1. POLICY STATEMENT

Hiview International Co. Ltd. (“Company”) understands that protecting the privacy and security of personal data is crucial in maintaining customer trust, complying with data protection laws and safeguarding sensitive information from unauthorized access or misuse. As an organization that values privacy and data security, we are committed to processing personal data responsibly, transparently and in accordance with applicable legal and regulatory frameworks, including the Data Protection Act, 2019.

We recognize that every individual has a constitutionally guaranteed right to privacy, including the protection of their personal and business information. Our commitment to data protection goes beyond mere compliance; we strive to foster a culture of trust, accountability and ethical data handling across all levels of our organization. We believe that individuals have the right to understand how their data is collected, used and safeguarded, and we uphold these rights in every aspect of our operations.

This Data Privacy Policy is built upon the following fundamental principles:

1. Lawful, Fair, and Transparent Processing – We collect and process personal data legally, fairly and in a transparent manner.
2. Purpose Limitation – We only collect data for specified, legitimate purposes and do not process it in a manner incompatible with those purposes.
3. Data Minimization – We only collect the personal data necessary for our business operations.
4. Accuracy – We strive to maintain accurate and up-to-date data.
5. Storage Limitation – We retain personal data only for as long as necessary to fulfill the intended purpose or as required by law.
6. Integrity and Confidentiality – We implement strong security measures to protect personal data from unauthorized access, loss or damage.
7. Accountability – We take responsibility for our data processing activities and continuously evaluate our policies and procedures to enhance data protection.

Our employees receive regular training on data privacy and security to ensure compliance with this policy. We continuously assess and improve our data protection practices in response to technological advancements, regulatory changes and emerging threats. Through this commitment, we aim to uphold the highest standards of data protection, ensuring that personal data is treated with care and respect while fostering trust among our customers, employees, partners and other stakeholders.

By implementing this Data Privacy Policy, we demonstrate our dedication to safeguarding personal data and respecting individuals’ rights. We invite all stakeholders to engage with us, provide feedback and collaborate in upholding the highest standards of data protection.

2. PURPOSE

This Data Privacy Policy establishes the framework for collecting, processing, storing and sharing personal data within Hiview International Co. Ltd. It ensures compliance with data protection laws, safeguards sensitive information and upholds the privacy rights of individuals. The purpose of this policy is to:

1. Define how personal data is collected, used and protected.
2. Ensure compliance with the Data Protection Act, 2019 and other applicable regulations.
3. Promote transparency in data processing activities.
4. Provide guidelines for secure data management and retention.
5. Establish mechanisms for handling data subject rights, complaints and breaches.

3. DEFINITIONS

For the purpose of this policy, the following definitions apply:

Personal Data: Any information relating to an identified or identifiable individual, including names, contact details, identification documents and financial records.

Data Subject: Any individual whose personal data is collected, stored or processed by the Company.

Processing: Any operation performed on personal data, including collection, recording, storage, use, sharing and deletion.

Third Party: Any external entity, including contractors, service providers and financial institutions that processes personal data on behalf of the Company.

Data Controller: The entity that determines the purposes and means of processing personal data.

Data Processor: Any person or organization that processes personal data on behalf of the Company.

Consent: Any freely given, specific, informed and unambiguous indication of a Data Subject’s agreement to the processing of their personal data.

Data Breach: Any unauthorized access, disclosure, alteration or destruction of personal data.

4. Scope and Applicability

This policy applies to all individuals whose data is collected, including but not limited to:

1. Customers opening accounts and engaging with our services.
2. Employees whose information is retained for administrative and operational purposes.

• Promotional staff (Models & Brand Promoters) whose data is used for marketing and branding.

1. Event attendees whose contact details, photos and videos may be collected.

This policy covers all personal data collected, stored, processed or transmitted by the Company in any format (electronic, paper, verbal) and applies to all operations within and outside Kenya in relation to Data Subjects located in Kenya. Employees, third-party representatives, agents, service providers, contractors and any associated entities handling personal data on behalf of the Company must comply with this policy.

5. Lawful Processing of Personal Data

Personal data will only be collected and processed when there is a lawful basis, including:

1. Contract Performance – Necessary for fulfilling a contract with the Data Subject.
2. Legal Compliance – To meet regulatory obligations.

• Legitimate Interests – Where processing is necessary for the Company’s legitimate business operations and does not override Data Subject rights.

