AAR’s Privacy Centre

We appreciate the trust you have in us. Keeping your privacy safe is a top priority for AAR Insurance Kenya, and we are committed to ensuring the security of your personal details. You can find more details about how we gather, manage, and utilize your information in our Privacy Center.
AAR Insurance Company Limited (“AAR”, “We” “Us” “Our”) is committed to processing your personal information in a lawful, fair and transparent manner and in accordance with data protection laws applicable in Kenya.

This Privacy Policy outlines how we collect, use, disclose, and protect personal information in connection with our services, including processing your medical and general insurance covers.
AAR is a leading medical and general insurance company, providing innovative underwriting solutions to individuals, families, and businesses. We offer products ranging from Family Plans, Personal Accident Insurance, School Insurance, Homeowners Insurance, Medical Insurance for SME’s and Corporates, Professional Indemnity, WIBA Cover, Travel Insurance, Marine Insurance and Landlord Insurance and related insurances.
 
Our offices are located at Real Towers, Upperhill, Nairobi, Kenya.
This Privacy Policy applies to the personal data of:
  • Prospective policyholders, their dependents and/or next of kin
  • Policyholders and their dependents and/or next of kin
  • Visitors to the company premises
  • Website/Mobile App Users
By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Policy.
In this Privacy Policy, “personal data” refers to any information that relates to an identified or identifiable individual. This includes, but is not limited to, identification details such as names, ID/Passport and nationality; contact details such as telephone numbers and email address; new member application details, for example, for medical insurance, information contained in membership application and claims forms and, for non-medical insurance, information contained in application forms and claims forms relating to travel insurance, home insurance and professional indemnity; and any other data that can be used to directly or indirectly identify an individual.

Personal data may also include sensitive information, such as racial or ethnic origin, religious beliefs, health information (such as medical history), family information including children’s information, biometric data (such as fingerprint data collected when processing a health claim), property records, financial information (such as bank account details or statements of account, utilisation reports, premiums payable etc).
AAR collects Personal Data directly from you as well as from other available sources to the extent permitted by law.  AAR endeavours only to collect Personal Data that is necessary for the purpose(s) for which it is collected and to retain such data for no longer than necessary for such purpose(s).
Subject to applicable law and practice, the categories of Personal Data that are typically collected and processed are: –

Category of data subject and type of personal data collected:

Prospective Policyholders (Medical and Non-Medical)
  • Identification details: name of the proposer, ID/Passport, gender, nationality, marital status.
  • Contact details: telephone number, email address, postal address, postal code.
  • Medical Insurance Details: –
    • Information contained in the Membership Application form i.e., current permanent address, KRA PIN, occupation/nature of business, source of income, spouse and dependents details i.e., name, date of birth, height, and weight, confidential medical history, cover option, weight and height, next of kin details i.e., relation with applicant.
    • Information contained in quotations.
    • Medical Tests: data revealing past, present or future state of physical or mental health of an individual (for prospective members above 45 years with underlying medical conditions)
    • Reasons for disapproving prospective member(s)’ application.
    • Information contained in the list of members (for Corporate Clients and SME’s employees)
  • Non-Medical Insurance: –
    • Information contained in Non-Medical Insurance Application Forms such as travel insurance, personal accident, home insurance, professional indemnity, Landlord Insurance.
    • Information contained in quotations.
  • Passport photos
  • Correspondence: Email/Phone calls/SMS
  • Online identifiers i.e., cookies and IP addresses
  • CCTV footage (when you visit our premises)

Policyholders (Medical and Non-Medical)
  • Identification details: name of the proposer, ID/Passport, gender, date of birth, nationality.
  • Contact details: telephone number, email address, postal address, postal code.
  • Medical Insurance Details: –
    • Information contained in Member Application form: current permanent address, KRA PIN, occupation/nature of business, source of income, spouse and dependents such as name, date of birth, height, and weight, confidential medical history, and next of kin details such as name, contact details and relationship to the applicant.
    • Information contained in list of members (Corporate and SME’s employees)
    • Information contained in medical policy covers
    • Claims details: pre-authorisation, admission and treatment details i.e., membership number, diagnosis and treatment notes, prescription, biometrics (like fingerprints), attending doctor’s name and signature.
    • Medical Cards
    • Scheme renewal details: information contained in scheme renewal forms, copies of children’s birth certificates, proof of guardianship.
    • Information required to reimburse members i.e., invoices, treatment notes, diagnosis.
  • Non-Medical Insurance: –
    • Information contained in non-medical insurance forms such as Travel Insurance, Home Insurance, Personal Accident forms, Professional Indemnity, Landlord Insurance
    • Information contained in non-medical insurance policy covers.
    • Claims details: nature of claim, investigation results, claims payment details, reasons of disapproving claims and adjustment of payment details.
    • Policy covers renewal details.
  • Payment details: KRA PIN, bank account details, premiums payable, information contained in cash receipts and invoices.
  • Information required to onboard members to the wellness program i.e., confidential medical history.
  • Passport Photos.
  • Customer complaints/Queries/Complaints submitted through email, phone calls or through the website, social media or mobile app.
  • Online identifiers such as cookies and IP addresses
  • CCTV footage (when you visit our premises)

Agents and Brokers
  • Please refer to the Agents and Brokers Privacy Policy

Third-party Service Providers (Medical Service Providers, Loss Assessors, Loss Adjusters, Investigators)
  • Please refer to Third Party Service Providers Privacy Policy

Job Applicants
  • Please refer to the Job Applicants Privacy Policy

Office Visitors
  • Contact details: phone number.
  • Identification details: name, ID, car registration number
  • CCTV records
  • Complaints/requests

Website/App Users
  • Identification details: name, date of birth, ID/Passport
  • Contact details: phone number/email address.
  • Information contained in online medical and nonmedical forms (when you apply insurance cover through our website or Mobile App)
  • Online identifiers such as cookies and related tags, IP addresses

Category of Data Subject, How we Collect Your Personal Data, Purpose of Collection and Lawful Basis for Collection:

Prospective Policyholders
How we collect your personal data:
  • Directly from you when you fill out our data collection forms or when you call or email us.
  • Indirectly through:
    • agents/brokers
    • your employer when they enroll you onto our medical scheme
    • website or social media sites such as Facebook, Instagram, X (formerly known as Twitter)
    • when you visit our premises
Purpose of collection:
  • Assess your eligibility to onboard you onto the medical scheme or other non-medical covers.
  • Assess your eligibility for payment plans and process your premium and other payments.
  • To facilitate the issuance of policy documents
  • Comply with legal process and respond to requests from public and governmental authorities (including those outside your country of residence).
  • Establish and defend legal rights.
  • Pursue available remedies or limit our damages.
  • Provide marketing information to you (including information about other products and services offered by selected third-party partners) in accordance with the preferences you have expressed.
Lawful basis for collection:
  • Legitimate interests
  • Legal Obligation
  • Consent

Policyholders
How we collect your personal data:
  • Directly from you when you fill out our data collection forms or when you call or email us.
  • Indirectly through:
    • our third-party service providers such as our claims processing providers, SMART, M-TIBA, agents/brokers, Loss Assessors/Adjustors, Investigators, and medical service providers
    • your employer when they enroll you onto our medical scheme.
  • Website or social media sites such as Facebook, Instagram, X (formerly known as Twitter)
Lawful basis for collection:
  • Contract
  • Consent
  • Legal Obligation
  • Legitimate Interests
Purpose of collection:
  • To provide you with medical insurance services such as inpatient and outpatient services i.e., consultation, laboratory investigations, drugs administration and dispensing, dental healthcare services, radiological examinations, nursing and midwifery services, surgical services, radiotherapy and physiotherapy services
  • To facilitate payment of medical services
  • To make reimbursement for medical claims
  • To offer you our nonmedical products such as personal accident, travel insurance, home insurance, professional indemnity, AIK protect cover, landlord insurance, marine insurance, school insurance, etc.
  • To determine whether you qualify for a specific non-medical by engaging the services of an independent assessor, investigator, loss assessor, and adjusters
  • To facilitate handling and resolution of medical-related complaints
  • To obtain consent to process your children and sensitive personal data.
  • To use your personal data to provide marketing information to you (including

In some cases, if you choose not to provide certain personal data requested by us, it may impact our ability to fully provide you with the requested products, services, or information. The specific consequences of not providing personal data will depend on the context and the purpose for which the data is requested.

For example, if you are a prospective policyholder and you do not provide contact details or other necessary information, we may not be able to effectively communicate with you, provide relevant product information, or process your inquiries. Similarly, if you are a policyholder and fail to provide required identification or payment details, it may hinder our ability to fulfil contractual obligations or complete necessary financial transactions.

We encourage you to carefully consider the personal data requested and its importance for the intended purposes. If you have concerns about providing certain information, please contact us to discuss your specific circumstances and requirements.
We may share your personal data within the company to facilitate our internal operations and provide you with efficient products and services.

We may share your personal data with third parties in the following circumstances:
    • Service Providers: We may engage third-party service providers to perform various services on our behalf, such as our medical claims providers i.e. MTIBA and SMART, medical service providers, accountants, actuaries, loss assessors/adjusters, claims investigators, auditors, outsourced legal service providers, travel agencies, re-insurance service providers, call center service providers; IT systems support and hosting service providers, printing, advertising, marketing and market research and analysis service providers; banks and financial institutions that service our accounts, document and records management providers, construction consultants, engineers and document storage providers. These service providers will have access to your personal data as necessary to perform their functions but are strictly prohibited from using your personal data for any other purposes.
    • Business Partners: We may share your personal data with trusted business partners who collaborate with us to provide products or services to you. These partners may use your personal data only for the purposes specified in our agreement with them.
    • Legal Obligations: We may disclose your personal data if required to do so by law or in response to a valid legal request, such as a court order or government inquiry or with insurance regulators, tax auditors or other authorities when we believe in good faith that the law or other regulations requires us to share this data.
    • Corporate Transactions: In the event of a merger, acquisition, or any form of corporate restructuring, we may transfer your personal data to the involved parties, if they agree to treat your personal data in accordance with this privacy policy and data protection laws.
    • Consent: We may share your personal data with third parties if you have given us explicit consent to do so. You have the right to withdraw your consent at any time.
When sharing your personal data with third parties, we prioritise the security and confidentiality of your information. We take stringent measures to ensure that these parties comply with strict data protection standards and handle your personal data in accordance with our instructions.

We carefully select and evaluate third-party service providers, business partners, and other recipients of your personal data. We enter into contractual agreements with these parties, imposing obligations to protect your personal data and restricting their use of the information solely for the specified purposes outlined in our agreement. Furthermore, we require these third parties to implement appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration, or destruction of your personal data.
We understand the importance of keeping your personal data secure and take appropriate measures to protect it against unauthorised access, loss, misuse, or alteration. We have implemented robust security measures to ensure the confidentiality, integrity, and availability of your information, including: –
  • Technical Safeguards: To protect your information during transmission, we utilise industry-standard encryption protocols, ensuring the confidentiality of your data. Our secure network infrastructure incorporates firewalls, intrusion detection systems, and other security measures to prevent unauthorised access and mitigate external threats. Additionally, access controls are in place, restricting data access to authorised individuals through unique user credentials, strong passwords, and role-based privileges. Regular data backups and recovery processes are performed to maintain data integrity and availability.
  • Organisational Safeguards: Our commitment to data security extends to our employees and third-party service providers. Strict confidentiality agreements bind them, emphasising the importance of maintaining the security and confidentiality of your personal data. Regular training programs are conducted to educate employees on data protection best practices, security protocols, and their responsibilities. Access controls and authorisation mechanisms ensure that only authorised personnel can access your data. We have established comprehensive data protection policies and procedures to guide the proper handling, storage, retention, and disposal of personal data. In the event of any security incidents, our incident response plan enables swift identification, mitigation, and notification, as well as measures to prevent future occurrences.
While we continually enhance our security measures, it is important to note that no security measure can provide absolute protection. However, we are dedicated to maintaining the highest possible standards of data security and will continue to invest in measures to safeguard your information.

If you suspect any misuse or loss of or unauthorised access to your personal data, please let us know immediately by sending us an email at privacy@aar.co.ke.
We retain your personal data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy, or as required by applicable laws and regulations. 

