PRIVACY STATEMENT

1. Introduction

We are committed to protecting your privacy in accordance with Article 31 of the Constitution of Kenya, 2010 and the Data Protection Act, 2019 and its subsidiary Legislation. This privacy statement sets out how CPF Financial Services Limited, the Schemes it administers and all its subsidiaries (“CPF Group”) uses, processes, transfers and protects personal data provided by any user. This Privacy Statement applies to all website managed by CPF Group.

Please read the privacy statement for additional details into how CPF Group relates with its users on its website.

2. Interpretation and definitions
   • Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

• Definitions

For the purposes of this privacy statement:

1. Accountmeans a unique account created for you to access our website or parts of our website.
2. Cookiesare small files that are placed on your computer, mobile device, or any other device by a website, containing the details of your browsing history on that website among its many uses.
3. Countryrefers to Kenya
4. IP Address means Internet Protocol address, browser type, browser version, the pages on our website that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data
5. Personal datais any information that relates to an identified or identifiable individual.
6. Websiterefers to the CPF Group websites namely: https://cpf.or.ke/ https://lib-insurance.co.ke/ https://www.laser.or.ke/ https://www.laptrust.or.ke/ and https://cpfconsulting.or.ke/ as well as the Staff, Member and Sponsor Portal.
7. Service providermeans any natural or legal person who processes the data on behalf of the company. It refers to third-party companies or individuals engaged by the company to facilitate a service, to provide a service on behalf of the company, to perform services related to the service or to assist the company in analysing how the service is used.
8. Third-party social media servicerefers to any website or any social network website through which a user can log in or create an account when accessing the website e.g. Facebook, Instagram, Twitter, LinkedIn, and WhatsApp.
9. Usage datarefers to data collected automatically, either generated using the website or from the website infrastructure itself (for example, the duration of a page visit).
10. “We”, “Us” “CPF Group” or “Our” refers to CPF Financial Services Limited, the Schemes it administers and all its subsidiaries (LIB, LITES and LASER).
11. Youmeans the individual accessing or using the website.
12. Collecting and using your personal data
    • Types of data collected

While using our website, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:

• Email address;
• First name and last name;
• Phone number;
• Address, state, province, zip/postal code, city; and
• Usage data.

• Usage data

Usage data is collected when using the website upon accepting the necessary cookies. Usage data may include information such as your device IP address, browser type, browser version, the pages that you visit on the website, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

If you access the website using a mobile device, we collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile internet browser you use, unique device identifiers and other diagnostic data.

We also collect information that your browser sends whenever you visit our website or access the website using an electronic device.

• Information from third-party social media services

We allow you to create an account and log in to use the website through third-party media services. If you decide to register through or otherwise grant us access to a third-party social media service, we may collect personal data that is already associated with your third-party social media service’s account, such as your name, your email address, your activities, or your contact list associated with that account.

You also have the option of sharing additional information through your third-party social media service’s account. If you choose to provide such information and personal data, during registration or when contacting us, you are giving us permission to use, share, and store such data in a manner consistent with this privacy statement.

• Tracking technologies and cookies

We use cookies and similar tracking technologies to track activity on our website, storing and honouring your preferences and settings, enabling you to sign in, providing interest-based advertising, combating fraud, analysing how our products perform, and fulfilling other legitimate purposes. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse our website. The technologies we use includes:

• Cookies or browser cookies. A cookie is a small file placed on your device. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some parts of our website. Unless you have adjusted your browser setting so that it will refuse cookies, our website may use cookies.
• Flash cookies. Certain features of our website may use local stored objects (or flash cookies) to collect and store information about your preferences or your activity on our website. Flash cookies are not managed by the same browser settings as those used for browser cookies.
• Web beacons. Certain sections of our website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us to, for example, count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).

Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser. We use both session and persistent cookies for the purposes set out below:

• Necessary / essential cookies type: session cookies administered by: us purpose: these cookies are essential to provide you with services available through the website and to enable you to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Failure to consent to the use of these cookies, results in the inability to provide services you may request.
• Cookies statement / notice acceptance cookies type: persistent cookies administered by: us purpose: these cookies identify if users have accepted the use of cookies on the website.
• Functionality cookies type: persistent cookies administered by: us purpose: these cookies allow us to remember choices you make when you use the website, such as remembering your login details or language preference. The purpose of these cookies is to provide you with a more personal experience and to avoid you having to re-enter your preferences every time you use the website.

For more information about the cookies we use and your choices regarding cookies, please visit our cookies statement at https://cpf.or.ke/cookies-statement/.

