Privacy Center

AGENTS’ PRIVACY POLICY

1. POLICY STATEMENT

1.1. Welcome to the AAR’s Agents Privacy Policy. We appreciate you taking the time to read all our notices carefully.

1.2. AAR Insurance Limited (“AAR”, “We”, “Us”, “Our”) is committed to processing your personal information in a lawful, fair and transparent manner and in accordance with data protection laws in Kenya.

1.3. This Privacy Policy outlines how we collect, use, disclose, and protect personal information in connection with our services, including provision of medical and general insurance products and services.

1.4. Please take time to read this Privacy Policy to understand how and why we collect and use your information in connection with our insurance business.

2.1. AAR Insurance Kenya Limited is a leading medical and general insurance company, providing innovative underwriting solutions to individuals, families, and businesses. We offer products ranging from Family Plans, Personal Accident Insurance, School Insurance, Homeowners Insurance, Medical Insurance for SMEs and Corporates, Professional Indemnity, WIBA Cover, Travel Insurance, Marine Insurance and Landlord Insurance.

2.2. Our offices are located at Real Towers, Upperhill, Nairobi, Kenya.

3.1. This Privacy Policy applies to all AAR Insurance Kenya Limited Agents in connection with our insurance business.

4.1. In this Privacy Policy, "personal data" refers to any information relating to an identified or identifiable individual. This includes, but is not limited to, identification details, contact details, commissions, lead management details, performance appraisals, social media profiles, HMIS Code and any other data that can be used to directly or indirectly identify an individual.

4.2. Personal data may also include sensitive information, such as racial or ethnic origin, religious beliefs, health information, family information including children’s information, biometric data, property records, financial information, transaction records, where applicable and subject to applicable laws and regulations.

5.1. We collect Personal Data directly from you as well as from other available sources to the extent permitted by law. We endeavour to only collect Personal Data that is necessary for the purpose(s) for which it is collected and to retain such data for no longer than necessary for such purpose(s). Subject to applicable law and practice, the categories of Personal Data that are typically collected and processed are:

| Data Subject | Type of personal data collected | Purpose of Collection | Lawful Basis |
| --- | --- | --- | --- |
| Agents | Identification details: name, date of birth, ID/Passport, HMIS Code | For identification purposes; to grant access to My Wakalaar; to confirm that the details provided on registration on My Wakalaar match those in the AIK Agent database; to allow for background data synchronization on My Wakalaar | Legal Obligation |
| Agents | Contact details: telephone number, WhatsApp number, email address | For communication purposes including OTP delivery; to facilitate user-agent interactions, including enabling users to communicate their needs and enquiries to the agent, and to foster engagement and communication with the agent on the My Wakalaar platform | Legitimate interests |
| Agents | Recruitment details: CV, Academic Certificates, Passport Photographs, examination results | To determine your suitability for the role applied for | Legitimate interests |
| Agents | Onboarding details: Insurance certificate, contractual details | To onboard you to AAR Insurance | Contract; Legal Requirement |
| Agents | Performance Management details: Weekly activity templates, productivity appraisals | To assess your performance against set KPIs | Contract |
| Agents | Commission details: Commission, monthly statements, payment details including bank account numbers | To process your commissions | Contract |
| Agents | Consent details: Consent to receive marketing communications, consent to receive OTP, consent to process customer information | For marketing/promotional purposes; to enable you to perform accurate calculations of quotations, personalize the quotation process, communicate with the client, track the progress of the quotation and see its eventual closure | Consent |
| Agents | One Time Password (OTP) & agents’ passwords | For validation and authentication of agents during registration to My Wakalaar; to ensure that you have control over your account on My Wakalaar and can update it when necessary | Legitimate interests |
| Agents | Social Media details: social media accounts, consent to post on linked social media accounts, access tokens | To enable you to seamlessly link your social media accounts with My Wakalaar | Consent |
| Agents | Lead Management details: lead source, lead probability, lead value, tags, notes, consent to process potential customer’s information | To enable you to save lead information on the My Wakalaar platform and effectively manage lead data | Legitimate interests |
| Agents | CCTV Records | To secure company premises and assets | Legitimate interests |
| Agents | Complaints/requests | To receive, register and resolve your complaints | Legitimate interests |
| Agents | Online identifiers: such as cookies and related tags, IP addresses | To improve your experience when you access our website | Legitimate interests |

6.1. We collect your information directly when you call, message, email or populate your details on the Agents’ platform My Wakalaar.