Once the retention period expires, we securely delete or anonymise your data to ensure it is no longer identifiable or accessible. 

The retention periods for each category of data subjects and their respective personal data may vary based on the specific circumstances and legal requirements. Here are some general guidelines regarding data retention: 
  • Prospective Policyholders: We retain your personal information as outlined in Clause 5 of this Privacy Policy for a period of two (2) years from the date of collection or until consent is withdrawn. This allows us to maintain effective communication, improve our marketing strategies and fulfil the purposes outlined in this Privacy Policy.

  • Policyholders: We retain your personal information as outlined in Clause 5 of this Privacy Policy for the duration of your policy with AAR and seven (7) years thereafter. However, such retention may be subject to any legal or regulatory requirements, further processing for historical, statistical, journalistic, literature, art or research purposes, or any consent you give for longer retention periods. Where we collect information based on consent, we retain your information until you withdraw your consent.

  • Website Users and Visitors to the Company premises: If you are a Website/Mobile App User or a visitor to the company premises, we will retain your personal data for as long as it is necessary, which duration we have determined to be one (1) year, to achieve the purpose stipulated in clause 6. If this time has come or you have expressly indicated that you are not interested in our website or mobile app services anymore, we will delete it from our systems unless we believe in good faith that the law or other regulation requires us to preserve it for example because of our obligations
The Data Protection Act accords you with several rights over your data. 
  • right to information: you have a right to be informed of how AAR will use your personal data.
 
  • right of access: you are entitled to access your personal data that is in our possession or custody.
 
  • right to object: you can object to the processing of all or part of your personal data, unless we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.
 
  • right to rectification: you have the right to request us to rectify or correct, without undue delay, personal data in our possession or under our control that is inaccurate, outdated, incomplete or misleading.
 
  • right to erasure: you can request us to delete or destroy, without undue delay personal data that we are no longer authorised to retain, or which is irrelevant, excessive, or obtained unlawfully.
 
  • right to data portability: you have the right to receive personal data concerning you in a structured, commonly used and machine-readable format and to transmit the data to another data controller without hindrance and, where technically possible, to have personal data transmitted directly from us to another data controller or data processor.

  • automated decision making: you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning or that significantly affects you. AAR may from time to time make decisions based on the automated processing of your personal data. In such instances, you will be informed, in writing, whenever a decision based on automated processing is taken. In addition, you can request us to reconsider any decisions made based on automated processing or to take a new decision that is not based solely on automated processing.

  • right of restriction: you have the right to request us to restrict the processing of personal data where: –
    • you contest the accuracy of the personal data
    • the personal data is no longer required for the purpose of the processing
    • the processing is unlawful, or you have opposed the erasure of the personal data and requested for restriction of its use instead.
    • you have objected to the processing of personal data, pending verification as to whether the legitimate interests of the data controller or data processor override those of the data subject.

  • right to raise a complaint: You can raise a complaint about our processing with the Regulator i.e., the Data Commissioner in Kenya. You may also be able to seek a remedy through the courts if you believe that your rights have been breached.
 

If you wish to exercise any of the rights above, please contact us on privacy@aar.co.ke. We will seek to deal with your request without undue delay and in any event in accordance with the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021.

To ensure the security and accuracy of the personal data we provide, we may request additional information and verification of your identity. This is necessary to confirm that we are releasing the data to the rightful owner.

While we strive to fulfil all valid requests, there may be cases where we are unable to comply. If such a situation arises, we will inform you of the reasons for our inability to fulfil your request.
As part of our business operations, we may transfer personal data to recipients located in countries outside Kenya.

We are committed to ensuring that any transfer of personal data outside of Kenya complies with the provisions set forth by the Data Protection Act, 2019.

 We prioritise the security and protection of your personal data throughout the transfer process. Therefore, we have implemented the following policy regarding international data transfers: 
  • Appropriate Safeguards: Before transferring personal data to another country, we ensure that we have appropriate safeguards in place to ensure the security and protection of your data. These safeguards may include technical, organisational, and legal measures to uphold data privacy standards. We will document these safeguards and provide proof to the Data Commissioner as and when required.
 
  • Legal Grounds: We will only transfer personal data outside of Kenya when it is necessary and lawful. This includes situations where the transfer is required for the performance of a contract between you and AAR, the establishment, exercise, or defense of legal claims, the protection of vital interests, matters of public interest, or compelling legitimate interests that are not overridden by your rights and freedoms.
 
  • Consent and Sensitive Data: If the transfer involves sensitive personal data, we will obtain your explicit consent and confirmation of appropriate safeguards before processing such data outside of Kenya.
 
  • Data Commissioner Oversight: We acknowledge the authority of the Data Commissioner to request demonstrations of the effectiveness of security safeguards or the existence of compelling legitimate interests prior to the transfer of personal data. We will cooperate with the Data Commissioner and comply with any conditions or restrictions imposed to protect the rights and fundamental freedoms of data subjects.

We are committed to maintaining the privacy and security of your personal data, regardless of its location. If you have any questions or concerns regarding our international data transfer practices, please contact our Data Protection Officer (DPO) at privacy@aar.co.ke. We will strive to address your inquiries and provide you with transparent information regarding the transfer of your personal data outside of Kenya.


 A “cookie” is a bite-sized piece of data that is stored on your computer’s hard drive. They are used by nearly all websites and do not harm your system. We use them to track your activity to help ensure you get the smoothest possible experience when visiting our website. We can use the information from cookies to ensure we present you with options tailored to your preferences on your next visit. We can also use cookies to analyse traffic and for advertising purposes.

If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings. However, rejecting all cookies through your browser’s privacy settings means that you may not be able to take full advantage of all our website’s features.

For more information generally on cookies, including how to disable them, please refer to aboutcookies.org. You will also find details on how to delete cookies from your computer.
If you have any comments, questions or complaints, you can email us on privacy@aar.co.ke or contact us via our social media platforms such as Facebook, Twitter, Instagram, LinkedIn or through our WhatsApp platform. You may also contact us by writing to us on the following address: –

Data Protection Officer 
Real Towers Upperhill 
P.O. Box 41766 – 00100 
Nairobi, Kenya. 

Tel: +254 703 063 000, +254 730 633 000, +254 202 895 000
Website: https://aarinsurance.com/ke.
As a data subject, it is important that you understand and fulfil certain responsibilities to ensure the protection and privacy of your personal data.

By providing your personal data to AAR you agree to adhere to the following responsibilities: 
  • Accuracy and Updates: You are responsible for providing accurate and up-to-date personal data to the Company. Please inform us promptly of any changes or updates to your contact details or other relevant information.
 
  • Third-Party Data: If you give us personal data of third parties, such as family members or associates, next of kin or your dependents, it is your responsibility to ensure that you have obtained the necessary consent or authority to share their information. Inform these individuals about the processing activities and possible international transfers of their data.
 
  • Exercise of Rights: If you wish to exercise your rights with respect to your personal data, including the rights of access, rectification, erasure, objection, or data portability, please follow the procedures outlined in our Privacy Policy. We may require additional information or verification to process your request and ensure the security and confidentiality of your data.
 
  • Reporting Concerns: If you have any concerns or complaints regarding the processing or transfer of your personal data, please contact our designated Data Protection Officer (DPO) at privacy@aar.co.ke. We appreciate your feedback and will promptly address any issues raised.
We may periodically update or revise this Privacy Policy to ensure its alignment with legal requirements and our evolving business practices. We encourage you to review this Policy periodically to stay informed about how we handle your personal data.

If we make any material changes to this Policy, we will notify you through appropriate means, such as by posting a notice on our website or sending a direct communication. Your continued use of our services after the effective date of any revised Privacy Policy constitutes your acceptance of the revised Policy.

We recommend that you regularly check this Privacy Policy to stay updated on any changes. If you disagree with any modifications to this Policy, you should discontinue using our services and contact us to exercise your rights or request the removal of your personal data, as outlined in this Policy. 

Welcome to the AAR’s Job Applicant Privacy Policy. We appreciate you taking time to read all our notices carefully.

AAR Insurance Limited (“AAR”, “We” “Us” “Our”) is committed to processing your personal information in a lawful, fair and transparent manner and in accordance with data protection laws applicable in Kenya.


This job applicant privacy policy outlines the types of information we collect, how we use and protect it, and the rights of job applicants in relation to their personal data.

 

AAR is a leading medical and general insurance company, providing innovative underwriting solutions to individuals, families, and businesses. We offer products ranging from Family Plans, Personal Accident Insurance, School Insurance, Homeowners Insurance, Medical Insurance for SME’s and Corporates, Professional Indemnity, WIBA Cover, Travel Insurance, Marine Insurance and Landlord Insurance.
Our offices are located at Real Towers, Upperhill, Nairobi, Kenya.

This Job Applicant Privacy Policy applies to all personal information collected, processed, and stored by the Company during the job application and recruitment process. It encompasses all stages of recruitment, including the submission of applications, interviews, assessments, and background checks.


This policy applies to all job applicants, whether they apply through our website, email, or any other method.


This policy does not cover the privacy practices of third-party websites or services that may be linked to or accessible through our website. We encourage you to review the privacy policies of those third parties before providing any personal information.


By submitting your application and personal information, you acknowledge that you have read and understood this Job Applicant Privacy Policy.

In this Job Applicant Privacy Policy, "personal data" refers to any information that relates to an identified or identifiable individual. This includes, but is not limited to: identification details (e.g., name, ID/Passport), contact details (e.g., name, address, phone number, email address), professional information (e.g., resume/CV, employment history, educational background, qualifications) and references and recommendation letters.


It is important to note that personal data may be collected and processed in both electronic and physical formats, and includes information collected through online application systems, email communications, interviews, assessments, and other relevant interactions during the recruitment process.

In the context of this Job Applicant Privacy Policy, "processing" refers to any operation or set of operations performed on personal data, whether automated or manual.


Processing includes, but is not limited to, the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction of personal data.


Processing of personal data occurs throughout the entire job application and recruitment process, starting from the initial submission of the application until the final decision regarding the job applicant's suitability for the position.

As part of our recruitment process, we collect and process personal data relating to Job Applicants: -

Type of information collected: Identification details: name, ID no/passport number
Purpose for collection:
  • To identify and verify job applicants.
  • To comply with legal requirements for employment verification
Lawful reason: Lawful obligations

Type of information collected: Contact details: telephone number, personal email address, postal address.
Purpose for collection:
  • To communicate with job applicants regarding the application process
  • To schedule interviews and assessments
  • To provide updates on the application process
Lawful reason: Legitimate interests

Type of information collected: Education & Work History: Information contained in CVs and Cover Letters, Academic and professional certificates
Purpose for collection:
  • To assess the qualifications, skills, and experience of job applicants.
  • To evaluate suitability for the applied.
Lawful reason: Legitimate Interests

Type of information collected: Interviews: interview dates, responses given during job interview, interview notes
Purpose for collection:
  • To assess the job applicant's responses, qualifications, and suitability for the role
  • To evaluate suitability for the applied.
Lawful reason: Legitimate Interests

Type of information collected: Background search results including police clearance certificates and references from former employers, psychometric test results, information from referees
Purpose for collection:
  • To verify information provided by the job applicant
  • To assess the job applicant's suitability, performance
  • To comply with Occupational Health and Safety requirements
Lawful reason: Consent; Legitimate Interests; Legal Obligation

Type of information collected: CCTV footage when you visit our offices
Purpose for collection:
  • To secure company premises and assets.
  • To monitor and ensure the safety and security of the workplace
Lawful reason: Legitimate interests

Type of information collected: Car Registration Details (if you visit our Company with a car)
Purpose for collection:
  • To manage parking facilities and ensure security on company premises
Lawful reason: Legitimate interests

Type of information collected: Correspondence: Any correspondence with job applicants through emails or phone calls
Purpose for collection:
  • To communicate with job applicants regarding the application process
  • To address inquiries and provide information
Lawful reason: Legitimate Interests

Type of information collected: Online identifiers i.e., IP addresses, cookies, usernames etc.
Purpose for collection:
  • To monitor and improve website functionality and user experience
  • To detect and prevent fraudulent activities
Lawful reason: Consent (where applicable); Legitimate Interests



Please note that the lawful basis for collection may vary depending on applicable data protection laws and the specific circumstances of data processing.



