Privacy Policy


Welcome to AAR’s Privacy Policy. We appreciate you taking the time to read all our notices carefully. AAR Limited (“AAR”, “We”, “Us”, “Our”) is committed to ensuring that your personal data is collected and used lawfully and transparently. We process your personal information under the Data Protection Act 2019 and the Data Protection (General) Regulations, 2021.


AAR is a leading medical and general insurance company, providing innovative underwriting solutions to individuals, families, and businesses. We offer products ranging from Family Plans, Personal Accident Insurance, School Insurance, Home Owners Insurance, Medical Insurance for SMEs and Corporates, Professional Indemnity, WIBA Cover, Travel Insurance, Marine Insurance and Landlord Insurance.
Our offices are located at Real Towers, Upperhill, Nairobi, Kenya.


To perform our functions, we need to collect certain types of information from various people including prospective job applicants, our members and their dependents, suppliers and vendors, agents and brokers, or any other relevant individuals (referred to as “you” or “your” in this Privacy Policy).
This Privacy Policy:

  • sets out the types of personal data that we collect about you
  • explains how and why we collect and use your personal data
  • explains how long we keep your personal data for
  • explains when, why and with whom we will share your personal data
  • sets out the legal basis we have for using your personal data
  • explains the effect of refusing to provide the personal data collected
  • explains the different rights and choices you have when it comes to your personal data
  • explains how we may contact you and how you can contact us


AAR collects Personal Data directly from you as well as from other available sources to the extent permitted by law. AAR endeavors only to collect Personal Data that is necessary for the purpose(s) for which it is collected and to retain such data for no longer than necessary for such purpose(s). Subject to applicable law and practice, the categories of Personal Data that are typically collected and processed are:

| Category of data subject | Type of personal data collected |
| --- | --- |
| Prospective Clients | Name of the proposer, nationality, postal address, postal code, town, telephone no., email address, mobile no., PIN no., ID no., occupation/nature of business, source of income, current permanent address, spouse and dependents’ names, date of birth, height and weight, next of kin details, confidential medical history |
| Members and their Dependents | Name, telephone number, email address, date of birth/birth certificates, membership no., employer, diagnosis and treatment notes, fingerprints, nature of the complaint |
| Agents and Brokers | Name, postal address, postal code, PIN no., ID no., passport size-colored photos, email address, signature, certificate of proficiency, and bank details |
| Third-party Service Providers | Please refer to Third Party Service Providers Privacy Policy |
| Job Applicants | Please refer to the Job Applicants Privacy Policy |
| Website/App Users | IP address, access sites, the sites linked from, pages visited, cookies and online identifiers, the links and features used, the content viewed or requested, browser or application type, language, and such other information |


