Introduction

We, at Copia Kenya Limited (hereafter “Copia”, “we”, “us”, or “our”), are committed to safeguarding the privacy of individuals whose personal data we process, for instance our customers, suppliers/ service providers, job candidates, website users, mobile application users and agents/ their representatives as is required by the European Union General Data Protection Regulation (hereafter the “GDPR”), Kenya Data Protection Act 2019 (hereafter the “KDPA”), the Kenya Data Protection (General) Regulations 2021 (hereafter the “Regulations”, “KDPR”), and the Kenya Data Protection (Registration of Data Controllers and Processors) Regulations, 2021 (hereafter the “Registration Regulations”) together referred to as data protection laws. 
 
We recommend you read this Privacy Notice so that you understand our approach towards the processing of your personal data.
 
Our Platforms (Website and App) may contain links to third-party websites that are not covered by this Privacy Notice. We, therefore, ask you to review the privacy statements of other websites and applications to understand their information practices.  
 
This notice applies where we are acting as a data controller, determining the purposes and means of processing your personal data. 
 
Our Platforms are owned, operated, hosted, and maintained by Copia Global.

Personal data we may collect about you

The type of data we collect will depend on the purpose for which it is collected and used. We will only collect data that we need for that purpose. 
 
We collect your personal data in the following ways:
  • When the data is collected directly from you for e.g., when you are creating an account on our website or the copia app, you correspond with us and provide us with your information via emails or phone calls, send us your CV and/or when you register with Copia as agents.
  • When we obtain data indirectly for e.g., such as obtaining customer data through agents and surveys.
  • When it is publicly available. For example:
  1. On your website or other online sources (i.e. information relating to your contact details).
  2. On social media platforms (i.e. information relating to your contact and individual details) depending on your privacy settings. 
The types of personal data that are collected and processed may include:
 

Categories of Personal Data

Details

Contact details 

First name, surname, personal email address, phone number, office number, telephone number, physical address, geolocation, and alternate person’s contact details, billing address, mobile device ID, contact details of your referees

Educational and professional background 

CV/ resumé, academic and professional qualifications, employment history (including information on your previous position held and the name and title of your previous supervisor), reference letters, interview notes.

Identification details 

Identification numbers issued by government bodies or agencies such as your passport number or identity card number, passport.

Individual details

Gender, education level, age, marital status

Employment details

Occupation

Financial information 

Bank details, Income level, commission received, credit score, payment card number

Marketing details 

Your preference in receiving marketing offers from us

IT information 

IP addresses, browser type and version, access time and length of access, page views, user activity and website usage in log files, time zone

For personal data collected via Cookies, please refer to our Cookie Policy

CCTV Footage 

CCTV Footage
For personal data processed via CCTV, kindly request for our CCTV Policy

Sensitive personal data 

Sex, social class, religious belonging, age of children, criminal records

Other

Number of children, call records, recording of calls on Copia communication channels and interactions, sanctions imposed on directors.

Depending on our collaboration, other types of personal data may be collected. These will only be processed in accordance with this notice.

Purpose(s) for processing your personal data

Copia will only use your personal data for the purposes for which it was collected or agreed with you. 

The different purposes for processing your personal data are as follows:

Agents

  • For order processing, tracking and invoicing.
  • For commission and rewards calculation and payment processing.
  • For identity verification.
  • For record keeping.
  • For performance reporting.
  • For surveys.
  • For marketing and sending promotional messages.
  • To resolve customer complaints.
  • For retail sales.

Directors and Shareholders

  • Purpose of processing
  • For conducting due diligence on the directors
  • Record keeping purposes
  • Benefits calculation

Customers

  • For offering and supplying relevant services to you (For processing orders).
  • For marketing and promotional messages.
  • For billing and invoicing purposes.
  • For record keeping purposes.
  • To manage our relationships and communicate with customers.
  • For identity verification when you exercise your data subject’s rights.
  • For retail sales.
  • For business reporting.
  • For tracking orders.
  • For surveys.
  • For rewards.
  • For resolving customer complaints.

Suppliers/Service Providers

  • For managing our relationships with suppliers and for communicating with suppliers.
  • For payment purposes.
  • For identity verification when you are exercising your data subject’s rights.
  • For record keeping purposes.

Job Candidate

  • As required for the recruitment process at Copia:
    – for communicating with you,
    – to analyse your qualifications and assess your suitability for the job,
    – to conduct candidate screening and assess candidate credibility, and
    – to set out your job conditions.
  • To contact your referees and previous employers for authenticating your employment history and performance.
  • Storing your CV and contact details for the purpose of contacting you in the event there are future job opportunities

Website Users/ Mobile Application Users

  • To confirm and verify your identity or to create an account for you on the App.
  • To analyse the use of our website.
  • To monitor compliance with our policies and standards.
  • To ensure the security of our platforms and maintain back-ups of our databases.
  • To develop and improve our app and other related products and services.
  • For troubleshooting and customer support.
  • To confirm and verify your identity when you request to access, rectify, restrict or delete the information we hold on you.
  • To reply to any requests, complaints, comments, or enquiries you submit to us regarding our services and notify you about changes to our service.
    For record keeping purposes.

In addition to the above-mentioned specific purposes for which we process your personal data, we may also process any of your personal data where such processing is necessary for compliance with legal and regulatory requirements which apply to us, or when it is otherwise allowed by law, or when it is in connection with legal proceedings.

