Date: 12 July 2021;  version: 1.0

Our view

CarePay has the mission to give everyone the power to care by enabling mobile access to healthcare services. For this purpose, we operate the M-TIBA digital marketplace and in doing so we handle personal data of marketplace users. Processing personal data comes with responsibilities on privacy, confidentiality, access and consent, which we take seriously.

CarePay endorses and seeks to comply with applicable data protection laws. In Kenya, this is the Kenya Data Protection Act (KDPA), while we also observe the principles of the European General Data Protection Regulation (GDPR) throughout the CarePay group. We design our services to be compliant with the KDPA and GDPR and ensure we process personal data with a legal basis and in accordance with the processing purpose, while respecting your right to privacy.

To protect the personal data of M-TIBA marketplace users, our marketplace has built-in technical safeguards. We use up-to-date knowledge and tools to protect data in line with industry standards. We continuously evaluate the security of our systems and processes to improve them where necessary.

Privacy Statement

Introduction
CarePay endeavours to process your personal data carefully, securely, and confidentially. It is important to us that you have confidence in our organisation regarding the processing of personal data. This privacy statement is intended for users of the M-TIBA digital marketplace and provides information about the processing of personal data through our marketplace’s web-portals and online applications. Information on the processing of personal data of users of other services and products delivered via our M-TIBA platform is provided in our Terms of Service.

What is personal data?
Personal data are all data that can be traced back to a person. Examples include your name, address, telephone number and account number. Where we can, we pseudonymise your personal data so that it is no longer directly traceable to you as a person.

Which personal data do we process and why?
We process your personal data to enable and enhance your use of the marketplace and to enable you to purchase health products on the marketplace. To know whether our marketplace can be visited properly, gain insights on visitor behaviour and to locate and address root causes of errors, we process user actions (using cookies), IP address, location information and device details, in each case in pseudonymised form. This way we can provide our users a seamless experience, update the marketplace functionalities where necessary and expedite solving technical errors, while limiting the impact on your privacy. To purchase products on the marketplace, you need to create an M-TIBA account or log in using your existing M-TIBA account, following which we process the know-your-customer data required by vendors of the products on the marketplace. This data may include your full name, date of birth, gender, mobile number, email address, National ID number (copy of National ID or passport) and tax identification number. To facilitate your purchase on the marketplace, we also process which product you purchase, which limit applies and how many dependents you cover (if any) and their know-your-customer data. With your M-TIBA account you will be able to use the M-TIBA platform to view the details of products purchased on the marketplace.

Which parties process personal data for us?
CarePay has engaged various third-party processors for the processing of personal data on the web-portals and online applications of our marketplace. This includes AWS (Amazon Web Services) as host of our marketplace on their cloud servers, meaning AWS processes the marketplace data, including personal data. We apply tools to process and analyse user actions to provide insights on the use of our marketplace and improve the marketplace user experience. We also use other third-party processors to enable us to develop, operate and monitor our marketplace, including automated extraction of know-your-customer data from your National ID or passport and enabling payment for the purchased product, as well as solve technical errors. As the marketplace is under development, these parties may change from time to time. You can contact us for an up-to-date overview and further information.

What is the legal basis for processing and how do we limit impact on your privacy?
The legal basis we use to process your personal data when visiting the marketplace is the legitimate interest of CarePay to develop, operate and improve its marketplace web-portals and online applications. We take the following measures to limit the impact of our data processing on your privacy:

  • Where it is not important for us to know exactly who the marketplace user is, we process user data in pseudonymised form.
  • We use processors who have privacy/security policies and offer a data processing agreement with standard contractual clauses safeguarding data privacy.
  • The processors may only process your personal data to support us in developing, operating and improving the marketplace.

The legal basis we use to process your personal data in connection with the purchase of a product on our marketplace is the Marketplace Terms of Use contract between us.

Who is the data controller for the processing of personal data?
CarePay is the data controller for the processing of personal data on the marketplace:

CarePay Kenya Limited
114 East Manyani,
off James Gichuru,
Nairobi, Kenya.

Do we share your data with other parties?
Your personal data will be treated confidentially and will only be processed for the purposes set out in this statement. To enable the purchase of a product, we share the personal data required for such purchase with the relevant vendor. Where necessary to develop, operate and improve the marketplace web-portals and online applications, we share data with our third-party processors as described in this statement and with other CarePay group entities supporting the marketplace (including M-TIBA Agencies, which facilitates the sale of insurance products on the marketplace). In addition to Nairobi, Kenya, CarePay currently has operational offices in Amsterdam, the Netherlands, and Lagos, Nigeria. All CarePay group entities apply appropriate safeguards using commercially reasonable efforts and are a party to a data sharing agreement with clauses safeguarding data privacy. CarePay is sometimes obliged to provide personal data pursuant to legal obligations, such as public investigations.

How do we protect your data?
We collect your data in pseudonymised form as much as possible. We further use commercially reasonable efforts in applying various technical and organisational measures to prevent the personal data from being misused. These measures include, for example, the encryption of data and training our employees on data privacy.

Where is personal data processed and for how long?
The M-TIBA marketplace is hosted on AWS’ European cloud servers and as such marketplace data is processed in Europe. Other third-party processors supporting our marketplace process data on their own servers which may have various locations. Data is also processed in CarePay’s various offices. In each case, all processing is subject to contractual clauses safeguarding data privacy and is only done for as long as necessary for the purpose of developing, operating, and improving the marketplace. You can contact us for any further information on this.

Third-party websites and the internet
Our marketplace may contain links to third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we do not accept any responsibility or liability for these websites or policies. The transmission of information over the internet is not completely secure. If you provide us with information over the internet, any transmission is at your own risk. However, once we receive your information, we use commercially reasonable efforts to prevent unauthorised access to your personal data.

What rights do you have?
CarePay considers it important that marketplace users can properly exercise their rights under data protection laws. In summary, you have the following rights:

  • The right of access: you have the right to see which of your personal data we process.
  • The right of rectification: if your personal data we process are not correct, you have the right to have them adjusted.
  • The right of erasure: if we no longer need your personal data for the purpose for which they were collected, you have the right to ask us to delete them. There are several exceptions to this, such as our obligation to retain certain data, for example for statutory legal or tax requirements.
  • The right to object: it is possible to object to the processing of your personal data based on our legitimate interest, after which a balancing of interests will follow.
  • The right of restriction: during the period that we are in the process of determining whether your data should be rectified, determining the unlawfulness of data processing, determining whether data should be deleted or whether you have rightfully objected to the processing, you have the right to request a restriction of the processing.

How can you contact us and where can you file a complaint?
CarePay finds it important to have satisfied marketplace users. If you have any questions or issues on the CarePay marketplace, you can contact our customer support via 0800 721 253 and 0709 071 000. If you have any questions on the way we process your data or your rights in this respect or have a complaint or other remark related to your data, you can contact us via privacy@carepay.com. This will put you in contact with our Data Protection Officer who is appointed to safeguard compliance with the KDPA. When it comes to the protection of your personal data it is also possible to file a complaint with the supervisory authority, being the Office of the Kenya Data Commissioner (https://www.odpc.go.ke). We would appreciate you contacting us first to give us the opportunity to address and solve your complaint.

Modifications to marketplace and statement
CarePay may make changes to the marketplace and its functionalities and reserves the right to update this privacy statement accordingly. If the changes impact the processing of your personal data, we will inform you of such updates upon your next visit to the marketplace.