Tala Privacy Policy


Effective Date: 1 July 2022

1. INTRODUCTION


1.1 InVenture Capital Corporation, a US corporation, is affiliated with different legal entities forming the Tala Group. When we mention “Tala” in this document, we are referring to the relevant Kenyan subsidiary company, InVenture Mobile Limited, which is the data controller responsible for processing your data. 


1.2 The Tala Group offers digital financial services to help the traditionally underbanked borrow, save and grow their money. Our Services include:


  • 1.2.1 The Tala App, which is an Android mobile application that can be downloaded from Google Play, and for which the applicable Privacy Notice can be accessed here;
  • 1.2.2 The Tala Website (https://tala.co.ke/), including the Tala Biashara Club Site (https://community.tala.co.ke/), and for which the applicable Privacy Notice can be accessed here. 


1.3 This Privacy Policy also applies to your use of Tala’s Services and explains what personal data we collect, with whom we share it, how we may use your data and how you can prevent us from sharing certain information with certain parties. This Privacy Policy should be read together with the applicable Privacy Notice for the particular Service that you are using as linked above. The relevant Privacy Notice informs you as to how we look after your personal data when you use our Services and tells you about your privacy rights and how you are protected under the Data Protection Act, 2019.  


1.4 By accepting the terms of this Privacy Policy and the relevant Privacy Notice, you accept and consent to the practices described therein. 


1.5 You have the right to submit a complaint at any time to the Office of the Data Protection Commissioner (ODPC), the Kenyan regulator for data protection issues (https://www.odpc.go.ke/file-a-complaint/). We would, however, appreciate the chance to deal with your concerns before you approach the ODPC and ask that you please contact us in the first instance via email at hellokenya@talamobile.com.


1.6 If you have any questions about this Privacy Policy, please contact us via email at hellokenya@talamobile.com.


1.7 Tala’s Services are not intended for children and we do not knowingly process data relating to children.

2. DEFINITIONS


Terms used in this Privacy Policy shall have the following meanings, and reference to the singular includes the plural (and vice versa).

2.1 “Authorities” includes any judicial, administrative, government, public or regulatory body, securities or futures exchange, court, central bank or law enforcement body, or any of their agents with jurisdiction over Tala.


2.2 “Child” means an individual who has not attained the age of eighteen (18) years.


2.3 “Comply with a legal obligation” means processing your Personal Data where it is necessary for compliance with a legal obligation that we are subject to, such as (a) Laws or international guidance and internal policies or procedures, (b) any demand from Authorities or reporting, disclosure or other obligations under Laws, and (c) Laws requiring us to verify the identity of our customers.


2.4 “Consent” means processing your Customer Information where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us via hellokenya@talamobile.com.


2.5 “Customer” or “User” means any individual within the Republic of Kenya to which Tala provides its products or services.


2.6 “Customer Information” means your Personal Data, Sensitive Personal Data, and/or Relevant Information including relevant information about you, your transactions, your use of our products and services, and your relationships with Tala.


2.7 “Laws” include any local or foreign law, regulation, judgment or court order, voluntary code, sanctions regime, an agreement between any member of Tala and an Authority, or agreement or treaty between Authorities and applicable to Tala.


2.8 “Legitimate Interest” means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). 


2.9 “Performance of Contract” means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.


2.10 “Personal Data” or “Personal Information” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.


2.11 “Relevant Information” means information that Tala requires for purposes of providing full access to the Tala Service.


2.12 “Sensitive Personal Information” refers to Personal Data about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; health status, education, biometric data, genetic data, sex or the sexual orientation of a person, property details, family details including names of the person’s children, parents, spouse or spouses; any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and specifically established by an executive order or other legislative act to be kept classified.


2.13 “Services” refers to the products and features provided by Tala and the Tala Group as described in 1.2 above.


2.14 “We”, “Our” and “Us” refer to Tala.