6.2. We also collect personal data indirectly when you use our website or access My Wakalaar or social media platforms, or when you visit our offices and your images are captured by CCTV.

7.1. In some cases, if you choose not to provide certain personal data requested by us, it may impact our ability to fulfil our contractual obligations or provide you requested services or information. The specific consequences of not providing personal data will depend on the context and the purpose for which the data is requested.

7.2. For example, if you fail to provide us accurate bank account details, we may fail to process your commission statements.

7.3. We encourage you to carefully consider personal data requested and its importance for the intended purposes. If you have concerns about providing certain information, please contact us to discuss your specific circumstances and requirements. We will endeavor to find alternative solutions or assess if there are any legal or contractual obligations that require the provision of the requested data.

8.1. We may share your personal data within the Company to facilitate our internal operations and provide you with efficient services.

8.2. We may share your personal data with third parties in the following circumstances:

  • Service Providers: We may engage third-party service providers to perform various services on our behalf, such as IT service providers and legal services providers. These service providers will have access to your personal data as necessary to perform their functions but are strictly prohibited from using your personal data for any other purposes.
  • Business Partners: We may share your personal data with trusted business partners who collaborate with us to provide products or services to you. These partners may use your personal data only for the purposes specified in our agreement with them.
  • Obligations: We may disclose your personal data if required to do so by law or in response to a valid legal request, such as a court order or government inquiry.
  • Corporate Transactions: In the event of a merger, acquisition, or any form of corporate restructuring, we may transfer your personal data to the involved parties, if they agree to treat your personal data in accordance with this privacy policy.
  • Consent: We may share your personal data with third parties if you have given us explicit consent to do so. You have the right to withdraw your consent at any time.

8.3. When sharing your personal data with third parties, we prioritise the security and confidentiality of your information. We take stringent measures to ensure that these parties comply with strict data protection standards and handle your personal data in accordance with our instructions.

8.4. We carefully select and evaluate third-party service providers, business partners, and other recipients of your personal data. We enter into contractual agreements with these parties, imposing obligations to protect your personal data and restricting their use of the information solely for the specified purposes outlined in our agreement. Furthermore, we require these third parties to implement appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration, or destruction of your personal data.

9.1. We understand the importance of keeping your personal data secure and take appropriate measures to protect it against unauthorized access, loss, misuse, or alteration. We have implemented robust security measures to ensure the confidentiality, integrity, and availability of your information, including:

  • Technical Safeguards: To protect your information during transmission, we utilize industry-standard encryption protocols, ensuring the confidentiality of your data. Our secure network infrastructure incorporates firewalls, intrusion detection systems, and other security measures to prevent unauthorised access and mitigate external threats. Additionally, access controls are in place, restricting data access to authorised individuals through unique user credentials, strong passwords, and role-based privileges. Regular data backups and recovery processes are performed to maintain data integrity and availability.
  • Organisational Safeguards: Our commitment to data security extends to our employees and third-party service providers. Strict confidentiality agreements bind them, emphasizing the importance of maintaining the security and confidentiality of your personal data. Regular training programs are conducted to educate employees on data protection best practices, security protocols, and their responsibilities. Access controls and authorization mechanisms ensure that only authorised personnel can access your data. We have established comprehensive data protection policies and procedures to guide the proper handling, storage, retention, and disposal of personal data. In the event of any security incidents, our incident response plan enables swift identification, mitigation, and notification, as well as measures to prevent future occurrences.

9.2. While we continually enhance our security measures, it is important to note that no security measure can provide absolute protection. However, we are dedicated to maintaining the highest possible standards of data security and will continue to invest in measures to safeguard your information.

9.3. If you suspect any misuse or loss of or unauthorised access to your personal data, please let us know immediately by sending us an email on privacy@aar.co.ke.

10.1. We retain your personal data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy, or as required by applicable laws and regulations.

10.2. Once the retention period expires, we securely delete or anonymise your data to ensure it is no longer identifiable or accessible.

10.3. The retention periods for each category of data subjects and their respective personal data may vary based on the specific circumstances and legal requirements.

10.4. Your personal data such as contact details, identification details, contract details, payment details, CCTV records, social media profiles, complaints/requests, and cookies/online identifiers, is generally retained for the duration of the business relationship and for six [6] years thereafter. This allows us to maintain effective communication, fulfil contractual obligations, and comply with legal requirements.

