Privacy Policy

PRIVACY NOTICE 

We respect your privacy and are committed to keeping your personal information and other data confidential and secure.

Your personal data is important to us, and we want to make sure you know how we use and protect it. Personal data is information that either identifies you or is about you as an individual. In this privacy notice, we’ll explain how we collect, share, and process your personal data. We’ll also tell you about your rights and how you can exercise them. From time to time, we may also provide you where relevant, with additional privacy information in a separate notice for specific channels, products, services, businesses and activities. 

In this privacy notice, the relevant data controllers for the personal data collected shall be KaziQuest Limited incorporated in Kenya and whose principal office in Kenya is at 4th Floor, Studio House. Marcus Garvey Rd Off Argwings Kodhek Road, P.O. Box 49264-00100, Nairobi (“KaziQuest”, “we”, “us” and “our”) and our contact details are provided under ‘How to get in touch’ section of this privacy notice. We are responsible for deciding the means and purposes for processing the personal data collected. 

We’ll update this privacy notice from time to time. You can find the current version date listed at the end of this privacy notice. If you have any questions or concerns about your personal data, please don’t hesitate to get in touch (you can find our details under ‘How to get in touch’ below).

 

A: What Types of Personal Data Do We Collect?

This privacy notice explains how KaziQuest HR and Payroll(“we,” “us,” or “our”) collects, uses, and protects your personal data.

Who Does This Policy Apply To?

This privacy notice explains how KaziQuest HR and Payroll (“we,” “us,” or “our”) collects, uses, and protects your personal data. It applies to the following individuals and entities:

  1. Individuals

This policy governs the processing of personal data of individuals in the following categories:

  1. Direct Users:
    • Employees: Individuals whose employers use KaziQuest for payroll, HR, and benefits management. This includes full-time, part-time, and temporary employees.
    • Job Applicants: Individuals using our platform to search and apply for jobs, including those who submit resumes, cover letters, and other application materials.
    • Independent Contractors and Freelancers: Individuals utilizing our platform for invoicing, payments, project management, and other business purposes.
    • Self-Employed Individuals: Individuals using our services for tax calculations, benefits management, or other business needs.
  2. Related Individuals:
    • Family Members: Spouses, partners, children, or other family members of employees whose information is provided for benefits enrolment, emergency contact purposes, or other legitimate reasons.
    • Beneficiaries: Individuals designated as beneficiaries on insurance policies or other benefit programs.
    • Dependents: Individuals who rely on an employee for financial support, such as children or other family members.
    • Emergency Contacts: Individuals designated as emergency contacts for employees.
    • Referees: Individuals providing references or recommendations for job applicants or other users.
  3. Other Individuals:
    • Website Visitors: Individuals who visit our website, regardless of whether they create an account or use our services. We may collect data from website visitors through cookies and other tracking technologies.
    • Individuals Contacting Us: Anyone who contacts us via phone, email, or other channels, including customer support inquiries and sales inquiries.
    • Research Participants: Individuals who participate in surveys, focus groups, or other research activities conducted by KaziQuest.
  1. Businesses and Organizations

This policy also applies to businesses and organizations as separate legal entities that use our services, register on our platform, or interact with us. We recognize that businesses have their own privacy interests and expectations regarding their confidential information.

We collect various types of business information, including:

  • Company Details: Name, address, contact information, industry type, registration number, tax identification number, and other identifying information.
  • Financial Information: Billing details, bank account information, credit history, and other financial data necessary for payment processing and service provision.
  • Business Operations Data: Number of employees, payroll information, benefits programs, and other data related to the company’s use of KaziQuest services.
  • Usage Data: Information about how the company uses our services, including features accessed, frequency of use, and other analytics data

Depending on your interaction with KaziQuest, we may collect the following types of personal data:

Personal Data We Collect

  • Data Collected from All Users:
    • Account Information: This includes your name, date of birth, login details, contact information (email, phone number, address), and government-issued identification numbers (where required). We may also collect information about your job title, education, work history, skills, and professional licenses or certifications.
    • Financial Information: This includes bank account information for salary payments or billing purposes, tax identification numbers, and other financial information required for processing payments or providing services.
    • Usage Data: This includes information about how you interact with our products and services, such as browsing behaviour, app usage, features accessed, and pages visited.
    • Location Data: This includes your device’s IP address or approximate location, which may be used to personalize services or for security purposes.
  • Data Collected from Employees (When your company uses KaziQuest for HR and Payroll):
    • Employment Information: This includes your job title, salary, start date, performance reviews, disciplinary records, work schedule, and other information related to your employment history and performance.
    • Payroll and Benefits Information: This includes payroll information, bank account numbers for direct deposit, tax withholding information, deductions for benefits or other purposes, and enrolment in health insurance, retirement plans, and other company benefits.
  • Data Collected from Job Seekers (When applying through a company using KaziQuest’s recruiting module):
    • Application Information: This includes your name, contact information, resume, cover letter, job history, education, references, skills, qualifications, and responses to application questions or assessments.
  • Data Collected from Businesses:
    • Company Details: This includes the company’s name, address, contact information, industry type, registration number, tax identification number, and other identifying information.
    • Financial Information: This includes billing details, bank account information, and other financial data necessary for payment processing and service provision.
    • Business Operations Data: This includes the number of employees, payroll information, benefits programs, and other data related to the company’s use of KaziQuest services.
    • Usage Data: This includes information about how the company uses our services.
  • Sensitive Personal Data:
    • In certain cases, we may collect sensitive personal data, such as racial or ethnic origin, gender, biometric data, health information, and criminal history. We will only collect this data with your explicit consent or where required by law.

 

B. Why Do We Collect Your Personal Data?

We collect your personal data for various reasons, all aimed at providing you with the best possible experience and ensuring the secure and efficient operation of our services. These reasons include:

  • Providing and Improving Services

We use your data to deliver and enhance our core services, such as:

    • Processing payroll accurately and on time.
    • Administering employee benefits, including health insurance and retirement plans.
    • Managing employee records efficiently and securely.
    • Facilitating recruitment processes, from posting job openings to onboarding new hires.
  • Managing Client Relationships

We use data to build strong relationships with our clients by:

    • Maintaining accurate and up-to-date client records.
    • Managing accounts and subscriptions effectively.
    • Communicating clearly about service updates, responding to inquiries, and resolving issues promptly.
  • Ensuring Secure and Smooth Operations

Your data helps us:

    • Run our daily business operations, including billing, account management, and customer support.
    • Process payments and payroll transactions securely and efficiently.
    • Verify identities and protect against unauthorized access to prevent fraud and misuse of our services.
  • Enhancing User Experience

We strive to continually improve your experience by:

    • Collecting and analysing feedback to understand your needs and preferences.
    • Studying usage patterns to enhance the performance of our systems and develop new features that make our services more user-friendly.
  • Meeting Legal and Regulatory Obligations

We collect and process data to comply with applicable laws and regulations, including:

    • Labor laws, tax regulations, and data protection laws.
    • Anti-money laundering (AML) and know your customer (KYC) regulations to prevent financial crimes.
    • Cooperating with requests from regulatory authorities and law enforcement agencies.
  • Protecting Our Rights and Interests

In some cases, we may use your data to:

    • Protect KaziQuest’s rights, property, and interests.
    • Respond to legal claims, disputes, or audits.
  • Supporting Corporate Transactions

If KaziQuest undergoes a merger, acquisition, or divestiture, your data may be used to:

    • Facilitate due diligence processes.
    • Ensure a smooth transition of services.

Legal Bases for Processing

We process your personal data based on one or more of the following legal grounds:

  • Consent: When you have given your explicit consent to the processing of your personal data for a specific purpose.
  • Contract: When processing is necessary to fulfil our contractual obligations to you or to take steps at your request before entering into a contract.  
  • Legal Obligation: When processing is necessary for us to comply with a legal obligation.
  • Legitimate Interests: When processing is necessary for the purposes of our legitimate interests, except where such interests are overridden by your interests or fundamental rights and freedoms.

