NYANDA SACCO Privacy Policy
Effective Date: 22nd September 2025
Last Reviewed:
1. Introduction
NYANDA Savings and Credit Co-operative Society Limited (“NYANDA SACCO”, “we”, “our”, or “us”) values and respects your right to privacy.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our products, services, digital platforms, or visit our premises.
This Policy should be read together with our Data Protection Policy, Terms and Conditions, and other applicable policies. By using our services, you consent to the practices described in this Policy.
2. Definitions
For purposes of this Policy:
- Customer/Member: An individual who joins NYANDA SACCO and uses our products or services.
- Agent: A person or entity who has signed an agreement with NYANDA SACCO and is recognized as a merchant/agent in accordance with law.
- Visitor: Any person accessing NYANDA SACCO premises, including contractors and subcontractors.
- Vendor/Supplier: Any third party contracted by NYANDA SACCO to provide goods or services.
- Employee: Any person employed by NYANDA SACCO under a contract of service.
3. Scope
This Policy applies to:
- All members, customers, employees, suppliers, agents, and visitors.
- All personal data collected through our offices, websites, mobile applications, and other service channels.
It does not cover third-party websites or services linked to from our platforms. Please review those third-party policies separately.
4. Collection of Information
We collect personal information directly from you, and in some cases from third parties, when you:
- Apply for membership, loans, or other SACCO products.
- Access or use our digital platforms, websites, or mobile applications.
- Participate in surveys, promotions, or marketing campaigns.
- Visit our premises or use SACCO facilities.
- Interact with us as a guarantor, supplier, agent, or employee.
- Are the subject of data collection required by law (e.g., credit reference bureaus, regulators, insurance providers).
We do not knowingly collect data from minors under 18 years, except in cases where a parent/guardian provides consent for specific services.
5. Categories of Information Collected
The personal data we may collect includes:
- Identification details: Name, date of birth, gender, marital status, ID/Passport number, PIN, photographs, biometric data.
- Contact details: Address, phone number, email, postal address.
- Financial and employment data: Employer details, salary, tax details, bank account details, business records, guarantor information.
- Transaction details: Loan applications, contributions, deductions, repayment history.
- Digital data: IP addresses, device identifiers, login details, cookies, Wi-Fi usage.
- Premises data: CCTV recordings, visitor register details, vehicle details.
- Sensitive data: Medical or health information, only when required by law or service delivery (e.g., insurance, tax exemptions).
6. Use of Your Information
We use your information for the following purposes:
- To process your membership, loan, and savings applications.
- To manage your SACCO account and provide services requested.
- To conduct credit checks, scoring, and risk assessment.
- To communicate with you regarding your accounts, products, or inquiries.
- For debt recovery, including engaging guarantors, employers, debt collectors, and legal service providers.
- To comply with legal, regulatory, and contractual obligations.
- To enhance security through CCTV surveillance and visitor management.
- For marketing, research, and service improvement (you may opt out of marketing at any time).
- To prevent, detect, and investigate fraud or other unlawful activities.
- For employee administration and HR management.
We will only process your data for the purposes for which it was collected, unless we reasonably consider that we need to use it for another related purpose and that reason is compatible with the original purpose.
7. Legal Basis for Processing
We process your data under the following lawful grounds:
- Consent – where you have provided consent.
- Contract – where processing is necessary to provide services or execute an agreement with you.
- Legal obligation – where required by applicable law.
- Legitimate interests – where processing is necessary for our operations and your rights do not override such interests.
8. Disclosure of Information
We may share your personal data with:
- Guarantors, employers, or next of kin in the event of loan default.
- Credit reference bureaus, regulators, auditors, or law enforcement agencies.
- Debt collectors, auctioneers, and legal representatives (subject to restrictions on conduct).
- Service providers who support our IT, cloud storage, payment processing, and customer management systems.
- Third parties in case of mergers, acquisitions, or asset transfers (subject to continued protection of your data).
We do not sell your personal data to third parties.
9. Data Retention
We retain personal data only as long as necessary to:
- Provide services to you.
- Comply with legal, tax, or accounting obligations.
- Fulfill contractual obligations.
When no longer required, data will be securely deleted, anonymized, or archived in accordance with our Records Retention Policy.
10. Security of Information
We implement appropriate technical and organizational measures to safeguard your personal data against unauthorized access, loss, misuse, or alteration.
However, no system is completely secure, and we cannot guarantee absolute security of data transmitted via the internet.
11. Your Rights
As a data subject, you have the following rights under the Data Protection Act:
- Right to access personal data held about you.
- Right to rectification of inaccurate or incomplete data.
- Right to withdraw consent at any time.
- Right to object to processing, including direct marketing.
- Right to erasure (“right to be forgotten”), subject to legal obligations.
- Right to data portability.
- Right to restrict processing in certain circumstances.
- Right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC).
Requests to exercise these rights should be submitted in writing using the contact details provided below.
12. Children’s Data
We do not knowingly collect data from persons under 18 years of age. If such data is inadvertently collected, it will be deleted promptly unless retained with parental/guardian consent.
13. Cookies
Our website and mobile applications use cookies to enhance user experience and improve functionality. You may disable cookies in your browser, but some features may not work properly. For more details, see our Cookies Policy.
14. Data Breach Notification
In the event of a data breach likely to result in risk to your rights, NYANDA SACCO will:
- Notify the Office of the Data Protection Commissioner without undue delay.
- Inform affected data subjects within the legally required timelines.
- Take corrective measures to mitigate the breach.
15. Updates to this Policy
We may amend this Privacy Policy from time to time. Updates will be posted on our website, and the “Last Reviewed” date at the top will reflect the latest version.
16. Contacting NYANDA SACCO
For questions, requests, or complaints regarding this Privacy Policy, please contact:
Data Protection Officer
NYANDA SACCO
P.O. Box 1381 – 20300
Nyahururu, Kenya
Tel: +254 794 075 349 / +254 727 286 219
Email: info@nyandasacco.co.ke
17. Right to Lodge a Complaint
If you are dissatisfied with how your data is handled, you may lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at: https://www.odpc.go.ke.