The Company does not usually request information regarding your race, ethnicity, political opinions, religion and religious beliefs, trade union membership, details of your spouse or children, sexual orientation, or political affiliation as part of your application. Unless specifically responding to a question, please do not include this type of personal data. If we require this information in connection with your application, we will inform you of the reasons and lawful basis for the collection.


If you fail to provide the required information or provide inaccurate or incomplete information, it may hinder our ability to properly evaluate your application. This could result in the rejection of your application or the inability to proceed with the recruitment process.

We get information about you from the following sources:-

Directly from you: -

  • when you submit your CV and cover letter to us electronically, or in hard copy format when you present your application to our offices in person.
  • during the interview process, which may take place in person or through video conferencing platforms.
  • after the interview process for successful candidates

Indirectly: -

  • from our recruitment or employment agents and head-hunter firms
  • from our background check services providers.
  • from your employment references.
  • From our website where we collect online identifiers such as cookies, IP address, domain names, information about pages you view on our website including but not limited to links clicked, traffic data and features used.
  • when you access our premises through CCTV Cameras.
  • when you interact with our website or other social media platforms such as LinkedIn or other publicly available professional networking platforms.
  • from social media platforms such as Facebook, Instagram, LinkedIn, Twitter (X), and YouTube (in this case we collect cookies and online identifiers).

Where we collect information from social media platforms, we shall adhere to the platform’s terms and your privacy settings.

We will only contact you if your settings and the terms of use permit us to do so.

We retain the personal information of unsuccessful job candidates for a period of three (3) years from the date of the decision or completion of the recruitment process. This retention period allows us to defend ourselves in case of any legal claims or disputes that may arise.

For successful job candidates who are hired, we retain their personal information for the duration of their employment with our company and for a period of three (3) years after the termination of their employment. This extended retention period ensures compliance with legal, contractual, and regulatory requirements, as well as for potential reference purposes.

During the retention period, appropriate measures will be taken to protect the personal information from unauthorised access, use, disclosure, alteration, or destruction.

After the expiration of the respective retention periods, we will securely dispose of or anonymise the personal information in a manner that complies with applicable data protection laws and regulations.

To fulfill the purposes outlined in clause 6 of this Privacy Policy, your data may be transferred via our IT cloud systems (AWS) whose servers are in the Western Europe region.

We will only transfer your personal data outside Kenya where such transfer is compliant with the provisions of the Data Protection Act 2019 and the Data Protection (General) Regulations, 2021.

To ensure that your personal data receives adequate levels of protection, we carefully select third party services providers who can provide sufficient guarantees regarding adequate security measures to safeguard your personal information.

We take care to ensure your personal data is only accessed by authorised individuals.

We may share your Personal Data in the following ways:

  • With third party service providers and agents: We may make certain Personal Data available to third parties who provide services to us such as our human resource management software, background checks and psychometric service providers, headhunter firms, cloud service providers, and recruitment service providers. When we share with these third parties, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of the Personal Data.
  • With other third parties: We may also share your information with other types of third parties, such as our legal representatives, industry groups or self-regulatory bodies, on lawful grounds. For example:
    • with your consent.
    • to comply with our legal obligations (including to comply with laws, regulations, and contracts, to respond to court orders, administrative or judicial process and search warrants, or to meet national security and law enforcement requests);
    • to establish, exercise, or defend against potential, threatened, or actual litigation.
    • to protect the safety, property, or vital interests of a person.
    • to protect AAR’s rights or property.
    • to protect AAR, our other employees, customers, or the public from harm or illegal activities.
    • to respond to an emergency that we, in good faith, believe requires us to disclose data to prevent harm; and
    • in connection with the sale, assignment, merger, or other reorganisation or transfer of all or part of our business.

AAR has taken appropriate technical, administrative, physical and procedural security measures, consistent with local and international information practices, to protect the personal data from misuse, unauthorised access or disclosure, loss, alteration, or destruction. These measures include:

  • Physical safeguards, such as locked doors and file cabinets, controlled access to our facilities, and secure destruction of media containing personal data.
  • Technology safeguards, such as use of anti-virus and endpoint protection software, passwords, encryption, and monitoring of our systems and data centres to ensure compliance with our security policies.
  • Organisational safeguards, through training and awareness programs on security and privacy, to ensure employees understand the importance and means by which they must protect personal data, as well as through privacy policies and policy standards that govern how AAR treats personal data.

If you suspect any misuse, loss, or unauthorised access to your personal data, please let us know immediately by sending us an email on privacy@aar.co.ke.

12.1 The Data Protection Act accords you several rights. However, these rights are not absolute and may be subject to some exceptions according to the data protection law.

  • Right to information: you have a right to be informed of how AAR will use your personal data.
  • Right of access: you are entitled to access your personal data that is in our possession or custody.
  • Right to object: you can object to the processing of all or part of your personal data, unless we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.
  • Right to rectification: you have the right to request us to rectify or correct, without undue delay, personal data in our possession or under our control that is inaccurate, outdated, incomplete or misleading.
  • Right to erasure: you can request us to delete or destroy, without undue delay, personal data that we are no longer authorised to retain or which is irrelevant, excessive or obtained unlawfully.
  • Right to data portability: you have the right to receive personal data concerning you in a structured, commonly used and machine-readable format and to transmit the data to another data controller without hindrance. Where technically possible, you have the right to have personal data transmitted directly from us to another data controller or data processor.
  • Automated decision making: you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or that significantly affects you. You also have the right to be informed, in writing, whenever a decision based on automated processing is taken. In addition, you can request us to reconsider any decisions made based on automated processing or to take a new decision that is not based solely on automated processing.
  • Right of restriction: you have the right to request us to restrict the processing of personal data where:
    • you contest the accuracy of the personal data;
    • the personal data is no longer required for the purpose of the processing;
    • the processing is unlawful and you have opposed the erasure of the personal data and requested restriction of its use instead; or
    • you have objected to the processing of personal data, pending verification as to whether the legitimate interests of the data controller or data processor override those of the data subject.
  • Right to raise a complaint: you can raise a complaint about our processing with the Regulator, i.e. the Data Commissioner in Kenya. You may also be able to seek a remedy through the courts if you believe that your rights have been breached.

If you wish to exercise any of the rights stated in clause 12, please write an email to the Data Protection Officer (DPO) on privacy@aar.co.ke.

We will endeavour to respond to all inquiries via email within the timelines stipulated in law.

When your information is processed by third-party services providers, we will promptly request third parties to your personal data.

To ensure that we release information to the correct individual, we may request identification verification.

In some cases, we will not be able to comply with your request. If this happens, you will be duly notified.

Providing accurate information: It is your responsibility to provide accurate and up-to-date personal information during the job application process. This includes details such as your contact information, employment history, educational background, and any other relevant information requested by the employer.

Security measures: While we take appropriate measures to protect your personal information, it is important for job applicants to also take precautions to safeguard their own information. This includes using secure internet connections when submitting online applications, keeping login credentials confidential, and being cautious when sharing personal information through email or other communication channels.

Reference information confidentiality: As a job applicant, it is your responsibility to respect the confidentiality of information related to your references. When providing references, you should seek their consent and inform them that their contact information and any relevant details will be shared with the employer for the purpose of evaluating your application. You should also advise them to refrain from disclosing any confidential or sensitive information about themselves or others during the reference process. By ensuring the confidentiality of reference information, you help maintain trust and protect the privacy of all individuals involved in the job application process.

If you have any questions, concerns, or inquiries regarding the processing of your personal data or this Job Applicant Privacy Policy, please feel free to contact our Data Protection Officer (DPO) on privacy@aar.co.ke. You may also contact us at: -

The Data Protection Officer

Real Towers Upperhill

P.O. Box 41766 - 00100

Nairobi, Kenya.

Tel: +254 703 063 000, +254 730 633 000, +254 202 895 000

We reserve the right to update or modify this Job Applicant Privacy Policy from time to time. Any changes will be effective immediately upon posting the revised policy on our website or notifying you through other appropriate means. It is your responsibility to review this policy periodically to stay informed about any updates or modifications.

By continuing to use our services or submitting job applications after any changes to this policy, you acknowledge and agree to the revised terms. If you disagree with any changes to this policy, you should refrain from using our services or submitting job applications.

We encourage you to regularly check this page for the most up-to-date version of our Job Applicant Privacy Policy.


Welcome to AAR’s Agents Privacy Policy. We appreciate you taking the time to read all our notices carefully.

AAR Insurance Limited (“AAR”, “We”, “Us”, “Our”) is committed to processing your personal information in a lawful, fair and transparent manner and in accordance with data protection laws in Kenya.

This Privacy Policy outlines how we collect, use, disclose, and protect personal information in connection with our services, including provision of medical and general insurance products and services.

Please take time to read this Privacy Policy to understand how and why we collect and use your information in connection with our insurance business.

AAR Insurance Kenya Limited is a leading medical and general insurance company, providing innovative underwriting solutions to individuals, families, and businesses. We offer products ranging from Family Plans, Personal Accident Insurance, School Insurance, Homeowners Insurance, Medical Insurance for SMEs and Corporates, Professional Indemnity, WIBA Cover, Travel Insurance, Marine Insurance and Landlord Insurance.

Our offices are located at Real Towers, Upperhill, Nairobi, Kenya.

This Privacy Policy applies to all AAR Insurance Kenya Limited Agents in connection with our insurance business.

In this Privacy Policy, "personal data" refers to any information relating to an identified or identifiable individual. This includes, but is not limited to, identification details, contact details, commissions, lead management details, performance appraisals, social media profiles, HMIS Code and any other data that can be used to directly or indirectly identify an individual.

Personal data may also include sensitive information, such as racial or ethnic origin, religious beliefs, health information, family information including children’s information, biometric data, property records, financial information, transaction records, where applicable and subject to applicable laws and regulations.

  • We collect Personal Data directly from you as well as from other available sources to the extent permitted by law. We endeavour to only collect Personal Data that is necessary for the purpose(s) for which it is collected and to retain such data for no longer than necessary for such purpose(s). Subject to applicable law and practice, the categories of Personal Data that are typically collected and processed are:

 

Data subject: Agents

Type of personal data collected: Identification details: name, date of birth, ID/Passport, HMIS Code
Purpose of collection:
  • For identification purposes
  • To grant access to My Wakalaar
  • To confirm that the details provided on registration on My Wakalaar match with those in AIK Agent database.
  • To allow for background data synchronization on My Wakaalar
Lawful basis: Legal Obligation

Type of personal data collected: Contact details: telephone number, WhatsApp number, email address
Purpose of collection:
  • For communication purposes including OTP delivery
  • To facilitate user-agent interactions, including enabling users to communicate their needs and enquiries to the agent, and to foster engagement and communication with the agent on the My Wakalaar platform.
Lawful basis: Legitimate interests

Type of personal data collected: Recruitment details: CV, Academic Certificates, Passport Photographs, examination results
Purpose of collection:
  • To determine your suitability for the role applied for
Lawful basis: Legitimate interests

Type of personal data collected: Onboarding details: Insurance certificate, contractual details
Purpose of collection:
  • To onboard you to AAR Insurance
Lawful basis: Contract; Legal Requirement

Type of personal data collected: Performance Management details: Weekly activity templates, productivity appraisals
Purpose of collection:
  • To assess your performance against set KPIs
Lawful basis: Contract

Type of personal data collected: Commission details: Commission, monthly statements, payment details including bank account numbers
Purpose of collection:
  • To process your commissions
Lawful basis: Contract

Type of personal data collected: Consent details: Consent to receive marketing communications, consent to receive OTP, consent to process customer information
Purpose of collection:
  • For marketing/promotional purposes
  • To enable you to perform accurate calculations of quotations, personalize the quotation process, communicate with the client, track the progress of a quotation and see its eventual closure.
Lawful basis: Consent

Type of personal data collected: One Time Password (OTP) & agents’ passwords
Purpose of collection:
  • For validation and authentication of agents during registration to My Wakaalar
  • To ensure that you have control over your account on My Wakaalar and update it when necessary.
Lawful basis: Legitimate interests

Type of personal data collected: Social Media details: social media accounts, consent to post on linked social media accounts, access tokens
Purpose of collection:
  • To enable you to seamlessly link your social media accounts with My Wakalaar.
Lawful basis: Consent

Type of personal data collected: Lead Management details: lead source, lead probability, lead value, tags, notes, consent to process potential customer’s information
Purpose of collection:
  • To enable you to save lead information on the My Wakaalar platform and effectively manage lead data
Lawful basis: Legitimate interests

Type of personal data collected: CCTV Records
Purpose of collection:
  • To secure company premises and assets
Lawful basis: Legitimate interests

Type of personal data collected: Complaints/requests
Purpose of collection:
  • To receive, register and resolve your complaints
Lawful basis: Legitimate interests

Type of personal data collected: Online identifiers: such as cookies and related tags, IP addresses
Purpose of collection:
  • To improve your experience when you access our website
Lawful basis: Legitimate interests

 

We collect your information directly when you call, message, email or populate your details on the Agents’ platform My Wakalaar.