11.1. Under the Data Protection Act, 2019, you have several rights regarding your personal data.

  • right to information: you have a right to be informed of how the Company will use your personal data.
  • right to access: you are entitled to access your personal data that is in our possession or custody.
  • right to object: you can object to the processing of all or part of your personal data, except when we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.
  • right to rectification: you have the right to request the correction of inaccurate, outdated, incomplete or misleading personal data in our possession or under our control, without undue delay.
  • right to erasure: you have the right to request deletion or destruction, without undue delay, of personal data that we are no longer authorised to retain, or that is irrelevant, excessive, or obtained unlawfully.
  • right to data portability: you have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format and to transmit the data to another data controller without hindrance. Where technically feasible, you may also request direct transmission of your personal data from us to another data controller or data processor.
  • automated decision making: you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects affecting you. If we make automated decisions based on your personal data, you will be notified in writing. You can also request us to reconsider any decisions made solely through automated processing or to make a new decision that is not solely automated.
  • right of restriction: you can request the restriction of processing your personal data in certain circumstances, such as when you contest the accuracy of the data, it is no longer needed for processing, it was processed unlawfully, or you have objected to the processing pending verification of our legitimate interests.

12.1. If you wish to exercise any of the rights outlined above, please write an email to the Data Protection Officer (DPO) on privacy@aar.co.ke.

12.2. We will make every effort to address your inquiries and requests via email within the timelines specified by applicable data protection laws and regulations.

12.3. To ensure the security and accuracy of the personal data we provide, we may request additional information and verification of your identity. This is necessary to confirm that we are releasing the data to the rightful owner.

12.4. While we strive to fulfill all valid requests, there may be cases where we are unable to comply. If such a situation arises, we will inform you of the reasons for our inability to fulfill your request.

13.1. As part of our business operations, we may transfer personal data to recipients located in countries outside Kenya.

13.2. We are committed to ensuring that any transfer of personal data outside of Kenya complies with the provisions set forth by the Data Protection Act, 2019.

13.3. We prioritise the security and protection of your personal data throughout the transfer process. Therefore, we have implemented the following policy regarding international data transfers:

  • Appropriate Safeguards: Before transferring personal data to another country, we ensure that we have appropriate safeguards in place to ensure the security and protection of your data. These safeguards may include technical, organisational, and legal measures to uphold data privacy standards. We will document these safeguards and provide proof to the Data Commissioner as and when required.
  • Legal Grounds: We will only transfer personal data outside of Kenya when it is necessary and lawful. This includes situations where the transfer is required for the performance of a contract between you and AAR, the establishment, exercise, or defense of legal claims, the protection of vital interests, matters of public interest, or compelling legitimate interests that are not overridden by your rights and freedoms.
  • Consent and Sensitive Data: If the transfer involves sensitive personal data, we will obtain your explicit consent and confirmation of appropriate safeguards before processing such data outside of Kenya.
  • Data Commissioner Oversight: We acknowledge the authority of the Data Commissioner to request demonstrations of the effectiveness of security safeguards or the existence of compelling legitimate interests prior to the transfer of personal data. We will cooperate with the Data Commissioner and comply with any conditions or restrictions imposed to protect the rights and fundamental freedoms of data subjects.

13.4. We are committed to maintaining the privacy and security of your personal data, regardless of its location. If you have any questions or concerns regarding our international data transfer practices, please contact our Data Protection Officer (DPO) at privacy@aar.co.ke. We will strive to address your inquiries and provide you with transparent information regarding the transfer of your personal data outside of Kenya.

14.1. As a data subject, it is important that you understand and fulfill certain responsibilities to ensure the protection and privacy of your personal data. By providing your personal data to the Company, you agree to adhere to the following responsibilities:

  • Accuracy and Updates: You are responsible for providing accurate and up-to-date personal data to the Company. Please inform us promptly of any changes or updates to your contact details or other relevant information.
  • Third-Party Data: If you give us personal data of third parties, such as a prospective member, it is your responsibility to ensure that you have obtained the necessary consent or authority to share their information. Inform these individuals about the processing activities and possible international transfers of their data.
  • Exercise of Rights: If you wish to exercise your rights with respect to your personal data, including the rights of access, rectification, erasure, objection, or data portability, please follow the procedures outlined in our Privacy Policy. We may require additional information or verification to process your request and ensure the security and confidentiality of your data.
  • Reporting Concerns: If you have any concerns or complaints regarding the processing or transfer of your personal data, please contact our designated Data Protection Officer (DPO) at privacy@aar.co.ke. We appreciate your feedback and will promptly address any issues raised.

