SIMI Technologies Data Protection and Privacy Policy

1. Introduction

SIMI Technologies (“the Company”, “we”, “our”, or “us”) is committed to protecting and respecting your privacy in compliance with the Data Protection Act, 2019 of Kenya.

This policy explains how we collect, use, disclose, and safeguard your personal data when you interact with us, and outlines your rights as a data subject.

2. Scope

This policy applies to all personal data processed by SIMI Technologies in relation to:

• Customers
  
  
• Employees
  
  
• Suppliers and contractors
  
  
• Website and system users
  
  
• Any other individuals whose data we process
  
  

3. Definitions

• Personal Data: Information relating to an identified or identifiable person.
  
  
• Data Subject: An individual whose personal data is processed.
  
  
• Data Controller: A person or entity that determines the purpose and means of processing personal data (SIMI Technologies).
  
  
• Data Processor: A person or entity that processes personal data on behalf of the controller.
  
  

4. Principles of Data Protection

We adhere to the following principles when processing personal data:

1. Lawfulness, fairness, and transparency
   
   
2. Purpose limitation – data collected for specific, explicit, and legitimate purposes only.
   
   
3. Data minimization – only relevant and necessary data is collected.
   
   
4. Accuracy – ensuring data is up to date.
   
   
5. Storage limitation – data is not kept longer than necessary.
   
   
6. Integrity and confidentiality – data is secured against unauthorized access, loss, or destruction.
   
   
7. Accountability – we take responsibility for compliance with the DPA 2019.
   
   

5. Data We Collect

We may collect and process the following categories of personal data:

• Identity data (name, ID number, date of birth, etc.)
  
  
• Contact details (phone number, email, postal address)
  
  
• Financial data (bank account details, payment records)
  
  
• Employment data (CVs, job applications, performance records)
  
  
• Digital identifiers (IP addresses, cookies, system usage data)
  
  
• Sensitive personal data (health, biometric, or children’s data) – only with explicit consent or legal basis.
  
  

6. Legal Basis for Processing

We process personal data only when we have a lawful basis, including:

• Consent from the data subject
  
  
• Performance of a contract
  
  
• Compliance with a legal obligation
  
  
• Legitimate interests pursued by the Company
  
  
• Protection of vital interests of the data subject
  
  

7. Use of Personal Data

We use personal data for purposes including:

• Delivering products and services   
  
  
• Customer support and communication
  
  
• Employment and HR management
  
  
• Compliance with legal and regulatory requirements
  
  
• Security and fraud prevention
  
  

8. Data Sharing and Transfers

We do not sell personal data. We may share data only with:

• Service providers and contractors under confidentiality agreements
  
  
• Regulatory authorities as required by law
  
  
• Business partners (only with consent or legitimate basis)
  
  

If personal data is transferred outside Kenya, we ensure adequate safeguards are in place as required by law.

9. Data Security

We implement appropriate technical and organizational measures, including:

• Encryption and access controls
  
  
• Secure storage and backups
  
  
• Staff training on data protection
  
  
• Regular system monitoring and audits
  
  

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Data no longer needed is securely deleted or anonymized.

11. Data Subject Rights

You have the right to:

• Be informed of the use of your data
  
  
• Access your personal data
  
  
• Request correction or deletion of inaccurate data
  
  
• Withdraw consent at any time
  
  
• Object to processing, including direct marketing
  
  
• Request data portability
  
  
• Lodge a complaint with the Office of the Data Protection Commissioner (ODPC)
  
  

Requests may be submitted to:

📧 Email: privacy@simitechnologies.co.ke

12. Data Breach Management

In case of a data breach, we will notify the ODPC and affected data subjects within the required timeframe, outlining the nature of the breach, potential consequences, and measures taken.

13. Children’s Data

We process children’s data only with consent of the parent/guardian and in compliance with the law.

14. Policy Updates

This policy may be updated periodically to comply with legal requirements or business changes. Updates will be communicated through our website or other appropriate channels.