3. THE DATA WE COLLECT ABOUT YOU


3.1 Information that you provide. To access our Services, you will be requested to provide Personal Data as specified in the applicable Privacy Notice. This includes the following:


  • 3.1.1 Identifiers such as name, username, e-mail address, mobile number, or any other identifier by which you may be contacted online or offline;
  • 3.1.2 Responses that you submit to our forms, questionnaires, and surveys;
  • 3.1.3 Communications with Tala, such as call records, customer service requests and tickets, and messages or comments posted on Tala-hosted platforms;
  • 3.1.4 Supporting documents such as government-issued identification, financial documents, and authorization letters. 


3.2 Information that we collect as you use the Services. We also collect information from your usage of our products and features, as specified in the applicable Privacy Notice. This includes the following: 


  • 3.2.1 Device specifications, such as device identifiers, technical settings and features, and user-selected settings such as language and region;
  • 3.2.2 Usage details, navigation and clicks, traffic data, search history, IP addresses, location data, logs, communication data, and information collected through cookies, web beacons, and other tracking technologies;
  • 3.2.3 Transaction records, such as loan requests, credit score, disbursement records, and repayment records;
  • 3.2.4 Device content data, such as phonebook and network data, call logs, SMS data, and installed applications.


3.3 Information that we receive from third parties. To provide you with our Services and to comply with our legal obligations, we may also obtain information from third parties such as:


  • 3.3.1 Credit scores or similar scores provided by credit reference or credit scoring entities;
  • 3.3.2 Anti-money laundering records from name and sanctions screening vendors;
  • 3.3.3 Account information from partner financial institutions and service providers;
  • 3.3.4 Repayment and other transaction data from external collections agencies, mobile network providers, and mobile money operators.


4. HOW WE USE YOUR PERSONAL DATA


4.1 We will only use your Personal Data when we have a lawful basis to do so, as specified in the applicable Privacy Notice. Most commonly we will use your Personal Data in the following circumstances: 


  • 4.1.1 Where you have given your consent before the processing of the data.
  • 4.1.2 Where we need to perform a contract we are about to enter or have entered with you.
  • 4.1.3 Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • 4.1.4 Where we need to comply with a legal or regulatory obligation. 


4.2 We collect and use your Personal Data for the following purposes, as further specified in the applicable Privacy Notice for each specific Service:


  • 4.2.1 To determine your eligibility for our Services, including for credit scoring and fraud prevention;
  • 4.2.2 To process requests and instructions that we receive from you, your account, or your device;
  • 4.2.3 To improve our Services, including the development of our models using data science and machine learning technology;
  • 4.2.4 To communicate with you and manage our relationship with you;
  • 4.2.5 To analyze customer behavior, conduct research, and to personalize the customer experience;
  • 4.2.6 To meet legal requirements, such as know-your-customer and transaction monitoring obligations;
  • 4.2.7 To comply with other orders and directives of local and international law enforcement agencies and regulatory bodies;
  • 4.2.8 To fulfill our contractual obligations to our partners and to allow our partners to fulfill their contractual obligations to you;
  • 4.2.9 To enable the conduct of Tala’s business through its agents, employees, representatives, consultants, vendors, partners, and other service providers.


4.3 We will only send you direct marketing communications by push notification, email or text if we have your consent. You have the right to withdraw that consent at any time by contacting us via email at hellokenya@talamobile.com. 


4.4 We use automated processing and automated decision-making with little to no human intervention when we provide you with certain features of our Services. Our models are regularly tested to ensure they remain fair, accurate, and unbiased. Where applicable, you may request a reconsideration of an automated decision by emailing us at hellokenya@talamobile.com. Please note that human intervention does not guarantee that the automated decision will be overturned. 


4.5 We regularly engage in capacity building, orientation, and training programs for our team to be familiar with data protection and security policies and practices.

5. DISCLOSURES AND CROSS-BORDER TRANSFERS OF YOUR PERSONAL DATA


5.1 We may disclose and/or transfer your Personal Data to internal and external third parties as described in the applicable Privacy Notice of each particular Service. 


5.2 Tala as the data controller remains accountable for your Personal Data that is disclosed to our data processors. We use contractual and other reasonable means to provide a comparable level of protection when your Personal Data is being processed by a data processor.