15.1. We may periodically update or revise this Privacy Policy to ensure its alignment with legal requirements and our evolving business practices. We encourage you to review this Policy periodically to stay informed about how we handle your personal data.

15.2. If we make any material changes to this Policy, we will notify you through appropriate means, such as by posting a notice on our website or sending a direct communication. Your continued use of our services after the effective date of any revised Privacy Policy constitutes your acceptance of the revised Policy. We recommend that you regularly check this Privacy Policy to stay updated on any changes. If you disagree with any modifications to this Policy, you should discontinue using our services and contact us to exercise your rights or request the removal of your personal data, as outlined in this Policy.


DATA PROTECTION FAQS

AAR Insurance Company Limited values your loyalty and respects your fundamental right to privacy. As part of our business operations, we collect and use your personal data in various instances including assessing your performance and processing your commissions. Below are some frequently asked questions to help you better understand how we handle your personal data:

1. How is my personal information protected on this platform?

We employ a diverse range of technical and organisational measures to safeguard your data. These measures include encryption to secure information during transmission and storage, regular security assessments to identify and address vulnerabilities, strict access controls to ensure data is only accessible to authorised personnel, and secure storage practices.

We obtain your explicit consent before collecting and processing your personal data. Specifically, we seek consent when the data is intended for marketing purposes, entails the transfer of personal data outside Kenya or involves changes in processing purposes. For example, when you register on My Wakalaar, we present clear and concise marketing consent statements that explain why we need your data and how it will be used. You have a right to withdraw your consent. If you wish to withdraw your consent, kindly contact the DPO at privacy@aar.co.ke.

We take your data security seriously. Your personal information is protected through encryption and security measures, ensuring that only authorized personnel can access it. For more details on the types of data we collect about you, please refer to our Privacy Policy.

We do not share your personal data with third parties without your consent, except when required by law or for legitimate business purposes, such as processing claims or payments. Our Privacy Policy provides more details on data sharing.

Yes, your payment information is secured using industry-standard encryption protocols to protect it during transactions. We do not store your full payment card information on our servers.

Your data is retained as long as it is necessary for the purposes for which it was collected and in compliance with legal requirements.

You have several rights concerning your personal data, including the right to access, rectify, and erase your data. You can also restrict or object to the processing of your data and request data portability. These rights are detailed in the Agents’ Privacy Policy, and you can exercise them by contacting our customer service teams or Data Protection Officer at privacy@aar.co.ke.

You can opt out of receiving marketing communications from us at any time. We provide an "unsubscribe" link in our emails, and you can also manage your communication preferences in My Wakalaar settings. Each SMS sent contains an embedded opt-out mechanism that allows you to effortlessly discontinue receiving such messages. In addition, you will also have the option to opt-out of any marketing related phone calls.

If you provide us with personal data of third parties, for example your clients, during the recruitment process (for agents on contract basis), it is your responsibility to obtain their prior written consent and refer them to our company’s Corporate Privacy Policy available on our website.

If you suspect a data breach or unauthorized access, please notify us on privacy@aar.co.ke. We will investigate and take appropriate actions to secure your account and data. All notifications must be made within 48 hours of becoming aware of the breach. You are also under obligation to coordinate and cooperate with AAR in the timely investigation and remediation of a suspected or actual data breach.

If you choose to close your account, we will securely delete or anonymize your data in accordance with our Data Retention and Disposal Policy, unless legal obligations require us to retain it.

If you receive any suspicious communication claiming to be from AAR Insurance and requesting your personal information, please do not provide any details. Contact our official customer service number or email to verify the communication's authenticity before taking any action.

If you have any questions or concerns regarding how we process your personal data, including data access requests, complaints, or inquiries about our data protection practices:

  • You can contact our customer service team on +254 703 063 000, +254 730 633 000, +254 202 895 000 and info@aar.co.ke
  • You can also contact our Data Protection Officer at privacy@aar.co.ke

DATA SUBJECT REQUEST FORMS

REQUEST FOR ACCESS TO PERSONAL DATA
All fields marked as * are mandatory

A. DETAILS OF THE DATA SUBJECT

(This section is to provide the details of the Data Subject)
(Provide the following details where making a request on behalf of a minor or a person who has no capacity)

B. DETAILS OF THE PERSONAL DATA REQUESTED

MODE OF ACCESS

I would like to: (check all that apply)

C. DELIVERY METHOD

D. DECLARATION

Note: any attempt to access Personal Data through misrepresentation may result in prosecution.