We also collect personal data indirectly when you use our website or access My Wakalaar or social media platforms, or when you visit our offices and your images are captured by CCTV.

In some cases, if you choose not to provide certain personal data requested by us, it may impact our ability to fulfil our contractual obligations or provide you requested services or information. The specific consequences of not providing personal data will depend on the context and the purpose for which the data is requested.

For example, if you fail to provide us with accurate bank account details, we may fail to process your commission statements.

We encourage you to carefully consider personal data requested and its importance for the intended purposes. If you have concerns about providing certain information, please contact us to discuss your specific circumstances and requirements. We will endeavor to find alternative solutions or assess if there are any legal or contractual obligations that require the provision of the requested data.

We may share your personal data within the Company to facilitate our internal operations and provide you with efficient services.

We may share your personal data with third parties in the following circumstances:

  • Service Providers: We may engage third-party service providers to perform various services on our behalf, such as IT service providers and legal services providers. These service providers will have access to your personal data as necessary to perform their functions but are strictly prohibited from using your personal data for any other purposes.
  • Business Partners: We may share your personal data with trusted business partners who collaborate with us to provide products or services to you. These partners may use your personal data only for the purposes specified in our agreement with them.
  • Obligations: We may disclose your personal data if required to do so by law or in response to a valid legal request, such as a court order or government inquiry.
  • Corporate Transactions: In the event of a merger, acquisition, or any form of corporate restructuring, we may transfer your personal data to the involved parties, if they agree to treat your personal data in accordance with this privacy policy.
  • Consent: We may share your personal data with third parties if you have given us explicit consent to do so. You have the right to withdraw your consent at any time.

When sharing your personal data with third parties, we prioritise the security and confidentiality of your information. We take stringent measures to ensure that these parties comply with strict data protection standards and handle your personal data in accordance with our instructions.

We carefully select and evaluate third-party service providers, business partners, and other recipients of your personal data. We enter into contractual agreements with these parties, imposing obligations to protect your personal data and restricting their use of the information solely for the specified purposes outlined in our agreement. Furthermore, we require these third parties to implement appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration, or destruction of your personal data.

We understand the importance of keeping your personal data secure and take appropriate measures to protect it against unauthorized access, loss, misuse, or alteration. We have implemented robust security measures to ensure the confidentiality, integrity, and availability of your information, including: -

  • Technical Safeguards: To protect your information during transmission, we utilize industry-standard encryption protocols, ensuring the confidentiality of your data. Our secure network infrastructure incorporates firewalls, intrusion detection systems, and other security measures to prevent unauthorised access and mitigate external threats. Additionally, access controls are in place, restricting data access to authorised individuals through unique user credentials, strong passwords, and role-based privileges. Regular data backups and recovery processes are performed to maintain data integrity and availability.
  • Organisational Safeguards: Our commitment to data security extends to our employees and third-party service providers. Strict confidentiality agreements bind them, emphasizing the importance of maintaining the security and confidentiality of your personal data. Regular training programs are conducted to educate employees on data protection best practices, security protocols, and their responsibilities. Access controls and authorization mechanisms ensure that only authorised personnel can access your data. We have established comprehensive data protection policies and procedures to guide the proper handling, storage, retention, and disposal of personal data. In the event of any security incidents, our incident response plan enables swift identification, mitigation, and notification, as well as measures to prevent future occurrences.

While we continually enhance our security measures, it is important to note that no security measure can provide absolute protection. However, we are dedicated to maintaining the highest possible standards of data security and will continue to invest in measures to safeguard your information.

If you suspect any misuse or loss of or unauthorised access to your personal data, please let us know immediately by sending us an email on privacy@aar.co.ke.

We retain your personal data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy, or as required by applicable laws and regulations.

Once the retention period expires, we securely delete or anonymise your data to ensure it is no longer identifiable or accessible.

The retention periods for each category of data subjects and their respective personal data may vary based on the specific circumstances and legal requirements.

Your personal data such as contact details, identification details, contract details, payment details, CCTV records, social media profiles, complaints/requests, and cookies/online identifiers, is generally retained for the duration of the business relationship and for six [6] years thereafter. This allows us to maintain effective communication, fulfil contractual obligations, and comply with legal requirements.


Under the Data Protection Act, 2019, you have several rights regarding your personal data.

  • right to information: you have a right to be informed of how the Company will use your personal data.
  • right to access: you are entitled to access your personal data that is in our possession or custody.
  • right to object: you can object to the processing of all or part of your personal data, except when we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.
  • right to rectification: you have the right to request the correction of inaccurate, outdated, incomplete or misleading personal data in our possession or under our control, without undue delay.
  • right to erasure: you have the right to request deletion or destruction, without undue delay, of personal data that we are no longer authorised to retain, or that is irrelevant, excessive, or obtained unlawfully.
  • right to data portability: you have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format and to transmit the data to another data controller without hindrance. Where technically feasible, you may also request direct transmission of your personal data from us to another data controller or data processor.
  • automated decision making: you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or that significantly affects you. If we make automated decisions based on your personal data, you will be notified in writing. You can also request us to reconsider any decisions made solely through automated processing or to make a new decision that is not solely automated.
  • right of restriction: you can request the restriction of processing your personal data in certain circumstances, such as when you contest the accuracy of the data, it is no longer needed for processing, it was processed unlawfully, or you have objected to the processing pending verification of our legitimate interests.

If you wish to exercise any of the rights outlined above, please write an email to the Data Protection Officer (DPO) on privacy@aar.co.ke.

We will make every effort to address your inquiries and requests via email within the timelines specified by applicable data protection laws and regulations.

To ensure the security and accuracy of the personal data we provide, we may request additional information and verification of your identity. This is necessary to confirm that we are releasing the data to the rightful owner.

While we strive to fulfill all valid requests, there may be cases where we are unable to comply. If such a situation arises, we will inform you of the reasons for our inability to fulfill your request.

As part of our business operations, we may transfer personal data to recipients located in countries outside Kenya.

We are committed to ensuring that any transfer of personal data outside of Kenya complies with the provisions set forth by the Data Protection Act, 2019.

We prioritise the security and protection of your personal data throughout the transfer process. Therefore, we have implemented the following policy regarding international data transfers:

  • Appropriate Safeguards: Before transferring personal data to another country, we ensure that we have appropriate safeguards in place to ensure the security and protection of your data. These safeguards may include technical, organisational, and legal measures to uphold data privacy standards. We will document these safeguards and provide proof to the Data Commissioner as and when required.
  • Legal Grounds: We will only transfer personal data outside of Kenya when it is necessary and lawful. This includes situations where the transfer is required for the performance of a contract between you and AAR, the establishment, exercise, or defense of legal claims, the protection of vital interests, matters of public interest, or compelling legitimate interests that are not overridden by your rights and freedoms.
  • Consent and Sensitive Data: If the transfer involves sensitive personal data, we will obtain your explicit consent and confirmation of appropriate safeguards before processing such data outside of Kenya.
  • Data Commissioner Oversight: We acknowledge the authority of the Data Commissioner to request demonstrations of the effectiveness of security safeguards or the existence of compelling legitimate interests prior to the transfer of personal data. We will cooperate with the Data Commissioner and comply with any conditions or restrictions imposed to protect the rights and fundamental freedoms of data subjects.

13.4. We are committed to maintaining the privacy and security of your personal data, regardless of its location. If you have any questions or concerns regarding our international data transfer practices, please contact our Data Protection Officer (DPO) at privacy@aar.co.ke. We will strive to address your inquiries and provide you with transparent information regarding the transfer of your personal data outside of Kenya.

iries via email within the timelines stipulated in law.

When your information is processed by third-party services providers, we will promptly request third parties to your personal data.

To ensure that we release information to the correct individual, we may request identification verification.

In some cases, we will not be able to comply with your request. If this happens, you will be duly notified.

As a data subject, it is important that you understand and fulfill certain responsibilities to ensure the protection and privacy of your personal data. By providing your personal data to the Company, you agree to adhere to the following responsibilities:

  • Accuracy and Updates: You are responsible for providing accurate and up-to-date personal data to the Company. Please inform us promptly of any changes or updates to your contact details or other relevant information.
  • Third-Party Data: If you give us personal data of third parties, such as a prospective member, it is your responsibility to ensure that you have obtained the necessary consent or authority to share their information. Inform these individuals about the processing activities and possible international transfers of their data.
  • Exercise of Rights: If you wish to exercise your rights with respect to your personal data, including the rights of access, rectification, erasure, objection, or data portability, please follow the procedures outlined in our Privacy Policy. We may require additional information or verification to process your request and ensure the security and confidentiality of your data.
  • Reporting Concerns: If you have any concerns or complaints regarding the processing or transfer of your personal data, please contact our designated Data Protection Officer (DPO) at privacy@aar.co.ke. We appreciate your feedback and will promptly address any issues raised.

We may periodically update or revise this Privacy Policy to ensure its alignment with legal requirements and our evolving business practices. We encourage you to review this Policy periodically to stay informed about how we handle your personal data.

If we make any material changes to this Policy, we will notify you through appropriate means, such as by posting a notice on our website or sending a direct communication. Your continued use of our services after the effective date of any revised Privacy Policy constitutes your acceptance of the revised Policy. We recommend that you regularly check this Privacy Policy to stay updated on any changes. If you disagree with any modifications to this Policy, you should discontinue using our services and contact us to exercise your rights or request the removal of your personal data, as outlined in this Policy.

Welcome to the AAR’s Agents Privacy Policy. We appreciate you taking the time to read all our notices carefully.

AAR Insurance Limited (“AAR”, “We”, “Us”, “Our”) is committed to processing your personal information in a lawful, fair and transparent manner and in accordance with data protection laws in Kenya.

This Privacy Policy outlines how we collect, use, disclose, and protect personal information in connection with our services, including provision of medical and general insurance products and services.

Please take time to read this Privacy Policy to understand how and why we collect and use your information in connection with our insurance business.

AAR Insurance Kenya Limited is a leading medical and general insurance company, providing innovative underwriting solutions to individuals, families, and businesses. We offer products ranging from Family Plans, Personal Accident Insurance, School Insurance, Homeowners Insurance, Medical Insurance for SMEs and Corporates, Professional Indemnity, WIBA Cover, Travel Insurance, Marine Insurance and Landlord Insurance.

Our offices are located at Real Towers, Upperhill, Nairobi, Kenya.

This Privacy Policy applies to all AAR Insurance Kenya Limited Agents in connection with our insurance business.

In this Privacy Policy, "personal data" refers to any information relating to an identified or identifiable individual. This includes, but is not limited to, identification details, contact details, commissions, lead management details, performance appraisals, social media profiles, HMIS Code and any other data that can be used to directly or indirectly identify an individual.

Personal data may also include sensitive information, such as racial or ethnic origin, religious beliefs, health information, family information including children’s information, biometric data, property records, financial information, transaction records, where applicable and subject to applicable laws and regulations.

