect details of a minor which include name, date of birth, birth certificate number, relationship with the applicant and any other information relevant for the provision of our products and services. We will only process such data where parental or legal guardian consent has been given. We will also ensure that the processing of such data will be done in a manner that protects and advances the rights and best interests of the child.

  1. Related Legal Entities

Corporate entities and clients form part of our client base. These legal entities are not data subjects (i.e., natural persons to whom personal information relates). However, as part of our engagement with these clients, we may receive personal information about individuals which may include but is not limited to:

  • Full names.
  • Birth certificate number, national identity card number or passport number; personal identification number (PIN).
  • Date of birth
  • Postal and business address.
  • Residential address, telephone number and email address.
  • Occupation or profession.
  • Nature of ownership or control of the company.
  • Number of Shares in the company.

These examples are non-exhaustive, which is reflective of the varied nature of the personal information.

  1. Mailing Lists

We also collect information to enable us to improve the customer experience and market our products and/or services, which may be of interest to you. For this purpose, we collect:

  • Name and contact details.
  • Other business information, such as job title and the company you work for.
  • Products and/or services that interest you.
  • Additional information may be collected, such as events you attend and if you provide it to us.

  1. Use of Personal Data

This privacy statement aims to give you complete and transparent information on how Rafiki processes your personal data. We are committed to ensuring that your personal information is processed in a way that is compatible with the specified, explicit, and legitimate purpose of collection.

Where personal data relates to a child, we will process the personal data only where parental or legal guardian consent has been given. The processing of such data will be done in a manner that protects and advances the rights and best interests of the child.

We may use personal data provided to us for purposes including, but not limited to, the following:

  • Verifying your identity information through publicly available and/or restricted government databases to comply with applicable Know Your Customer (KYC) requirements.
  • Assessing the purpose and nature of your business or principal activity, your financial status and the capacity in which you are entering into the business relationship with us.
  • Creating a record of you on our system to verify your identity, provide you with the products and/or services you have applied for from us or from third parties on our ecommerce platforms.
  • Communicate with and keep you informed about the products and/or services you have applied for.
  • Verification of age and consent where the personal data relates to a child.
  • Identifying you and verifying your physical address.
  • Identifying your source of income and similar information.
  • Assessing your personal financial circumstances and needs before providing advice to you.
  • Responding to any of your queries or concerns, we may record or monitor telephone calls between us so that we can check instructions and make sure that we are meeting our service standards.
  • Carrying out credit checks and credit scoring.
  • To perform our obligations under a contractual arrangement with you.
  • Fraud prevention, detection and investigation
  • Any purpose related to the prevention of financial crime, including sanctions screening, monitoring for money laundering prevention and any financing of terrorist activities.
  • Further processing for historical, statistical or research, survey and other scientific or business purposes where the outcomes will not be published in an identifiable format.
  • Provide aggregated data (which do not contain any information which may identify you as an individual) to third parties for research and scientific purpose.
  • In business practices including for quality control, training and ensuring effective systems operations.
  • To understand how you use our products and services for purposes of developing or improving products and services.
  • Administer any of our online platforms/websites.
  • To comply with any legal, governmental, or regulatory requirement or for use by our lawyers in connection with any legal proceedings.
  • For purposes relating to the assignment, sale, or transfer of any of our businesses, legal entities or assets, in whole or in part, as part of corporate transactions.
  • Keeping you informed generally about new products and services and contacting you with offers or promotions based on how you use our or third-party products and services unless you opt out of receiving such marketing messages (you may contact Rafiki at any time to opt out of receiving marketing messages).
  • Where you have applied for employment at Rafiki, we perform applicant screening and background checks.
  • Where you are a Rafiki employee (including contractors), we create an employment record of you on our system to facilitate continuous monitoring during your employment with us.
  • Where you are a Rafiki Director, we create a record of you as a director on our system.
  • Where you are a supplier to Rafiki, we process your personal information for due diligence, risk assessment, administrative and payment purposes.
  • For security purposes when accessing any of Rafiki buildings/premises; and
  • Where you attend an event sponsored by Rafiki, we will be taking photos or videos of the event. These images or videos will be used by us to share news about the event, and may be used in press releases, printed publicly, and published on our website.