Category of Data Subject | How we Collect Your Personal Data | Purpose of Collection
Prospective Clients
How we collect your personal data:
  • Directly from you when you fill out:
  1. New Member Application forms
  2. Email
  3. AAR Website
  4. AAR App
  5. Travel/Insurance forms
  • Through Agents/Broker
  • Through your employer when they enroll you onto our medical scheme
  • When you send an email or call us
Purpose of collection:
  1. Assess your eligibility to onboard you onto the medical scheme or other non-medical covers
  2. Assess your eligibility for payment plans and process your premium and other payments
  3. Facilitate the issuance of policy documents
  4. Comply with legal process and respond to requests from public and governmental authorities (including those outside your country of residence)
  5. Establish and defend legal rights
  6. Pursue available remedies or limit our damages
  7. Provide marketing information to you (including information about other products and services offered by selected third-party partners) in accordance with the preferences you have expressed
Members and their dependents
How we collect your personal data:
  • Directly from you when you fill out:
  1. Medical Claim forms
  2. Non-medical claim forms
  3. Pre-authorization forms
  4. M-TIBA
  5. SMART
  6. When you call us through phone calls
  7. Letters
  8. Emails
  9. Invoices
  10. Discharge Voucher
  • Indirectly through:
  1. Doctor’s treatment notes/medical reports and medical tests
  2. Loss Assessor/Adjuster’s report, Investigation Report
Purpose of collection:
  1. to provide you with medical insurance services such as inpatient and outpatient services i.e., consultation, laboratory investigations, drugs administration and dispensing, dental healthcare services, radiological examinations, nursing and midwifery services, surgical services, radiotherapy and physiotherapy services
  2. to facilitate payment of medical services
  3. to make reimbursement for medical claims
  4. to offer you our non-medical products such as personal accident, travel insurance, home insurance, professional indemnity, AIK protect cover, landlord insurance, marine insurance, school insurance etc.
  5. to determine whether you qualify for a specific non-medical product by engaging the services of an independent assessor, investigator, loss assessor and adjusters
  6. to facilitate handling and resolution of medical-related complaints
  7. to obtain consent to process your children’s and sensitive personal data
  8. to use your personal data to provide marketing information to you (including information about other products and services offered by selected third-party partners) in accordance with the preferences you have expressed
  9. to comply with applicable laws and regulatory obligations (including laws outside your country of residence), such as those relating to anti-money laundering, anti-terrorism and prevention of corruption
  10. to comply with legal process and respond to requests from public and governmental authorities (including those outside your country of residence)
  11. to establish and defend legal rights; protect our operations or insurance business partners, our rights, privacy, safety or property, and/or that of our group companies, you or others; and
  12. to pursue available remedies or limit our damages
Agents and Brokers
How we collect your personal data:
  • Directly from you through the Agent/Broker registration form
Purpose of collection:
  1. Assess your suitability for the role applied for
  2. Communicate to you about the progress of your application
  3. Facilitate the training process
  4. Onboard you as AAR’s authorized agent
  5. Maintain records in relation to the recruitment process according to our data retention policy, develop and improve our recruitment processes, website, and other related services
  6. If you are hired, populate your employee file and various systems and tools used in connection with your employment at AAR, and comply with any legal obligations imposed on us
  7. Facilitate handling and resolution of complaints
Third Party Service Providers
How we collect your personal data:
  • directly through email
  • through the Procurement Portal
Purpose of collection:
  1. to vet you for purposes of determining your suitability to offer required services
  2. to onboard you to AAR as its appointed vendor/supplier
  3. to facilitate disposal of contracts
  4. to answer any questions or handle complaints you make to AAR
  5. to perform our legal obligations
  6. to establish, exercise and defend legal claims
  7. to pursue available remedies or limit our damages
  8. to provide marketing information to you
  9. to comply with applicable laws and regulatory obligations (including laws outside your country of residence) such as the Public Procurement and Disposal Act, Anti-Corruption and Economic Crimes Act, and Prevention of Terrorism Act
  10. to comply with legal processes and respond to requests from public and governmental authorities (including those outside your country of residence)
Job Applicants
Please refer to the Job Applicant’s Privacy Policy
Website/AAR Mobile users
How we collect your personal data:
  • Online identifiers such as cookies and related tags, IP address
Purpose of collection:
  1. to improve your experience when using our website
  2. to position our products on social media sites that you visit


AAR processes your personal data on the following lawful bases:

  • where you consent to the processing for one or more specified purposes
  • where the processing is necessary: –
  1. for the performance of a contract to which you are a party or to take certain steps at your request before entering a contract
  2. for compliance with any legal obligation to which AAR is subject
  3. to protect your vital interests or those of another person/individual
  4. to enable us to perform a task carried on in public interest or in the exercise of official authority vested in AAR
  5. to perform any task carried out by a public authority
  6. for legitimate interests pursued by AAR or by a third party to whom the data is disclosed, except if the processing is unwarranted in any case having regard to the harm and prejudice to your rights and freedoms or legitimate interests.
  7. for the purpose of historical, statistical, journalistic, literature and art or scientific research.