1. Consent – When required, explicit consent will be obtained before processing personal data.

6. Data Collection and Processing

This section outlines how the Company collects, processes, stores and protects personal data for different data subjects, including customers, employees, promotional staff and event attendees.

• Customer Information

6.1.1 Data Collection

1. Through Customer Update Forms & Credit application forms (physical and online submissions via email).
2. Direct communication with sales representatives.

• Financial transactions and account activity.

6.1.2 Data Collected

1. Full Name
2. Contact Details (Phone, Email, Physical Address)

• Business Information (Company Name, Registration Number, Trade Name, Date Established, shareholding and particulars of the director-shareholder(s)/proprietor)

1. Identification Documents (National ID, Passport, Certificate of Incorporation/Business Registration)
2. Financial Records (Bank Statements)
3. Tax Registration Documents (KRA PIN Certificate)

• Trade References

6.1.3 Purpose of Collection

1. Account opening and verification.
2. Credit assessment and risk evaluation.

• Communication regarding transactions, promotions and company updates.

1. Compliance with legal and regulatory obligations.

6.1.4 Data Security Measures

1. Customer data is securely stored in the finance system and in physical files.
2. Access to data is restricted to authorized personnel only.

• Physical files are kept in secure storage with controlled access.

1. Regular audits to ensure data integrity and compliance.

6.1.5 Data Sharing and Consent

Customer data may be shared with;

1. Financial institutions for credit processing only with explicit consent.
2. Legal authorities upon official request and in compliance with data protection laws.

• Third-party service providers under strict confidentiality agreements and with prior customer consent. Customers will be informed and required to provide written consent before their data is shared externally.

6.1.6 Retention and Deletion

1. Customer data is retained as long as the account remains active or as required by law.
2. Upon closure, data is securely deleted unless retention is required for legal, tax or regulatory purposes, such as financial record-keeping, audits or dispute resolution.

• Customers may request data deletion where legally permissible.

6.2    Employee Information

6.2.1 Data Collection

1. Through job applications and recruitment forms (physical and online submissions).
2. Employee records maintained by HR and finance teams.

• Performance and disciplinary evaluations.

6.2.2 Data Collected

1. Full Name

1. Contact Information
2. Employment Records and Contracts
3. Banking Details for Salary Processing
4. National ID/Passport
5. Next of Kin information
6. Performance and Disciplinary Records
7. Photos and Videos for Internal and Marketing Purposes

6.2.3 Purpose of Collection

1. Payroll processing
2. Performance management and HR functions.
3. Legal compliance and internal security.
4. Marketing and branding (where applicable).

6.2.4 Data Security Measures

1. Employee records are securely stored in the finance system and in physical files.
2. Access is restricted to HR and finance personnel.

• Sensitive information (e.g., banking details) is stored securely.

1. Employees are trained on data protection and confidentiality.

6.2.5 Data Sharing

1. Payroll data may be shared with financial institutions.
2. Legal authorities upon request.
3. Marketing team for promotional use with explicit consent.

6.2.6 Retention and Deletion

1. Employee records are retained during employment and thereafter for a reasonable period after termination.
2. Sensitive data is deleted after the retention period expires.

6.3    Promotional Staff (Models & Brand Promoters)

6.3.1 Data Collected

1. Full Name

1. Contact Information

• Photos and Videos for Internal and Marketing Purposes

1. Contracts and Payment Details

6.3.2 Purpose of Collection

1. Marketing and promotional campaigns.

1. Payment processing and contract management.
2. Legal compliance and record-keeping.

6.3.3 Data Security Measures

1. Secure storage of contracts and payment records.

1. Restricted access to marketing and finance teams.
2. Consent-based use of images and videos for an agreed period of time.

6.3.4 Data Sharing

1. Marketing agencies and advertisers under confidentiality agreements.

1. Public platforms (social media, websites, advertisements) with prior consent.

6.3.5 Retention and Deletion

1. Data is retained for the duration of contracts and a reasonable period for marketing records.
2. Upon request, personal details and images may be removed from marketing materials where possible. Previously published content may not always be retractable.

