For the purposes of this Policy, “we”, “our” or “us” means Copia Kenya Limited.
Please note that the Copia Services are not intended for children and we do not knowingly collect data relating to children.
If you require further information about this Policy please contact:
ATTN: Privacy Manager, Copia Kenya Limited: email – [email protected]
Definitions and Legal References
Personal Data (or Data)
Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.
Sensitive Personal Data
Any data that reveals your race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details (i.e. your location), marital status, family details including names of your children, parents, spouse or spouses, your sex or the sexual orientation.
Usage Data
Information usually collected automatically through the Copia App or Copia website (or third-party services employed through our online platforms), which can include: the IP addresses or domain names of the computers utilized by the Users who use the Copia Services, or other location data of Users of the Copia Services (both digital and physical), the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page as part of the Copia Services) and the details about the path followed as part of the Copia Services with special reference to the sequence of pages visited, and other parameters about the device operating system.
User
The individual using the Copia Services (sometimes also referred to as a “data subject”).
Data Processor (or Data Supervisor)
The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of Copia as the Data Controller, as described in this Policy.
Data Controller (or Owner)
Copia is the Data Controller in respect of the Copia Services. This means that Copia alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Cookies
Small sets of data stored in the User’s device.
This Policy has been prepared in accordance with the Kenya Data Protection Act 2019.
Types of Data collected and how that Data is collected.
Among the types of Personal Data that the Copia Service collects, by itself or through third parties, there are: Cookies, Usage Data, first name, last name, phone number, email address, personal identification details, payment information and Data communicated while using the Copia Service.
We collect information from and about you including through:
- Direct interactions with us or through the Copia Agents;
- Automated technologies or interactions;
- Third parties or publicly available sources.
Complete details on each type of Personal Data collected are provided in the specific explanation texts shown prior to the Data collection.
Except for certain Usage Data (which is collected automatically when using the Copia Service), Personal Data is freely provided by the User, when using the Copia Services. Unless specified otherwise, all Data requested when you use the Copia Service is mandatory and if you do not provide this Data it may make it impossible for us to provide the Copia Services. In cases where we state that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Copia Services.
Users who are uncertain about which Personal Data is mandatory are welcome to contact us via email to [email protected] or via phone call to 0709 339 000.
Users are responsible for any third-party Personal Data obtained, published or shared through the Copia Services and you confirm that you have the third party’s consent to provide the Data to Copia or its Data Processor.
Legal basis of processing
We may process Personal Data relating to Users if one of the following applies:
- Users have given their consent for one or more specific purposes;
- provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations;
- processing is necessary for compliance with a legal obligation to which we are subject;
- processing is necessary for the purposes of the legitimate interests pursued by Copia or by a third party and your interests and fundamental rights do not override those interests.
In any case, we will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract. If you would like further information please contact us via email to [email protected] or via phone call to 0709 339 000.
The purposes of processing
By accepting the terms of this Policy, the User consents to the processing of his/her Personal Data, including Sensitive Personal Data where applicable.
The Data concerning the User is collected to allow the Owner to provide the Copia Services (for example, fulfilment of your Copia order), as well as for the following purposes: Analytics, Marketing, Contacting and Interaction with the User.
Place of processing and transfers of Data
The Data is processed at Copia’s operating offices and in any other places where the parties involved in the processing are located, for example where the Copia Agent is located.
Depending on the User’s location, data transfers may involve transferring the User’s Data to a country outside of Kenya. We will only transfer a User’s Sensitive Personal Data outside of Kenya with prior consent. If transfers out of Kenya occur, we share your Personal Data within the Copia group of companies only. We will also share User’s Personal Data with Data Processors located outside of Kenya in order for us to be able to provide the Copia Services to you, for example service providers such as Amazon Web Services and Flutterwave (see section on “Sharing data with third parties”).
Whenever we transfer your personal data out of Kenya, we ensure a similar degree of protection is afforded to it by ensuring that there are appropriate safeguards in place with respect to the security and protection of the Personal Data.
Sharing data with third parties
In some cases, the Data may be accessible to certain types of persons involved with the operation of the Copia Services (including administration, sales, marketing, legal, system administration) and certain third parties who perform functions on behalf of Copia and who are necessary for the performance of the Copia Services. These third parties may include, but are not limited to Copia Agents, payment gateways necessary to fulfil an order, back-up servers, third-party technical service providers, couriers used to deliver your order, hosting providers, IT companies, and communications agencies. The updated list of these parties may be requested from Copia at any time.
You will receive marketing communications from us if you have requested information from us or purchased goods from us and you have not opted out of receiving that marketing.
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.
Methods of processing Data
Copia takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data. The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition, we limit access to User’s Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process User’s Data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Personal Data shall be processed and stored for as long as required by the purpose it has been collected for.
- Personal Data collected for purposes related to the performance of a contract between Copia and the User shall be retained until such contract has been fully performed.
- Personal Data collected for the purposes of Copia’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding the legitimate interests pursued by Copia within the relevant sections of this Policy or by contacting Copia (please refer to the Contact section).
Copia may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn. Furthermore, we may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.
Once the retention period expires, Personal Data shall be deleted or anonymised. Therefore, please note that the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
The legal rights of Users
Users may exercise certain rights regarding their Data processed by Copia.
In particular, Users have the right to do the following:
- Withdraw their consent at any time: Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
- Object to processing of their Data: Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
- Access their Data: Users have the right to learn if Data is being processed by Copia, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
- Verify and seek rectification: Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
- Restrict the processing of their Data: Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, Copia will not process their Data for any purpose other than storing it.
- Have their Personal Data deleted or otherwise removed: Users have the right, under certain circumstances, to obtain the erasure of their Data from Copia.
- Receive their Data and have it transferred to another controller: Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract which the User is part of or on pre-contractual obligations thereof.
- Lodge a complaint: Users have the right to bring a claim before their competent data protection authority.
Details about the right to object to processing
Where Personal Data is processed for the purposes of the legitimate interests pursued by Copia, Users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users must know, however, that should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. To learn whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.
How to exercise these rights
Any requests to exercise User rights can be directed to Copia through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by Copia as early as possible and always within one month.
Additional information about Data collection and processing
The User’s Personal Data may be used for legal purposes by Copia in Court or in the stages leading to possible legal action arising from improper use of the Copia Services.
The User declares that they are aware that Copia may be required to reveal personal data upon request of public authorities.
Information not contained in this policy
More details concerning the collection or processing of Personal Data may be requested from Copia at any time. Please see the contact information in this Policy.
Changes to this Policy
Copia reserves the right to make changes to this Policy at any time by giving notice to its Users – as far as technically and legally feasible by posting a notice on the Copia App or Copia website or by updating the Copia catalogue. We may also send a notice to Users via any contact information that has been made available to Copia. Where you use the Copia App or Copia website it is strongly recommended to check back with these online services often, referring to the date of the last modification listed in this Policy.
Should the changes affect processing activities performed on the basis of the User’s consent, we shall collect new consent from the User, where required.
ATTN: Privacy Manager