  • We collect Personal Data directly from you as well as from other available sources to the extent permitted by law. We endeavour to only collect Personal Data that is necessary for the purpose(s) for which it is collected and to retain such data for no longer than necessary for such purpose(s). Subject to applicable law and practice, the categories of Personal Data that are typically collected and processed are:

 

| Data Subject | Type of personal data collected | Purpose of Collection | Lawful Basis |
| --- | --- | --- | --- |
| Agents | Identification details: name, date of birth, ID/Passport, HMIS Code | For identification purposes; To grant access to My Wakalaar; To confirm that the details provided on registration on My Wakalaar match those in the AIK Agent database; To allow for background data synchronization on My Wakaalar | Legal Obligation |
| | Contact details: telephone number, WhatsApp number, email address | For communication purposes including OTP delivery; To facilitate user-agent interactions, including enabling users to communicate their needs and enquiries to the agent, and to foster engagement and communication with the agent on the My Wakalaar platform | Legitimate interests |
| | Recruitment details: CV, Academic Certificates, Passport Photographs, examination results | To determine your suitability for the role applied for | Legitimate interests |
| | Onboarding details: Insurance certificate, contractual details | To onboard you to AAR Insurance | Contract; Legal Requirement |
| | Performance Management details: Weekly activity templates, productivity appraisals | To assess your performance against set KPIs | Contract |
| | Commission details: Commission, monthly statements, payment details including bank account numbers | To process your commissions | Contract |
| | Consent details: Consent to receive marketing communications, consent to receive OTP, consent to process customer information | For marketing/promotional purposes; To enable you to perform accurate calculations of quotations, personalize the quotation process, communicate with the client, track the progress of a quotation and see its eventual closure | Consent |
| | One Time Password (OTP) & agents’ passwords | For validation and authentication of agents during registration to My Wakaalar; To ensure that you have control over your account on My Wakaalar and update it when necessary | Legitimate interests |
| | Social Media details: social media accounts, consent to post on linked social media accounts, access tokens | To enable you to seamlessly link your social media accounts with My Wakalaar | Consent |
| | Lead Management details: lead source, lead probability, lead value, tags, notes, consent to process potential customer’s information | To enable you to save lead information on the My Wakaalar platform and effectively manage lead data | Legitimate interests |
| | CCTV Records | To secure company premises and assets | Legitimate interests |
| | Complaints/requests | To receive, register and resolve your complaints | Legitimate interests |
| | Online identifiers: such as cookies and related tags, IP addresses | To improve your experience when you access our website | Legitimate interests |

 

We collect your information directly when you call, message, email or populate your details on the Agents’ platform My Wakalaar.

We also collect personal data indirectly when you use our website or access My Wakalaar, social media platforms or when you visit our offices, and your images are captured by CCTV.

In some cases, if you choose not to provide certain personal data requested by us, it may impact our ability to fulfil our contractual obligations or provide you with requested services or information. The specific consequences of not providing personal data will depend on the context and the purpose for which the data is requested.

For example, if you fail to provide us with accurate bank account details, we may fail to process your commission statements.

We encourage you to carefully consider personal data requested and its importance for the intended purposes. If you have concerns about providing certain information, please contact us to discuss your specific circumstances and requirements. We will endeavor to find alternative solutions or assess if there are any legal or contractual obligations that require the provision of the requested data.

We may share your personal data within the Company to facilitate our internal operations and provide you with efficient services.

We may share your personal data with third parties in the following circumstances:

  • Service Providers: We may engage third-party service providers to perform various services on our behalf, such as IT service providers and legal services providers. These service providers will have access to your personal data as necessary to perform their functions but are strictly prohibited from using your personal data for any other purposes.
  • Business Partners: We may share your personal data with trusted business partners who collaborate with us to provide products or services to you. These partners may use your personal data only for the purposes specified in our agreement with them.
  • Legal Obligations: We may disclose your personal data if required to do so by law or in response to a valid legal request, such as a court order or government inquiry.
  • Corporate Transactions: In the event of a merger, acquisition, or any form of corporate restructuring, we may transfer your personal data to the involved parties, if they agree to treat your personal data in accordance with this privacy policy.
  • Consent: We may share your personal data with third parties if you have given us explicit consent to do so. You have the right to withdraw your consent at any time.

When sharing your personal data with third parties, we prioritise the security and confidentiality of your information. We take stringent measures to ensure that these parties comply with strict data protection standards and handle your personal data in accordance with our instructions.

We carefully select and evaluate third-party service providers, business partners, and other recipients of your personal data. We enter into contractual agreements with these parties, imposing obligations to protect your personal data and restricting their use of the information solely for the specified purposes outlined in our agreement. Furthermore, we require these third parties to implement appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration, or destruction of your personal data.

We understand the importance of keeping your personal data secure and take appropriate measures to protect it against unauthorized access, loss, misuse, or alteration. We have implemented robust security measures to ensure the confidentiality, integrity, and availability of your information, including:

  • Technical Safeguards: To protect your information during transmission, we utilize industry-standard encryption protocols, ensuring the confidentiality of your data. Our secure network infrastructure incorporates firewalls, intrusion detection systems, and other security measures to prevent unauthorised access and mitigate external threats. Additionally, access controls are in place, restricting data access to authorised individuals through unique user credentials, strong passwords, and role-based privileges. Regular data backups and recovery processes are performed to maintain data integrity and availability.
  • Organisational Safeguards: Our commitment to data security extends to our employees and third-party service providers. Strict confidentiality agreements bind them, emphasizing the importance of maintaining the security and confidentiality of your personal data. Regular training programs are conducted to educate employees on data protection best practices, security protocols, and their responsibilities. Access controls and authorization mechanisms ensure that only authorised personnel can access your data. We have established comprehensive data protection policies and procedures to guide the proper handling, storage, retention, and disposal of personal data. In the event of any security incidents, our incident response plan enables swift identification, mitigation, and notification, as well as measures to prevent future occurrences.

While we continually enhance our security measures, it is important to note that no security measure can provide absolute protection. However, we are dedicated to maintaining the highest possible standards of data security and will continue to invest in measures to safeguard your information.

If you suspect any misuse or loss of or unauthorised access to your personal data, please let us know immediately by sending us an email on privacy@aar.co.ke.

We retain your personal data only for as long as necessary to fulfill the purposes outlined in our Privacy Policy, or as required by applicable laws and regulations.

Once the retention period expires, we securely delete or anonymise your data to ensure it is no longer identifiable or accessible.

The retention periods for each category of data subjects and their respective personal data may vary based on the specific circumstances and legal requirements.

Your personal data such as contact details, identification details, contract details, payment details, CCTV records, social media profiles, complaints/requests, and cookies/online identifiers, is generally retained for the duration of the business relationship and for six [6] years thereafter. This allows us to maintain effective communication, fulfil contractual obligations, and comply with legal requirements.

ice providers and agents: We may make certain Personal Data available to third parties who provide services to us such as our human resource management software, background checks and psychometric service providers, headhunter firms, cloud service providers, and recruitment service providers. When we share with these third parties, we do so on a need-to-know basis and under clear contractual terms and instructions for the processing of the Personal Data.

  • With other third parties: We may also share your information with other types of third parties, such as our legal representatives, industry groups or self-regulatory bodies, on lawful grounds. For example:
    • with your consent.
    • to comply with our legal obligations (including to comply with laws, regulations, and contracts, to respond to court orders, administrative or judicial process and search warrants, or to meet national security and law enforcement requests);
    • to establish, exercise, or defend against potential, threatened, or actual litigation.
    • to protect the safety, property, or vital interests of a person.
    • to protect AAR’s rights or property.
    • to protect AAR, our other employees, customers, or the public from harm or illegal activities.
    • to respond to an emergency that we, in good faith, believe requires us to disclose data to prevent harm; and
    • in connection with the sale, assignment, merger, or other reorganisation or transfer of all or part of our business.

Under the Data Protection Act, 2019, you have several rights regarding your personal data.

  • right to information: you have a right to be informed of how the Company will use your personal data.
  • right to access: you are entitled to access your personal data that is in our possession or custody.
  • right to object: you can object to the processing of all or part of your personal data, except when we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.
  • right to rectification: you have the right to request the correction of inaccurate, outdated, incomplete or misleading personal data in our possession or under our control, without undue delay.
  • right to erasure: you have the right to request deletion or destruction, without undue delay, of personal data that we are no longer authorised to retain, or that is irrelevant, excessive, or obtained unlawfully.
  • right to data portability: you have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format and to transmit the data to another data controller without hindrance. Where technically feasible, you may also request direct transmission of your personal data from us to another data controller or data processor.
  • automated decision making: you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects that affect you. If we make automated decisions based on your personal data, you will be notified in writing. You can also request us to reconsider any decisions made solely through automated processing or to make a new decision that is not solely automated.
  • right of restriction: You can request the restriction of processing your personal data in certain circumstances, such as when you contest the accuracy of the data, it is no longer needed for processing, it was processed unlawfully, or you have objected to the processing pending verification of our legitimate interests.

If you wish to exercise any of the rights outlined above, please write an email to the Data Protection Officer (DPO) on privacy@aar.co.ke.

We will make every effort to address your inquiries and requests via email within the timelines specified by applicable data protection laws and regulations.

To ensure the security and accuracy of the personal data we provide, we may request additional information and verification of your identity. This is necessary to confirm that we are releasing the data to the rightful owner.

While we strive to fulfill all valid requests, there may be cases where we are unable to comply. If such a situation arises, we will inform you of the reasons for our inability to fulfill your request.

As part of our business operations, we may transfer personal data to recipients located in countries outside Kenya.

We are committed to ensuring that any transfer of personal data outside of Kenya complies with the provisions set forth by the Data Protection Act, 2019.

We prioritise the security and protection of your personal data throughout the transfer process. Therefore, we have implemented the following policy regarding international data transfers:

  • Appropriate Safeguards: Before transferring personal data to another country, we ensure that we have appropriate safeguards in place to ensure the security and protection of your data. These safeguards may include technical, organisational, and legal measures to uphold data privacy standards. We will document these safeguards and provide proof to the Data Commissioner as and when required.
  • Legal Grounds: We will only transfer personal data outside of Kenya when it is necessary and lawful. This includes situations where the transfer is required for the performance of a contract between you and AAR, the establishment, exercise, or defense of legal claims, the protection of vital interests, matters of public interest, or compelling legitimate interests that are not overridden by your rights and freedoms.
  • Consent and Sensitive Data: If the transfer involves sensitive personal data, we will obtain your explicit consent and confirmation of appropriate safeguards before processing such data outside of Kenya.
  • Data Commissioner Oversight: We acknowledge the authority of the Data Commissioner to request demonstrations of the effectiveness of security safeguards or the existence of compelling legitimate interests prior to the transfer of personal data. We will cooperate with the Data Commissioner and comply with any conditions or restrictions imposed to protect the rights and fundamental freedoms of data subjects.

13.4. We are committed to maintaining the privacy and security of your personal data, regardless of its location. If you have any questions or concerns regarding our international data transfer practices, please contact our Data Protection Officer (DPO) at privacy@aar.co.ke. We will strive to address your inquiries and provide you with transparent information regarding the transfer of your personal data outside of Kenya.

iries via email within the timelines stipulated in law.

When your information is processed by third-party services providers, we will promptly request third parties to your personal data.

To ensure that we release information to the correct individual, we may request identification verification.

In some cases, we will not be able to comply with your request. If this happens, you will be duly notified.

As a data subject, it is important that you understand and fulfill certain responsibilities to ensure the protection and privacy of your personal data. By providing your personal data to the Company, you agree to adhere to the following responsibilities:

  • Accuracy and Updates: You are responsible for providing accurate and up-to-date personal data to the Company. Please inform us promptly of any changes or updates to your contact details or other relevant information.
  • Third-Party Data: If you give us personal data of third parties, such as a prospective member, it is your responsibility to ensure that you have obtained the necessary consent or authority to share their information. Inform these individuals about the processing activities and possible international transfers of their data.
  • Exercise of Rights: If you wish to exercise your rights with respect to your personal data, including the rights of access, rectification, erasure, objection, or data portability, please follow the procedures outlined in our Privacy Policy. We may require additional information or verification to process your request and ensure the security and confidentiality of your data.
  • Reporting Concerns: If you have any concerns or complaints regarding the processing or transfer of your personal data, please contact our designated Data Protection Officer (DPO) at privacy@aar.co.ke. We appreciate your feedback and will promptly address any issues raised.

