Data & Privacy Policy

We collect personal data when you interact with our website, visit our offices, contact our staff, or subscribe to our communications. The categories of data we may collect include:

• Full name, national ID number
• Phone number, email address, postal address
• Bank account and payment card details (for transaction processing)
• PIN and authentication credentials (encrypted at all times)
• CCTV footage captured on our premises
• Correspondence and communications records

We collect and process personal data on the following lawful bases:

• Consent where you have expressly agreed to processing
• Contract to fulfill our obligations under agreements with you or your institution
• Legal obligation to comply with the Data Protection Act 2019 and CBK regulations
• Legitimate interests for marketing communications to existing partners, analytics to improve our services, and fraud prevention across the payment network

We share personal data only where necessary and proportionate:

• Network member institutions involved in processing your transactions
• Visa International and card scheme partners, for card processing purposes
• Technology service providers operating under strict data processing agreements
• Statutory authorities including CBK, KRA, and law enforcement when required by law

We do not sell, rent, or trade personal data to third parties for commercial purposes.

Kenswitch maintains a comprehensive information security programme including:

• PCI DSS Level 1 certification for all cardholder data environments
• ISO 27001:2013 accreditation for information security management
• 256-bit TLS encryption for all data in transit
• Role-based access controls and privileged access management
• Regular penetration testing and security assessments by independent auditors
• Staff training and data protection awareness programmes
• Documented incident response and breach notification procedures

Under the Data Protection Act 2019, you have the right to:

• Withdraw consent at any time, without affecting prior processing
• Access a copy of the personal data we hold about you
• Object to processing based on legitimate interests
• Correct inaccurate or incomplete personal data
• Request deletion of your data (subject to legal retention obligations)
• Restrict processing in certain circumstances
• Data portability — receive your data in a structured, machine-readable format
• Not be subject to solely automated decision-making with significant effects
• Lodge a complaint with the Office of the Data Protection Commissioner (ODPC)

To exercise any of these rights, contact our Data Protection Officer (see Section 08).

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Transaction records are retained for a minimum of seven years in compliance with CBK regulations. CCTV footage is retained for 30 days unless required for an investigation.

Where it is necessary to transfer personal data outside Kenya (for example, to Visa's international processing infrastructure), we ensure such transfers are conducted with appropriate safeguards, including ODPC approvals where required, and standard contractual clauses that ensure equivalent levels of protection.

Our designated Data Protection Officer is available to address any queries, requests, or complaints relating to the processing of personal data by Kenswitch.