Where appropriate, we may share your personal data in various ways and for various reasons with:

  • appropriate personnel within AAR.
  • individuals and organizations who hold information related to your reference or application to work for us, such as current, past, or prospective employers, educators and examining bodies.
  • insurance regulators, tax audit or other authorities when we believe in good faith that the law or other regulations requires us to share this data
  • third-party service providers who perform functions on our behalf (including medical professionals, accountants, actuaries, loss assessors/adjusters, claims investigators, auditors, outsourced legal services, MTIBA, SMART, travel agencies, Re-Insurance service providers, call center service providers; IT systems, support and hosting service providers; printing, advertising, marketing and market research and analysis service providers; banks and financial institutions that service our accounts; document and records management providers; claim investigators and adjusters; construction consultants; engineers and document storage providers) where we have an appropriate processing agreement (or similar protections) in place.


  • We care about protecting your information. That is why we have put in place appropriate measures that are designed to prevent unauthorized access to, and misuse of, your personal data.
  • We do this by having in place a range of appropriate technical and organizational measures including measures to deal with any suspected breaches.
  • If you suspect any misuse or loss of or unauthorized access to your personal data, please let us know immediately by sending us an email on privacy@aar.co.ke


  • We will only keep your personal data for as long as is necessary to achieve the purposes for which it was required unless the retention is required or authorized by law, reasonably necessary for a lawful purpose, you have consented to longer retention periods or if the personal data is required for statistical, journalistic, literature and art or research purposes.
  • For the avoidance of doubt: –
  1. If you are a Member or Third-Party Service Provider, we will retain your personal data to provide you with services or to receive services from you or to provide you with information about our services that we believe you may be interested in. If you have expressly indicated that you would rather we did not retain your personal data, then we will delete it from our systems and records.
  2. If you are a Prospective Member, Job Applicant or Member of the Public and we have not had any meaningful contact with you for a period of two years, we will delete your personal data from our systems unless we believe in good faith that the law or other regulation requires us to preserve it (for example because of our obligations to tax authorities or in connection with any anticipated litigation). If you expressly indicate that you are not interested in our services, then we will delete your personal data from our systems unless we believe in good faith that the law or other regulation requires us to preserve it. For the purpose of this clause, “meaningful contact” means communication between us either verbal or written.
  3. If you are a Website User, we will retain your personal data for as long as it is necessary to achieve the purpose it was collected or processed for. If this time has come or you have expressly indicated that you are not interested in our website or mobile app services anymore, we will delete it from our systems unless we believe in good faith that the law or other regulation requires us to preserve it (for example because of our obligations to tax authorities or in connection with any anticipated litigation).


Our ability to perform our obligations derived from your employment contract with AAR and our ability to comply with our legal and contractual obligations sometimes depends on AAR having access to and being able to use certain personal data. Therefore, and depending on the circumstances, if you do not provide us with the personal data we request or if you ask that we stop processing your personal data, we may not be able to perform our contractual obligations, or we may be in breach of one or more legal obligations applicable to us. In some cases, if we are not allowed to process your personal data, this may result in us being required to terminate our work relationship with you.


The Data Protection Act accords you with several rights over your data.