We may periodically update or revise this Privacy Policy to ensure its alignment with legal requirements and our evolving business practices. We encourage you to review this Policy periodically to stay informed about how we handle your personal data.

If we make any material changes to this Policy, we will notify you through appropriate means, such as by posting a notice on our website or sending a direct communication. Your continued use of our services after the effective date of any revised Privacy Policy constitutes your acceptance of the revised Policy. We recommend that you regularly check this Privacy Policy to stay updated on any changes. If you disagree with any modifications to this Policy, you should discontinue using our services and contact us to exercise your rights or request the removal of your personal data, as outlined in this Policy.

At AAR Insurance Company Limited (“We”, “Us”, “Our”, “Company”), we value your right to privacy. We are committed to processing your personal data in a fair, lawful and transparent manner and in accordance with the Data Protection Act, 2019.

This Privacy Policy outlines how we collect, use, disclose, and protect personal information in connection with our services, including offering medical and non-medical insurance products.

Please take time to read this Privacy Policy to understand how and why we collect and use your information in connection with our services, including offering medical and non-medical insurance products.
AAR is a leading medical and general insurance company, providing innovative underwriting solutions to individuals, families, and businesses. We offer products ranging from Family Plans, Personal Accident Insurance, School Insurance, Homeowners Insurance, Medical Insurance for SME’s and Corporates, Professional Indemnity, WIBA Cover, Travel Insurance, Marine Insurance and Landlord Insurance and related insurances.

Our offices are located at Real Towers, Upperhill, Nairobi, Kenya.
This Privacy Notice applies to all AAR Insurance suppliers who provide goods or services to us as part of our operations and any other individual whose personal information we collect during our business activities.
In this Privacy Policy, “personal data” refers to any information that relates to an identified or identifiable individual. This includes, but is not limited to, names, contact details, identification numbers, employment details, and any other data that can be used to directly or indirectly identify an individual.

Personal data may also include sensitive information, such as biometric data, property records, financial information, transaction records, where applicable and subject to applicable laws and regulations.
We collect Personal Data directly from you as well as from other available sources to the extent permitted by law. We endeavour to only collect Personal Data that is necessary for the purpose(s) for which it is collected and to retain such data for no longer than necessary for such purpose(s). Subject to applicable law and practice, the categories of Personal Data that are typically collected and processed are:
| Data Subject | Type of personal data collected | Purpose of Collection | Lawful Basis |
| --- | --- | --- | --- |
| Suppliers | Identification details: name, ID/Passport/KRA PIN; Contact details: name, phone number, email address; Contract details; Information contained in statutory documents such as CR12; Payment details: credit terms, supplier statements, bank account details; CCTV records; Complaints/requests; Online identifiers such as cookies and IP addresses (for suppliers who interact with our online platforms) | Supplier management and communication; Payment processing | Contract; Legal Obligation; Legitimate Interests |
 
If you choose not to provide certain personal data requested by us, it may impact our ability to fulfil our contractual obligations or fully provide you with requested services, or information. The specific consequences of not providing personal data will depend on the context and the purpose for which the data is requested.

You are responsible for providing accurate and up-to-date personal data to the Company. Please inform us promptly of any changes or updates to your contact details or other relevant information.
We collect your personal data directly when you call, email us or in person when you visit our premises.

We may also collect your personal data indirectly when you use our website, submit tenders through our tendering platforms, access our social media platforms or when you visit our offices, and your images are captured by our CCTV cameras.
We may share your personal data within the Company to facilitate our internal operations and provide you with efficient services.

We may share your personal data with third parties in the following circumstances:

  • Service Providers: We may engage third-party service providers to perform various services on our behalf, such as IT data processors and legal services providers. These service providers will have access to your personal data as necessary to perform their functions but are strictly prohibited from using your personal data for any other purposes.
  • Business Partners: We may share your personal data with trusted business partners who collaborate with us to provide products or services to you. These partners may use your personal data only for the purposes specified in our agreement with them.
  • Legal Obligations: We may disclose your personal data if required to do so by law or in response to a valid legal request, such as a court order or government inquiry.
  • Corporate Transactions: In the event of a merger, acquisition, or any form of corporate restructuring, we may transfer your personal data to the involved parties, if they agree to treat your personal data in accordance with this privacy policy.
  • Consent: We may share your personal data with third parties if you have given us explicit consent to do so. You have the right to withdraw your consent at any time.

When sharing your personal data with third parties, we prioritise the security and confidentiality of your information. We take stringent measures to ensure that these parties comply with strict data protection standards and handle your personal data in accordance with our instructions.

We carefully select and evaluate third-party service providers, business partners, and other recipients of your personal data. We enter into contractual agreements with these parties, imposing obligations to protect your personal data and restricting their use of the information solely for the specified purposes outlined in our agreement. Furthermore, we require these third parties to implement appropriate technical and organisational measures to prevent unauthorised access, disclosure, alteration, or destruction of your personal data.



We understand the importance of keeping your personal data secure and take appropriate measures to protect it against unauthorized access, loss, misuse, or alteration. We have implemented robust security measures to ensure the confidentiality, integrity, and availability of your information, including: –

  • Technical Safeguards: To protect your information during transmission, we utilize industry-standard encryption protocols, ensuring the confidentiality of your data. Our secure network infrastructure incorporates firewalls, intrusion detection systems, and other security measures to prevent unauthorised access and mitigate external threats. Additionally, access controls are in place, restricting data access to authorised individuals through unique user credentials, strong passwords, and role-based privileges. Regular data backups and recovery processes are performed to maintain data integrity and availability.
  • Organisational Safeguards: Our commitment to data security extends to our employees and third-party service providers. Strict confidentiality agreements bind them, emphasizing the importance of maintaining the security and confidentiality of your personal data. Regular training programs are conducted to educate employees on data protection best practices, security protocols, and their responsibilities. Access controls and authorization mechanisms ensure that only authorised personnel can access your data. We have established comprehensive data protection policies and procedures to guide the proper handling, storage, retention, and disposal of personal data. In the event of any security incidents, our incident response plan enables swift identification, mitigation, and notification, as well as measures to prevent future occurrences.


    While we continually enhance our security measures, it is important to note that no security measure can provide absolute protection. However, we are dedicated to maintaining the highest possible standards of data security and will continue to invest in measures to safeguard your information.


    If you suspect any misuse or loss of or unauthorised access to your personal data, please let us know immediately by sending us an email on privacy@aar.co.ke.
We retain your personal data only for as long as necessary, which we have determined to be the duration of our business relationship to fulfill the purposes outlined in clause 5 or as required by applicable laws and regulations and six (6) years thereafter.

The retention periods for each category of data subjects and their respective personal data may vary based on the specific circumstances and legal requirements.

Once the retention period expires, we shall securely dispose of your personal data in accordance with our Data Retention and Disposal Policy.
Under the Data Protection Act, 2019, you have several rights regarding your personal data: –
  • right to information: you have a right to be informed of how the Company will use your personal data.
  • right of access: you are entitled to access your personal data that is in our possession or custody.
  • right to object: you can object to the processing of all or part of your personal data, except when we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.
  • right to rectification: you have the right to request the correction of inaccurate, outdated, incomplete or misleading personal data in our possession or under our control, without undue delay.
  • right to erasure: you have the right to request deletion or destruction, without undue delay, of personal data that we are no longer authorised to retain, or that is irrelevant, excessive, or obtained unlawfully.
  • right to data portability: you have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format and to transmit the data to another data controller without hindrance. Where technically feasible, you may also request direct transmission of your personal data from us to another data controller or data processor.
  • automated decision making: you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects or affects you. If we make automated decisions based on your personal data, you will be notified in writing. You can also request us to reconsider any decisions made solely through automated processing or to make a new decision that is not solely automated.
  • right of restriction: You can request the restriction of processing your personal data in certain circumstances, such as when you contest the accuracy of the data, it is no longer needed for processing, it was processed unlawfully, or you have objected to the processing pending verification of our legitimate interests.


If you wish to exercise any of the rights outlined above, please write an email to the Data Protection Officer (DPO) on privacy@aar.co.ke. We will make every effort to address your inquiries and requests via email within the timelines specified by applicable data protection laws and regulations.

To ensure the security and accuracy of the personal data we provide, we may request additional information and verification of your identity. This is necessary to confirm that we are releasing the data to the rightful owner.

While we strive to fulfill all valid requests, there may be cases where we are unable to comply. If such a situation arises, we will inform you of the reasons for our inability to fulfill your request.
As part of our business operations, we may transfer personal data to recipients located in countries outside Kenya.
We are committed to ensuring that any transfer of personal data outside of Kenya complies with the provisions set forth by the Data Protection Act, 2019.
We prioritise the security and protection of your personal data throughout the transfer process. Therefore, we have implemented the following policy regarding international data transfers:
  • Appropriate Safeguards: Before transferring personal data to another country, we ensure that we have appropriate safeguards in place to ensure the security and protection of your data. These safeguards may include technical, organisational, and legal measures to uphold data privacy standards. We will document these safeguards and provide proof to the Data Commissioner as and when required.
  • Legal Grounds: We will only transfer personal data outside of Kenya when it is necessary and lawful. This includes situations where the transfer is required for the performance of a contract between you and AAR Insurance, the establishment, exercise, or defense of legal claims, the protection of vital interests, matters of public interest, or compelling legitimate interests that are not overridden by your rights and freedoms.
  • Consent and Sensitive Data: If the transfer involves sensitive personal data, we will obtain your explicit consent and confirmation of appropriate safeguards before processing such data outside of Kenya.
  • Data Commissioner Oversight: We acknowledge the authority of the Data Commissioner to request demonstrations of the effectiveness of security safeguards or the existence of compelling legitimate interests prior to the transfer of personal data. We will cooperate with the Data Commissioner and comply with any conditions or restrictions imposed to protect the rights and fundamental freedoms of data subjects.

We are committed to maintaining the privacy and security of your personal data, regardless of its location. If you have any questions or concerns regarding our international data transfer practices, please contact our Data Protection Officer (DPO) at privacy@aar.co.ke. We will strive to address your inquiries and provide you with transparent information regarding the transfer of your personal data outside of Kenya.

As a data subject, it is important that you understand and fulfill certain responsibilities to ensure the protection and privacy of your personal data. By providing your personal data, you agree to adhere to the following responsibilities:
  • Third-Party Data: If you give us personal data of third parties, it is your responsibility to ensure that you have obtained the necessary consent or authority to share their information. Inform these individuals about the processing activities and possible international transfers of their data.
  • Exercise of Rights: If you wish to exercise your rights with respect to your personal data, including the rights of access, rectification, erasure, objection, or data portability, please follow the procedures outlined in our Privacy Policy. We may require additional information or verification to process your request and ensure the security and confidentiality of your data.
  • Reporting Concerns: If you have any concerns or complaints regarding the processing or transfer of your personal data, please contact our designated Data Protection Officer (DPO) at privacy@aar.co.ke. We appreciate your feedback and will promptly address any issues raised.
We may periodically update or revise this Privacy Policy to ensure its alignment with legal requirements and our evolving business practices. We encourage you to review this Policy periodically to stay informed about how we handle your personal data.
AAR Insurance Company Limited (“We”, “Our” “Company”) is committed to maintaining the highest standards of data protection and physical security. To ensure the security of company premises and confidentiality and integrity of sensitive information, we have implemented this CCTV Policy.

This Policy is intended to regulate the management, operation, and use of CCTV within company premises. By adhering to this policy, we aim to minimize the risk of unauthorized access, data breaches, and information leakage.
This Policy is directly tied to data protection and helps prevent unauthorized access to company premises and information.

Unauthorized access to the company premises including employee offices, stores or restricted areas such as the company vault can expose confidential data, leading to potential data breaches or information leakage.

Compliance with this policy is essential for meeting legal and regulatory requirements related to data protection.
This policy outlines the purpose, use and management of our CCTV monitoring system.

The Company has installed the CCTV system to: –
  • increase personal safety within the premises and reduce the fear of crime
  • assist in the prevention and detection of crime
  • assist with potential investigation and identification of offenders
  • protect the company’s assets
  • as a means of assistance to employees in case of emergency situations.
CCTV systems are owned and operated by AAR Insurance Company Limited.

The Company understands that all systems, information, documents and recordings obtained and used as data are protected by the Data Protection Laws.

