Effective Date: 1 July 2022
1.1 InVenture Capital Corporation, a US corporation, is affiliated with different legal entities forming the Tala Group. When we mention “Tala” in this document, we are referring to the relevant Kenyan subsidiary company, InVenture Mobile Limited, which is the data controller responsible for processing your data.
1.2 The Tala Group offers digital financial services to help the traditionally underbanked borrow, save and grow their money. Our Services include:
1.5 You have the right to submit a complaint at any time to the Office of the Data Protection Commissioner (ODPC), the Kenyan regulator for data protection issues (https://www.odpc.go.ke/file-a-complaint/). We would, however, appreciate the chance to deal with your concerns before you approach the ODPC and ask that you please contact us in the first instance via email at email@example.com.
1.7 Tala’s Services are not intended for children and we do not knowingly process data relating to children.
2.1 “Authorities” includes any judicial, administrative, government, public or regulatory body, securities or futures exchange, court, central bank or law enforcement body, or any of their agents with jurisdiction over Tala.
2.2 “Child” means an individual who has not attained the age of eighteen (18) years.
2.3 “Comply with a legal obligation” means processing your Personal Data where it is necessary for compliance with a legal obligation that we are subject to, such as (a) Laws or international guidance and internal policies or procedures, (b) any demand from Authorities or reporting, disclosure or other obligations under Laws, and (c) Laws requiring us to verify the identity of our customers.
2.4 “Consent” means processing your Customer Information where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us via firstname.lastname@example.org.
2.5 “Customer” or “User” means any individual within the Republic of Kenya to which Tala provides its products or services.
2.6 “Customer Information” means your Personal Data, Sensitive Personal Data, and/or Relevant Information including relevant information about you, your transactions, your use of our products and services, and your relationships with Tala.
2.7 “Laws” include any local or foreign law, regulation, judgment or court order, voluntary code, sanctions regime, an agreement between any member of Tala and an Authority, or agreement or treaty between Authorities and applicable to Tala.
2.8 “Legitimate Interest” means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
2.9 “Performance of Contract” means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
2.10 “Personal Data” or “Personal Information” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
2.11 “Relevant Information” means information that Tala requires for purposes of providing full access to the Tala Service.
2.12 “Sensitive Personal Information” refers to Personal Data about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; health status, education, biometric data, genetic data, sex or the sexual orientation of a person, property details, family details including names of the person’s children, parents, spouse or spouses; any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and specifically established by an executive order or other legislative act to be kept classified.
2.13 “Services” refers to the products and features provided by Tala and the Tala Group as described in 1.2 above.
2.14 “We”, “Our” and “Us” refer to Tala.
3. THE DATA WE COLLECT ABOUT YOU
3.1 Information that you provide. To access our Services, you will be requested to provide Personal Data as specified in the applicable Privacy Notice. This includes the following:
3.2 Information that we collect as you use the Services. We also collect information from your usage of our products and features, as specified in the applicable Privacy Notice. This includes the following:
3.3 Information that we receive from third parties. To provide you with our Services and to comply with our legal obligations, we may also obtain information from third parties such as:
4. HOW WE USE YOUR PERSONAL DATA
4.1 We will only use your Personal Data when we have a lawful basis to do so, as specified in the applicable Privacy Notice. Most commonly we will use your Personal Data in the following circumstances:
4.2 We collect and use your Personal Data for the following purposes, as further specified in the applicable Privacy Notice for each specific Service:
4.3 We will only send you direct marketing communications by push notification, email or text if we have your consent. You have the right to withdraw that consent at any time by contacting us via email at email@example.com.
4.4 We use automated processing and automated decision-making with little to no human intervention when we provide you with certain features of our Services. Our models are regularly tested to ensure they remain fair, accurate, and unbiased. Where applicable, you may request a reconsideration of an automated decision by emailing us at firstname.lastname@example.org. Please note that human intervention does not guarantee that the automated decision will be overturned.
4.5 We regularly engage in capacity building, orientation, and training programs for our team to be familiar with data protection and security policies and practices.