6.4   Event Attendees

6.4.1 Data Collected

1. Full Name

1. Contact Information (Phone, Email)
2. Photos and Videos from Events

6.4.2 Purpose of Collection

1. Communication and follow-up on event-related matters.

1. Marketing and promotional use.
2. Record-keeping and analysis for future events.

6.4.3 Data Security Measures

1. Contact details are stored securely and not shared without consent.

1. Event images are used publicly only after consent is obtained.
2. Attendees have the right to request removal of their images from company platforms.

6.4.4 Data Sharing

1. Event photos/videos may be shared on social media, websites and marketing materials.

1. Contact details are NOT shared with third parties without explicit consent.

6.4.5 Retention and Deletion

1. Contact details are retained only for event-related communications.

1. Photos and videos for which an attendee has consented to the sharing will remain in use unless a removal request is submitted.

7. Obtaining Consent

The Company obtains consent from data subjects through various methods, ensuring that consent is freely given, informed and recorded appropriately. Consent may be obtained through:

• Written agreements
• Telephone communication
• Email correspondence
• Online messaging and/or SMS
• Video and/or audio recordings
• Filled and signed forms
• Disclaimer notices on webpages

1. Consent obtained for one purpose cannot automatically be applied to all uses.
2. Preliminary verbal consent should be sought at the point of initial contact when personal or sensitive data needs to be recorded. Verbal consent must be documented in the appropriate fields of a computer record or stated in an email for future reference. Although written consent is preferred, verbal consent is the minimum requirement and must be documented and shared with the data subject.

• If the data subject is under 18 years old (legal minor), parental/guardian consent must be obtained before processing their personal data.

1. For photographs and/or videos, written consent must be obtained before use in any materials, including but not limited to:

• Publicity materials
• Press releases
• Social media platforms
• Websites

1. Consent must also specify whether the individual’s name can be published alongside media content. Data subjects have the right to withdraw consent at any time in writing.

1. Use of Files, Books, and Paper Records & Disposal

The Company maintains strict protocols for handling physical records, ensuring the security and confidentiality of personal data stored in files, books, and paper records.

8.1 Storage & Access Control:

1. Physical records containing personal data are stored in locked cabinets or restricted-access areas.
2. Only authorized personnel have access to sensitive documents.

• Physical files are logged and monitored to prevent unauthorized access.

8.2 Disposal of Physical Records:

1. When physical records reach the end of their retention period, they must be securely destroyed.
2. Sensitive documents containing personal data will be shredded or disposed of in a manner that prevents reconstruction.

• Corresponding digital records will also be deleted or anonymized as per retention policies.

1. Physical records that no longer serve a legal or business purpose must not be stored beyond their necessary retention period. Employees handling physical records are responsible for ensuring compliance with these disposal guidelines.

9. Complaints Handling Mechanism & Privacy Breaches

The Company shall ensure compliance with data protection laws through its internal policies and designated personnel. Any data-related concerns, access requests or complaints regarding personal data processing should be directed to the Company’s official contact point:

Hiview International Co. Ltd.

1. O. Box 88-00623 Nairobi Kenya

info@hiviewinternational.com

9.1 Reporting a Data Breach:

1. Any suspected or actual data breach must be reported immediately to the designated personnel responsible for data protection.
2. The Company is required to notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of discovering a data breach that poses a risk to personal data security.

• Where a data breach is likely to result in harm to a Data Subject, the affected individuals will also be notified in a timely manner.

2019. The Company will investigate all complaints and breaches promptly and take necessary corrective measures in line with the Data Protection Act, 2019.
2020. Data Subjects may submit complaints regarding their personal data processing. Complaints will be acknowledged within 7 working days and resolved within 30 working days. If dissatisfied, Data Subjects may escalate the complaint to the ODPC.

10. Duty to Notify

The Company is committed to transparency and will notify data subjects in the event of:

1. Significant changes to this policy that affect how personal data is processed.
2. Any data breach that poses a risk to personal data security.

• Changes in regulatory requirements that impact data protection practices.

Notifications will be communicated through appropriate channels including email, official notices or updates on the Company’s website.

11. Consent and Rights of Data Subjects

Individuals have the right to:

1. Access their personal data and request corrections or updates.
2. Withdraw consent for marketing, photography or data processing.
3. Request data deletion where legally permissible.
4. Lodge complaints regarding data misuse.

12. Policy Review & Updates

This policy shall be reviewed every three (3) years and/or when the need arises due to regulatory updates, business changes or emerging risks.