The viewing and copying of the images will be strictly controlled. Images will only be provided to external agencies in line with clause 8.
The Board of Directors has the ultimate responsibility for ensuring that the Company complies with this policy.

Head of IT is responsible for the overall management and operation of the CCTV system, including activities relating to installations, recording, reviewing, monitoring, and ensuring compliance with this policy.

The Data Protection Officer (“DPO”) is responsible for the privacy and data protection aspects of this policy. Please refer any questions relating to this policy to the DPO.

This policy shall be reviewed annually by the Head of IT in collaboration with the DPO.

MANAGEMENT AND CONTROL OF THE CCTV SYSTEM

  • The CCTV system is owned and managed by the Company. The Head of IT is in charge of the day-to-day running of the system.
  • For the purpose of images collected and processed, the Company is a Data Controller. This means that AAR Insurance Company Limited is responsible for determining the purposes of collecting and using CCTV images.
  • The CCTV system operates to meet the requirements of the Data Protection Laws and the relevant CCTV regulatory standards in Kenya and internationally.

DESCRIPTION OF SYSTEM

  • The Company’s CCTV cameras are located in various locations within the Company such as areas leading into employees offices, stores,
  • The CCTV system is operational and is capable of being monitored for 24 hours a day, every day of the year.
  • CCTV signs are placed at conspicuous places within the Company to inform visitors that the Company is under CCTV surveillance. The signage indicates that the system is managed by the Company.
  • Any proposed new CCTV installation is subject to a Data Protection Impact Assessment.

SITING OF CAMERAS

  • Cameras are sited to ensure that they secure the Company’s premises as far as possible by monitoring vulnerable public facing areas.
  • Cameras are sited in prominent positions where they are clearly visible.
  • Cameras are not sited to focus on areas not intended to be monitored.
  • The Company will make all reasonable efforts to ensure that areas outside of our premises are not recorded.
  • Cameras will not be sited in areas where individuals have a heightened expectation of privacy such as washrooms.
In its administration of the CCTV system, the Company shall comply with the following principles: –
  • respect the privacy of an individual when processing personal data.
  • process personal information lawfully, fairly and transparently.
  • collect data for specific and explicit legitimate purposes and restrict processing to those purposes.
  • retain your images/likeness for no longer than necessary for the purpose to which the information is collected.
  • shall not transfer your images outside the country. Where we do so, we have put in place appropriate technical and organizational measures to safeguard your personal information.
  • process personal data in a manner that ensures appropriate security and confidentiality of that information. We employ appropriate technical or organizational measures to protect your data against unauthorized access, accidental loss, destruction or damage.
Any individual whose data is collected and used through the CCTV System is entitled to the following rights: –
  • Right to information
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right to automated decision making
For more information about these rights, please refer to the Policy on Handling Data Subjects Requests.

Where the Company is unable to comply with a Data Subject request without disclosing personal data of another individual who can be identified from that information, we are not obliged to comply with the request.
In limited circumstances it may be appropriate to disclose images collected on our CCTV system to third parties.

We may disclose personal information to third parties when it is required by law, in relation to the prevention or detection of a crime, or to comply with a written law or court order.

Such disclosures will be made at the discretion of the Head of IT in collaboration with the Legal and the Data Protection Officer.

Where a suspicion of misconduct arises, we may use CCTV images in employee disciplinary cases.
Images on our CCTV system are automatically overwritten after 60 days from the date of recording.

Where it is necessary to hold an image for longer than the period stipulated in 9.1, for example for evidentiary purposes, the investigation of an offence or as required by law, this request will be in writing and directed to the Data Protection Officer.

The images held beyond their retention period will be reviewed and any not held for the purposes specified in 9.2 above will be deleted.
The DPO shall receive all inquiries and complaints related to the privacy of a Data Subject and, where necessary, institute investigations. All complaints shall be sent to privacy@aar.co.ke.

Data Subjects may inquire or request for any information regarding any matter relating to the processing of their personal data under the custody of the Company, including data privacy and security policies implemented to ensure the protection of their personal data. They may write to the DPO and briefly discuss the inquiry, together with their contact details for reference.

The DPO shall maintain a log of all inquiries and complaints.
11.1. Compliance with the CCTV Policy will be periodically monitored by the Head of IT and DPO.

11.2. Non-compliance may result in disciplinary action, up to and including termination of employment.
The following terms and conditions govern your access and use of this website (“Site”) and the content and services offered to you through this Site (“the Services”).
In order to access any of the Services you will be required to accept these terms and conditions. You will be deemed to have accepted these terms by: Completing our online registration process and confirming that you have read and accepted these terms; or Viewing, accessing or using content on the Site which does not require registration.

We suggest that you print out and keep a copy of these terms for your records. In addition to these terms, there may be additional terms and conditions which apply to individual Services which you will be required to accept when registering for that Service.
Registration and use of the Services In order to access or continue to use certain Services, you may be required to provide information about yourself (such as identification or contact details). You agree to provide true, accurate, current and complete information when registering for the Services.

You agree to use the Services only for purposes that are permitted by (i) these terms and (ii) any applicable law or regulation. You specifically agree not to access (or attempt to access) any of the Services through any automated means (including use of scripts or web crawlers) and shall ensure that you comply with the instructions set out in any part of the Site. You agree that you will not engage in any activity that interferes with or disrupts the Services (or the servers and networks which are connected to the Services). You agree that you will not reproduce, duplicate, copy, sell, trade or resell the Services for any purpose. You agree that you are solely responsible for (and that AAR has no responsibility to you or to any third party for) any breach of your obligations under these terms and for the consequences (including any loss or damage which AAR may suffer) of any such breach.

Password and Account Security For certain Services e.g. registration for use of the AAR Online services you will be required to choose a user name and a password. For any such Services: The user name you choose must not be obscene, threatening, menacing, racist, offensive, derogatory, defamatory or in violation of any intellectual property or proprietary rights of any third party; and If we consider in our sole and absolute discretion that the user name selected by you is inappropriate, we reserve the right to reject and prevent your use of such user name at any time with or without notice to you.
You will be prompted to change your password from time to time in a span of one month in accordance with AIK IT policy. Your password is confidential and being aware of this you agree and understand that you are responsible for maintaining the confidentiality of password(s) associated with your account(s). Accordingly, you agree that you will be solely responsible to AAR for all activities that occur under your account.
You, and any persons you allow to use the Services through your access to the Services, are not allowed to: Copy, disclose, modify, reformat, display, distribute, licence, transmit, sell, perform, publish, transfer, link to, reverse engineer or decompile (except to the extent expressly permitted by applicable law) or otherwise make available the Services or any part thereof except as set out in these terms; Include or create links (including deep-links) to or from the Services; Replicate the Site or create a separate border around any part of the Services (also known as “framing”); Use the Services for storing, reproducing, transmitting, communicating or receiving any Offending Material.

For the purpose of these terms Offending Material means any content transmitted using the Service that is: In breach of any law, regulation or code of practice invoked by AAR, industry regulator or any other competent authority or any policy adopted by AAR with regard to the acceptable use of the Services, or Abusive, indecent, defamatory, obscene, pornographic, offensive or menacing (or that has the effect (as may be contemplated by a reasonable person) of causing the recipient to feel so harassed, abused or offended); or Designed to cause annoyance, inconvenience or needless anxiety to any person; or In breach of confidence, intellectual property rights, privacy or any right of a third party.

Hack into, make excessive traffic demands, probe or port scan other computers, deliver viruses, mail bombs, chain letters or pyramid schemes or otherwise engage in any other behaviour intended to inhibit other users from using and enjoying the Services or any other website; Collect and process others’ personal data except in accordance with applicable data protection law; Advertise or offer to sell goods or services on the pretext that the same are endorsed, offered for sale or originate from AAR; Infringe any other person’s intellectual property rights; Use the Services to harvest or collect information about users of the Services or to post or otherwise distribute unauthorized or unsolicited advertising, junk or bulk email (also known as “spam”); Use the Services or the Content in any way that we in our sole and absolute discretion consider objectionable, inappropriate, likely to injure our brand and reputation or otherwise unacceptable; Use the Services to send emails and other content couched, phrased or written in such a manner as to give an impression that the email is correspondence from AAR.

You are responsible for any misuse of the Services even if it is by another person using your access to the Services.

4.3. We reserve the right to block, remove, edit or refuse to post any material that you attempt to transmit through the Services that we deem to be in contravention of these terms and to take such other action as we in our sole and absolute discretion consider necessary to prevent or remedy any breach of these terms. If you become aware of any content or material circulated using the Services and that is in breach of these terms or content or material on the Site that is similarly in breach of these terms then we encourage you to promptly inform us by contacting our customer care service.

We are not responsible or liable for any failure to remove, block or delay in removing, any such infringing content or material or third party material from the Service or for any good faith but wrongful removal of third party material.
AAR may hold and use information provided by you for a number of purposes, which may include: Carrying out any activity in connection with a legal, governmental or regulatory requirement on AAR in connection with legal proceedings or in respect of crime or fraud prevention, detection or prosecution. Monitoring or recording of your communications for AAR’s business purposes such as marketing, quality control and training, prevention of unauthorised use of AAR’s information and communications system and ensuring effective systems operation in order to prevent or detect crime.


Equipment You will need to provide all equipment necessary to access the Service. If your equipment does not support the relevant technology allowing you to access the internet then you will not be able to use this Service.

Cost and Charges AAR will currently not charge you to sign up/register for the Services, save as may otherwise be communicated by AAR from time to time. However, AAR reserves the right to charge for access or all of Services in the future, subject to a clear notice when accessing Services that are charged.


Although AAR will take all reasonable steps to ensure that the Services are available to you at all times, it cannot guarantee a continuous fault free service. The quality and availability of Services may be affected by factors including (but not limited to) acts of God, planned maintenance or rectification work, or your equipment may interfere adversely with the quality and provision of the Services. We therefore do not warrant and shall not be liable for any delay or failure to send, receive or process messages, pictures, video clips and other communications or the quality of the materials received.

You accept and recognise that the Internet is not a secure environment and as such messages, pictures, video clips and other communications may be intercepted or accessed by those other than the intended recipient, manipulated, distorted, adapted, modified, stored or forwarded by others to you which may give unauthorised persons access to information stored on your PC or mobile device or may cause damage to your PC or mobile device. AAR accepts no liability for any loss or damage resulting from the receipt of any messages, pictures, video clips or other communications from any third parties. You will be required to take reasonable precautions while accessing websites, sending or receiving emails using the Services.

AAR may establish limits concerning the use of the Services for example the maximum number of characters that may be posted or received on the online services, the maximum capacity allocated to you for storage and/or transmission of Content.
All copyright, trade marks, patents and other intellectual property rights in any material or content (including without limitation software, data, applications, information, text, photographs, music, sound, videos, graphics, logos, symbols, artwork and other material or moving images) contained in or accessible via the Services (“Content”) is either owned by us or has been licensed to us by the rights owner(s) for use as part of the Services. You are only allowed to use the Services as set out in these terms. If you wish to use the Content for any other purpose other than reviewing it on the Site then you will be required to obtain the prior written permission of the owner of the rights in that material. All rights are expressly reserved. Having noted the above you shall not be entitled in respect of any Content (wholly or partly): To pass it on to third parties or to allow third parties to access it unless and to the extent expressly permitted; or To change, edit, modify, reformat or adapt it in any other way.
The information contained in this Site may be out of date and/or may contain other errors or omissions. AAR provides the Service and Content on the Site “as is” and makes no warranties of any kind, either express or implied with respect to the Service and/or the Content (including without limitation regarding their satisfactory quality, freedom from viruses or other harmful components, fitness for a particular purpose, suitability, reliability, timeliness, accuracy, completeness, security or that they are free from error) unless specifically set out in these terms.
AAR explicitly disclaims any responsibility for the accuracy, content, or availability of information found on sites that link to or from the Site. The inclusion of links on the Service to third party sites not controlled by us does not imply any endorsement by us of such sites and as such any transaction you make with a third party flowing from such links is carried out entirely at your own risk and we accept no liability for any losses that you may suffer as a result.
If a dispute, controversy or claim arises out of or relates to the use of this Website or the breach of the terms and conditions of use thereof and if the dispute cannot be settled through negotiation within [21] days of an offer by one party to negotiate a settlement, the parties irrevocably agree that the courts of Kenya shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with these Terms and Conditions or their subject matter or formation.
We shall not be liable for any loss of use, profits or data or any indirect, special or consequential damages or losses, whether such losses or damages arise in contract, negligence or tort, including without limitation to the foregoing any losses in relation to: your use of, reliance upon or inability to use our Service and/or Content; the deletion with or without notice or cause of any of your data or information stored on the Service; any loss of your data or material resulting from delays, non-deliveries, missed deliveries, service interruptions or a failure, suspension or withdrawal of all or part of the Service at any time; the removal from the Service of any material sent or posted by you on or via the Service and/or the blocking or suspension of your access to the Service or any part of it in accordance with these terms. If you are dissatisfied with any part of the Service or with any of these terms, your sole and exclusive remedy is to discontinue using this Service.
You irrevocably agree to indemnify us (AAR Holdings Limited) and any of our third party providers (“together indemnified persons”) fully against and to hold the indemnified persons harmless on demand from all losses, costs, proceedings, damages, expenses (including reasonable legal costs and expenses) or liabilities howsoever incurred by the indemnified persons as a result of any claim by a third party resulting from your use of the Service (or use of the Service by anyone who accesses the Service via your password) in breach or non-observance of these terms.