• How to access your own data

You have a variety of tools to control the data collected by cookies, web beacons, and similar technologies such as using controls in your internet browser to limit how the websites you visit can use cookies and to withdraw your consent by clearing or blocking cookies.

You can also make choices about the collection and use of your data by CPF group. You can control your personal data that has been obtained, and exercise your data privacy rights, by contacting us or using various tools we provide. In some cases, your ability to access or control your personal data will be limited, as required, or permitted by applicable law. How you can access or control your personal data will also depend on which products or services you have subscribed to or accessed. For example, you can Opt-out of receiving promotional emails, SMS messages, telephone calls, and postal mail from us.

Not all personal data processed by us can be accessed or controlled. If you want to access or control personal data processed that is not available via the tools stated above, you can always contact us at the address at the end of this privacy policy or by using our contact web form.

• Use of your personal data

The company may use personal data for the following purposes:

• To provide and maintain our website: including to monitor the usage on the website.
• To manage your account: to manage your registration as a user. The personal data you provide can give you access to different functionalities that are available to you as a registered user.
• For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items, or services you have purchased or of any other contract with us.
• To contact you: to contact you by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products, or contracted services, including the security updates, when necessary or reasonable for their implementation.
• To provide you with news, special offers and general information about other goods, services, and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information.
• To manage your requests: to attend and manage your requests to us.
• For business transfers: we may use your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by us about our users is among the assets transferred.
• For other purposes: we may use your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our website, products, services, marketing, and your experience.

We may share your personal information with your consent in the following situations:

• For business transfers: we may share or transfer your personal information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• With affiliates: we may share your information with our affiliates, in which case we will require those affiliates to honour this privacy statement. Affiliates include the schemes we administer, our parent company and any other subsidiaries, joint venture partners or other companies that we control.
• With business partners, services providers, and Law enforcement: we may share your information with our business partners to offer you certain products, services, or promotions or to complete any transaction or provide any product you have requested or authorized. We also share information with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; and to protect the rights and property of CPF Group and its customers, website users, clients, pensioners, members, and sponsors.
• With other users: when you share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If you interact with other users or register through a third-party social media service, your contacts on the third-party social media service may see your name, profile, pictures, and description of your activity. Similarly, other users will be able to view descriptions of your activity, communicate with you and view your profile.

• Retention of your personal data

The company will retain your personal data only for as long as is necessary for the purposes set out in this privacy statement. We will also retain and use your personal data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable Kenyan laws), resolve disputes, and enforce our legal agreements. The company will also retain usage data for internal data analysis purposes. Usage data is generally retained for a shorter period, except when this data is used to strengthen the security, prevent fraud, or to improve the functionality of our website, or where we are legally obligated to retain this data for a longer period.

• Transfer of your personal data

Your information, including personal data, is processed at the company’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to and maintained on computers located outside your State, Province, Country, or other Governmental Jurisdiction where the Data protection Laws may differ from those within your Jurisdiction. The company will take all steps reasonably necessary to ensure that your data is transferred securely and in accordance with this privacy statement and no transfer of personal data will take place to any organization or Country unless there are adequate safeguards and measure in place to protect your privacy and personal data and other personal information.

4. Security of your personal data

The security of your personal data is important to us. However, while we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

CPF Group will notify you of any significant breach of personal data by third parties that would cause undue harm to you. We will also notify the Office of the Data protection Commissioner of any security breach of personal data that may occur. Further, will also be Should there be a breach of security that causes harm

5. Children’s privacy

We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from anyone under the age of 13 without parental consent, we will take the necessary steps to remove that information from our servers. If we need to rely on consent as a legal basis for processing your information and your country requires consent from a parent, we may require your parent’s consent before we collect and use that information.

6. Links to other websites

Our website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the privacy statement of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services. We are not responsible for the privacy or security practices of our users, which may differ from those set forth in this privacy statement.

7. Changes to this privacy statement

We may update our privacy statement from time to time. We will notify you of any changes by posting the new privacy statement on this page. We will let you know via email and/or a prominent notice on our website, prior to the change becoming effective and update the “last updated” date at the top of this privacy statement. You are advised to review this privacy statement periodically for any changes. Changes to this privacy statement are effective when they are posted on this page.

8. Contact us

You should direct your privacy inquiries, including any requests to exercise your data protection rights, to us through our Data protection officer:

• By email: dataprotectionofficer@cpf.or.ke or info@cpf.or.ke;
• By visiting this page on our website and filling the web form: https://cpf.or.ke/contacts/; or
• By phone number: +254 111 114000.