  1. Sensitive (Special Categories) Data

We may collect Special Categories of Personal Data about you (this includes details about your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including details of your children, parents, spouse or spouses, sex or sexual orientation and biometric data). We will rely on any of the legal basis provided in for such collection.

  1. Data Processing by Third Parties

We may collect information about you from certain third-party sources, including, for example, financial institutions and government sources. This helps us with engaging in fraud monitoring and prevention, compliance with applicable laws and regulations, reviewing and processing applications for our Services, intake of new customers, managing our business effectively, and account maintenance and servicing.

To help us provide services, your data will be processed internally and externally by other third parties. We use third parties for administrative, servicing, monitoring and storage of your data. We will outsource some services to third parties whom we consider capable of performing the required processing activities so that there is no reduction in the service standard provided to you by us.

Where processing of personal data is carried out on our behalf, we have a separate contract with the processor with respect to this processing. This contract ensures compliance with the Data Protection Act 2019 and defines sufficient guarantees for the implementation of appropriate technical and organizational measures, which ensure the protection of your rights.

The third party providers may use their own third party subcontractors that have access to personal data (sub-processors). It is our policy to use only third party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by Rafiki, and to follow those same obligations down to their sub-processors.

This Notice does not address, and we are not responsible for, the privacy, security, or other practices of any third parties, including any third party operating any site or service to which the Site links. The inclusion of a link on the Site does not imply endorsement of the linked site or service by us or by our affiliates.

In addition, we are not responsible for the information collection, usage, disclosure, or security policies or practices of other organizations, such as Facebook, Twitter, Instagram, LinkedIn, or any other third-party app provider, social media platform provider, operating system provider, device manufacturer, or wireless service provider, including with respect to any Personal Information you disclose to other organizations through or in connection with the Site/Services.

  1. Transfer of Personal Data

Rafiki may transfer your personal information for the purpose of effecting/implementing, administering, and securing any product or service that you have applied for or for other purposes set out in this privacy statement.

We also share data with Rafiki-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; to comply with regulatory requirements and to protect the rights and property of Rafiki and its customers.

We may transfer or disclose the personal data we collect to regulatory, fiscal or supervisory authorities, correspondent banks on transaction enquiries, third party contractors, subcontractors, and/or their subsidiaries and affiliates who provide support to Rafiki in providing their services.

  1. Cross-Border Transfers

From time to time we may need to transfer your personal information outside the country where you are located. This includes countries that do not have laws that provide specific protection to your personal data.

Where we send your information outside the country, we will make sure that there is proof of adequate data protection safeguards in the recipient country or consent from you on transfer of your personal information.

  1. Other Disclosures

We also may disclose your personal information where required by law, to enforce other agreements, or to protect the rights, property, or safety of our business, our clients, customers, employees, or others.

Rafiki may disclose, respond, advise, exchange and communicate personal data and/or information in the Bank’s possession relating to you outside Rafiki whether such personal data and/or information is obtained after you cease to be the Bank’s customer or during the continuance of the bank-customer relationship or before such relationship was in contemplation, provided that such personal information is treated in confidence by the recipient:

  • For fraud prevention, detection and investigation purposes.
  • To licensed credit reference agencies or any other creditor if you are in breach of your obligations to the Bank and for assessment of credit applications and for debt tracing.
  • To licensed credit reference agencies or any other creditor for determining your payment history.
  • To the Bank’s external lawyers, auditors, valuers, survey agencies, and sub-contractors, software developers or other persons acting as agents of the Bank.
  • To any person who may assume the Bank’s rights within the confines of the law.
  • To debt collection agencies.
  • Providing income tax-related information to tax authorities.
  • To any regulatory, fiscal or supervisory authority, any local or international law enforcement agencies, governmental agencies so as to assist in the prevention, detection, investigation or prosecution of criminal activities, courts or arbitration tribunal where demand for any personal data and/or information is within the law.
  • To the Bank’s subsidiaries, affiliates and their branches and offices (together and individually).
  • Where the Bank has a right or duty to disclose or is permitted or compelled to do so by law.
  • For purposes of exercising any power, remedy, right, authority or discretion relevant to an existing contract with the Bank and following the occurrence of an Event of Default, to any other person or third party as well.

