Website Privacy Statement

Date: 27 July 2021; version: 1.0

Our view

CarePay (M-TIBA) has the mission to give everyone the power to care by enabling mobile access to healthcare services. On our website, www.mtiba.com, you can find information on the CarePay (M-TIBA) platform and other aspects of our business. We process the personal data of visitors to our website as well as users of our platform. Processing personal data comes with responsibilities on privacy, confidentiality, access, and consent, which we take seriously.

CarePay endorses and seeks to comply with applicable data protection laws. In Kenya, this is the Kenya Data Protection Act (KDPA), while we also observe the principles of the European General Data Protection Regulation (GDPR) throughout the CarePay group. We design our services to be compliant with the KDPA and GDPR and ensure we process personal data on a legal basis and in accordance with the processing purpose while respecting your right to privacy.

Privacy Statement

Introduction
CarePay endeavors to process your personal data carefully, securely, and confidentially. It is important to us that you have confidence in our organization regarding the processing of personal data. This privacy statement is intended for visitors of the mtiba.com website and provides information about the processing of personal data through this website. Information on how we process personal data of users of the CarePay (M-TIBA) platform and the services and products delivered via our platform is provided by another means, for example, our country-specific platform privacy statement and platform terms of service.

What is personal data?
Personal data are all data that can be traced back to a person. Examples include your name, address, telephone number, and account number. Where we can, we pseudonymize your personal information so that it is no longer directly traceable to you as a person.

Which personal data do we process and why?
We process your personal data to enable and enhance your use of our website. To know whether our website can be visited properly, which pages are visited and which errors occur, we monitor website traffic and process your actions on the website (using cookies), IP address, location information, and details of your device, in each case in pseudonymized form. This way we can provide website visitors a seamless experience, update the website where necessary, and expedite solving technical errors while limiting the impact on your privacy.

Which parties process personal data for us?
CarePay engages Google Analytics to provide insights on how you use our website and enable us to improve the website and your user experience.

What is the legal basis for processing?
The legal basis we use to process your personal data on the website is the legitimate interest of CarePay to run and improve its website. We take the following measures to mitigate the impact on the privacy of the website visitor:

  • Where it is not important for us to know exactly who the website visitor is, we process visitor data in pseudonymized form.
  • We offer you the opportunity upon visiting the website to opt-out of the processing of your personal data by Google Analytics.
  • We use processors who have privacy/security policies and offer a data processing agreement with standard contractual clauses safeguarding data privacy.
  • The processors may only process your personal data to support us in running our website.

Who is the data controller for the processing of personal data?
CarePay is the data controller for the processing of personal data through the website:

CarePay Limited
114 East Manyani,
off James Gichuru,
Nairobi, Kenya

Do we share your data with other parties?
Your personal data will be treated confidentially and will only be processed for the purpose of running and improving our website. Where necessary for this purpose, we share the data with our third-party processors as described in this statement and with other CarePay group entities. All CarePay group entities apply appropriate safeguards using commercially reasonable efforts and are a party to a data-sharing agreement with clauses safeguarding data privacy. CarePay is sometimes obliged to provide personal data pursuant to legal obligations, such as public investigations.

How do we protect your data?
We collect your data in the pseudonymized form as much as possible. We further use commercially reasonable efforts in applying various technical and organizational measures to prevent personal data from being misused. These measures include for example the encryption of data and training our employees on data privacy.

Where is personal data processed and for how long?
We host our website on our private server in Kenya. Google Analytics processes data on its own servers in various locations. In each case, all processing is only done for as long as necessary for the purpose of running and improving our website.

Third-party websites and the internet
Our website may contain links to third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we do not accept any responsibility or liability for these websites or policies. The transmission of information over the internet is not completely secure. If you provide us with information over the internet, any transmission is at your own risk. However, once we receive your information, we use commercially reasonable efforts to prevent unauthorized access to your personal data.

YouTube
Our website may contain YouTube videos. Google (who owns YouTube) collects personal data from visitors on pages that contain these videos.

What rights do you have?
CarePay considers it important that website visitors can properly exercise their rights under data protection laws. In summary, you have the following rights:

  • The right of access: you have the right to see which of your personal data we process.
  • The right of rectification: if the personal data we process is not correct, you have the right to have them adjusted.
  • The right of erasure: if we no longer need your personal data for the purpose for which they were collected, you have the right to ask us to delete them. There are several exceptions to this, such as our obligation to retain certain data, for example for statutory legal or tax requirements.
  • The right to object: it is possible to object to the processing of your personal data, after which a balancing of interests will follow.
  • The right of restriction: during the period that we are in the process of determining whether your data should be rectified, determining the unlawfulness of data processing, determining whether data should be deleted, or whether you have rightfully objected to the processing, you have the right to request a restriction of the processing.

How can you contact us and where can you file a complaint?
CarePay finds it important to have satisfied website visitors and platform users. If you have any questions on the way we process your data or your rights in this respect or have a complaint or other remark related to your data, you can contact us via privacy@carepay.com. This will put you in contact with our Data Protection Officer who is appointed to safeguard compliance with the KDPA. When it comes to the protection of your personal data it is also possible to file a complaint with the supervisory authority, being the Office of the Kenya Data Commissioner (https://www.odpc.go.ke). We would appreciate you contacting us first to give us the opportunity to address and solve your complaint.

Modifications to website and statement
CarePay may make changes to the website and its features and reserves the right to update this privacy statement accordingly. If the changes impact the processing of your personal data, we will inform you of such updates upon your next visit to the website.