We shall notify you of any claim that we or any of the other indemnified persons receives and you hereby agree to provide us and/or any of the indemnified persons with full authority to defend or settle such claims and shall provide us and/or any of the indemnified persons with all reasonable assistance necessary to defend such claims, at your sole expense.
AAR reserves the right to vary the terms and conditions of this Agreement at any time by placing the revised terms and conditions on its website www.aar-insurance.com and you will be deemed to have been bound by such variation by continuing to use the Services. You should periodically check the website www.aar-insurance.com to make yourself aware of any variations.

The construction, validity and performance of these terms and conditions shall be governed in all respects by the Laws of Kenya.

If any provision of these terms and conditions is declared by any judicial or other competent authority to be void, voidable, illegal or otherwise unenforceable, such a term shall be amended or at the discretion of AAR it may be severed from these terms and conditions and the remaining provisions of these terms and conditions shall remain in full force and effect.

Except where these terms and conditions provide otherwise, the rights and remedies contained in them are cumulative and not exclusive to rights or remedies provided by law. The failure by AAR to enforce at any time or for any period any one or more of the terms and conditions shall not be a waiver of them or of the right at any time subsequently to enforce all terms and conditions.

No delay or failure by AAR shall constitute a breach or give rise to any claim for damages or loss of anticipated profits if such delay or failure is caused by force majeure. Force majeure shall mean an occurrence which is beyond and without fault or negligence of AAR affected and which AAR is unable to prevent or provide against by the exercise of reasonable diligence including, but not limited to, acts of God or of the public enemy, appropriation or confiscation of facilities, terrorist activity or other catastrophe, strike or any other concerted acts of employees or other similar occurrences.

You shall not assign these terms and conditions to a third party. Any unauthorized assignment or attempt to assign will automatically terminate this Service. AAR may assign these terms and conditions in whole or part to any third party at its discretion.

14.7 You acknowledge and agree that in entering into this Agreement you do not rely on, and shall have no remedy in respect of, any statement, representation, warranty or understanding (whether negligently or innocently made) of any person (whether party to these terms and conditions or not) other than as expressly set out in these terms and conditions as a warranty. Nothing in this clause shall, however, operate to limit or exclude liability for fraud.

We may suspend, vary or terminate your use of the Service or the Site without compensation for any period during which:
  • AAR is required or requested to comply with an order or instruction of or a recommendation from the government, court, regulator or other competent authority;
  • AAR reasonably suspects or believes that you are in breach of these terms and conditions;
  • Such a suspension or variation is necessary as a consequence of technical problems or for reasons of safety;
  • In order to update or upgrade the contents or functionality of the Service from time to time;
  • Upon any detection of abuse/misuse, breach of content, fraud or attempted fraud relating to your use of the Service;
  • Where you remain inactive for any period of time chosen by us in our reasonable discretion or where we believe, in our sole and absolute discretion;
  • AAR suspends the provision of the Services for its commercial reasons or for any other reason as it may determine in its absolute discretion.



If we suspend your access to the Service to investigate or prevent a potential breach of these terms, the terms shall continue to apply during such period of suspension and you shall remain liable for any charges payable by you during such period.



If your access to the Services is terminated for any reason then we may proceed to delete all information that you have stored on the Service. We therefore recommend that you save copies of all information that you wish to keep on another storage device apart from the Service.


If we terminate your access to the Service for material breach of these terms (including non-payment of any sums due by you, where applicable) then you shall remain liable for any such sums and for any other sums which you have contracted to pay prior to such termination, whether or not such charges relate to Services to be provided before or after such termination date and whether.

15.5 In the event that we decide to permanently withdraw the Services then we shall communicate this decision using such means as we shall deem. However, please remain aware that, depending on the nature of the reason for the suspension, change or termination of the Services, it may not always be possible to give advance notice. Consequently, AAR shall not be liable to you for any ensuing loss or damages occasioned to you from such a suspension, change or termination. Termination shall, however, not affect the accrued rights and liabilities of either you or us.



You may terminate your use of the Services at any time by sending a message to the email address info@aar.co.ke or following such other instructions as may be communicated on the website or contacting us, as set out above. Termination of the Service will not affect your obligation to pay for Services used by you or any third party services or goods previously purchased using the Services.


    If making a request on behalf of a minor or a person with no capacity:

    Details of the Personal Data Requested

    Mode of Access

    Inspect the record
    Listen to the record


    Photocopy (Please note that copying costs will apply)
    Number of copies required:

    Electronic
    Transcript (Please note that transcription charges may apply)
    Other (specify)
    Other Format:

    Delivery Method

    Collection in person
    By mail (provide address where different / in addition to details provided above)
    Town/City:

    By email (provide email address where different / in addition to details provided above)
    Email Address:

    Declaration


      Details of the Data Subject

      Request on behalf of a minor or a person with no capacity

      Proposed Change(s)

      S/NO | Personal Data currently on the file to be corrected | The proposed change | Reason for the proposed change
      1 | | |
      2 | | |

      Declaration


        Details of the Data Subject

        Reason for Erasure Request

        Your Personal Data is no longer necessary for the purpose for which it was originally collected
        You have withdrawn consent that was the lawful basis for retaining the Personal Data
        You object to the Processing of your Personal Data and there is no overriding legitimate interest to continue the Processing
        The Processing of your Personal Data has been unlawful
        Required to comply with a legal obligation

        Personal Data to be Erased


          Nature of Request

          RESTRICTION
          OBJECTION

          Details of the Data Subject

          Reasons for the Request

          Declaration


            Details of the Data Subject

            (This section is to provide the details of the Data Subject)

            (Provide the following details when making a request on behalf of a minor or a person who has no capacity)

            Details of the Request

            Emailing a copy to them at
            Email Address:

            Mailing to:
            Mailing Address:

            Others (Please specify)
            Specify:

            Declaration

            We understand the importance of safeguarding your personal information and ensuring your privacy. Below are some frequently asked questions to help you better understand how we handle your personal data:
            Data protection refers to the practice of safeguarding personal information and ensuring that it is collected, processed, stored, and shared in a secure and responsible manner. It involves implementing measures to prevent unauthorised access, misuse, loss, or theft of personal data.
            Data protection aims to uphold individuals’ privacy rights, maintain their control over their personal information, and ensure compliance with relevant laws and regulations. At AAR Insurance, data protection is a fundamental aspect of our commitment to ensuring the confidentiality and security of your information.
            Personal data refers to any information that can directly or indirectly identify an individual. We collect and process this data as described in our Privacy Policy.
            Personal data is collected through both direct and indirect means. Direct collection involves information provided by individuals themselves, such as when you fill out forms or provide details when applying for a policy. Indirect collection, on the other hand, includes data gathered through automated processes or third-party sources. This could involve tracking user interactions with our website or receiving information from our partners or service providers.
            The personal data we collect and process serves various purposes, all of which are outlined in our Privacy Policy. These purposes include providing you with accurate insurance quotes, establishing insurance policies or contracts with you, processing your claims, and maintaining communication with you.
            We process personal data in accordance with the lawful bases specified in our Privacy Policy. Should we decide to change the purposes for processing your information, we will promptly inform you of the change and obtain your consent to allow us to process your information for the identified new purpose(s).
            If you choose not to provide certain personal data requested by us, it may impact our ability to fully provide you with the requested products, services, or information. The specific consequences of not providing personal data will depend on the context and the purpose for which the data is requested.
            We employ a diverse range of technical and organisational measures to safeguard your data. These measures include encryption to secure information during transmission and storage, regular security assessments to identify and address vulnerabilities, strict access controls to ensure data is only accessible to authorised personnel, and secure storage practices. Our commitment to data security extends to regular employee training to ensure proper data handling practices. Additionally, we conduct routine audits to proactively identify and rectify any potential vulnerabilities in our systems.
            We only share your information with third parties as required to fulfill our services to you. This includes sharing data with claims service providers (MTIBA and SMART), Underwriters, medical professionals (if required for claims processing), Loss Assessors and Adjusters, and regulatory authorities as mandated by law. We do not sell your personal information to third parties for marketing purposes.
            We obtain your explicit consent before collecting and processing your personal data. Specifically, we seek consent when the data is intended for marketing purposes, entails the transfer of personal data outside Kenya, involves changes in processing purposes or pertains to your children. When you apply for our services, we present clear and concise consent statements that explain why we need your data and how it will be used. You have a right to withdraw your consent. If you wish to withdraw your consent, kindly contact the DPO at privacy@aar.co.ke.
            You have several rights concerning your personal data, including the right to access, rectify, and erase your data. You can also restrict or object to the processing of your data and request data portability. These rights are detailed in our Privacy Policy, and you can exercise them by contacting our customer service teams or Data Protection Officer.

            For any questions or concerns regarding your data privacy, including data access requests, complaints, or inquiries about our data protection practices:

            Yes, you can opt out of receiving marketing communications from us at any time. We provide an “unsubscribe” link in our emails, and you can also manage your communication preferences in your online account settings. Each SMS we send contains an embedded opt-out mechanism that allows you to effortlessly discontinue receiving such messages. In addition, you will also have the option to opt-out of any marketing related phone calls.
            We retain your data in accordance with its original purpose, ensuring it serves its intended use. For example, as a policyholder your personal data is necessary for policy administration, claims processing, and customer support throughout coverage. We also adhere to legal and regulatory requirements on data retention. Any retention beyond the original purpose for business-driven needs, like historical analysis, ensures we prioritise your privacy by anonymising or pseudonymising data. Our data retention policy establishes precise periods for different data types, consistently reviewed and updated for evolving requirements. Once data is no longer needed, our secure disposal practices, aligning with industry standards, ensure permanent removal or destruction to prevent unintended exposure. Your trust is paramount, and our meticulous data retention practices reflect our dedication to security and privacy.
            If you give us personal data of third parties, such as family members or associates, next of kin or your dependents, it is your responsibility to ensure that you have obtained the necessary consent or authority to share their information. Inform these individuals about the processing activities and possible international transfers of their data.
            In the unfortunate event of a data breach, we have a well-defined incident response plan. We will promptly notify affected individuals and regulatory authorities as required by law. We take immediate action to mitigate the breach’s impact and enhance our security measures to prevent future incidents.
            For detailed information about how we handle and protect your data, please refer to our Privacy Policy on our website. It outlines our data collection, processing practices, and your rights as a data subject.
            We do not knowingly collect or process personal data from individuals under the age of 18 without the appropriate parental or guardian consent. If we become aware that we have unintentionally collected data from a minor, we take immediate steps to delete the information.
            In some cases, your data may be transferred to countries outside your home country for processing or storage. Whenever we transfer your data internationally, we ensure that appropriate safeguards are in place to protect your data, in accordance with applicable laws.
            If you receive any suspicious communication claiming to be from AAR Insurance and requesting your personal information, please do not provide any details. Contact our official customer service number or email to verify the communication’s authenticity before taking any action.