C. When Do We Conduct Direct Marketing?

We want to keep you informed about our products and services, but we also respect your inbox and your time. We may use your contact information to send you marketing communications about:

  • New product releases and updates
  • Special offers and promotions
  • Helpful resources and tips related to HR and payroll
  • Upcoming events and webinars

We will only send you marketing communications if you have given us your consent. You can opt out of these communications at any time by clicking the “unsubscribe” link in any email or by contacting us directly.

How We Deliver Marketing Messages

We may use a variety of channels to deliver marketing messages, including:

  • Email
  • SMS
  • Telephone
  • Postal mail
  • Secure messages within our platform or mobile app
  • Social media

 

D. Who May We Share Your Personal Data With?

We understand the importance of keeping your personal data confidential and secure. We only share your data when necessary to provide our services, comply with legal obligations, or protect our legitimate interests. Here are the categories of recipients with whom we may share your data:

  1. People You Authorize

This includes individuals or organizations you’ve given permission to access your data, such as:

  • Your employer or their designated representatives.
  • Family members or beneficiaries you’ve designated for benefits or other purposes.
  • Third parties you’ve authorized to act on your behalf, such as accountants or legal representatives.
  1. Service Providers

We work with trusted service providers who assist us in delivering and improving our services. These partners are carefully vetted and contractually obligated to protect your data. Examples include:

  • Payment Processors: To securely process payroll and other financial transactions.
  • IT Support and Data Hosting Providers: To maintain our systems and securely store your data.
  • Communication Tools Providers: To facilitate communication with you through email, SMS, or other channels.
  • Background Check Providers: To conduct background checks for specific job roles, where permitted by law and with your consent.
  • Auditors: To conduct independent audits of our financial records and data processing practices.
  • Lawyers: To provide legal advice and representation on various matters, including data protection and compliance.
  1. Strategic Partners

We may share your data with strategic partners who help us enhance our services or provide you with additional value. This includes:

  • Referral Partners: Organizations that refer you to our services.
  • Benefit Providers: Companies that offer benefits programs, such as health insurance or retirement plans, through KaziQuest.
  • Technology Partners: Companies we collaborate with to integrate our services or develop new features.
  1. Financial Institutions

We may share your data with financial institutions to facilitate payroll, transactions, or credit checks, including:

  • Banks and saccos for direct deposit and payment processing.
  • Credit reference agencies to assess creditworthiness for certain services, where permitted by law and with your consent.
  1. Government and Legal Authorities

We may disclose your data to comply with legal obligations or assist in legal proceedings, such as:

  • Tax authorities for tax reporting and compliance.
  • Law enforcement agencies for investigations related to fraud, security threats, or other illegal activities.
  • Regulatory bodies to respond to inquiries or audits.
  • Courts and tribunals in connection with legal claims or disputes.
  1. Other Entities in Corporate Transactions

In the event of a merger, acquisition, or sale of our business, we may share your data with:

  • Potential buyers or investors to facilitate due diligence.
  • The new owners or operators of the business to ensure a smooth transition of services.

 

E. Where Do We Transfer Personal Data?

To provide our services effectively, we may need to transfer your personal data to locations outside of Kenya. We understand that data protection laws may vary in different countries, and we are committed to ensuring your data remains protected wherever it is processed.

International Data Transfers

Your data may be transferred to and processed in countries where we or our trusted partners operate. This may include countries outside of Kenya or the African Union.