Legal Basis for Processing of Personal Data

Rafiki will process your personal information as permitted by the applicable Data Protection Law and its internal policies:

  • For the performance of a product/service contract which you are party to;
  • Where processing is necessary for the purposes of legitimate business interests pursued by Rafiki or by a third party within the confines of the law;
  • For the establishment, exercise or defense of a legal claim;
  • Compliance with a mandatory legal obligation to which it is subject;
  • With your consent;
  • Public interest;
  • To protect your vital interest or the vital interests of any person.

Direct Marketing

From time to time, we may also use your personal information to contact you for market research or to provide you with information about other services we think would be of interest to you. You may be required to opt-in or give any other form of explicit consent before receiving marketing messages from us.

We respect your right to control your personal data depending on which of our products you use. Therefore, at a minimum, we will always give you the opportunity to opt-out of receiving such direct marketing or market research communications. You may exercise this right to opt-out at any time.

Retention of Personal Data

Rafiki will retain your personal data only for as long as is necessary to achieve the purpose for which it was collected. We may retain your personal data and/or information for a period of up to seven (7) years or as may be required by law, and we maintain specific records management and retention policies and procedures, so that personal data are deleted after a reasonable time according to the following retention criteria:

  • Where we have an ongoing relationship with you.
  • To comply with a legal obligation to which it is subject.
  • Where retention is advisable to safeguard or improve the Bank’s legal position.

Your Rights

You have the right (in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law) to:

  • Be informed that we are collecting personal data about you;
  • Request access to your personal information that we have on record. This right entitles you to know whether Rafiki holds personal data about you and, if so, obtain information on and a copy of those personal data.
  • Request Rafiki to rectify any of your personal data that is incorrect or incomplete.
  • Object to and withdraw your consent to processing of your personal data. This right entitles you to request that Rafiki no longer processes your personal data. The withdrawal of your consent shall not affect the lawfulness of processing based on prior consent before its withdrawal. We may also continue to process your personal information if we have a legitimate or legal reason to do so.
  • Request the erasure of your personal data. This right entitles you to request the erasure of your personal data, including where such personal data would no longer be necessary to achieve the purposes.
  • Request the restriction of the processing of your personal data: This right entitles you to request that Rafiki only processes your personal data in limited circumstances, including with your consent.
  • Request portability of your personal data. This right entitles you to receive a copy (in a structured, commonly used, and machine-readable format) of personal data that you have provided to Rafiki, or request Rafiki to transmit such personal data to another data controller in an electronic format.

The Use of Cookies

We may store some information (using “cookies”) on your computer when you visit our websites. This enables us to recognize you during subsequent visits. The type of information gathered is non-personal (such as: the Internet Protocol (IP) address of your computer, the date and time of your visit, which pages you browsed and whether the pages have been delivered successfully). We use cookies for storing and honoring your preferences and settings, enabling you to sign in, providing interest-based advertising, combating fraud, analyzing how our products perform, and fulfilling other legitimate purposes.

We may also use this data in aggregate form to develop customized services – tailored to your individual interests and needs. Should you choose to do so, it is possible (depending on the browser you are using), to be prompted before accepting any cookies, or to prevent your browser from accepting any cookies at all. This will however cause certain features of the web site not to be accessible.

Contact Us

Please contact us if you (i) have any questions or concerns about how Rafiki processes your personal data or (ii) want to exercise any of your rights in relation to your personal data, on 0711073000, 0730170000 or by writing to us on email: dpo@rafiki.co.ke

Amendments to this Statement

Rafiki reserves the right to amend or modify this privacy statement from time to time and your continued use of our products and services constitutes your agreement to be bound by the terms of any such amendment or variation. You can access the most current version of the privacy statement from www.rafikibank.co.ke and any amendment or modification to this statement will take effect from the date of notification on the Rafiki website.