Effective Date: 15th January, 2023

The following document lays out the terms and conditions regarding the Privacy Policy for the product which is owned and operated by KoaSave Africa Ltd and its affiliates (hereby referred to as “Lotus” and/or “Koa”).


In its everyday business operations, Koa makes use of a variety of data about identifiable individuals. In collecting and processing this information Koa is required to comply with the Right to Privacy as stated in Article 31 of the Constitution of Kenya, 2010, the Data Protection Act, 2019 and the National Payment System Act (collectively referred to as the “Data Protection Laws”). The purpose of this policy is to describe the steps that Koa is taking to ensure compliance with the law. This policy applies to all systems, people and processes that constitute Koa’s information systems, including management, employees, consultants, clients, suppliers and other third parties who have access to Koa’s systems. Any breach of the Data Protection Act 2019 or our Data Protection Policies is a serious matter and could lead to disciplinary action or, in extreme cases, criminal proceedings. Other agencies and individuals working with us who have access to personal information held by us are required to comply with this policy. The following policies and procedures are part of this policy:

  • Terms & Conditions
  • Data Retention Policy
  • Cookie Policy

(Collectively referred to as our Policies).

Definitions

Act means the Data Protection Act, No. 24 of 2019 Laws of Kenya and the relevant Regulations thereunder.

Anonymization means the removal of personal identifiers from personal data so that the data subject is no longer identifiable.

Consent means any voluntary, specific and informed expression of will of a data subject to process personal data.

Data Commissioner means the person appointed under the Data Protection Act, 2019.

Data subject means an identified or identifiable natural person who is the subject of personal data.

Identifiable natural person means a person who can be identified directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Koa means Koasave Africa Limited, a limited liability company duly incorporated in accordance with the laws of Kenya with its registered address at Ten Metropolitan Estate, Riverside Drive and of P.O. Box 41911-00100 Nairobi.

Koa Platform means the digital financial solutions platform that enables Users to access our digital web application that provides them access to banking and financial services.

Personal data means any information relating to an identified or identifiable natural person.

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:

  • collection, recording, organization, structuring;
  • storage, adaptation or alteration;
  • retrieval, consultation or use;
  • disclosure by transmission, dissemination, or otherwise making available; or
  • alignment or combination, restriction, erasure or destruction.

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, where such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Sensitive personal data means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, sex or the sexual orientation of the data subject, marital status, family information such as the names of their children, spouse or spouses, and property information.

Third party means a natural or legal person, public authority, agency or other body, other than the data subject, data controller, data processor or persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.

Description of types of data retained

In its day-to-day functions Koa retains data about:

  • customers;
  • customers’ businesses;
  • current, past and prospective employees and consultants;
  • stakeholders; and
  • other third parties who interact with Koa.

The information we retain may include:

  • names;
  • telephone numbers;
  • physical addresses;
  • copies of identification documents;
  • passport information;
  • KRA PIN certificates;
  • medical bio data of our employees/consultants;
  • gender;
  • ethnicity;
  • history of conviction;
  • sexuality;
  • race;
  • education and professional qualifications;
  • marital status;
  • family information;
  • financial information.

Data privacy is critically important to us. When handling personal data, we apply the following fundamental principles:

  • We do not ask for personal information unless we truly need it.
  • We do not share personal information with anyone except to comply with the law, develop our products, or protect our rights.
  • We do not store personal information on our servers unless required for the on-going operation of one of our services.

Sensitive personal data

Koa collects sensitive personal data such as data revealing an individual’s biometric data, property details, marital status, family details including the names of the person's children, parents, spouse or spouses, sex or sexual orientation. Where we collect sensitive data, the data shall be processed in accordance with the law and under the legally provided grounds set out below.

Protection of personal data & rights of data subjects

As Koa, we will ensure that we support the rights of persons whose personal data we collect. These rights include the right:

  • to be informed of the use to which data subject’s personal data is to be put;
  • to access data subject’s personal data in our custody;
  • to object to the processing of all or part of data subject’s personal data;
  • to correction of false or misleading data; and
  • to delete false or misleading data about data subjects.

Principles for data protection

The Act provides principles for data protection. It requires Koa to ensure that personal data is:

  • processed in accordance with the right to privacy of the data subject;
  • processed lawfully, fairly and in a transparent manner in relation to any data subject;
  • collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
  • adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;
  • accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
  • kept in a form which identifies the data subjects for no longer than is necessary for the purposes which it was collected;
  • released to a third party only with the consent of the data subject; and
  • not transferred outside Kenya unless there is proof of adequate data protection safeguards or consent from the data subject.

Koa will ensure that it complies with all of these principles both in the processing it carries out and as part of new methods of processing such as new IT systems.

Exercise of the rights of the Data subject

In order to exercise any of the rights of the data subject Koa has in place procedures to enable you to do the following:

  • access personal data held by Koa;
  • object to processing of personal data by Koa;
  • correct or delete false or misleading data held by Koa;
  • restrict the processing of personal data;
  • request data portability;
  • share and/or lodge complaints; and
  • get information on automatic individual decision making.

To access the procedure please contact the officer in charge at the following email

How do we use the personal data we collect?