Legal basis for processing your personal data.

We process your personal data based on one or more of the following legal bases:
  • Contractual Necessity: Processing is necessary for the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
  • Legal Obligations: Processing is necessary to comply with our legal obligations.
  • Legitimate interests: Processing is necessary for our legitimate interests or the legitimate interests of a third party provided that such interests are not overridden by your rights and interests.
  • Consent: Processing is based on your explicit consent which you can withdraw at any time.

Disclosure of personal data 

In general, we do not share your personal information with third parties (other than service providers acting on our behalf) unless we have a lawful basis for doing so.

Copia may share your personal data with its Affiliates (Affiliates may include companies within the same group, our parent company and any subsidiaries, joint venture partners or other companies that we control or that are under common control with us), and such third-party service providers to assist us in fulfilling our responsibilities regarding our relationship with you and for the purposes listed above. When we share your data, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of your personal data.

  • We may also make certain personal data available to third-party companies that provide us with software and tools relevant to our business operations.

We are also required to disclose your personal data to other third parties such as lawyers, bankers, consultants, auditors as well as public and government authorities where:

  • We have a duty or a right to disclose in terms of law or for national security and/or law enforcement purposes;
  • We believe it is necessary to protect our rights;
  • We need to protect the rights, property or personal safety of any member of the public or a customer of our company or the interests of our company; or
  • You have given your consent.

We require our service providers and other third parties to keep your personal data confidential and that they only use the personal data in furtherance of the specific purpose for which it was disclosed. We have written agreements in place with our processors to ensure that they comply with these privacy terms.

Transfer Personal data outside Kenya

We may transfer, or store, your personal data outside our respective jurisdictions as may be necessary for the purposes mentioned above.

These transfers would always be made in compliance with the data protection laws. Data transfers do not change any of our commitments to safeguard your privacy and your personal data remains subject to existing confidentiality obligations.

If we transfer your personal data to other countries which provide a lower level of protection, we will ensure that there are appropriate safeguards in place with regard to the protection of your personal data.

If you would like further details on the transfer of your personal data outside our respective jurisdictions, please contact our Data Protection Officer (hereafter “DPO”) (refer to Section 11.1).

Personal data security 

We prioritise the security of your personal data and take appropriate technical and organisational measures to protect it from unauthorised access, disclosure, alteration, or destruction. We employ a combination of physical, administrative, and technological safeguards to ensure the confidentiality, integrity, and availability of your data. Here are some of the security measures we have implemented: Access controls, encryption, secure storage, incident response, and employee training amongst others.

Data Retention

We collect and process your personal data for the purposes mentioned above for no longer than necessary and for a period of 7 years after end of our engagement with you.

For data collected via cookies, to please refer to our Cookie Policy for the applicable retention periods.

CCTV images will be retained for a period adequate to fulfil the purposes specified. This will normally be for a maximum period of one month. After this period, the CCTV images will be automatically overwritten.

All personal data processed for payment purposes are retained for a period of 10 years after the end of our engagement with you.

All personal data processed during call recordings and for job candidates are retained for a period of 1 year.

We will delete your personal data as soon as the retention period has lapsed.  

Your data protection rights

You have certain rights regarding your personal data as detailed below and we are committed to respecting and facilitating the exercise of these rights:

  • Right of Access: You have the right to request access to the personal data we hold about you. This includes the right to obtain confirmation of whether we process your personal data and to receive a copy of that information.
  • Right to Rectification: If you believe that the personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it.
  • Right to Erasure: In certain circumstances, you may have the right to request the erasure of your personal data. This includes situations where your personal information is no longer necessary for the purposes for which it was collected, or you withdraw your consent and there is no other legal basis for processing.
  • Right to Restriction of Processing: You have the right to request the restriction of processing of your personal data under certain conditions. This means we will temporarily suspend the processing of your personal data, such as when you contest its accuracy or when you object to the processing.
  • Right to Data Portability: If the processing of your personal information is based on your consent or the performance of a contract, you may have the right to request a copy of your personal information in a structured, commonly used, and machine-readable format. You may also have the right to transmit this data to another data controller.
  • Right to Object: You have the right to object to the processing of your personal data for certain reasons, such as direct marketing or legitimate interests. If you exercise this right, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to Withdraw Consent: If we rely on your consent as the legal basis for processing your personal data, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

To exercise your rights or if you have any privacy-related inquiries or complaints, please contact us using the information provided at the end of this notice. We will respond to your request as required by applicable data protection laws.

Changes to this privacy notice

We may update this notice from time to time to reflect best practices in data management, security and control and to ensure compliance with any changes or amendments made to the data protection laws and any laws or regulations thereof. The latest version will also be available on our website. We encourage you to periodically review this notice to be informed of how we are using and protecting your personal data.

Contact details

The primary point of contact for questions relating to this privacy notice, including any requests to exercise your legal rights, is our DPO who can be contacted:

  • by post, Tatu City Industrial Park, ALP North, 2 Ruiru Kamiti Road, Ruiru, Kenya
  • by email, [email protected]

The personal data we hold about you must be accurate and correct. Please keep us informed if your data changes during your relationship with us. 

If you believe we have not handled your request appropriately, you have the right to complain to the relevant supervisory authority.