  • right to information: you have a right to be informed of how AAR will use your personal data.
  • right of access: you are entitled to access your personal data that is in our possession or custody.
  • right to object: you can object to the processing of all or part of your personal data, unless we can demonstrate a compelling legitimate interest for the processing which overrides your interests or for the establishment, exercise or defence of a legal claim.
  • right to rectification: you have the right to request us to rectify or correct, without undue delay, personal data in our possession or under our control that is inaccurate, outdated, incomplete or misleading
  • right to erasure: you can request us to delete or destroy, without undue delay personal data that we are no longer authorized to retain, or which is irrelevant, excessive, or obtained unlawfully.
  • right to data portability: you have the right to receive personal data concerning you in a structured, commonly used and machine-readable format and to transmit the data to another data controller without hindrance and, where technically possible, to have personal data transmitted directly from us to another data controller or data processor.
  • automated decision making: you have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or that significantly affects you. AAR may from time to time make decisions based on the automated processing of your personal data. In such instances, you will be informed, in writing, whenever a decision based on automated processing is taken. In addition, you can request us to reconsider any decisions made based on automated processing or to take a new decision that is not based solely on automated processing.
  • right of restriction: You have the right to request us to restrict the processing of personal data where: –
    1. you contest the accuracy of the personal data 
    2. the personal data is no longer required for the purpose of the processing
    3. the processing is unlawful and you have opposed the erasure of the personal data and requested restriction of its use instead.
    4. you have objected to the processing of personal data, pending verification as to whether the legitimate interests of the data controller or data processor override those of the data subject.
  • right to raise a complaint: You can raise a complaint about our processing with the Regulator i.e. the Data Commissioner in Kenya. You may also be able to seek a remedy through the courts if you believe that your rights have been breached.
  • If you wish to exercise any of your rights above, please contact us on privacy@aar.co.ke. We will seek to deal with your request without undue delay and in any event in accordance with the Data Protection Act, 2019 and the Data Protection (General) Regulations, 2021.
  • We may ask for identification, because we need to know for certain whether we are issuing the data to the right person


  • To provide you with the best services and carry out the purposes outlined in this Privacy Policy, your data will be transferred
  1. to third party advisors or other suppliers to the AAR’s business
  2. overseas clients, where applicable
  3. clients within your country, where applicable, who may in turn transfer your data internationally
  4. to a cloud-based storage provider
  5. to other third parties as stated in clause 9 of this Privacy Policy
  • We will only transfer your personal data outside Kenya where such transfer is compliant with the provisions of the Data Protection Act 2019 and the Data Protection (General) Regulations, 2021
  • To ensure that your personal data receives adequate levels of protection, we shall put in place appropriate procedures with the third parties we share your personal data with to ensure that your personal information is treated by those third parties in a way that is consistent with, and which respects the data protection laws.


  • A “cookie” is a bite-sized piece of data that is stored on your computer’s hard drive. They are used by nearly all websites and do not harm your system. We use them to track your activity to help ensure you get the smoothest possible experience when visiting our website. We can use the information from cookies to ensure we present you with options tailored to your preferences on your next visit. We can also use cookies to analyze traffic and for advertising purposes.
  • If you want to check or change what types of cookies you accept, this can usually be altered within your browser settings, or you can visit our Cookie Preference Center. We also provide information about this in our Marketing preferences page on the Hays website.
  • When you first visit our website(s) you will be asked to choose what kind of cookies you want to receive, so we ask for your prior consent for some cookies through our Cookies Preference Center while strictly necessary cookies will be set within our legitimate interests. You may also use your browser’s privacy settings to do this. However, rejecting all cookies through your browser’s privacy settings means that you may not be able to take full advantage of all our website’s features. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences.
  • You can update your given consent at any time by visiting our Cookie Preference Center which can be found by clicking on the “Cookie Preferences” link either on the top or bottom of our website. Instead of using our Cookie Preference Center you may choose to opt-out to cookies which are not strictly necessary to perform basic features of our site by changing your browser settings. If you use our Cookie Preference Center to update your choice of cookies, please note that this does not result in deletion of already placed cookies on your device. So, if you want to delete such cookies you may delete them in your browser’s privacy settings.
  • If you choose to delete all cookies through your browser’s privacy settings, this will also delete any placed opt-out cookie on your computer, and you may need to actively opt-out again.


  • You are responsible for the information you make available to AAR, and you must ensure it is accurate, honest, truthful, and not misleading in any way. You must ensure that the information does not contain material that is obscene, defamatory, or infringing on any rights of any third party.
  • Further, if you provide any information concerning any other person, such as individuals you provide as references or next of kin, you are responsible for providing any notices and obtaining any consents necessary for AAR to collect and use that information before you provide the referee’s or next of kin’s Personal Data to AAR.


If you have any questions or complaints about the processing of personal data, you can contact AAR on privacy@aar.co.ke

Updated on: 02-06-2022
