IMSURE is a data controller under the Kenya Data Protection Act, 2019 ("DPA"). This Policy explains what personal data we collect, why, how long we keep it, and your rights.
1. Data we collect
- Identity — name, date of birth, national ID / passport, KYC images.
- Contact — email, phone number, postal address.
- Financial — M-Pesa transaction references, premium payments, wallet ledger.
- Policy & claims — products purchased, claims filed and supporting evidence.
- Device & usage — IP address, device type and app interactions, used for security and product improvement.
2. Why we use it
- To provide insurance products and process claims (contract).
- To comply with KYC, AML and IRA regulatory obligations (legal obligation).
- To prevent fraud and secure our platform (legitimate interest).
- To send service messages and, with your consent, marketing.
3. Who we share with
- Our IRA-licensed underwriting partner for binding and claims.
- Identity, payments, SMS and email providers acting as our processors.
- Regulators, courts and law enforcement where legally required.
We do not sell your data. Cross-border transfers are made only with appropriate safeguards permitted under the DPA.
4. How long we keep it
- Policy and claims data: 7 years from policy end (statutory).
- KYC documents: 7 years from account closure.
- Marketing data: until you withdraw consent.
5. Your rights
You can ask us to export, correct, restrict, or delete your personal data, and to object to certain processing. Use the in-app Privacy & Data screen or email dpo@imsure.io. We respond within 30 days.
6. Security
Data is encrypted in transit and at rest. Access is restricted to authorised staff under role-based access control. We log all administrative actions.
7. Complaints
If we cannot resolve your concern, you may complain to the Office of the Data Protection Commissioner of Kenya.
8. Contact
Data Protection Officer · dpo@imsure.io · IMSURE Technologies Ltd, Nairobi.
DRAFT — review with counsel and register the DPO with the ODPC before launch.