5. DISCLOSURES AND CROSS-BORDER TRANSFERS OF YOUR PERSONAL DATA
5.1 We may disclose and/or transfer your Personal Data to internal and external third parties as described in the applicable Privacy Notice of each particular Service.
5.2 Tala as the data controller remains accountable for your Personal Data that is disclosed to our data processors. We use contractual and other reasonable means to provide a comparable level of protection when your Personal Data is being processed by a data processor.
5.3 Your Personal Data collected by Tala may be stored and processed outside Kenya in a location where Tala, its affiliates, or its data processors maintain facilities. Whenever we transfer your personal data out of Kenya, we ensure a similar degree of protection is afforded to it by ensuring adequate safeguards are implemented. We ensure your Personal Data is protected by requiring all our affiliates and processors to follow the same rules when processing your Personal Data.
6. DATA SECURITY MEASURES
6.1 Tala implements an Information Security Management System to maintain the confidentiality, integrity, and availability of Tala’s information resources, in keeping with industry standard and global best practices.
6.1.1 Physical locations shall be protected from unauthorized access, threats, and damage.
6.1.2 Data should be encrypted in accordance with the data classification and handling requirements. Backup practices of critical information resources should be performed, tested, and maintained.
6.1.3 Data retention, decommissioning, and disposal requirements are aligned with contractual, legal, environmental, and business requirements.
6.1.4 Endpoints should be protected by security hardening, malware protection, and host-based monitoring.
6.1.5 Access should be restricted by access control, user access management, privileged access (principle of least privilege), access review, multi-factor authentication, and passwords, where applicable.
6.1.6 Information resource logs should be managed, and security events should be monitored.
6.1.7 Network access should be protected through a secure network infrastructure, network access controls, and information transfer requirements.
6.1.8 Information security risks associated with third parties that access Tala information resources should be identified, assessed, and managed. Contracts with third-party vendors and processors should contain information security and confidentiality clauses. Information security reviews of third party vendors and processors should be regularly performed.
6.1.9 Procedures should be in place to recruit competent and qualified individuals as employees. A formal disciplinary process should be established and implemented for non-compliance with information security policies, standards, and procedures.
6.1.10 Information resources should be maintained by identifying and remediating associated vulnerabilities.
6.1.11 Formal change management requirements should be followed when introducing or modifying information resources.
6.1.12 Information security incidents should be managed, including detection, analysis, resolution, and lessons learned. Incident response shall include preparation, identification, containment, eradication, recovery, and lessons learned.
6.1.13 Compliance requirements should be established based on legislative, statutory, regulatory, or contractual obligations, and shall be subject to independent review.
6.1.14 A risk assessment process and framework should be established to identify and remediate information security risks.
6.1.15 Requirements should be implemented to ensure information security controls are verified at regular intervals to assess their validity and effectiveness during adverse situations.
6.1.16 Information resources should be managed by identification, inventorying, maintenance, and protection controls.
6.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
7. DATA RETENTION
7.1 To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, the need to comply with our internal policies and the applicable legal, regulatory, tax, accounting or other requirements. We will retain or store your personal information only for so long as is necessary to fulfill the purposes set forth in the applicable Privacy Notice, and for a reasonable time thereafter for the furtherance and completion of any of our services to you, and for such time as may be necessary in order to comply with any legal obligation.
7.2 Details of retention periods for different aspects of your Personal Data are available in our data retention policy which you can request by contacting us.
7.3 In some circumstances you can ask us to delete your data: see Your Data Subject Rights below for further information. Where Personal Data must be deleted, disposal shall be done in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other entity.
7.4 In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
8. YOUR DATA SUBJECT RIGHTS
8.1 Under certain circumstances you have the following rights under data protection laws in relation to your personal data.
You have the right to:
8.2 You also have the right to ask us not to continue to process your personal data for marketing purposes.
8.3 You can exercise any of these rights at any time by contacting us via email at email@example.com.
9.2 It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.
10. THIRD PARTY LINKS
Our Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact and Location Data. Please check these policies before you submit any personal data to these websites or use these services.