5.3 Your Personal Data collected by Tala may be stored and processed outside Kenya in a location where Tala, its affiliates, or its data processors maintain facilities. Whenever we transfer your personal data out of Kenya, we ensure a similar degree of protection is afforded to it by ensuring adequate safeguards are implemented. We ensure your Personal Data is protected by requiring all our affiliates and processors to follow the same rules when processing your Personal Data.


6. DATA SECURITY MEASURES

6.1 Tala implements an Information Security Management System to maintain the confidentiality, integrity, and availability of Tala’s information resources, in keeping with industry standard and global best practices.


6.1.1 Physical locations shall be protected from unauthorized access, threats, and damage.
6.1.2 Data should be encrypted in accordance with the data classification and handling requirements. Backup practices of critical information resources should be performed, tested, and maintained.
6.1.3 Data retention, decommissioning, and disposal requirements are aligned with contractual, legal, environmental, and business requirements.
6.1.4 Endpoints should be protected by security hardening, malware protection, and host-based monitoring.
6.1.5 Access should be restricted by access control, user access management, privileged access (principle of least privilege), access review, multi-factor authentication, and passwords, where applicable.
6.1.6 Information resource logs should be managed, and security events should be monitored.
6.1.7 Network access should be protected through a secure network infrastructure, network access controls, and information transfer requirements.
6.1.8 Information security risks associated with third parties that access Tala information resources should be identified, assessed, and managed. Contracts with third-party vendors and processors should contain information security and confidentiality clauses. Information security reviews of third party vendors and processors should be regularly performed.
6.1.9 Procedures should be in place to recruit competent and qualified individuals as employees. A formal disciplinary process should be established and implemented for non-compliance with information security policies, standards, and procedures.
6.1.10 Information resources should be maintained by identifying and remediating associated vulnerabilities.
6.1.11 Formal change management requirements should be followed when introducing or modifying information resources.
6.1.12 Information security incidents should be managed, including detection, analysis, resolution, and lessons learned. Incident response shall include preparation, identification, containment, eradication, recovery, and lessons learned.
6.1.13 Compliance requirements should be established based on legislative, statutory, regulatory, or contractual obligations, and shall be subject to independent review.
6.1.14 A risk assessment process and framework should be established to identify and remediate information security risks.
6.1.15 Requirements should be implemented to ensure information security controls are verified at regular intervals to assess their validity and effectiveness during adverse situations.
6.1.16 Information resources should be managed by identification, inventorying, maintenance, and protection controls.


6.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.


7. DATA RETENTION


7.1 To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, the need to comply with our internal policies and the applicable legal, regulatory, tax, accounting or other requirements. We will retain or store your personal information only for so long as is necessary to fulfill the purposes set forth in the applicable Privacy Notice, and for a reasonable time thereafter for the furtherance and completion of any of our services to you,  and for such time as may be necessary in order to comply with any legal obligation. 


7.2 Details of retention periods for different aspects of your Personal Data are available in our data retention policy which you can request by contacting us.


7.3 In some circumstances you can ask us to delete your data: see Your Data Subject Rights below for further information. Where Personal Data must be deleted, disposal shall be done in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other entity.


7.4 In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.


8. YOUR DATA SUBJECT RIGHTS


8.1 Under certain circumstances you have the following rights under data protection laws in relation to your personal data. 


You have the right to:

  • 8.1.1 Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • 8.1.2. Request correction or rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • 8.1.3. Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • 8.1.4. Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • 8.1.5. Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
      • a) if you want us to establish the data’s accuracy;
      • b) where our use of the data is unlawful but you do not want us to erase it;
      • c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
      • d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • 8.1.6 Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • 8.1.7 Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.


8.2 You also have the right to ask us not to continue to process your personal data for marketing purposes. 


8.3 You can exercise any of these rights at any time by contacting us via email at hellokenya@talamobile.com.


9. CHANGES TO THE PRIVACY POLICY AND YOUR DUTY TO INFORM US OF CHANGES

9.1 We keep this Privacy Policy under regular review. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you. 


9.2 It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you. 


10. THIRD PARTY LINKS


Our Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact and Location Data. Please check these policies before you submit any personal data to these websites or use these services.