We use information we collect in the following ways:

  • to facilitate your access to Koa’s Platform;
  • billing you for using our services;
  • responding to any of your queries or concerns;
  • quality control and ensuring maintenance of optimal business and system operations;
  • for the purpose of management of our employees; and
  • for purposes of management of contracts with Third Parties.

We may associate one or more categories of information with any other category of information that we see fit to and this combined information will be treated as personal data in accordance with the provisions set out in this policy, for as long as it is combined.

Processing of personal data

Koa will process the personal data we collect based on a lawful basis allowed under Data Protection Laws being:

  • with the data subject’s consent;
  • for the performance of a contract, namely providing services through Koa’s Platform or fulfilling contractual obligations with the data subject;
  • to support our legitimate business interests;
  • in compliance with a mandatory legal obligation;
  • in the vital interests of the data subject; and
  • public interest.

Disclosure of personal data

Koa will not share personal information with any other individual or Third Party except in the following cases:

  • where we have obtained the data subject’s consent;
  • for legal reasons, where there is a court order or a legal obligation which we have to comply with; or
  • where it is necessary for public interest or national security.

Where we share personal data in the cases listed above we take all necessary steps to ensure that: the data is processed lawfully, we only disclose what is necessary, and the data is kept secure and all safeguards are put in place to ensure its protection.

Data Retention Policy

We only retain personal data for as long as it is necessary to do so in line with the provisions of Data Protection Laws. Once it is no longer necessary to retain the data we anonymize or pseudonymize the personal data. We ensure that we retain and maintain all relevant records in a manner that is: secure, confidential, accurate and up to date. How we handle data retention is more elaborately explained in our Data Retention Policy.

Exercise of Rights of the Data Subject

Every data subject has the right to:

  • be informed of the use to which their personal data is to be put;
  • access their personal data in custody of data controller or data processor;
  • object to the processing of all or part of their personal data;
  • correction of false or misleading data; and
  • deletion of false or misleading data about them.

In order to comply with these requirements, Koa has established the following procedures:

  • procedure for access to personal data;
  • procedure for objection to processing of personal data; and
  • procedure for correction and deletion of false or misleading data.

These procedures can be found in the Data Requests Procedures Manual.

Data Security

Koa is dedicated to keeping personal data secure. We shall endeavor to keep an up to date security procedure which shall include:

  • use of HTTPS for all communications with our servers;
  • storage in services which are encrypted at rest;
  • limiting access authorizations to the database and database systems including physical storage systems;
  • instructions to authorized users of the database, database systems and physical storage systems regarding the protection of data stored in the database;
  • clear instructions concerning the management and usage of portable devices;
  • carrying out periodic audits to ensure Koa complies with Data Protection Laws and policies; and
  • periodical audits to ensure the data held is accurate and up to date.

Data Breach

At Koa we ensure that we take all possible steps to safeguard all personal data that we store. However, in the event that there is a breach on our system and personal data has been accessed by an unauthorized person and there is real risk of harm to the data subject we shall:

  • take immediate action to contain and stop the breach.
  • notify the Data Commissioner within seventy-two (72) hours of becoming aware of the breach.
  • where we can identify the data subject, we will communicate to them in writing within a reasonably practicable period. This communication may be limited where it is necessary and appropriate for purposes of prevention, detection or investigation of an offense.

The notification above will contain:

  • description and nature of the data breach;
  • description of the measures we have taken and intend to take to address the data breach;
  • recommendation on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise;
  • (where applicable) the identity of the unauthorized person who may have accessed or acquired the personal data; and
  • the name of the officer from whom more information could be obtained.

When a breach occurs we record the information, particularly: facts relating to the breach, effects of the breach, and the remedial action to be taken. We shall maintain a record of all security incidents at all times.

Data Protection Impact Assessment

At Koa we will undertake a Data Protection Impact Assessment (DPIA) whenever a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing.

The DPIA will follow the following phases:

Phase 1 detailed listing of the data processing including: the data to be used, the legal basis and the retention periods applied to the data.

Phase 2 identify the legal and risk treatment controls which are currently implemented. This phase involves the current and existing set of measures from a legal, technical, physical and business point of view.

Phase 3 list the risk sources to the data processing.

Phase 4 analyze and list potential negative events and threats to the data processing focusing on data subjects’ personal data, and potential impact of the new processing.

Phase 5 write and present a report that summarizes the analysis, the current controls, the risks to the business and the threats to personal data.

Transfer of personal data outside Kenya

We may transfer any identifiable personal data about a data subject outside Kenya. In the event that we are required to transfer any data outside of Kenya, we shall ensure that we seek the necessary consent from you (where necessary). Any transfer of data will be done with adequate safeguard measures put in place to ensure that there is no risk of a data breach.

Complaints handling

All complaints from data subjects regarding the way data is handled will be forwarded to

A complaint can be made either orally or in writing but where an oral complaint is made the designated officer will as soon as practicable reduce the oral complaint into writing.

We will investigate every complaint that we receive and get back to you within 14 days of receiving the complaint.

If you are not satisfied with the findings you have the right to appeal or to lodge a complaint to the Data Commissioner established under the Act.

Changes to our Policies

We reserve the right to update or change our Policies at any time and you should check our Website periodically. Your continued use of our services after we post any modifications to our Policies on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Policies.

If we make any material changes to our Policies, we will notify you either through the email address you have provided us, or by placing a prominent notice on our website or at our office.