Safeguards for International Transfers

When transferring your data internationally, we take steps to ensure its protection, including:

  • Compliance with Applicable Laws: We comply with all applicable data protection laws and regulations, including the Kenyan Data Protection Act and any relevant regulations governing international data transfers.
  • Adequacy Decisions: We may transfer data to countries that have been deemed to have adequate data protection laws by relevant authorities (e.g., the Kenyan Data Protection Commissioner).
  • Standard Contractual Clauses: When transferring data to countries without adequacy decisions, we use standard contractual clauses approved by relevant authorities. These clauses provide legal safeguards for your data.
  • Other Safeguards: We may also implement other safeguards, such as Binding Corporate Rules (BCRs) or approved codes of conduct, to ensure adequate protection of your data.

Examples of International Transfers

We may transfer your data internationally for the following purposes:

  • Data Hosting: Your data may be stored on servers located in different countries to ensure redundancy and disaster recovery.
  • Service Providers: We may use service providers located in other countries to assist with payment processing, IT support, or other services.
  • Global Operations: If you are an employee of a multinational company using KaziQuest, your data may be transferred to other countries where your company operates.

If you have any questions or concerns about international data transfers, please contact us using the details provided in this privacy notice.

 

F. How Do We Protect Your Personal Data?

We take the privacy and security of your personal data very seriously. We implement a variety of measures to protect your data from unauthorized access, use, disclosure, alteration, or destruction. These measures include:

  • Technical Safeguards:  
    • Encryption of data both in transit and at rest.
    • Access controls to limit who can access your data.
    • Firewalls and intrusion detection systems to prevent unauthorized access to our systems.
    • Regular security assessments and vulnerability scanning to identify and address potential risks.
  • Physical Safeguards:
    • Secure data centres with restricted access.
    • Physical security measures to protect against unauthorized entry.
  • Organizational Safeguards:
    • Data protection policies and procedures that govern how we collect, use, and store your data.
    • Employee training on data privacy and security best practices.
    • Confidentiality agreements with our employees and service providers.
    • Incident management and reporting procedures to address any data security incidents promptly.

G. How Long Do We Keep Your Personal Data?

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this privacy notice. Retention periods may vary depending on the type of data and legal requirements.  

Factors that influence our retention periods include:

  • Legal Obligations: We may be required to retain certain data for specific periods to comply with tax laws, labour laws, or other regulations.
  • Contractual Obligations: We may need to retain data to fulfil our contractual obligations to you.
  • Operational Needs: We may retain data for operational purposes, such as auditing, fraud prevention, and dispute resolution.

When your personal data is no longer needed, we will securely delete or anonymize it.

H. What are Your Personal Data Protection Rights?

You have the following rights regarding your personal data:

  • Right to Access: You have the right to request access to your personal data and information about how we process it.
  • Right to Rectification: You have the right to request correction of any inaccurate or incomplete personal data we hold about you.  
  • Right to Erasure (“Right to be Forgotten”): You have the right to request deletion of your personal data in certain circumstances, such as when it is no longer needed for the original purpose or when you withdraw your consent.  
  • Right to Restriction of Processing: You have the right to request restriction of processing of your personal data in certain circumstances, such as when you contest its accuracy or the lawfulness of processing.  
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.  
  • Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: If we process your data based on your consent, you have the right to withdraw your consent at any time.  

To exercise your rights, please contact us using the contact details provided in this privacy notice. We may need to verify your identity before processing your request.  

I. How to Get in Touch

Data Controller:

KaziQuest Limited

Address: Studio House, 4th Floor, Marcus Garvey Road Off Argwings Kodhek Road Kilimani, P.O. Box 49264-00100 G.P.O, Nairobi

Data Protection Officer:

The Data Privacy Officer

Address: Studio House, 4th Floor, Marcus Garvey Road Off Argwings Kodhek Road Kilimani, P.O. Box 49264-00100 G.P.O, Nairobi

Email: Data.ProtectionKE@kaziquest.com

Complaints:

If you have any concerns or complaints about how we are using your personal data, please contact us. You can also contact the Office of the Data Protection Commissioner in Kenya for further assistance at https://www.odpc.go.ke/.

This privacy notice was updated on 16 January 2025.